From fe33515bd869e71956245481ee5361b74841c88b Mon Sep 17 00:00:00 2001
From: Peter Pathirana <peter@latent.io>
Date: Mon, 16 Dec 2024 18:15:22 +0000
Subject: [PATCH] fix: secret should be readable by fs_group id

---
 templates/kubernetes/homelab-workspace/deployment.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/templates/kubernetes/homelab-workspace/deployment.tf b/templates/kubernetes/homelab-workspace/deployment.tf
index a121f8fd..1653ec44 100644
--- a/templates/kubernetes/homelab-workspace/deployment.tf
+++ b/templates/kubernetes/homelab-workspace/deployment.tf
@@ -77,6 +77,7 @@ resource "kubernetes_deployment" "deployment" {
               name       = "workspace-secrets"
               mount_path = volume_mount.value
               sub_path   = volume_mount.key
+              read_only  = true
             }
           }
           volume_mount {
@@ -120,7 +121,7 @@ resource "kubernetes_deployment" "deployment" {
             secret {
               secret_name  = volume.key
               optional     = true
-              default_mode = "0400"
+              default_mode = "0440"
             }
           }
         }