FMN: add a keytab for FASJSON access

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2022-11-21 10:56:42 +01:00 · 2022-11-21 10:56:42 +01:00 · a060cef52e
commit a060cef52e
parent 2b53f7bd03
2 changed files with 25 additions and 0 deletions
--- a/playbooks/openshift-apps/fmn.yml
+++ b/playbooks/openshift-apps/fmn.yml
@ -139,6 +139,7 @@
      file: service.yml
      objectname: service.yml

+    # Routes
    - role: openshift/route
      app: fmn
      routename: frontend
@ -166,6 +167,7 @@
      annotations:
        haproxy.router.openshift.io/timeout: 5m

+    # Secrets
    - role: openshift/object
      app: fmn
      template: secrets.yml
@ -198,3 +200,10 @@
      app: fmn
      template: deploymentconfig.yml
      objectname: deploymentconfig.yml
+
+    # Keytab for FASJSON access
+    - role: openshift/keytab
+      app: fmn
+      key: service.keytab
+      secret_name: keytab
+      service: fmn
--- a/roles/openshift-apps/fmn/templates/deploymentconfig.yml
+++ b/roles/openshift-apps/fmn/templates/deploymentconfig.yml
@ -87,6 +87,9 @@ spec:
            - name: etc-fmn
              mountPath: "/etc/fmn"
              readOnly: true
+            - name: keytab-volume
+              mountPath: /etc/keytabs
+              readOnly: true
            - name: rabbitmq-ca-volume
              mountPath: /etc/pki/rabbitmq/ca
              readOnly: true
@ -105,11 +108,16 @@ spec:
                secretKeyRef:
                  name: fmn
                  key: oidc-client-secret
+            - name: KRB5_CLIENT_KTNAME
+              value: /etc/keytabs/service.keytab

      volumes:
        - name: etc-fmn
          configMap:
            name: fmn
+        - name: keytab-volume
+          secret:
+            secretName: keytab
        - name: rabbitmq-ca-volume
          mountPath: /etc/pki/rabbitmq/ca
          readOnly: true
@ -159,6 +167,9 @@ spec:
            - name: etc-fmn
              mountPath: "/etc/fmn"
              readOnly: true
+            - name: keytab-volume
+              mountPath: /etc/keytabs
+              readOnly: true
            - name: fedora-messaging-ca-volume
              mountPath: /etc/pki/fedora-messaging/ca
              readOnly: true
@ -171,10 +182,15 @@ spec:
          env:
            - name: APP_SCRIPT
              value: ".s2i/run-consumer.sh"
+            - name: KRB5_CLIENT_KTNAME
+              value: /etc/keytabs/service.keytab
      volumes:
        - name: etc-fmn
          configMap:
            name: fmn
+        - name: keytab-volume
+          secret:
+            secretName: keytab
        - name: fedora-messaging-ca-volume
          secret:
            secretName: fedora-messaging-ca