From 5932b651e3a367f8446fb5f2fefa5202043a5415 Mon Sep 17 00:00:00 2001
From: jordanp
Date: Tue, 24 Sep 2024 16:25:58 +0200
Subject: [PATCH] doc: set file_permission 0600 for kubeconfig file
It's only documentation, but kubeconfig file contains sensitive info so it's better to secure it a little
---
README.md | 5 +++--
docs/fedora-coreos/aws.md | 6 +++---
docs/fedora-coreos/azure.md | 5 +++--
docs/fedora-coreos/bare-metal.md | 6 +++---
docs/fedora-coreos/digitalocean.md | 6 +++---
docs/fedora-coreos/google-cloud.md | 5 +++--
docs/flatcar-linux/aws.md | 6 +++---
docs/flatcar-linux/azure.md | 5 +++--
docs/flatcar-linux/bare-metal.md | 5 +++--
docs/flatcar-linux/digitalocean.md | 5 +++--
docs/flatcar-linux/google-cloud.md | 5 +++--
docs/index.md | 6 +++---
12 files changed, 36 insertions(+), 29 deletions(-)
diff --git a/README.md b/README.md
index 460495f9..055fd1e0 100644
--- a/README.md
+++ b/README.md
@@ -96,8 +96,9 @@ module "yavin" {
 # Obtain cluster kubeconfig
 resource "local_file" "kubeconfig-yavin" {
- content = module.yavin.kubeconfig-admin
- filename = "/home/user/.kube/configs/yavin-config"
+ content = module.yavin.kubeconfig-admin
+ filename = "/home/user/.kube/configs/yavin-config"
+ file_permission = "0600"
 }
 ```
diff --git a/docs/fedora-coreos/aws.md b/docs/fedora-coreos/aws.md
index 051863a7..f20de0a9 100644
--- a/docs/fedora-coreos/aws.md
+++ b/docs/fedora-coreos/aws.md
@@ -134,8 +134,9 @@ In 4-8 minutes, the Kubernetes cluster will be ready.
 ```
 resource "local_file" "kubeconfig-tempest" {
- content = module.tempest.kubeconfig-admin
- filename = "/home/user/.kube/configs/tempest-config"
+ content = module.tempest.kubeconfig-admin
+ filename = "/home/user/.kube/configs/tempest-config"
+ file_permission = "0600"
 }
 ```
@@ -241,4 +242,3 @@ Check the list of valid [instance types](https://aws.amazon.com/ec2/instance-typ
 #### Spot
 Add `worker_price = "0.10"` to use spot instance workers (instead of "on-demand") and set a maximum spot price in USD. Clusters can tolerate spot market interuptions fairly well (reschedules pods, but cannot drain) to save money, with the tradeoff that requests for workers may go unfulfilled.
-
diff --git a/docs/fedora-coreos/azure.md b/docs/fedora-coreos/azure.md
index 7effd562..8f0c18ad 100644
--- a/docs/fedora-coreos/azure.md
+++ b/docs/fedora-coreos/azure.md
@@ -152,8 +152,9 @@ In 4-8 minutes, the Kubernetes cluster will be ready.
 ```
 resource "local_file" "kubeconfig-ramius" {
- content = module.ramius.kubeconfig-admin
- filename = "/home/user/.kube/configs/ramius-config"
+ content = module.ramius.kubeconfig-admin
+ filename = "/home/user/.kube/configs/ramius-config"
+ file_permission = "0600"
 }
 ```
diff --git a/docs/fedora-coreos/bare-metal.md b/docs/fedora-coreos/bare-metal.md
index a6d9a99b..0e8df442 100644
--- a/docs/fedora-coreos/bare-metal.md
+++ b/docs/fedora-coreos/bare-metal.md
@@ -302,8 +302,9 @@ systemd[1]: Started Kubernetes control plane.
 ```
 resource "local_file" "kubeconfig-mercury" {
- content = module.mercury.kubeconfig-admin
- filename = "/home/user/.kube/configs/mercury-config"
+ content = module.mercury.kubeconfig-admin
+ filename = "/home/user/.kube/configs/mercury-config"
+ file_permission = "0600"
 }
 ```
@@ -373,4 +374,3 @@ Check the [variables.tf](https://github.com/poseidon/typhoon/blob/master/bare-me
 | kernel_args | Additional kernel args to provide at PXE boot | [] | ["kvm-intel.nested=1"] |
 | worker_node_labels | Map from worker name to list of initial node labels | {} | {"node2" = ["role=special"]} |
 | worker_node_taints | Map from worker name to list of initial node taints | {} | {"node2" = ["role=special:NoSchedule"]} |
-
diff --git a/docs/fedora-coreos/digitalocean.md b/docs/fedora-coreos/digitalocean.md
index 145687b3..eea0f7d0 100644
--- a/docs/fedora-coreos/digitalocean.md
+++ b/docs/fedora-coreos/digitalocean.md
@@ -144,8 +144,9 @@ In 3-6 minutes, the Kubernetes cluster will be ready.
 ```
 resource "local_file" "kubeconfig-nemo" {
- content = module.nemo.kubeconfig-admin
- filename = "/home/user/.kube/configs/nemo-config"
+ content = module.nemo.kubeconfig-admin
+ filename = "/home/user/.kube/configs/nemo-config"
+ file_permission = "0600"
 }
 ```
@@ -248,4 +249,3 @@ Check the list of valid [droplet types](https://developers.digitalocean.com/docu
 !!! warning
 Do not choose a `controller_type` smaller than 2GB. Smaller droplets are not sufficient for running a controller and bootstrapping will fail.
-
diff --git a/docs/fedora-coreos/google-cloud.md b/docs/fedora-coreos/google-cloud.md
index 636e76e7..73198d37 100644
--- a/docs/fedora-coreos/google-cloud.md
+++ b/docs/fedora-coreos/google-cloud.md
@@ -136,8 +136,9 @@ In 4-8 minutes, the Kubernetes cluster will be ready.
 ```
 resource "local_file" "kubeconfig-yavin" {
- content = module.yavin.kubeconfig-admin
- filename = "/home/user/.kube/configs/yavin-config"
+ content = module.yavin.kubeconfig-admin
+ filename = "/home/user/.kube/configs/yavin-config"
+ file_permission = "0600"
 }
 ```
diff --git a/docs/flatcar-linux/aws.md b/docs/flatcar-linux/aws.md
index 7c6e7b53..b61a8a79 100644
--- a/docs/flatcar-linux/aws.md
+++ b/docs/flatcar-linux/aws.md
@@ -134,8 +134,9 @@ In 4-8 minutes, the Kubernetes cluster will be ready.
 ```
 resource "local_file" "kubeconfig-tempest" {
- content = module.tempest.kubeconfig-admin
- filename = "/home/user/.kube/configs/tempest-config"
+ content = module.tempest.kubeconfig-admin
+ filename = "/home/user/.kube/configs/tempest-config"
+ file_permission = "0600"
 }
 ```
@@ -239,4 +240,3 @@ Check the list of valid [instance types](https://aws.amazon.com/ec2/instance-typ
 #### Spot
 Add `worker_price = "0.10"` to use spot instance workers (instead of "on-demand") and set a maximum spot price in USD. Clusters can tolerate spot market interuptions fairly well (reschedules pods, but cannot drain) to save money, with the tradeoff that requests for workers may go unfulfilled.
-
diff --git a/docs/flatcar-linux/azure.md b/docs/flatcar-linux/azure.md
index 93461d92..e33f6e65 100644
--- a/docs/flatcar-linux/azure.md
+++ b/docs/flatcar-linux/azure.md
@@ -140,8 +140,9 @@ In 4-8 minutes, the Kubernetes cluster will be ready.
 ```
 resource "local_file" "kubeconfig-ramius" {
- content = module.ramius.kubeconfig-admin
- filename = "/home/user/.kube/configs/ramius-config"
+ content = module.ramius.kubeconfig-admin
+ filename = "/home/user/.kube/configs/ramius-config"
+ file_permission = "0600"
 }
 ```
diff --git a/docs/flatcar-linux/bare-metal.md b/docs/flatcar-linux/bare-metal.md
index 9f741d11..61355940 100644
--- a/docs/flatcar-linux/bare-metal.md
+++ b/docs/flatcar-linux/bare-metal.md
@@ -312,8 +312,9 @@ systemd[1]: Started Kubernetes control plane.
 ```
 resource "local_file" "kubeconfig-mercury" {
- content = module.mercury.kubeconfig-admin
- filename = "/home/user/.kube/configs/mercury-config"
+ content = module.mercury.kubeconfig-admin
+ filename = "/home/user/.kube/configs/mercury-config"
+ file_permission = "0600"
 }
 ```
diff --git a/docs/flatcar-linux/digitalocean.md b/docs/flatcar-linux/digitalocean.md
index d5e34c2e..f4b82345 100644
--- a/docs/flatcar-linux/digitalocean.md
+++ b/docs/flatcar-linux/digitalocean.md
@@ -144,8 +144,9 @@ In 3-6 minutes, the Kubernetes cluster will be ready.
 ```
 resource "local_file" "kubeconfig-nemo" {
- content = module.nemo.kubeconfig-admin
- filename = "/home/user/.kube/configs/nemo-config"
+ content = module.nemo.kubeconfig-admin
+ filename = "/home/user/.kube/configs/nemo-config"
+ file_permission = "0600"
 }
 ```
diff --git a/docs/flatcar-linux/google-cloud.md b/docs/flatcar-linux/google-cloud.md
index 3229fcde..e9c6ca3f 100644
--- a/docs/flatcar-linux/google-cloud.md
+++ b/docs/flatcar-linux/google-cloud.md
@@ -136,8 +136,9 @@ In 4-8 minutes, the Kubernetes cluster will be ready.
 ```
 resource "local_file" "kubeconfig-yavin" {
- content = module.yavin.kubeconfig-admin
- filename = "/home/user/.kube/configs/yavin-config"
+ content = module.yavin.kubeconfig-admin
+ filename = "/home/user/.kube/configs/yavin-config"
+ file_permission = "0600"
 }
 ```
diff --git a/docs/index.md b/docs/index.md
index 7302078c..798016d8 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -87,8 +87,9 @@ module "yavin" {
 # Obtain cluster kubeconfig
 resource "local_file" "kubeconfig-yavin" {
- content = module.yavin.kubeconfig-admin
- filename = "/home/user/.kube/configs/yavin-config"
+ content = module.yavin.kubeconfig-admin
+ filename = "/home/user/.kube/configs/yavin-config"
+ file_permission = "0600"
 }
 ```
@@ -157,4 +158,3 @@ Poseidon's Github [Sponsors](https://github.com/sponsors/poseidon) support the i
If you'd like your company here, please contact dghubble at psdn.io.
-