From e004e53ef007488f0836647dec1ca644437f3518 Mon Sep 17 00:00:00 2001
From: Nikolas De Giorgis
Date: Fri, 18 Sep 2020 09:10:41 +0100
Subject: [PATCH 1/3] Change default permissions for volumes created from secret

---
 pkg/kube/statefulset/statefulset.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/kube/statefulset/statefulset.go b/pkg/kube/statefulset/statefulset.go
index 3a1cad1f0..fdfd95031 100644
--- a/pkg/kube/statefulset/statefulset.go
+++ b/pkg/kube/statefulset/statefulset.go
@@ -100,11 +100,13 @@ func CreateVolumeFromConfigMap(name, sourceName string) corev1.Volume {
 }

 func CreateVolumeFromSecret(name, sourceName string, options ...func(v *corev1.Volume)) corev1.Volume {
+ permission := int32(416)
 volumeMount := &corev1.Volume{
 Name: name,
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
- SecretName: sourceName,
+ SecretName: sourceName,
+ DefaultMode: &permission,
 },
 },
 }
From 15b7472f175896ae9f4409f9e08fa9ab83a2c142 Mon Sep 17 00:00:00 2001
From: Nikolas De Giorgis
Date: Fri, 18 Sep 2020 09:43:17 +0100
Subject: [PATCH 2/3] Added unit test

---
 pkg/kube/statefulset/statefulset_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/kube/statefulset/statefulset_test.go b/pkg/kube/statefulset/statefulset_test.go
index d194e5775..be7ae9d18 100644
--- a/pkg/kube/statefulset/statefulset_test.go
+++ b/pkg/kube/statefulset/statefulset_test.go
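Review bot: `permission := int32(416)` in CreateVolumeFromSecret writes a file mode in decimal, which hides that the value is 0640 (owner read/write, group read, nothing for others). An octal literal with a short comment, e.g. `permission := int32(0640) // secret files: owner rw, group r, no access for others`, makes the tightening from the Kubernetes secret-volume default of 0644 visible to the next reader. The same decimal literal is repeated in the assertions added to statefulset_test.go and mongodb_tls_test.go in patches 2/3 and 3/3; a named constant would keep the three in step. The function body continues past the hunk, so whether a caller-supplied option can still replace DefaultMode is not visible here and is worth stating in the doc comment.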
@@ -98,7 +98,8 @@ func TestAddVolumeAndMount(t *testing.T) {
 assert.Equal(t, sts.Spec.Template.Spec.Containers[1].VolumeMounts[0].MountPath, "mount-path-secret")

 assert.Len(t, sts.Spec.Template.Spec.Volumes, 2)
- assert.Equal(t, sts.Spec.Template.Spec.Volumes[1].Name, "mount-name-secret")
+ assert.Equal(t, "mount-name-secret", sts.Spec.Template.Spec.Volumes[1].Name)
+ assert.Equal(t, int32(416), *sts.Spec.Template.Spec.Volumes[1].Secret.DefaultMode)
 assert.Nil(t, sts.Spec.Template.Spec.Volumes[1].VolumeSource.ConfigMap, "volume should not have been configured from a config map source")
 assert.NotNil(t, sts.Spec.Template.Spec.Volumes[1].VolumeSource.Secret, "volume should have been configured from a secret source")

From f0d342cfa06b23eb360c2da456ba136fccfd4c0e Mon Sep 17 00:00:00 2001
From: Nikolas De Giorgis
Date: Fri, 18 Sep 2020 10:03:54 +0100
Subject: [PATCH 3/3] fixed broken e2e test

---
 pkg/controller/mongodb/mongodb_tls_test.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/controller/mongodb/mongodb_tls_test.go b/pkg/controller/mongodb/mongodb_tls_test.go
index 95ffa67f2..6a32fdd65 100644
--- a/pkg/controller/mongodb/mongodb_tls_test.go
+++ b/pkg/controller/mongodb/mongodb_tls_test.go
@@ -46,11 +46,13 @@ func TestStatefulSet_IsCorrectlyConfiguredWithTLS(t *testing.T) {
 },
 },
 })
+ permission := int32(416)
 assert.Contains(t, sts.Spec.Template.Spec.Volumes, corev1.Volume{
 Name: "tls-secret",
 VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
- SecretName: mdb.TLSOperatorSecretNamespacedName().Name,
+ SecretName: mdb.TLSOperatorSecretNamespacedName().Name,
+ DefaultMode: &permission,
 },
 },
 })
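Review bot: In TestAddVolumeAndMount (statefulset_test.go, patch 2/3) the added assertion dereferences `*sts.Spec.Template.Spec.Volumes[1].Secret.DefaultMode` two lines before the existing `assert.NotNil` on `VolumeSource.Secret`, so a regression that drops the secret source or leaves the mode unset would panic on a nil pointer instead of reporting a failed assertion. Moving the mode check below the NotNil check and guarding the pointer keeps the failure readable, e.g. `if mode := sts.Spec.Template.Spec.Volumes[1].Secret.DefaultMode; assert.NotNil(t, mode) { assert.Equal(t, int32(0640), *mode) }`. This is the assertion that pins the restricted secret-file permissions, so it is worth having it fail cleanly. The test function starts and ends outside the hunk.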