From 58c7b5be0f004268611b496530c56badc2068a07 Mon Sep 17 00:00:00 2001
From: xnoto <steven@makeitwork.cloud>
Date: Fri, 19 Jun 2026 00:51:27 -0600
Subject: [PATCH] fix: make k3s issuer config readable

---
 cloud-init/k3s/cloud_init.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cloud-init/k3s/cloud_init.cfg b/cloud-init/k3s/cloud_init.cfg
index cc3f84a..a093907 100644
--- a/cloud-init/k3s/cloud_init.cfg
+++ b/cloud-init/k3s/cloud_init.cfg
@@ -26,7 +26,7 @@ write_files:
   # AWS STS will use the public static discovery/JWKS documents served by www
   # at https://makeitwork.cloud/oidc to validate sops-secrets-operator tokens.
   - path: /etc/rancher/k3s/config.yaml.d/service-account-issuer.yaml
-    permissions: '0600'
+    permissions: '0644'
     content: |
       kube-apiserver-arg:
         # First issuer signs new ServiceAccount tokens.