fas: deploy totpcgi certs

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2019-05-11 17:48:51 +02:00 · 2019-05-11 17:48:51 +02:00 · f671830ba2
commit f671830ba2
parent 21b3c9a2b3
2 changed files with 27 additions and 0 deletions
--- a/playbooks/openshift-apps/fas.yml
+++ b/playbooks/openshift-apps/fas.yml
@ -108,6 +108,17 @@
    app: fas
    template: deploymentconfig-totpcgi.yml
    objectname: deploymentconfig-totpcgi.yml
+  - role: openshift/secret-tls
+    app: fas
+    key: tls-cert-primary
+    private_cert: "2fa-certs/keys/fas-all{{ env_suffix }}.phx2.fedoraproject.org.crt"
+    private_key: "2fa-certs/keys/fas-all{{ env_suffix }}.phx2.fedoraproject.org.key"
+  - role: openshift/secret-tls
+    app: fas
+    key: tls-cert-vpn
+    private_cert: "2fa-certs/keys/fas-all.vpn.fedoraproject.org.crt"
+    private_key: "2fa-certs/keys/fas-all.vpn.fedoraproject.org.key"
+    when: env == "production"
  - role: openshift/rollout
    app: fas
    dcname: fas
--- a/roles/openshift-apps/fas/templates/deploymentconfig-totpcgi.yml
+++ b/roles/openshift-apps/fas/templates/deploymentconfig-totpcgi.yml
@ -40,12 +40,28 @@ spec:
          readOnly: true
        - name: httpdir-volume
          mountPath: /httpdir
+        - name: secret-tls-primary
+          mountPath: /etc/pki/totp_primary
+          readOnly: true
+{% if env == "production" %}
+        - name: secret-tls-vpn
+          mountPath: /etc/pki/totp_vpn
+          readOnly: true
+{% endif %}
      volumes:
      - name: config-volume
        configMap:
          name: totpcgi
      - name: httpdir-volume
        emptyDir: {}
+      - name: secret-tls-primary
+        secret:
+          secretName: tls-cert-primary
+{% if env == "production" %}
+      - name: secret-tls-vpn
+        secret:
+          secretName: tls-cert-vpn
+{% endif %}
  triggers:
  - imageChangeParams:
      automatic: true