Lack of control of file permissions of rendered secrets

[mrproper]

out of the box, vault injector renders secrets as:
uid: 100 gid: 1000 file mode: 0644
These are pretty ordinary defaults.

Consider that many applications that use lets say a cert key etc expect permissions of 0400
The uid/gid control is already handled in the unreleased commits for using:

        vault.hashicorp.com/agent-run-as-user: "1000"
        vault.hashicorp.com/agent-run-as-group: "1000"

The only work around i managed for permissions of the rendered files is the following:

        vault.hashicorp.com/agent-inject-command-${secret}: "chmod 400 ${secret_volume_path}/${secret}

Proposal:
Just with many of the other annotations:

1. set a default render file permission in the agent (ie not in annotations)
2. allow annotations to set a default file permission
3. allow per secret to set a file permission

Cheers!

[jasonodonnell]

This would be pretty easy to add. Consul Template supports perms for rendered templates, so we'll just need to add an annotation for it.

[lawliet89]

May I chime in to add my support for this feature please. Some applications refuse to even contemplate loading a private key that is not 0600, for good reason.