From f671830ba2253bb1007410653b286c27d5b25c06 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sat, 11 May 2019 17:48:51 +0200
Subject: [PATCH] fas: deploy totpcgi certs
Signed-off-by: Patrick Uiterwijk
---
 playbooks/openshift-apps/fas.yml | 11 +++++++++++
 .../fas/templates/deploymentconfig-totpcgi.yml | 16 ++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/playbooks/openshift-apps/fas.yml b/playbooks/openshift-apps/fas.yml
index c3105b36df..82336e5860 100644
--- a/playbooks/openshift-apps/fas.yml
+++ b/playbooks/openshift-apps/fas.yml
@@ -108,6 +108,17 @@
 app: fas
 template: deploymentconfig-totpcgi.yml
 objectname: deploymentconfig-totpcgi.yml
+ - role: openshift/secret-tls
+ app: fas
+ key: tls-cert-primary
+ private_cert: "2fa-certs/keys/fas-all{{ env_suffix }}.phx2.fedoraproject.org.crt"
+ private_key: "2fa-certs/keys/fas-all{{ env_suffix }}.phx2.fedoraproject.org.key"
+ - role: openshift/secret-tls
+ app: fas
+ key: tls-cert-vpn
+ private_cert: "2fa-certs/keys/fas-all.vpn.fedoraproject.org.crt"
+ private_key: "2fa-certs/keys/fas-all.vpn.fedoraproject.org.key"
+ when: env == "production"
 - role: openshift/rollout
 app: fas
 dcname: fas
diff --git a/roles/openshift-apps/fas/templates/deploymentconfig-totpcgi.yml b/roles/openshift-apps/fas/templates/deploymentconfig-totpcgi.yml
index 2b6205b9a3..60af3871c4 100644
--- a/roles/openshift-apps/fas/templates/deploymentconfig-totpcgi.yml
+++ b/roles/openshift-apps/fas/templates/deploymentconfig-totpcgi.yml
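Review bot: Both new `openshift/secret-tls` entries come after the entry that applies `deploymentconfig-totpcgi.yml`, so on a first run the deployment config that mounts `tls-cert-primary` is applied before that secret exists. Any pod started in that window would likely stay unscheduled on the missing volume until the secret appears, so moving the two secret entries above the deploymentconfig entry makes the order match the dependency. The `when: env == "production"` on `tls-cert-vpn` also has to stay in step with the environment check in the template, which is worth a comment such as `# tls-cert-vpn is production-only; keep in sync with the env check in deploymentconfig-totpcgi.yml`. The roles list starts and ends outside this hunk, so an existing ordering guarantee elsewhere cannot be ruled out.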
@@ -40,12 +40,28 @@ spec:
 readOnly: true
 - name: httpdir-volume
 mountPath: /httpdir
+ - name: secret-tls-primary
+ mountPath: /etc/pki/totp_primary
+ readOnly: true
+{% if env == "production" %}
+ - name: secret-tls-vpn
+ mountPath: /etc/pki/totp_vpn
+ readOnly: true
+{% endif %}
 volumes:
 - name: config-volume
 configMap:
 name: totpcgi
 - name: httpdir-volume
 emptyDir: {}
+ - name: secret-tls-primary
+ secret:
+ secretName: tls-cert-primary
+{% if env == "production" %}
+ - name: secret-tls-vpn
+ secret:
+ secretName: tls-cert-vpn
+{% endif %}
 triggers:
 - imageChangeParams:
 automatic: true
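Review bot: The two new `secret:` volumes under `volumes:` set no `defaultMode`, so their files are projected with the default 0644 mode. Going by the playbook hunk, these secrets are built from a `.key` file, so the TLS private key would be readable by every user and process in the container. Adding `defaultMode: 0440` under each `secret:` block limits it to the owner and the pod's group. Whether the web server's UID can still read the key at that mode depends on the pod security context, which is outside this hunk, as is the start of the container spec and the `volumeMounts` list, so confirm it before tightening. The `readOnly: true` mounts are good as they are.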