openstack-k8s-operators · rabi · Jan 21, 2026
diff --git a/internal/dataplane/util/ansible_execution.go b/internal/dataplane/util/ansible_execution.go
@@ -30,6 +30,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	apimachineryvalidation "k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	networkv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
@@ -324,7 +325,7 @@ func SetAeeSSHMounts(
 		sshKeyMountSubPath = fmt.Sprintf("ssh_key_%s", sshKeyNodeName)
 		sshKeyMountPath = fmt.Sprintf("/runner/env/ssh_key/%s", sshKeyMountSubPath)
 
-		CreateVolume(ansibleEEMounts, sshKeyName, sshKeyMountSubPath, sshKeySecret, "ssh-privatekey")
+		CreateVolume(ansibleEEMounts, sshKeyName, sshKeyMountSubPath, sshKeySecret, "ssh-privatekey", ptr.To(int32(0600)))
 		CreateVolumeMount(ansibleEEMounts, sshKeyName, sshKeyMountPath, sshKeyMountSubPath)
 	}
 }
@@ -361,18 +362,20 @@ func SetAeeInvMounts(
 			inventoryMountPath = "/runner/inventory/hosts"
 		}
 
-		CreateVolume(ansibleEEMounts, inventoryName, inventoryName, inventorySecrets[nodeName], "inventory")
+		CreateVolume(ansibleEEMounts, inventoryName, inventoryName, inventorySecrets[nodeName], "inventory", nil)
 		CreateVolumeMount(ansibleEEMounts, inventoryName, inventoryMountPath, inventoryName)
 	}
 }
 
 // CreateVolume creates a volume configuration for Ansible Execution Environment mounts
-func CreateVolume(ansibleEEMounts *storage.VolMounts, volumeName string, volumeMountPath string, secretName string, keyToPathKey string) {
+// If defaultMode is nil, Kubernetes default (0644) is used
+func CreateVolume(ansibleEEMounts *storage.VolMounts, volumeName string, volumeMountPath string, secretName string, keyToPathKey string, defaultMode *int32) {
 	volume := storage.Volume{
 		Name: volumeName,
 		VolumeSource: storage.VolumeSource{
 			Secret: &corev1.SecretVolumeSource{
-				SecretName: secretName,
+				SecretName:  secretName,
+				DefaultMode: defaultMode,
 				Items: []corev1.KeyToPath{
 					{
 						Key:  keyToPathKey,

diff --git a/test/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml b/test/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml
@@ -162,7 +162,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -258,7 +258,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -362,7 +362,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -460,7 +460,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -558,7 +558,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -656,7 +656,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -808,7 +808,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -917,7 +917,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1056,7 +1056,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1165,7 +1165,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1274,7 +1274,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1383,7 +1383,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1492,7 +1492,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global
@@ -1631,7 +1631,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-global
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-global

diff --git a/test/kuttl/tests/dataplane-deploy-global-service-test/02-assert.yaml b/test/kuttl/tests/dataplane-deploy-global-service-test/02-assert.yaml
@@ -151,7 +151,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-beta-nodeset
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-beta-nodeset
@@ -254,7 +254,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-beta-nodeset
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-beta-nodeset

diff --git a/test/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml b/test/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml
@@ -212,7 +212,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-openstack-edpm-tls
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_openstack-edpm-tls
@@ -319,7 +319,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-openstack-edpm-tls
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_openstack-edpm-tls

diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/01-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/01-assert.yaml
@@ -147,7 +147,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -252,7 +252,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -352,7 +352,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -452,7 +452,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -552,7 +552,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -700,7 +700,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -810,7 +810,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -950,7 +950,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1060,7 +1060,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1170,7 +1170,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1280,7 +1280,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1390,7 +1390,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes
@@ -1530,7 +1530,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes

diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/02-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/02-assert.yaml
@@ -90,7 +90,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes

diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/04-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/04-assert.yaml
@@ -165,7 +165,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes

diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/06-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/06-assert.yaml
@@ -157,7 +157,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-edpm-compute-beta-nodeset
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-beta-nodeset
@@ -258,7 +258,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-beta-nodeset
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-beta-nodeset

diff --git a/test/kuttl/tests/dataplane-deploy-no-nodes-test/07-assert.yaml b/test/kuttl/tests/dataplane-deploy-no-nodes-test/07-assert.yaml
@@ -85,7 +85,7 @@ spec:
       volumes:
       - name: ssh-key-edpm-compute-no-nodes
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_edpm-compute-no-nodes

diff --git a/test/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml b/test/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml
@@ -249,7 +249,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-openstack-edpm-tls
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_openstack-edpm-tls
@@ -361,7 +361,7 @@ spec:
           secretName: combined-ca-bundle
       - name: ssh-key-openstack-edpm-tls
         secret:
-          defaultMode: 420
+          defaultMode: 384
           items:
           - key: ssh-privatekey
             path: ssh_key_openstack-edpm-tls