Give the clean packagers groups toddler access to the corresponding service's keytab

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

playbooks/openshift-apps/poddlers.yml

@@ -46,11 +46,17 @@
       tags:
         - appowners
 
+    # Keytabs
     - role: openshift/keytab
       keytab_app: poddlers
       keytab_key: service.keytab
       keytab_secret_name: keytab
       keytab_service: toddlers
+    - role: openshift/keytab
+      keytab_app: poddlers
+      keytab_key: sync-group.keytab
+      keytab_secret_name: sync-group-keytab
+      keytab_service: toddlers-sync-group
 
     - role: openshift/ipa-client
       ipa_client_app: poddlers

roles/ipa/server/tasks/toddlers.yml

@@ -2,7 +2,7 @@
 
 - name: Create toddlers toddlers-sync-groups service
   ansible.builtin.include_role:
-    name: "keytab/service" # noqa role-name[path]
+    name: "ipa/service" # noqa role-name[path]
   vars:
     host: os-control01{{ env_suffix }}.fedoraproject.org # noqa: var-naming[no-role-prefix]
     service: toddlers-sync-group # noqa: var-naming[no-role-prefix]

roles/openshift-apps/poddlers/templates/deploymentconfig.yml.j2

@@ -30,9 +30,19 @@ spec:
 
           volumeMounts:
             {{ common_volume_mounts() }}
+	    {% if toddler.name == "clean-packagers-groups" %}
+            - name: sync-group-keytab-volume
+              mountPath: /etc/sync-group-keytabs
+              readOnly: true
+	    {% endif %}
 
       volumes:
         {{ common_volumes() }}
+	{% if toddler.name == "clean-packagers-groups" %}
+        - name: sync-group-keytab-volume
+          secret:
+            secretName: sync-group-keytab
+	{% endif %}
 
   triggers:
     - type: ConfigChange