oraculum: Secrets

roles/openshift-apps/oraculum/templates/client_secrets.json

@@ -0,0 +1,17 @@
+{
+    "web": {
+        "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+        "client_id": "{{ oraculum_oidc_client_id }}",
+{% if env == 'staging' %}
+        "client_secret": "{{ oraculum_oidc_client_secret_stg }}",
+{% else %}
+        "client_secret": "{{ oraculum_oidc_client_secret }}",
+{% endif %}
+        "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+        "redirect_uris": [
+            "https://oraculum{{env_suffix}}.fedoraproject.org/oidc_callback"
+        ],
+        "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+        "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+    }
+}

roles/openshift-apps/oraculum/templates/deploymentconfig.yml

@@ -22,6 +22,8 @@ spec:
           # init_db isn't dropping anything, so it's safe to call every time the pod starts
           command: ["python", "/opt/app-root/src/oraculum/cli.py", "init_db"]
           # and then just the gunicorn for the frontend part of the backend :)
+          volumes:
+           - oraculum-secret-volume
   template:
     metadata:
       labels:
@@ -65,6 +67,14 @@ spec:
           value: False
         - name: SMTP_CONFIG
           value: "{{ oraculum_smtp_confline }}"
+      volumeMounts:
+      - name: oraculum-secret-volume
+        mountPath: /opt/app-root/secret/
+        readOnly: true
+      volumes:
+      - name: oraculum-secret-volume
+        secret:
+          secretName: oraculum-secret
         readinessProbe:
           timeoutSeconds: 1
           initialDelaySeconds: 5
@@ -112,6 +122,8 @@ spec:
           # init_db isn't dropping anything, so it's safe to call every time the pod starts
           command: ["/bin/sh","-c"]
           args: ["python /opt/app-root/src/oraculum/cli.py init_db && /usr/bin/celery -A oraculum.celery_app worker -c 2 --loglevel=INFO"]
+          volumes:
+           - oraculum-secret-volume
   template:
     metadata:
       labels:
@@ -153,6 +165,14 @@ spec:
           value: False
         - name: SMTP_CONFIG
           value: "{{ oraculum_smtp_confline }}"
+      volumeMounts:
+      - name: oraculum-secret-volume
+        mountPath: /opt/app-root/secret/
+        readOnly: true
+      volumes:
+      - name: oraculum-secret-volume
+        secret:
+          secretName: oraculum-secret
 
   triggers:
   - type: ConfigChange
@@ -188,6 +208,8 @@ spec:
           # init_db isn't dropping anything, so it's safe to call every time the pod starts
           command: ["/bin/sh","-c"]
           args: ["python /opt/app-root/src/oraculum/cli.py init_db && /usr/bin/celery -A oraculum.celery_app beat --loglevel=INFO"]
+          volumes:
+           - oraculum-secret-volume
   template:
     metadata:
       labels:
@@ -229,6 +251,14 @@ spec:
           value: False
         - name: SMTP_CONFIG
           value: "{{ oraculum_smtp_confline }}"
+      volumeMounts:
+      - name: oraculum-secret-volume
+        mountPath: /opt/app-root/secret/
+        readOnly: true
+      volumes:
+      - name: oraculum-secret-volume
+        secret:
+          secretName: oraculum-secret
 
   triggers:
   - type: ConfigChange

roles/openshift-apps/oraculum/templates/secret.yml

@@ -0,0 +1,11 @@
+---
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oraculum-secret
+  labels:
+    app: oraculum
+stringData:
+  client_secrets.json: |-
+    {{ load_file('client_secrets.json') | indent }}