diff --git a/playbooks/openshift-apps/fas.yml b/playbooks/openshift-apps/fas.yml
index 01337d9738..1a31122255 100644
--- a/playbooks/openshift-apps/fas.yml
+++ b/playbooks/openshift-apps/fas.yml
@@ -38,6 +38,14 @@
 app: fas
 template_fullpath: "{{roles_path}}/fas_server/templates/configmap.yml"
 objectname: configmap.yml
+ - role: openshift/secret-file
+ app: fas
+ privatefile: "keytabs/{{env}}/fas_sync"
+ key: fas_sync_keytab
+ - role: openshift/secret-file
+ app: fas
+ privatefile: "fas-gpg/pubring.gpg"
+ key: fas_gpg_pubring
 - role: openshift/object
 app: fas
 file: service-fas.yml
diff --git a/roles/fas_server/templates/configmap.yml b/roles/fas_server/templates/configmap.yml
index d8f2a4d8e0..41bb01d239 100644
--- a/roles/fas_server/templates/configmap.yml
+++ b/roles/fas_server/templates/configmap.yml
@@ -80,14 +80,10 @@ data: # FAS stuff {{ load_file('fas-app.conf.j2') | indent() }} - fas_sync_keytab: |- {{ lookup('file', '{{ private }}/files/keytabs/{{env}}/fas_sync') | indent() }} fas_sync_cert.pem: |- {{ lookup('file', '{{ roles_path }}/fas_server/files/ipa.{{env}}.pem') | indent() }} fas-log.cfg: |- {{ lookup('file', '{{ roles_path }}/fas_server/files/fas-log.cfg') | indent() }} - pubring.gpg: |- {{ lookup('file', '{{ private }}/files/fas-gpg/pubring.gpg') | indent() }} fas.cfg: |- {{ load_file('fas.cfg.j2') | indent() }} export-bugzilla.cfg: |-
diff --git a/roles/openshift-apps/fas/templates/buildconfig-fas.yml b/roles/openshift-apps/fas/templates/buildconfig-fas.yml
index ce7bc4d82c..8f84af72a3 100644
--- a/roles/openshift-apps/fas/templates/buildconfig-fas.yml
+++ b/roles/openshift-apps/fas/templates/buildconfig-fas.yml
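Review bot: The two new `openshift/secret-file` entries in fas.yml pass only `app`, `privatefile` and `key`, so the name of the Secret object each one creates is not visible in this hunk, while the volumes hunk of deploymentconfig-fas.yml references them as `secretName: fas_sync_keytab` and `secretName: fas_gpg_pubring`. Kubernetes object names must be lowercase DNS-style names, which do not allow underscores, so a Secret cannot exist under either of those names and the pod would stay blocked on its volumes. If the role accepts a separate name argument, pass hyphenated names such as `fas-sync-keytab` and `fas-gpg-pubring` here and use the same values in `secretName`; underscores remain acceptable in the data `key`. The role's source is outside this diff, so confirm how it derives the object name.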
@@ -29,15 +29,12 @@ spec: # Set up config symlinks RUN rm -f /etc/krb5.conf && \ - rm -f /etc/fas-gpg/pubring.gpg && \ rm -f /etc/fas.cfg && \ rm -f /usr/sbin/export-bugzilla && \ rm -f /usr/lib/python2.6/site-packages/fas/config/log.cfg && \ ln -sf /etc/fas/krb5.conf /etc/krb5.conf && \ - ln -sf /etc/fas/pubring.gpg /etc/fas-gpg/pubring.gpg &&\ ln -sf /etc/fas/fas.cfg /etc/fas.cfg && \ ln -sf /etc/fas/fas-log.cfg /usr/lib/python2.6/site-packages/fas/config/log.cfg && \ - ln -sf /etc/fas/fas_sync_keytab /etc/fas_sync_keytab EXPOSE 8080 ENTRYPOINT bash /etc/fas/start.sh
diff --git a/roles/openshift-apps/fas/templates/deploymentconfig-fas.yml b/roles/openshift-apps/fas/templates/deploymentconfig-fas.yml
index d400a8d56e..ebdb701b4b 100644
--- a/roles/openshift-apps/fas/templates/deploymentconfig-fas.yml
+++ b/roles/openshift-apps/fas/templates/deploymentconfig-fas.yml
@@ -37,6 +37,12 @@ spec:
 - name: config-volume
 mountPath: /etc/fas
 readOnly: true
+ - name: secret-sync-keytab
+ mountPath: /etc/fas_sync_keytab
+ readOnly: true
+ - name: secret-pubring
+ mountPath: /etc/fas-gpg/pubring.gpg
+ readOnly: true
 - name: httpdir-volume
 mountPath: /httpdir
 readinessProbe:
@@ -55,6 +61,12 @@ spec:
 - name: config-volume
 configMap:
 name: fas
+ - name: secret-sync-keytab
+ secret:
+ secretName: fas_sync_keytab
+ - name: secret-pubring
+ secret:
+ secretName: fas_gpg_pubring
 - name: httpdir-volume
 emptyDir: {}
 triggers:
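Review bot: With the final `ln -sf /etc/fas/fas_sync_keytab /etc/fas_sync_keytab` removed, the last command left in the RUN instruction of buildconfig-fas.yml is `ln -sf /etc/fas/fas-log.cfg /usr/lib/python2.6/site-packages/fas/config/log.cfg && \`, which still ends in `&& \`. The continuation then either runs into `EXPOSE 8080` or leaves a dangling `&&`, and in both cases the image build should fail. Drop the trailing `&& \` from that line so it becomes the terminating command of the RUN. Blank lines appear to have been lost in this rendering of the hunk, so check the exact layout in the file.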
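Review bot: A secret volume is mounted as a directory holding one file per data key, so `mountPath: /etc/fas_sync_keytab` and `mountPath: /etc/fas-gpg/pubring.gpg` in the first deploymentconfig-fas.yml hunk become directories rather than the files that the symlinks removed from buildconfig-fas.yml used to provide. Anything that opens `/etc/fas_sync_keytab` as a keytab, or `/etc/fas-gpg/pubring.gpg` as a keyring, would then fail. Add `subPath: fas_sync_keytab` and `subPath: fas_gpg_pubring` to the respective mounts (assuming the `key` values set in fas.yml are the data keys), or mount each secret on its own directory and point the configuration at the file inside. The volumeMounts list starts and ends outside this hunk.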
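Review bot: The `secret-sync-keytab` volume in the second deploymentconfig-fas.yml hunk carries a Kerberos keytab but sets no `defaultMode`, so its file is projected with the default mode 0644 and is readable by every user inside the container. Add `defaultMode: 0440` under `secret:` for that volume, and confirm that the UID or supplemental group the FAS process runs with can still read it. The public keyring volume can keep the default. The volumes list starts and ends outside this hunk.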