Sync out keytab as secret

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2019-05-10 21:55:29 +02:00 · 2019-05-10 21:55:29 +02:00 · 3288e5fd8c
commit 3288e5fd8c
parent 266eecc0fe
4 changed files with 20 additions and 7 deletions
--- a/playbooks/openshift-apps/fas.yml
+++ b/playbooks/openshift-apps/fas.yml
@ -38,6 +38,14 @@
    app: fas
    template_fullpath: "{{roles_path}}/fas_server/templates/configmap.yml"
    objectname: configmap.yml
+  - role: openshift/secret-file
+    app: fas
+    privatefile: "keytabs/{{env}}/fas_sync"
+    key: fas_sync_keytab
+  - role: openshift/secret-file
+    app: fas
+    privatefile: "fas-gpg/pubring.gpg"
+    key: fas_gpg_pubring
  - role: openshift/object
    app: fas
    file: service-fas.yml
--- a/roles/fas_server/templates/configmap.yml
+++ b/roles/fas_server/templates/configmap.yml
@ -80,14 +80,10 @@ data:

    # FAS stuff
    {{ load_file('fas-app.conf.j2') | indent() }}
-  fas_sync_keytab: |-
-    {{ lookup('file', '{{ private }}/files/keytabs/{{env}}/fas_sync') | indent() }}
  fas_sync_cert.pem: |-
    {{ lookup('file', '{{ roles_path }}/fas_server/files/ipa.{{env}}.pem') | indent() }}
  fas-log.cfg: |-
    {{ lookup('file', '{{ roles_path }}/fas_server/files/fas-log.cfg') | indent() }}
-  pubring.gpg: |-
-    {{ lookup('file', '{{ private }}/files/fas-gpg/pubring.gpg') | indent() }}
  fas.cfg: |-
    {{ load_file('fas.cfg.j2') | indent() }}
  export-bugzilla.cfg: |-
--- a/roles/openshift-apps/fas/templates/buildconfig-fas.yml
+++ b/roles/openshift-apps/fas/templates/buildconfig-fas.yml
@ -29,15 +29,12 @@ spec:

      # Set up config symlinks
      RUN rm -f /etc/krb5.conf && \
-        rm -f /etc/fas-gpg/pubring.gpg && \
        rm -f /etc/fas.cfg && \
        rm -f /usr/sbin/export-bugzilla && \
        rm -f /usr/lib/python2.6/site-packages/fas/config/log.cfg && \
        ln -sf /etc/fas/krb5.conf /etc/krb5.conf && \
-        ln -sf /etc/fas/pubring.gpg /etc/fas-gpg/pubring.gpg &&\
        ln -sf /etc/fas/fas.cfg /etc/fas.cfg && \
        ln -sf /etc/fas/fas-log.cfg /usr/lib/python2.6/site-packages/fas/config/log.cfg && \
-        ln -sf /etc/fas/fas_sync_keytab /etc/fas_sync_keytab

      EXPOSE 8080
      ENTRYPOINT bash /etc/fas/start.sh
--- a/roles/openshift-apps/fas/templates/deploymentconfig-fas.yml
+++ b/roles/openshift-apps/fas/templates/deploymentconfig-fas.yml
@ -37,6 +37,12 @@ spec:
        - name: config-volume
          mountPath: /etc/fas
          readOnly: true
+        - name: secret-sync-keytab
+          mountPath: /etc/fas_sync_keytab
+          readOnly: true
+        - name: secret-pubring
+          mountPath: /etc/fas-gpg/pubring.gpg
+          readOnly: true
        - name: httpdir-volume
          mountPath: /httpdir
        readinessProbe:
@ -55,6 +61,12 @@ spec:
      - name: config-volume
        configMap:
          name: fas
+      - name: secret-sync-keytab
+        secret:
+          secretName: fas_sync_keytab
+      - name: secret-pubring
+        secret:
+          secretName: fas_gpg_pubring
      - name: httpdir-volume
        emptyDir: {}
  triggers: