From a060cef52e124a3f2e2b542df849c97e1aead979 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 21 Nov 2022 10:56:42 +0100 Subject: [PATCH] FMN: add a keytab for FASJSON access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Bompard --- playbooks/openshift-apps/fmn.yml | 9 +++++++++ .../fmn/templates/deploymentconfig.yml | 16 ++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/playbooks/openshift-apps/fmn.yml b/playbooks/openshift-apps/fmn.yml index cd48dcdd51..6527d705eb 100644 --- a/playbooks/openshift-apps/fmn.yml +++ b/playbooks/openshift-apps/fmn.yml @@ -139,6 +139,7 @@ file: service.yml objectname: service.yml + # Routes - role: openshift/route app: fmn routename: frontend @@ -166,6 +167,7 @@ annotations: haproxy.router.openshift.io/timeout: 5m + # Secrets - role: openshift/object app: fmn template: secrets.yml @@ -198,3 +200,10 @@ app: fmn template: deploymentconfig.yml objectname: deploymentconfig.yml + + # Keytab for FASJSON access + - role: openshift/keytab + app: fmn + key: service.keytab + secret_name: keytab + service: fmn diff --git a/roles/openshift-apps/fmn/templates/deploymentconfig.yml b/roles/openshift-apps/fmn/templates/deploymentconfig.yml index 2948726473..26dc407e7f 100644 --- a/roles/openshift-apps/fmn/templates/deploymentconfig.yml +++ b/roles/openshift-apps/fmn/templates/deploymentconfig.yml @@ -87,6 +87,9 @@ spec: - name: etc-fmn mountPath: "/etc/fmn" readOnly: true + - name: keytab-volume + mountPath: /etc/keytabs + readOnly: true - name: rabbitmq-ca-volume mountPath: /etc/pki/rabbitmq/ca readOnly: true @@ -105,11 +108,16 @@ spec: secretKeyRef: name: fmn key: oidc-client-secret + - name: KRB5_CLIENT_KTNAME + value: /etc/keytabs/service.keytab volumes: - name: etc-fmn configMap: name: fmn + - name: keytab-volume + secret: + secretName: keytab - name: rabbitmq-ca-volume mountPath: /etc/pki/rabbitmq/ca readOnly: true 
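Review bot: The new `openshift/keytab` role is appended after the `deploymentconfig.yml` object role, while the `# Secrets` heading this same commit adds groups secret-producing roles ahead of the DeploymentConfig; on a fresh run the DeploymentConfig that mounts `secretName: keytab` is therefore applied before that Secret exists. If the role is what creates the Secret (its implementation is not in this patch, so this is inferred), pods of the first rollout will sit in ContainerCreating until it appears and the deployer may time out. Moving the `# Keytab for FASJSON access` stanza up under `# Secrets`, ahead of the deploymentconfig role, keeps ordering and grouping consistent. The comment could also name the consumer, e.g. `# Keytab for FASJSON access (mounted by deploymentconfig.yml as the "keytab" Secret)`.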
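Review bot: The `keytab-volume` Secret volume added under `volumes:` sets no `defaultMode`, so the keytab is projected with the Kubernetes default of 0644 and is readable by any UID in the container; for a Kerberos key this should be `defaultMode: 0440` (or the decimal `288`, which sidesteps the YAML octal-vs-decimal ambiguity) placed next to `secretName: keytab`. Whether group-read is enough depends on the pod running under an SCC that assigns an fsGroup; owner-only 0400 would be unreadable by a random non-root UID, so confirm against the SCC in use. The `KRB5_CLIENT_KTNAME` value `/etc/keytabs/service.keytab` matches the `mountPath` in the new volumeMount and the `key: service.keytab` in `fmn.yml`, which is consistent. Separately, the context lines show `rabbitmq-ca-volume` under `volumes:` carrying `mountPath`/`readOnly` rather than a volume source, which looks like a pre-existing volumeMount copy-paste rather than something this patch introduced — worth checking whether the rendered template is actually accepted with that stanza. The enclosing container and pod `spec` begin outside the hunk.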
@@ -159,6 +167,9 @@ spec: - name: etc-fmn mountPath: "/etc/fmn" readOnly: true + - name: keytab-volume + mountPath: /etc/keytabs + readOnly: true - name: fedora-messaging-ca-volume mountPath: /etc/pki/fedora-messaging/ca readOnly: true @@ -171,10 +182,15 @@ spec: env: - name: APP_SCRIPT value: ".s2i/run-consumer.sh" + - name: KRB5_CLIENT_KTNAME + value: /etc/keytabs/service.keytab volumes: - name: etc-fmn configMap: name: fmn + - name: keytab-volume + secret: + secretName: keytab - name: fedora-messaging-ca-volume secret: secretName: fedora-messaging-ca
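Review bot: `KRB5_CLIENT_KTNAME` gives the consumer container a keytab, but nothing in this hunk supplies the Kerberos client configuration GSSAPI also needs (a `krb5.conf` naming the realm and KDC, and a writable credential-cache location); I cannot see whether the image or the `etc-fmn` ConfigMap provides these, so confirm before relying on this for FASJSON calls. The commit mounts the same service keytab into both the web and the consumer containers; if only one of them actually calls FASJSON (not determinable from the patch), the other's mount could be dropped for least privilege. This `keytab-volume` also omits `defaultMode`, so the keytab lands at 0644 in the container; `defaultMode: 0440` (decimal `288`) under `secret:` narrows it, subject to the pod's fsGroup allowing group read. The container definition and `volumes:` list this hunk edits begin outside it.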