Skip to content

Support Vault to OpenBao migration#2095

Open
seunghun1ee wants to merge 10 commits intostackhpc/2025.1from
vault-bao-migration
Open

Support Vault to OpenBao migration#2095
seunghun1ee wants to merge 10 commits intostackhpc/2025.1from
vault-bao-migration

Conversation

@seunghun1ee
Copy link
Copy Markdown
Member

@seunghun1ee seunghun1ee commented Jan 20, 2026

Adds four playbooks used for migrating Vault to OpenBao.

The version of stackhpc.hashicorp collection needs to be bumped after stackhpc/ansible-collection-hashicorp#85 is merged and released.

But as SKC's contents are ready, marked as ready.

@seunghun1ee seunghun1ee self-assigned this Jan 20, 2026
@seunghun1ee seunghun1ee requested a review from a team as a code owner January 20, 2026 16:21
@seunghun1ee seunghun1ee added documentation Improvements or additions to documentation ansible Ansible playbooks Epoxy labels Jan 20, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jan 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

The pull request introduces a comprehensive set of Ansible playbooks and updated documentation to support the migration from Hashicorp Vault to OpenBao. The new playbooks are well-structured to manage the migration process across seed and overcloud environments, including configuration updates. However, a critical issue exists in the migration playbooks where the stackhpc_ca_secret_store variable is used dynamically to include secret store keys. This can lead to incorrect key retrieval if the variable is already set to 'openbao' during a Vault migration, causing the migration to fail. Additionally, there are minor documentation formatting issues and some file permissions that could be more restrictive for sensitive configuration files.

Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-overcloud.yml
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-seed.yml
Comment thread doc/source/configuration/openbao.rst Outdated
Comment thread doc/source/configuration/openbao.rst Outdated
Comment thread doc/source/configuration/openbao.rst Outdated
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml Outdated
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-overcloud.yml
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-seed.yml
@seunghun1ee
Copy link
Copy Markdown
Member Author

seunghun1ee commented Jan 20, 2026

Linters are failing because missing playbook is not released from stackhpc.hashicorp collection yet

MoteHue
MoteHue requested changes Jan 21, 2026
View reviewed changes
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml Outdated
@seunghun1ee seunghun1ee requested a review from MoteHue January 21, 2026 15:47
@seunghun1ee seunghun1ee force-pushed the vault-bao-migration branch 2 times, most recently from a211eaa to 3eac2af Compare January 26, 2026 10:26
bbezak
bbezak requested changes Jan 26, 2026
View reviewed changes
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-overcloud.yml Outdated
@seunghun1ee seunghun1ee requested a review from bbezak January 26, 2026 13:39
mnasiadka
mnasiadka reviewed Jan 26, 2026
View reviewed changes
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml Outdated
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml Outdated
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml
Comment thread etc/kayobe/ansible/secret-store/vault-bao-migration-seed.yml Outdated
@seunghun1ee seunghun1ee requested a review from mnasiadka January 29, 2026 13:15
@seunghun1ee seunghun1ee force-pushed the vault-bao-migration branch 2 times, most recently from 9fe21f3 to 8a5dde7 Compare March 19, 2026 14:47
@seunghun1ee seunghun1ee force-pushed the vault-bao-migration branch 3 times, most recently from 2794b86 to 7e9d23e Compare April 27, 2026 08:55
@seunghun1ee seunghun1ee force-pushed the vault-bao-migration branch from 7de4277 to 880ce60 Compare April 28, 2026 08:08
@seunghun1ee seunghun1ee reopened this Apr 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MoteHue MoteHue Awaiting requested review from MoteHue

@bbezak bbezak Awaiting requested review from bbezak

@mnasiadka mnasiadka Awaiting requested review from mnasiadka

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

@seunghun1ee seunghun1ee

Labels

ansible Ansible playbooks documentation Improvements or additions to documentation Epoxy

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@seunghun1ee @mnasiadka @bbezak @MoteHue