
Move deployment/deploy-openbao-kayobe-automation.yml to secret-store/…#2227

Draft
maxstack wants to merge 1 commit intostackhpc/2025.1from
update-secret-store-runners

Conversation

@maxstack
Contributor

Fixes openbao deployment issues on GitHub runner.
Also moves this deploy playbook into the secret-store ansible location alongside its unseal counterpart.

Changes made:

  • generally define all variables similarly to the seed and overcloud deploy playbooks
  • use docker0 network interface for GitHub as the kayobe automation containers can't contact the host's localhost
  • keep the network interface as lo for Gitlab deployments, which seems to be where this playbook was working
  • fix api_url adding missing protocol


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request integrates OpenBao as a secret store for GitHub and GitLab CI/CD workflows. It updates the documentation to guide users on deploying OpenBao, configuring workflows to retrieve secrets, and managing secrets/variables based on whether OpenBao is used. The Ansible playbooks for deploying and unsealing OpenBao on runners have been modified to dynamically configure network interfaces and standardize paths. Review feedback indicates that the vault_unseal_verify: false parameter is commented out in both the deploy and unseal playbooks, which could lead to failures with self-signed certificates. Additionally, a phrase in the documentation regarding 'add network IP' needs clarification, and the table for secrets when OpenBao is not used is incorrect, as it redundantly includes REGISTRY_PASSWORD and omits KAYOBE_VAULT_PASSWORD. Finally, the vault_unseal_token is unnecessarily included in the unseal playbook.

…secret-store-deploy-openbao-runners.yml

This is inline with the playbooks installing vault/openbao for the seed and overcloud.

Fix deployment issues with GitHub runners:
 * determine network interface to use, docker0 or lo
 * protocol missing from api_uri
 * general fixes so playbook's more inline with other secret-store-deploy playbooks
