diff --git a/playbooks/openshift-apps/cloud-image-uploader.yml b/playbooks/openshift-apps/cloud-image-uploader.yml
index 432a4d2459..3682a2269b 100644
--- a/playbooks/openshift-apps/cloud-image-uploader.yml
+++ b/playbooks/openshift-apps/cloud-image-uploader.yml
@@ -142,6 +142,12 @@
 secret_file_key: registry-fedoraproject.key
 secret_file_privatefile: "docker-registry/{{env}}/pki/private/containerstable.key"
+ - role: openshift/secret-file
+ secret_file_app: cloud-image-uploader
+ secret_file_secret_name: cloud-image-uploader-azure-key
+ secret_file_key: azure_client.key
+ secret_file_privatefile: "cloud-image-uploader/fedora-image-uploader{{env_suffix}}.key.pem"
+
 - role: openshift/secret-file
 secret_file_app: cloud-image-uploader
 secret_file_secret_name: cloud-image-uploader-google-cloud-key
diff --git a/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml.j2 b/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml.j2
index 14c8c2785c..c98e99a3c1 100644
--- a/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml.j2
+++ b/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml.j2
@@ -43,6 +43,9 @@ spec:
 - name: google-cloud-key-volume
 secret:
 secretName: cloud-image-uploader-google-cloud-key
+ - name: azure-key-volume
+ secret:
+ secretName: cloud-image-uploader-azure-key
 # skopeo wants the cert and key in the same directory
 - name: registry-fedoraproject
 projected:
@@ -57,17 +60,12 @@ spec:
 imagePullPolicy: Always
 workingDir: /srv/cloud-uploader/
 env:
- - name: AZURE_SECRET
- valueFrom:
- secretKeyRef:
- name: azure-credentials
- key: secret
 - name: AZURE_CLIENT_ID
 valueFrom:
 secretKeyRef:
 name: azure-credentials
 key: client_id
- - name: AZURE_TENANT
+ - name: AZURE_TENANT_ID
 valueFrom:
 secretKeyRef:
 name: azure-credentials
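Review bot: The key name `azure_client.key` in the new `openshift/secret-file` entry understates what the file has to contain, since the deployment later exposes it through `AZURE_CLIENT_CERTIFICATE_PATH`. If the uploader authenticates through the Azure SDK's environment credential, that path must point at a PEM (or PKCS12) file carrying the certificate together with its private key, not a bare key. Assuming the `.key.pem` source is such a bundle, a comment above the role would stop a later maintainer from "correcting" it, e.g. `# PEM bundle: client certificate + private key for Azure certificate auth`. No `AZURE_CLIENT_CERTIFICATE_PASSWORD` is set anywhere in this change, so the key is presumably stored unencrypted and protected only by access to the secret.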
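Review bot: The new `azure-key-volume` entry holds a private key but sets no file mode, so the secret volume falls back to the Kubernetes default of 0644 and every process in the mounting containers can read it whatever its UID. Consider adding `defaultMode: 0440` under `secret:`; the group bit is likely needed if the pod reads the file through an fsGroup, as is usual on OpenShift, so confirm against the pod's security context. The neighbouring `google-cloud-key-volume` has the same shape and could be tightened the same way. The `volumes:` list starts and ends outside this hunk.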
@@ -77,6 +75,8 @@ spec:
 secretKeyRef:
 name: azure-credentials
 key: subscription_id
+ - name: AZURE_CLIENT_CERTIFICATE_PATH
+ value: "/etc/pki/azure/azure_client.key"
 - name: FEDORA_MESSAGING_CONF
 value: "/etc/fedora-messaging/azure-config.toml"
 volumeMounts:
@@ -92,22 +92,20 @@ spec:
 - name: fedora-messaging-cert-volume
 mountPath: /etc/pki/rabbitmq/cert
 readOnly: true
+ - name: azure-key-volume
+ mountPath: /etc/pki/azure/
+ readOnly: true
 - name: azure-image-tester
 image: image-registry.openshift-image-registry.svc:5000/cloud-image-uploader/fedora-image-tester:latest
 imagePullPolicy: Always
 workingDir: /srv/fedora-image-tester/
 env:
- - name: AZURE_SECRET
- valueFrom:
- secretKeyRef:
- name: azure-credentials
- key: secret
 - name: AZURE_CLIENT_ID
 valueFrom:
 secretKeyRef:
 name: azure-credentials
 key: client_id
- - name: AZURE_TENANT
+ - name: AZURE_TENANT_ID
 valueFrom:
 secretKeyRef:
 name: azure-credentials
@@ -117,6 +115,8 @@ spec:
 secretKeyRef:
 name: azure-credentials
 key: subscription_id
+ - name: AZURE_CLIENT_CERTIFICATE_PATH
+ value: "/etc/pki/azure/azure_client.key"
 - name: FEDORA_MESSAGING_CONF
 value: "/etc/fedora-messaging/azure-tester-config.toml"
 volumeMounts:
@@ -132,6 +132,9 @@ spec:
 - name: fedora-messaging-cert-volume
 mountPath: /etc/pki/rabbitmq/cert
 readOnly: true
+ - name: azure-key-volume
+ mountPath: /etc/pki/azure/
+ readOnly: true
 - name: aws-image-uploader
 image: image-registry.openshift-image-registry.svc:5000/cloud-image-uploader/cloud-image-uploader:latest
 imagePullPolicy: Always
diff --git a/roles/openshift-apps/cloud-image-uploader/templates/secret.yml.j2 b/roles/openshift-apps/cloud-image-uploader/templates/secret.yml.j2
index fe32a5a9bf..e36fcec9d0 100644
--- a/roles/openshift-apps/cloud-image-uploader/templates/secret.yml.j2
+++ b/roles/openshift-apps/cloud-image-uploader/templates/secret.yml.j2
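Review bot: The `AZURE_CLIENT_CERTIFICATE_PATH` value added in the `@@ -77,6 +75,8 @@` hunk is a literal that has to stay in sync with two other places: the `mountPath: /etc/pki/azure/` of `azure-key-volume` and the `secret_file_key: azure_client.key` set in the playbook. A mismatch would only surface at runtime as an authentication failure, so a short comment beside the value would help, e.g. `# azure-key-volume mountPath + secret_file_key from the playbook`. The same literal is repeated for the `azure-image-tester` container in the `@@ -117,6 +115,8 @@` hunk, and both containers now mount the same private key. If the tester needs fewer Azure permissions than the uploader, it may warrant a separate identity. The `env:` lists continue outside these hunks.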
@@ -7,11 +7,9 @@ metadata:
 app: "cloud-image-uploader"
 stringData:
 {% if env == 'staging' %}
- secret: "{{stg_azure_secret}}"
 client_id: "{{stg_azure_client_id}}"
 tenant_id: "{{stg_azure_tenant_id}}"
 {% else %}
- secret: "{{prod_azure_secret}}"
 client_id: "{{prod_azure_client_id}}"
 tenant_id: "{{prod_azure_tenant_id}}"
 {% endif %}
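Review bot: Dropping the two `secret:` keys takes the client secret out of the rendered Secret, but nothing here shows that the credential itself is being retired. `stg_azure_secret` and `prod_azure_secret` presumably still exist in the private vars and stay valid on the Azure app registration until they are deleted there. A template comment recording the follow-up would keep that from being forgotten, e.g. `{# client secret removed: auth is certificate-based; revoke the old app secrets in Azure #}`. The Secret's metadata and remaining keys continue outside the hunk.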