From 670a78bcbee5f275de2f48adf5fe3bc4f4f8b9a6 Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Thu, 29 Jun 2017 14:36:44 -0500 Subject: [PATCH] Fix file permission and readOnly flag This patchset enforces stricter file permission on *-etc configmap and sets readOnly flag to true in a number of charts. Change-Id: I233689a5d56dd1352e0d81997a94b4cdd6bed5d2 
Signed-off-by: Tin Lam --- barbican/templates/deployment-api.yaml | 1 + barbican/templates/job-db-init.yaml | 5 +++-- barbican/templates/job-db-sync.yaml | 1 + ceph/templates/daemonset-osd.yaml | 1 + ceph/templates/deployment-mds.yaml | 1 + ceph/templates/deployment-moncheck.yaml | 1 + ceph/templates/deployment-rgw.yaml | 1 + ceph/templates/job-keyring.yaml | 1 + ceph/templates/job-storage-admin-keys.yaml | 1 + ceph/templates/statefulset-mon.yaml | 1 + cinder/templates/deployment-api.yaml | 1 + cinder/templates/deployment-backup.yaml | 2 ++ cinder/templates/deployment-scheduler.yaml | 1 + cinder/templates/deployment-volume.yaml | 1 + cinder/templates/job-bootstrap.yaml | 3 +++ cinder/templates/job-db-init.yaml | 1 + cinder/templates/pod-rally-test.yaml | 1 + glance/templates/deployment-api.yaml | 3 +++ glance/templates/deployment-registry.yaml | 1 + glance/templates/job-bootstrap.yaml | 1 + glance/templates/job-db-init.yaml | 1 + glance/templates/job-db-sync.yaml | 1 + glance/templates/pod-rally-test.yaml | 1 + heat/templates/deployment-api.yaml | 1 + heat/templates/deployment-cfn.yaml | 1 + heat/templates/deployment-cloudwatch.yaml | 1 + heat/templates/job-db-init.yaml | 1 + heat/templates/job-db-sync.yaml | 1 + heat/templates/statefulset-engine.yaml | 1 + horizon/templates/deployment.yaml | 1 + ingress/templates/deployment-ingress.yaml | 2 ++ keystone/templates/deployment.yaml | 1 + keystone/templates/job-bootstrap.yaml | 1 + keystone/templates/job-db-init.yaml | 1 + keystone/templates/job-db-sync.yaml | 1 + keystone/templates/pod-rally-test.yaml | 1 + magnum/templates/deployment-api.yaml | 1 + magnum/templates/job-db-init.yaml | 1 + magnum/templates/job-db-sync.yaml | 1 + magnum/templates/statefulset-conductor.yaml | 1 + mariadb/templates/statefulset.yaml | 1 + mistral/templates/deployment-api.yaml | 1 + mistral/templates/deployment-executor.yaml | 1 + mistral/templates/job-db-init.yaml | 1 + mistral/templates/job-db-sync.yaml | 1 + 
mistral/templates/statefulset-engine.yaml | 1 + .../templates/statefulset-event-engine.yaml | 1 + neutron/templates/daemonset-dhcp-agent.yaml | 1 + neutron/templates/daemonset-l3-agent.yaml | 1 + .../templates/daemonset-metadata-agent.yaml | 1 + neutron/templates/daemonset-ovs-agent.yaml | 1 + neutron/templates/daemonset-ovs-db.yaml | 1 + neutron/templates/deployment-server.yaml | 1 + neutron/templates/job-db-init.yaml | 1 + neutron/templates/job-db-sync.yaml | 1 + neutron/templates/pod-rally-test.yaml | 1 + nova/templates/daemonset-compute.yaml | 2 ++ nova/templates/daemonset-libvirt.yaml | 3 +++ nova/templates/deployment-api-metadata.yaml | 1 + nova/templates/deployment-api-osapi.yaml | 1 + nova/templates/deployment-conductor.yaml | 1 + nova/templates/deployment-consoleauth.yaml | 1 + nova/templates/deployment-scheduler.yaml | 1 + nova/templates/job-bootstrap.yaml | 1 + nova/templates/job-db-init.yaml | 1 + nova/templates/job-db-sync.yaml | 1 + nova/templates/pod-rally-test.yaml | 1 + rabbitmq/templates/deployment.yaml | 20 ++++++++++--------- senlin/templates/deployment-api.yaml | 1 + senlin/templates/job-db-init.yaml | 1 + senlin/templates/job-db-sync.yaml | 1 + senlin/templates/statefulset-engine.yaml | 1 + 72 files changed, 93 insertions(+), 11 deletions(-) diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml index 11e20006..58855941 100644 --- a/barbican/templates/deployment-api.yaml +++ b/barbican/templates/deployment-api.yaml @@ -91,6 +91,7 @@ spec: - name: barbican-etc configMap: name: barbican-etc + defaultMode: 0444 - name: barbican-bin configMap: name: barbican-bin diff --git a/barbican/templates/job-db-init.yaml b/barbican/templates/job-db-init.yaml index e23f0fed..25ff06d3 100644 --- a/barbican/templates/job-db-init.yaml +++ b/barbican/templates/job-db-init.yaml 
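Review bot: `defaultMode: 0444` on the barbican-etc volume in barbican/templates/deployment-api.yaml only gives the intended mode when the rendered manifest is loaded with YAML 1.1 octal rules. A loader that reads a leading zero as decimal would produce 444, which is octal 0674 and still passes the API's 0-0777 range check, so the wrong mode would be applied silently. The same literal is added in every other `*-etc` hunk of this patch, and as `0555` for rabbitmq-bin. I would write the decimal form with the octal in a comment, `defaultMode: 292  # 0444, r--r--r--`, or at least add that comment beside the octal literal. The volumes list continues outside the hunk.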
@@ -45,12 +45,12 @@ spec: command: - /tmp/db-init.py volumeMounts: + - name: barbican-etc + mountPath: /etc/barbican - name: barbican-bin mountPath: /tmp/db-init.py subPath: db-init.py readOnly: true - - name: barbican-etc - mountPath: /etc/barbican - name: barbican-conf mountPath: /etc/barbican/barbican.conf subPath: barbican.conf @@ -61,6 +61,7 @@ spec: - name: barbican-conf configMap: name: barbican-etc + defaultMode: 0444 - name: barbican-bin configMap: name: barbican-bin diff --git a/barbican/templates/job-db-sync.yaml b/barbican/templates/job-db-sync.yaml index 1cb7a850..29ba8879 100644 --- a/barbican/templates/job-db-sync.yaml +++ b/barbican/templates/job-db-sync.yaml @@ -49,6 +49,7 @@ spec: - name: barbican-etc configMap: name: barbican-etc + defaultMode: 0444 - name: barbican-bin configMap: name: barbican-bin diff --git a/ceph/templates/daemonset-osd.yaml b/ceph/templates/daemonset-osd.yaml index f0c5ffa5..4f4197ff 100644 --- a/ceph/templates/daemonset-osd.yaml +++ b/ceph/templates/daemonset-osd.yaml @@ -114,6 +114,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} diff --git a/ceph/templates/deployment-mds.yaml b/ceph/templates/deployment-mds.yaml index 964677ec..a77ccff3 100644 --- a/ceph/templates/deployment-mds.yaml +++ b/ceph/templates/deployment-mds.yaml @@ -101,6 +101,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} diff --git a/ceph/templates/deployment-moncheck.yaml b/ceph/templates/deployment-moncheck.yaml index 54228cf3..95a8923f 100644 --- a/ceph/templates/deployment-moncheck.yaml +++ b/ceph/templates/deployment-moncheck.yaml @@ -92,6 +92,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} 
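Review bot: The relocated `barbican-etc` mount at `/etc/barbican` in barbican/templates/job-db-init.yaml still has no `readOnly: true`, although the commit aims at read-only config mounts and the `barbican-bin` mount right below it carries the flag. The second hunk of this file attaches the barbican-etc configMap to a volume named `barbican-conf`, so whatever backs the `barbican-etc` volume is defined outside the hunk. If that volume is not meant to be a writable scratch directory, add `readOnly: true` under `mountPath: /etc/barbican`. Whether the `barbican-conf` subPath mount is read-only is also outside the visible lines.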
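Review bot: The `ceph-client-admin-keyring` secret volume directly below the changed configMap in ceph/templates/daemonset-osd.yaml gets no explicit mode, so as far as the hunk shows the admin keyring keeps the Kubernetes default of 0644 while the configMap next to it is tightened. Consider setting a mode on the secret as well, for example `defaultMode: 0400` if the consuming process runs as the file owner. The same pattern appears in the deployment-mds, deployment-moncheck, deployment-rgw and statefulset-mon hunks, and for the `ceph-keyring` secret in the cinder, glance and nova hunks. The lines after `secretName:` are outside the hunk, so a mode may already be set there.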
diff --git a/ceph/templates/deployment-rgw.yaml b/ceph/templates/deployment-rgw.yaml index c754b1ae..76b20e86 100644 --- a/ceph/templates/deployment-rgw.yaml +++ b/ceph/templates/deployment-rgw.yaml @@ -104,6 +104,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} diff --git a/ceph/templates/job-keyring.yaml b/ceph/templates/job-keyring.yaml index 677167df..aa067605 100644 --- a/ceph/templates/job-keyring.yaml +++ b/ceph/templates/job-keyring.yaml @@ -81,5 +81,6 @@ spec: - name: ceph-templates configMap: name: ceph-templates + defaultMode: 0444 {{ end }} {{ end }} diff --git a/ceph/templates/job-storage-admin-keys.yaml b/ceph/templates/job-storage-admin-keys.yaml index 571057b8..f2fbd4f0 100644 --- a/ceph/templates/job-storage-admin-keys.yaml +++ b/ceph/templates/job-storage-admin-keys.yaml @@ -74,4 +74,5 @@ spec: - name: ceph-templates configMap: name: ceph-templates + defaultMode: 0444 {{- end }} diff --git a/ceph/templates/statefulset-mon.yaml b/ceph/templates/statefulset-mon.yaml index 7ab91e8b..cd67f457 100644 --- a/ceph/templates/statefulset-mon.yaml +++ b/ceph/templates/statefulset-mon.yaml @@ -133,6 +133,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml index 9c412583..b6a31323 100644 --- a/cinder/templates/deployment-api.yaml +++ b/cinder/templates/deployment-api.yaml @@ -85,4 +85,5 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 {{- if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }} diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml index a95dd686..113e9a0f 100644 --- a/cinder/templates/deployment-backup.yaml 
+++ b/cinder/templates/deployment-backup.yaml @@ -88,6 +88,7 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 - name: cinder-bin configMap: name: cinder-bin @@ -98,6 +99,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml index 7449f4de..18a8bc0b 100644 --- a/cinder/templates/deployment-scheduler.yaml +++ b/cinder/templates/deployment-scheduler.yaml @@ -71,4 +71,5 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 {{- if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }} diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml index 85a3f449..770eadb4 100644 --- a/cinder/templates/deployment-volume.yaml +++ b/cinder/templates/deployment-volume.yaml @@ -102,6 +102,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml index 34cd1d4e..0eaf6258 100644 --- a/cinder/templates/job-bootstrap.yaml +++ b/cinder/templates/job-bootstrap.yaml @@ -43,13 +43,16 @@ spec: - name: cinder-etc mountPath: /etc/cinder/cinder.conf subPath: cinder.conf + readOnly: true - name: cinder-bin mountPath: /tmp/bootstrap.sh subPath: bootstrap.sh + readOnly: true volumes: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 - name: cinder-bin configMap: name: cinder-bin diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml index b51bc929..54397b0d 100644 --- a/cinder/templates/job-db-init.yaml +++ b/cinder/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 - name: cinder-bin configMap: name: cinder-bin 
diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml index ac0989cd..2549adbf 100644 --- a/cinder/templates/pod-rally-test.yaml +++ b/cinder/templates/pod-rally-test.yaml @@ -56,6 +56,7 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 - name: cinder-bin configMap: name: cinder-bin diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml index 5e0ffa72..c4d7f1e7 100644 --- a/glance/templates/deployment-api.yaml +++ b/glance/templates/deployment-api.yaml @@ -67,6 +67,7 @@ spec: - name: glance-bin mountPath: /tmp/ceph-keyring.sh subPath: ceph-keyring.sh + readOnly: true - name: ceph-keyring mountPath: /tmp/client-keyring subPath: key @@ -136,6 +137,7 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 {{- if eq .Values.storage "pvc" }} - name: glance-images persistentVolumeClaim: @@ -146,6 +148,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml index d32016c1..95494e6b 100644 --- a/glance/templates/deployment-registry.yaml +++ b/glance/templates/deployment-registry.yaml @@ -88,4 +88,5 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 {{- if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }} diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml index 5a70663b..ea42a9c2 100644 --- a/glance/templates/job-bootstrap.yaml +++ b/glance/templates/job-bootstrap.yaml @@ -59,3 +59,4 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 diff --git a/glance/templates/job-db-init.yaml b/glance/templates/job-db-init.yaml index 88426e58..84c7de15 100644 --- a/glance/templates/job-db-init.yaml +++ b/glance/templates/job-db-init.yaml 
@@ -63,6 +63,7 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 - name: glance-bin configMap: name: glance-bin diff --git a/glance/templates/job-db-sync.yaml b/glance/templates/job-db-sync.yaml index c94ba6e2..7efa6a29 100644 --- a/glance/templates/job-db-sync.yaml +++ b/glance/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 - name: glance-bin configMap: name: glance-bin diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml index ce344aaf..d01139a3 100644 --- a/glance/templates/pod-rally-test.yaml +++ b/glance/templates/pod-rally-test.yaml @@ -56,6 +56,7 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 - name: glance-bin configMap: name: glance-bin diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml index 9120e95e..5fed9bdf 100644 --- a/heat/templates/deployment-api.yaml +++ b/heat/templates/deployment-api.yaml @@ -92,4 +92,5 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 {{- if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }} diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml index 69907d42..a102ac91 100644 --- a/heat/templates/deployment-cfn.yaml +++ b/heat/templates/deployment-cfn.yaml @@ -92,4 +92,5 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 {{- if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }} diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml index 9ff4b65f..267c7dc9 100644 --- a/heat/templates/deployment-cloudwatch.yaml +++ b/heat/templates/deployment-cloudwatch.yaml @@ -92,4 +92,5 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 {{- if $mounts_heat_cloudwatch.volumes }}{{ toYaml $mounts_heat_cloudwatch.volumes | indent 8 }}{{ end }} 
diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml index 4d4b0754..dc082e70 100644 --- a/heat/templates/job-db-init.yaml +++ b/heat/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 - name: heat-bin configMap: name: heat-bin diff --git a/heat/templates/job-db-sync.yaml b/heat/templates/job-db-sync.yaml index c3939235..54780fb4 100644 --- a/heat/templates/job-db-sync.yaml +++ b/heat/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 - name: heat-bin configMap: name: heat-bin diff --git a/heat/templates/statefulset-engine.yaml b/heat/templates/statefulset-engine.yaml index ecb3b5ea..f3eb51de 100644 --- a/heat/templates/statefulset-engine.yaml +++ b/heat/templates/statefulset-engine.yaml @@ -72,4 +72,5 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 {{- if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }} diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml index a70b26a5..64745166 100644 --- a/horizon/templates/deployment.yaml +++ b/horizon/templates/deployment.yaml @@ -82,4 +82,5 @@ spec: - name: horizon-etc configMap: name: horizon-etc + defaultMode: 0444 {{- if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }} diff --git a/ingress/templates/deployment-ingress.yaml b/ingress/templates/deployment-ingress.yaml index 7189296a..dd51e740 100644 --- a/ingress/templates/deployment-ingress.yaml +++ b/ingress/templates/deployment-ingress.yaml @@ -74,8 +74,10 @@ spec: - name: ingress-etc mountPath: /etc/resolv.conf subPath: resolv.conf + readOnly: true volumes: - name: ingress-etc configMap: name: ingress-etc + defaultMode: 0444 {{- end }} diff --git a/keystone/templates/deployment.yaml b/keystone/templates/deployment.yaml index e8661f26..217a02f1 100644 --- a/keystone/templates/deployment.yaml 
+++ b/keystone/templates/deployment.yaml @@ -103,6 +103,7 @@ spec: - name: keystone-etc configMap: name: keystone-etc + defaultMode: 0444 - name: keystone-bin configMap: name: keystone-bin diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml index 4cde8c92..a4cc0ac3 100644 --- a/keystone/templates/job-bootstrap.yaml +++ b/keystone/templates/job-bootstrap.yaml @@ -45,6 +45,7 @@ spec: - name: keystone-bin mountPath: /tmp/bootstrap.sh subPath: bootstrap.sh + readOnly: true {{- if $mounts_keystone_bootstrap.volumeMounts }}{{ toYaml $mounts_keystone_bootstrap.volumeMounts | indent 10 }}{{ end }} volumes: - name: keystone-bin diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml index 19fafa6f..195c91d7 100644 --- a/keystone/templates/job-db-init.yaml +++ b/keystone/templates/job-db-init.yaml @@ -67,6 +67,7 @@ spec: - name: keystone-etc configMap: name: keystone-etc + defaultMode: 0444 - name: keystone-bin configMap: name: keystone-bin diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml index fb64370f..50af2a8c 100644 --- a/keystone/templates/job-db-sync.yaml +++ b/keystone/templates/job-db-sync.yaml @@ -66,6 +66,7 @@ spec: - name: keystone-etc configMap: name: keystone-etc + defaultMode: 0444 - name: keystone-bin configMap: name: keystone-bin diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml index b66ac731..543ce195 100644 --- a/keystone/templates/pod-rally-test.yaml +++ b/keystone/templates/pod-rally-test.yaml @@ -56,6 +56,7 @@ spec: - name: keystone-etc configMap: name: keystone-etc + defaultMode: 0444 - name: keystone-bin configMap: name: keystone-bin diff --git a/magnum/templates/deployment-api.yaml b/magnum/templates/deployment-api.yaml index be40df78..039e23ad 100644 --- a/magnum/templates/deployment-api.yaml +++ b/magnum/templates/deployment-api.yaml 
@@ -92,4 +92,5 @@ spec: - name: magnum-etc configMap: name: magnum-etc + defaultMode: 0444 {{- if $mounts_magnum_api.volumes }}{{ toYaml $mounts_magnum_api.volumes | indent 8 }}{{ end }} diff --git a/magnum/templates/job-db-init.yaml b/magnum/templates/job-db-init.yaml index 9add5dc2..ed86f05b 100644 --- a/magnum/templates/job-db-init.yaml +++ b/magnum/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: magnum-etc configMap: name: magnum-etc + defaultMode: 0444 - name: magnum-bin configMap: name: magnum-bin diff --git a/magnum/templates/job-db-sync.yaml b/magnum/templates/job-db-sync.yaml index 2fcc44d8..9a80aee3 100644 --- a/magnum/templates/job-db-sync.yaml +++ b/magnum/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: magnum-etc configMap: name: magnum-etc + defaultMode: 0444 - name: magnum-bin configMap: name: magnum-bin diff --git a/magnum/templates/statefulset-conductor.yaml b/magnum/templates/statefulset-conductor.yaml index 6089ca9c..fa1b7812 100644 --- a/magnum/templates/statefulset-conductor.yaml +++ b/magnum/templates/statefulset-conductor.yaml @@ -72,4 +72,5 @@ spec: - name: magnum-etc configMap: name: magnum-etc + defaultMode: 0444 {{- if $mounts_magnum_conductor.volumes }}{{ toYaml $mounts_magnum_conductor.volumes | indent 8 }}{{ end }} diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml index 3b318acd..fd117a5f 100644 --- a/mariadb/templates/statefulset.yaml +++ b/mariadb/templates/statefulset.yaml @@ -100,6 +100,7 @@ spec: - name: mariadb-etc configMap: name: mariadb-etc + defaultMode: 0444 {{- if not .Values.volume.enabled }} - name: mysql-data emptyDir: {} diff --git a/mistral/templates/deployment-api.yaml b/mistral/templates/deployment-api.yaml index 8abaa7f7..0bffe51f 100644 --- a/mistral/templates/deployment-api.yaml +++ b/mistral/templates/deployment-api.yaml 
@@ -85,4 +85,5 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 {{- if $mounts_mistral_api.volumes }}{{ toYaml $mounts_mistral_api.volumes | indent 8 }}{{ end }} diff --git a/mistral/templates/deployment-executor.yaml b/mistral/templates/deployment-executor.yaml index c10fb14c..adfc3e43 100644 --- a/mistral/templates/deployment-executor.yaml +++ b/mistral/templates/deployment-executor.yaml @@ -67,4 +67,5 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 {{- if $mounts_mistral_executor.volumes }}{{ toYaml $mounts_mistral_executor.volumes | indent 8 }}{{ end }} diff --git a/mistral/templates/job-db-init.yaml b/mistral/templates/job-db-init.yaml index 0352c8e9..cbfbfbb2 100644 --- a/mistral/templates/job-db-init.yaml +++ b/mistral/templates/job-db-init.yaml @@ -67,3 +67,4 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 diff --git a/mistral/templates/job-db-sync.yaml b/mistral/templates/job-db-sync.yaml index c09e5bd5..25b45ef2 100644 --- a/mistral/templates/job-db-sync.yaml +++ b/mistral/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 - name: mistral-bin configMap: name: mistral-bin diff --git a/mistral/templates/statefulset-engine.yaml b/mistral/templates/statefulset-engine.yaml index 76a853f5..b5eceac7 100644 --- a/mistral/templates/statefulset-engine.yaml +++ b/mistral/templates/statefulset-engine.yaml @@ -62,4 +62,5 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 {{- if $mounts_mistral_engine.volumes }}{{ toYaml $mounts_mistral_engine.volumes | indent 8 }}{{ end }} diff --git a/mistral/templates/statefulset-event-engine.yaml b/mistral/templates/statefulset-event-engine.yaml index 09e41d0f..33e0c743 100644 --- a/mistral/templates/statefulset-event-engine.yaml +++ b/mistral/templates/statefulset-event-engine.yaml 
@@ -64,4 +64,5 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 {{- if $mounts_mistral_event_engine.volumes }}{{ toYaml $mounts_mistral_event_engine.volumes | indent 8 }}{{ end }} diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml index e29adcc4..372cd7c9 100644 --- a/neutron/templates/daemonset-dhcp-agent.yaml +++ b/neutron/templates/daemonset-dhcp-agent.yaml @@ -90,6 +90,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: runopenvswitch hostPath: path: /run/openvswitch diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml index 9832cc6f..fba00ec2 100644 --- a/neutron/templates/daemonset-l3-agent.yaml +++ b/neutron/templates/daemonset-l3-agent.yaml @@ -89,6 +89,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: runopenvswitch hostPath: path: /run/openvswitch diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml index d29cac25..24450417 100644 --- a/neutron/templates/daemonset-metadata-agent.yaml +++ b/neutron/templates/daemonset-metadata-agent.yaml @@ -88,6 +88,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: runopenvswitch hostPath: path: /run/openvswitch diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml index cb0fd4f9..54eaf5f4 100644 --- a/neutron/templates/daemonset-ovs-agent.yaml +++ b/neutron/templates/daemonset-ovs-agent.yaml @@ -131,6 +131,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: libmodules hostPath: path: /lib/modules diff --git a/neutron/templates/daemonset-ovs-db.yaml b/neutron/templates/daemonset-ovs-db.yaml index e3764fe6..d337dce6 100644 --- a/neutron/templates/daemonset-ovs-db.yaml +++ b/neutron/templates/daemonset-ovs-db.yaml 
@@ -66,6 +66,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: libmodules hostPath: path: /lib/modules diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml index ccdc33a7..6109c9b9 100644 --- a/neutron/templates/deployment-server.yaml +++ b/neutron/templates/deployment-server.yaml @@ -88,4 +88,5 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 {{- if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }} diff --git a/neutron/templates/job-db-init.yaml b/neutron/templates/job-db-init.yaml index cbc4cb4c..e8e97e6d 100644 --- a/neutron/templates/job-db-init.yaml +++ b/neutron/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: neutron-bin configMap: name: neutron-bin diff --git a/neutron/templates/job-db-sync.yaml b/neutron/templates/job-db-sync.yaml index 7ea65a69..8b30f16b 100644 --- a/neutron/templates/job-db-sync.yaml +++ b/neutron/templates/job-db-sync.yaml @@ -64,6 +64,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: neutron-bin configMap: name: neutron-bin diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml index 7316ed26..7990a11d 100644 --- a/neutron/templates/pod-rally-test.yaml +++ b/neutron/templates/pod-rally-test.yaml @@ -56,6 +56,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: neutron-bin configMap: name: neutron-bin diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index 12407884..cdb5a6bb 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml 
@@ -167,12 +167,14 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if .Values.ceph.enabled }} - name: etcceph emptyDir: {} - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/nova/templates/daemonset-libvirt.yaml b/nova/templates/daemonset-libvirt.yaml index eb93cbc5..2f323593 100644 --- a/nova/templates/daemonset-libvirt.yaml +++ b/nova/templates/daemonset-libvirt.yaml @@ -52,6 +52,7 @@ spec: - name: nova-bin mountPath: /tmp/ceph-keyring.sh subPath: ceph-keyring.sh + readOnly: true - name: ceph-keyring mountPath: /tmp/client-keyring subPath: key @@ -136,12 +137,14 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if .Values.ceph.enabled }} - name: etcceph emptyDir: {} - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml index 9c0779bf..ba9f9055 100644 --- a/nova/templates/deployment-api-metadata.yaml +++ b/nova/templates/deployment-api-metadata.yaml @@ -96,4 +96,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml index 99f1c647..6a9df393 100644 --- a/nova/templates/deployment-api-osapi.yaml +++ b/nova/templates/deployment-api-osapi.yaml @@ -84,4 +84,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml index 2c344e61..99c596c9 100644 --- a/nova/templates/deployment-conductor.yaml 
+++ b/nova/templates/deployment-conductor.yaml @@ -67,4 +67,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml index ed2f72a6..c2b8ff2a 100644 --- a/nova/templates/deployment-consoleauth.yaml +++ b/nova/templates/deployment-consoleauth.yaml @@ -67,4 +67,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml index 4fc7c0de..82faabf6 100644 --- a/nova/templates/deployment-scheduler.yaml +++ b/nova/templates/deployment-scheduler.yaml @@ -67,4 +67,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml index 71859809..5b44e905 100644 --- a/nova/templates/job-bootstrap.yaml +++ b/nova/templates/job-bootstrap.yaml @@ -54,6 +54,7 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 - name: nova-bin configMap: name: nova-bin diff --git a/nova/templates/job-db-init.yaml b/nova/templates/job-db-init.yaml index eb648cce..d53e7efe 100644 --- a/nova/templates/job-db-init.yaml +++ b/nova/templates/job-db-init.yaml @@ -92,6 +92,7 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 - name: nova-bin configMap: name: nova-bin diff --git a/nova/templates/job-db-sync.yaml b/nova/templates/job-db-sync.yaml index c00fef5b..5f86f7c4 100644 --- a/nova/templates/job-db-sync.yaml +++ b/nova/templates/job-db-sync.yaml 
@@ -51,6 +51,7 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 - name: nova-bin configMap: name: nova-bin diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml index 13e10088..feba24ef 100644 --- a/nova/templates/pod-rally-test.yaml +++ b/nova/templates/pod-rally-test.yaml @@ -54,6 +54,7 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 - name: nova-bin configMap: name: nova-bin diff --git a/rabbitmq/templates/deployment.yaml b/rabbitmq/templates/deployment.yaml index d5e92ce3..1b67d794 100644 --- a/rabbitmq/templates/deployment.yaml +++ b/rabbitmq/templates/deployment.yaml @@ -40,15 +40,6 @@ spec: {{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} - volumes: - - name: rabbitmq-emptydir - emptyDir: {} - - name: rabbitmq-bin - configMap: - name: rabbitmq-bin - - name: rabbitmq-etc - configMap: - name: rabbitmq-etc initContainers: {{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 9 }} containers: @@ -105,3 +96,14 @@ spec: mountPath: /etc/rabbitmq/rabbitmq.config subPath: rabbitmq.config readOnly: true + volumes: + - name: rabbitmq-emptydir + emptyDir: {} + - name: rabbitmq-bin + configMap: + name: rabbitmq-bin + defaultMode: 0555 + - name: rabbitmq-etc + configMap: + name: rabbitmq-etc + defaultMode: 0444 diff --git a/senlin/templates/deployment-api.yaml b/senlin/templates/deployment-api.yaml index dfac5c59..e7785349 100644 --- a/senlin/templates/deployment-api.yaml +++ b/senlin/templates/deployment-api.yaml @@ -92,4 +92,5 @@ spec: - name: senlin-etc configMap: name: senlin-etc + defaultMode: 0444 {{- if $mounts_senlin_api.volumes }}{{ toYaml $mounts_senlin_api.volumes | indent 8 }}{{ end }} 
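Review bot: `rabbitmq-bin` in rabbitmq/templates/deployment.yaml is the only `*-bin` configMap in this patch that receives an explicit mode (`defaultMode: 0555`); every other chart's `*-bin` volume visible in the hunks (barbican-bin, cinder-bin, glance-bin, keystone-bin, nova-bin and the rest) is left at the implicit default. If the scripts are meant to be non-writable and executable everywhere, the same `defaultMode: 0555` line belongs under those configMaps too. If rabbitmq is a special case, a comment above the line such as `# scripts are executed directly and need the x bit` would record why it differs.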
diff --git a/senlin/templates/job-db-init.yaml b/senlin/templates/job-db-init.yaml index c35d5c5a..5f9c882d 100644 --- a/senlin/templates/job-db-init.yaml +++ b/senlin/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: senlin-etc configMap: name: senlin-etc + defaultMode: 0444 - name: senlin-bin configMap: name: senlin-bin diff --git a/senlin/templates/job-db-sync.yaml b/senlin/templates/job-db-sync.yaml index c6b6d961..49b2b7f6 100644 --- a/senlin/templates/job-db-sync.yaml +++ b/senlin/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: senlin-etc configMap: name: senlin-etc + defaultMode: 0444 - name: senlin-bin configMap: name: senlin-bin diff --git a/senlin/templates/statefulset-engine.yaml b/senlin/templates/statefulset-engine.yaml index 144cce0c..f1d5def7 100644 --- a/senlin/templates/statefulset-engine.yaml +++ b/senlin/templates/statefulset-engine.yaml @@ -72,4 +72,5 @@ spec: - name: senlin-etc configMap: name: senlin-etc + defaultMode: 0444 {{- if $mounts_senlin_engine.volumes }}{{ toYaml $mounts_senlin_engine.volumes | indent 8 }}{{ end }}