From a75297b0a233a6b4efaf76016225f68d49aac1c5 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Fri, 28 Oct 2016 12:37:13 +0000
Subject: [PATCH] Switch to krb for staging builders
Signed-off-by: Patrick Uiterwijk
---
 roles/koji_builder/tasks/main.yml | 6 ++++++
 roles/koji_builder/templates/kojid.conf | 7 +++++++
 2 files changed, 13 insertions(+)
diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml
index 1d59c5b9bc..1126ddd8ec 100644
--- a/roles/koji_builder/tasks/main.yml
+++ b/roles/koji_builder/tasks/main.yml
@@ -1,6 +1,12 @@
 #
 # This is a base koji_builder role.
 #
+dependencies:
+ - role: keytab/service
+ kt_location: /etc/kojid/kojid.keytab
+ service: compile
+ when: env == "staging"
+
 - name: set hostname
 hostname: name="{{inventory_hostname}}"
 tags:
diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf
index 53b682521d..25837f4a59 100644
--- a/roles/koji_builder/templates/kojid.conf
+++ b/roles/koji_builder/templates/kojid.conf
@@ -66,8 +66,15 @@ from_addr=Fedora Koji Build System
 ;configuration for SSL athentication
+{% if env == "staging" %}
+; Kerberos configuration
+host_principal_format = compile/%s@{{ ipa_realm }}
+keytab = /etc/kojid/kojid.keytab
+krbservice = host
+{% else %}
 ;client certificate - puppet generated
 cert = /etc/kojid/kojibuilder.pem
+{% endif %}
 ;certificate of the CA that issued the client certificate
 ca = /etc/kojid/cacert.pem
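Review bot: The `dependencies:` block is added to `roles/koji_builder/tasks/main.yml`, but Ansible reads role dependencies from the role's `meta/main.yml`; a tasks file has to be a plain list of tasks. A top-level `dependencies:` mapping followed by `- name: set hostname` is likely to stop the file from parsing, and either way the `keytab/service` role would not run, so the keytab that the staging `kojid.conf` points at (`/etc/kojid/kojid.keytab`) would never be provisioned. Move the added lines unchanged into `roles/koji_builder/meta/main.yml` and leave this file as the task list. Since `keytab/service` is not shown here, it is also worth confirming that it installs the keytab readable only by the account kojid runs as. The task list continues beyond the end of the hunk.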
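Review bot: The Kerberos branch mixes two different principals without saying so: `host_principal_format` describes the builder's own `compile/%s` identity, while `krbservice = host` is the service part of the hub principal the builder authenticates to. A comment above that line, such as `; krbservice: service name of the hub's principal, not of this builder`, would stop a later edit from "correcting" it to `compile`. The keytab path and the `compile` service name are also repeated literally in the role dependency added in `tasks/main.yml`; a shared role variable would keep the two from drifting apart. The existing `;configuration for SSL athentication` heading now sits above the Kerberos settings as well, and the file continues outside the hunk.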