It seems like whenever I use a secret/config they are always group writable, even when I set the mode explicitly non-group writable. Example compose file:

version: "3.4"
services:
  alpine:
    image: alpine
    entrypoint: ["stat", "/foo"]
    secrets:
      - source: foo
        target: /foo
        mode: 400

secrets:
  foo:
    file: foo

Permissions from stat:

Access: (0620/-rw--w----)  Uid: (    0/    root)   Gid: (    0/    root)

This seems a bit odd and is problematic for me as I want to use this for ssh authorized_keys, which will error by default if group writable. A short term fix could be just to disable that check, but it still seems weird that docker would change the mode like that.

Ah, I need a 0 in front of the mode for it to interpret it as octal: https://stackoverflow.com/questions/53867901/docker-configs-secrets-are-always-user-group-writable