It seems like whenever I use a secret/config they are always group writable, even when I set the mode explicitly non-group writable. Example compose file:
    version: "3.4"
    services:
      alpine:
        image: alpine
        entrypoint: ["stat", "/foo"]
        secrets:
          - source: foo
            target: /foo
            mode: 400
    secrets:
      foo:
        file: foo
Permissions from stat:
Access: (0620/-rw--w----) Uid: ( 0/ root) Gid: ( 0/ root)
This seems a bit odd and is problematic for me as I want to use this for ssh authorized_keys, which will error by default if group writable. A short-term fix could be just to disable that check, but it still seems weird that Docker would change the mode like that.
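
The mode in the stat output above, 0620, is decimal 400 written in octal. As an added example (not part of the original post), this Python sketch reads `mode:` values under YAML 1.1 integer rules, which is an assumption about how the compose loader parses them, and flags values that were probably meant as octal. The names `yaml_int` and `lint_modes` and the `bar` entry are hypothetical.

```python
import re
import stat

# Constructed sample: the secret entry from the compose file above, plus a
# hypothetical second entry written with a leading zero for comparison.
COMPOSE_TEXT = """\
services:
  alpine:
    secrets:
      - source: foo
        target: /foo
        mode: 400
      - source: bar
        target: /bar
        mode: 0400
"""

MODE_LINE = re.compile(r"^[ \t]*mode:[ \t]*(0[oO][0-7]+|[0-9]+)[ \t]*$", re.MULTILINE)
OCTAL_DIGITS = set("01234567")


def yaml_int(literal):
    """Parse an integer literal the way YAML 1.1 does (assumed loader behaviour)."""
    if literal[:2] in ("0o", "0O"):
        return int(literal[2:], 8)
    if literal.startswith("0") and set(literal) <= OCTAL_DIGITS:
        return int(literal, 8)       # leading zero: octal
    return int(literal, 10)          # no leading zero: plain decimal


def lint_modes(text):
    """Return one finding per mode: line with the permissions it really yields."""
    findings = []
    for match in MODE_LINE.finditer(text):
        literal = match.group(1)
        effective = yaml_int(literal)
        findings.append({
            "literal": literal,
            "octal": format(effective, "04o"),
            "perms": stat.filemode(stat.S_IFREG | (effective & 0o7777)),
            "group_or_other_writable": bool(effective & 0o022),
            # Octal-looking digits parsed as decimal: likely a missing leading 0.
            "suspicious": not literal.startswith("0")
            and set(literal) <= OCTAL_DIGITS
            and int(literal, 8) != effective,
        })
    return findings


if __name__ == "__main__":
    for finding in lint_modes(COMPOSE_TEXT):
        print(finding)
```
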