adjust perms for tls fixtures at test runtime

certstrap checks perms, can't exceed r--r--r--

bass/bass.bass

@@ -135,7 +135,7 @@
                       "search dns.bass\n")]
       (from (buildkit:image os arch buildkit:test-config)
         ($ cp $cert /etc/ssl/certs/bass.crt)
-        ($ chmod "0600" /etc/ssl/certs/bass.crt)
+        ($ chmod "0400" /etc/ssl/certs/bass.crt)
         (-> ($ buildkitd --addr "tcp://0.0.0.0:6107")
             (with-mount (cache-dir "bass buildkitd") /var/lib/buildkit/)
             (with-mount (mkfile ./resolv.conf resolv) /etc/resolv.conf)

pkg/runtimes/buildkit.go

@@ -664,17 +664,17 @@ func (b *builder) llb(ctx context.Context, thunk bass.Thunk, extraOpts ...llb.Ru
 	if thunk.TLS != nil {
 		crt, key, err := basstls.Generate(b.runtime.Config.CertsDir, id)
 		if err != nil {
-			return llb.ExecState{}, "", false, fmt.Errorf("init tls: %w", err)
+			return llb.ExecState{}, "", false, fmt.Errorf("tls: generate: %w", err)
 		}
 
 		crtContent, err := crt.Export()
 		if err != nil {
-			return llb.ExecState{}, "", false, fmt.Errorf("init tls: %w", err)
+			return llb.ExecState{}, "", false, fmt.Errorf("export crt: %w", err)
 		}
 
 		keyContent, err := key.ExportPrivate()
 		if err != nil {
-			return llb.ExecState{}, "", false, fmt.Errorf("init tls: %w", err)
+			return llb.ExecState{}, "", false, fmt.Errorf("export key: %w", err)
 		}
 
 		runOpt = append(runOpt,

pkg/runtimes/buildkit_test.go

@@ -2,6 +2,7 @@ package runtimes_test
 
 import (
 	"context"
+	"os"
 	"testing"
 
 	_ "github.com/moby/buildkit/client"
@@ -20,6 +21,9 @@ func TestBuildkitRuntime(t *testing.T) {
 
 	ctx := context.Background()
 
+	is.NoErr(os.Chmod("./testdata/tls/bass.crt", 0400))
+	is.NoErr(os.Chmod("./testdata/tls/bass.key", 0400))
+
 	pool, err := runtimes.NewPool(ctx, &bass.Config{
 		Runtimes: []bass.RuntimeConfig{
 			{