From b69f2bdaa36a5423ae488514909be44cb96e2c83 Mon Sep 17 00:00:00 2001
From: technowhizz <7688823+technowhizz@users.noreply.github.com>
Date: Thu, 12 Dec 2024 22:53:21 +0000
Subject: [PATCH 01/11] INFRA-839 Add config for pulp TLS

Add playbooks, config & docs for enabling pulp tls with vault

---
 doc/source/configuration/vault.rst | 25 +++++++++
 etc/kayobe/ansible/copy-ca-to-hosts.yml | 29 ++++++++++
 .../ansible/vault-generate-pulp-tls.yml | 53 +++++++++++++++++++
 etc/kayobe/pulp.yml | 4 +-
 .../notes/pulp-tls-105e47f0da602a25.yaml | 6 +++
 5 files changed, 115 insertions(+), 2 deletions(-)
 create mode 100644 etc/kayobe/ansible/copy-ca-to-hosts.yml
 create mode 100644 etc/kayobe/ansible/vault-generate-pulp-tls.yml
 create mode 100644 releasenotes/notes/pulp-tls-105e47f0da602a25.yaml

diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst
index 893af246c..660e8a48d 100644
--- a/doc/source/configuration/vault.rst
+++ b/doc/source/configuration/vault.rst
@@ -298,6 +298,31 @@ Enable the required TLS variables in kayobe and kolla kayobe overcloud host command run --command "systemctl restart kolla-nova_compute-container.service" --become --show-output -l compute +Pulp TLS with Vault +=================== +To enable tls for pulp using vault generated certificates, we first need to generate the certificates using vault and then configure the seed + seed-hypervisor + overcloud nodes to add the root CA to their trust. + +1. Run the playbook which will generate the certificates and add the root CA to the seed + seed-hypervisor + overcloud nodes + + .. code-block:: + + kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-generate-pulp-tls.yml + +2. Next, enable tls for pulp in pulp.yml + + .. code-block:: + + # Whether to enable TLS for Pulp. + pulp_enable_tls: true + +3. Redeploy pulp + + .. code-block:: + + kayobe seed service reconfigure -t seed-deploy-containers + +You should now have pulp running with tls enabled using the certificates generated by vault. + Barbican integration ==================== diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml new file mode 100644 index 000000000..eaf1e272c --- /dev/null +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml 
@@ -0,0 +1,29 @@
+---
+- name: Copy CA certificate and update trust
+ hosts: overcloud:seed:seed-hypervisor
+ become: true
+ vars:
+ cert_path: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem"
+
+ tasks:
+ - name: Copy certificate on RedHat family systems (Rocky, RHEL, CentOS)
+ copy:
+ src: "{{ cert_path }}"
+ dest: "/etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.pem"
+ mode: "0644"
+ when: ansible_facts.os_family == 'RedHat'
+
+ - name: Update CA trust on RedHat family systems
+ command: "update-ca-trust"
+ when: ansible_facts.os_family == 'RedHat'
+
+ - name: Copy certificate on Debian family systems (Ubuntu, Debian)
+ copy:
+ src: "{{ cert_path }}"
+ dest: "/usr/local/share/ca-certificates/OS-TLS-ROOT.crt"
+ mode: "0644"
+ when: ansible_facts.os_family == 'Debian'
+
+ - name: Update CA trust on Debian family systems
+ command: "update-ca-certificates"
+ when: ansible_facts.os_family == 'Debian'
diff --git a/etc/kayobe/ansible/vault-generate-pulp-tls.yml b/etc/kayobe/ansible/vault-generate-pulp-tls.yml
new file mode 100644
index 000000000..855639053
--- /dev/null
+++ b/etc/kayobe/ansible/vault-generate-pulp-tls.yml
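Review bot: The `update-ca-trust` and `update-ca-certificates` tasks at the end of the play run and report changed on every execution, because the `command` tasks have no `changed_when` and do not depend on whether the preceding copy actually changed anything, so the play is never idempotent. Register the copy result and gate the rebuild on it, e.g. `register: ca_copy` on the copy task and `when: ansible_facts.os_family == 'RedHat' and ca_copy is changed` on the command, or move both commands into a handler notified by the copy tasks. The later refactors of this file in patches 06 and 10 keep the same unconditional commands, so the fix applies there too.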
@@ -0,0 +1,53 @@
+---
+- name: Generate TLS certificate for pulp
+ hosts: controllers
+ run_once: true
+ vars:
+ vault_api_addr: "https://{{ internal_net_name | net_ip(groups['controllers'][0]) }}:8200"
+ vault_intermediate_ca_name: "OS-TLS-INT"
+ tasks:
+ - name: Include Vault keys
+ include_vars:
+ file: "{{ kayobe_env_config_path }}/vault/overcloud-vault-keys.json"
+ name: vault_keys
+
+ - name: Issue a certificate for pulp TLS
+ hashivault_pki_cert_issue:
+ url: "{{ vault_api_addr }}"
+ ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+ token: "{{ vault_keys.root_token }}"
+ mount_point: "{{ vault_intermediate_ca_name }}"
+ role: "{{ overcloud_vault_pki_internal_tls_role_name }}"
+ common_name: ""
+ verify: false
+ extra_params:
+ ip_sans: "{{ lookup('vars', admin_oc_net_name ~ '_ips')[groups.seed.0] }}"
+ register: pulp_cert
+ environment:
+ https_proxy: ''
+
+ - name: Ensure pulp certificates directory exists
+ file:
+ path: "{{ kayobe_env_config_path }}/pulp/certificates"
+ state: directory
+ delegate_to: localhost
+
+ - name: Copy pulp TLS certificate (including intermediate)
+ no_log: true
+ copy:
+ dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.crt"
+ content: |
+ {{ pulp_cert.data.certificate }}
+ {{ pulp_cert.data.issuing_ca }}
+ mode: 0600
+ delegate_to: localhost
+
+ - name: Copy pulp private key
+ no_log: true
+ copy:
+ dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.key"
+ content: "{{ pulp_cert.data.private_key }}"
+ mode: 0600
+ delegate_to: localhost
+
+- import_playbook: copy-ca-to-hosts.yml
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index aa3c63d01..4b353ed1a 100644
--- a/etc/kayobe/pulp.yml
+++ b/etc/kayobe/pulp.yml
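Review bot: The `Issue a certificate for pulp TLS` task registers the full Vault response, including `data.private_key`, into `pulp_cert` without `no_log: true`, so the private key is printed in verbose output and captured by any logging callback even though the two `copy` tasks that consume it are masked; add `no_log: true` to the issue task. The OpenBao variant added in patch 05 (`register: pulp_certificate`) has the same gap. Separately, `verify: false` disables TLS verification of `vault_api_addr` while `ca_cert` supplies a trust anchor for exactly that purpose, so the root token is sent to an endpoint whose identity is never checked; with the CA file in place, `verify: true` (or dropping the parameter) is the consistent setting, and if `verify: false` is intentional for a bootstrap case it deserves a comment saying so.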
@@ -14,10 +14,10 @@ pulp_port: "{{ '443' if pulp_enable_tls | bool else '80' }}" pulp_enable_tls: false # Path to a TLS certificate to use when TLS is enabled. -#pulp_cert_path: +pulp_cert_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.crt' if pulp_enable_tls | bool else '' }}" # Path to a TLS key to use when TLS is enabled. -#pulp_key_path: +pulp_key_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.key' if pulp_enable_tls | bool else '' }}" ############################################################################### # Local Pulp access credentials diff --git a/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml b/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml new file mode 100644 index 000000000..ed34e0f8b --- /dev/null +++ b/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Playbooks have been added to allow for the configuration of Pulp with TLS + using certificates generated from vault. Instructions have been added to + the docs. From c23938700a0991b4dce0992675a7a9aae59211a5 Mon Sep 17 00:00:00 2001 From: Dawud <7688823+technowhizz@users.noreply.github.com> Date: Fri, 13 Dec 2024 11:06:40 +0000 Subject: [PATCH 02/11] Update doc/source/configuration/vault.rst Dont start bifrost playbooks when deploying pulp tls Co-authored-by: Matt Crees --- doc/source/configuration/vault.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst index 660e8a48d..12fcbef50 100644 --- a/doc/source/configuration/vault.rst +++ b/doc/source/configuration/vault.rst @@ -319,7 +319,7 @@ To enable tls for pulp using vault generated certificates, we first need to gene .. code-block:: - kayobe seed service reconfigure -t seed-deploy-containers + kayobe seed service reconfigure -t seed-deploy-containers -kt none You should now have pulp running with tls enabled using the certificates generated by vault. 
From 1a64fe4308a0d1dc39dc48658a63f32c0ad3d25d Mon Sep 17 00:00:00 2001 From: technowhizz <7688823+technowhizz@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:38:37 +0000 Subject: [PATCH 03/11] Add message about pulp tls and new ddeployments --- doc/source/configuration/vault.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst index 12fcbef50..398e0c360 100644 --- a/doc/source/configuration/vault.rst +++ b/doc/source/configuration/vault.rst @@ -300,6 +300,10 @@ Enable the required TLS variables in kayobe and kolla Pulp TLS with Vault =================== +.. warning:: + + These steps are intended for enabling tls for pulp on an existing deployment as on a new deployment the overcloud vaults may not be up at this point. + To enable tls for pulp using vault generated certificates, we first need to generate the certificates using vault and then configure the seed + seed-hypervisor + overcloud nodes to add the root CA to their trust. 1. Run the playbook which will generate the certificates and add the root CA to the seed + seed-hypervisor + overcloud nodes From 59fcd1acb190fbd0915dc9069c29a0b28d027008 Mon Sep 17 00:00:00 2001 From: technowhizz <7688823+technowhizz@users.noreply.github.com> Date: Mon, 24 Feb 2025 13:13:23 +0000 Subject: [PATCH 04/11] Add FQCNs --- etc/kayobe/ansible/copy-ca-to-hosts.yml | 8 ++++---- etc/kayobe/ansible/vault-generate-pulp-tls.yml | 13 +++++++------ 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml index eaf1e272c..ab0f3eaed 100644 --- a/etc/kayobe/ansible/copy-ca-to-hosts.yml +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml 
@@ -7,23 +7,23 @@ tasks: - name: Copy certificate on RedHat family systems (Rocky, RHEL, CentOS) - copy: + ansible.builtin.copy: src: "{{ cert_path }}" dest: "/etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.pem" mode: "0644" when: ansible_facts.os_family == 'RedHat' - name: Update CA trust on RedHat family systems - command: "update-ca-trust" + ansible.builtin.command: "update-ca-trust" when: ansible_facts.os_family == 'RedHat' - name: Copy certificate on Debian family systems (Ubuntu, Debian) - copy: + ansible.builtin.copy: src: "{{ cert_path }}" dest: "/usr/local/share/ca-certificates/OS-TLS-ROOT.crt" mode: "0644" when: ansible_facts.os_family == 'Debian' - name: Update CA trust on Debian family systems - command: "update-ca-certificates" + ansible.builtin.command: "update-ca-certificates" when: ansible_facts.os_family == 'Debian' diff --git a/etc/kayobe/ansible/vault-generate-pulp-tls.yml b/etc/kayobe/ansible/vault-generate-pulp-tls.yml index 855639053..74d8ce675 100644 --- a/etc/kayobe/ansible/vault-generate-pulp-tls.yml +++ b/etc/kayobe/ansible/vault-generate-pulp-tls.yml @@ -7,11 +7,11 @@ vault_intermediate_ca_name: "OS-TLS-INT" tasks: - name: Include Vault keys - include_vars: + ansible.builtin.include_vars: file: "{{ kayobe_env_config_path }}/vault/overcloud-vault-keys.json" name: vault_keys - - name: Issue a certificate for pulp TLS + - name: Issue a certificate for pulp TLS # noqa: fqcn hashivault_pki_cert_issue: url: "{{ vault_api_addr }}" ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}" 
@@ -27,14 +27,14 @@ https_proxy: '' - name: Ensure pulp certificates directory exists - file: + ansible.builtin.file: path: "{{ kayobe_env_config_path }}/pulp/certificates" state: directory delegate_to: localhost - name: Copy pulp TLS certificate (including intermediate) no_log: true - copy: + ansible.builtin.copy: dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.crt" content: | {{ pulp_cert.data.certificate }} @@ -44,10 +44,11 @@ - name: Copy pulp private key no_log: true - copy: + ansible.builtin.copy: dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.key" content: "{{ pulp_cert.data.private_key }}" mode: 0600 delegate_to: localhost -- import_playbook: copy-ca-to-hosts.yml +- name: Copy CA to hosts playbook + import_playbook: copy-ca-to-hosts.yml From 27410af43195622060235acf9c40bfc166db09c6 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 14:57:03 +0100 Subject: [PATCH 05/11] feat: add playbook for generating `pulp` cert with `OpenBao` --- .../openbao-generate-pulp-certificate.yml | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 etc/kayobe/ansible/openbao-generate-pulp-certificate.yml diff --git a/etc/kayobe/ansible/openbao-generate-pulp-certificate.yml b/etc/kayobe/ansible/openbao-generate-pulp-certificate.yml new file mode 100644 index 000000000..ba7fecb9f --- /dev/null +++ b/etc/kayobe/ansible/openbao-generate-pulp-certificate.yml 
@@ -0,0 +1,49 @@
+---
+- name: Generate certificates
+ hosts: seed
+ run_once: true
+ vars:
+ openbao_api_addr: http://127.0.0.1:8200
+ openbao_intermediate_ca_name: OS-TLS-INT
+ tasks:
+ - name: Include OpenBao keys
+ ansible.builtin.include_vars:
+ file: "{{ kayobe_env_config_path }}/openbao/seed-openbao-keys.json"
+ name: openbao_keys
+
+ - name: Issue a certificate Pulp
+ hashivault_pki_cert_issue: # noqa: fqcn
+ url: "{{ openbao_api_addr }}"
+ ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+ token: "{{ openbao_keys.root_token }}"
+ mount_point: "{{ openbao_intermediate_ca_name }}"
+ role: "{{ overcloud_openbao_pki_default_role_name }}"
+ common_name: "{{ inventory_hostname }}"
+ extra_params:
+ ip_sans: "{{ admin_oc_net_name | net_ip(inventory_hostname=groups['seed'][0]) }}"
+ register: pulp_certificate
+
+ - name: Ensure pulp certificates directory exists
+ ansible.builtin.file:
+ path: "{{ kayobe_env_config_path }}/pulp/certificates"
+ state: directory
+ delegate_to: localhost
+
+ - name: Write certificate to file
+ no_log: true
+ ansible.builtin.copy:
+ dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.crt"
+ content: |
+ {{ pulp_certificate.data.certificate }}
+ {{ pulp_certificate.data.issuing_ca }}
+ mode: "0600"
+ delegate_to: localhost
+
+ - name: Write key to file
+ no_log: true
+ ansible.builtin.copy:
+ dest: "{{ kayobe_env_config_path }}/pulp/certificates/pulp.key"
+ content: |
+ {{ pulp_certificate.data.private_key }}
+ mode: "0600"
+ delegate_to: localhost
From 464cca2dfd27ca47e8311b6dfb8af126f2f7a3ca Mon Sep 17 00:00:00 2001
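Review bot: The `Write key to file` task stores the Pulp private key in plain text at `{{ kayobe_env_config_path }}/pulp/certificates/pulp.key` on the control host, and `kayobe_env_config_path` is typically a version-controlled kayobe-config tree, so the key is one `git add` away from being committed next to the certificate (the Vault variant in patch 01 writes the same file). `mode: "0600"` protects it on disk but not in the repository; either write the key ansible-vault-encrypted, or exclude `pulp/certificates/*.key` from version control and state that in the docs. Also, with `openbao_api_addr` set to `http://127.0.0.1:8200` the `ca_cert` argument has no effect, so it should be dropped unless the URL is meant to be https, in which case the parameter is the right one to keep.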
From: Jack Hodgkiss Date: Mon, 7 Jul 2025 14:57:39 +0100 Subject: [PATCH 06/11] feat: refactor `copy-ca-to-hosts` playbook The playbook `copy-ca-to-hosts` has been refactored in a couple ways. Firstly, the tasks for installing in either `RHEL` or `Debian` based systems are placed in `blocks`. Secondly both the root and intermediate certificate authority have added here to ensure the full chain is available if required. --- etc/kayobe/ansible/copy-ca-to-hosts.yml | 45 ++++++++++++++----------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml index ab0f3eaed..e7135486a 100644 --- a/etc/kayobe/ansible/copy-ca-to-hosts.yml +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml 
@@ -1,29 +1,34 @@ --- -- name: Copy CA certificate and update trust +- name: Install certificate authorities and update trust hosts: overcloud:seed:seed-hypervisor become: true - vars: - cert_path: "{{ kayobe_env_config_path }}/vault/OS-TLS-ROOT.pem" - tasks: - - name: Copy certificate on RedHat family systems (Rocky, RHEL, CentOS) - ansible.builtin.copy: - src: "{{ cert_path }}" - dest: "/etc/pki/ca-trust/source/anchors/OS-TLS-ROOT.pem" - mode: "0644" + - name: Install certificate authorities on RedHat based distributions when: ansible_facts.os_family == 'RedHat' + block: + - name: Copy certificate authorities on RedHat family systems (Rocky, RHEL, CentOS) + ansible.builtin.copy: + src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem" + dest: "/etc/pki/ca-trust/source/anchors/{{ item }}.crt" + mode: "0644" + loop: + - "OS-TLS-ROOT" + - "OS-TLS-INT" - - name: Update CA trust on RedHat family systems - ansible.builtin.command: "update-ca-trust" - when: ansible_facts.os_family == 'RedHat' + - name: Update CA trust on RedHat family systems + ansible.builtin.command: "update-ca-trust" - - name: Copy certificate on Debian family systems (Ubuntu, Debian) - ansible.builtin.copy: - src: "{{ cert_path }}" - dest: "/usr/local/share/ca-certificates/OS-TLS-ROOT.crt" - mode: "0644" + - name: Install certificate authorities on Debian based distributions when: ansible_facts.os_family == 'Debian' + block: + - name: Copy certificate authorities on Debian family systems (Ubuntu, Debian) + ansible.builtin.copy: + src: "{{ kayobe_env_config_path }}/openbao/{{ item }}.pem" + dest: "/usr/local/share/ca-certificates/{{ item }}.crt" + mode: "0644" + loop: + - "OS-TLS-ROOT" + - "OS-TLS-INT" - - name: Update CA trust on Debian family systems - ansible.builtin.command: "update-ca-certificates" - when: ansible_facts.os_family == 'Debian' + - name: Update CA trust on Debian family systems + ansible.builtin.command: "update-ca-certificates" 
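Review bot: The refactor hard-codes the CA source to `{{ kayobe_env_config_path }}/openbao/{{ item }}.pem` and removes the `cert_path` variable that pointed at `vault/OS-TLS-ROOT.pem`, yet `vault-generate-pulp-tls.yml` from patch 01 still ends with `import_playbook: copy-ca-to-hosts.yml`, so a Vault-based deployment now looks for its root CA in a directory it never populated. Reintroduce a play-level variable with a backend default, e.g. `ca_source_dir: "{{ kayobe_env_config_path }}/openbao"` under `vars` and `src: "{{ ca_source_dir }}/{{ item }}.pem"` in both copy tasks, so the Vault playbook can override it on import. Note that the loop also ships `OS-TLS-INT.pem` world-readable to every host; patch 08 in this series removes it again because that file carries the intermediate's private key, which is a reason to keep the distributed list to public material only.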
From e42ad318e9cbe15b6e31157c0df3b104110aa411 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 15:16:59 +0100 Subject: [PATCH 07/11] fix: add missing `EOL` --- etc/kayobe/ansible/copy-ca-to-hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml index 91fd635ba..e7135486a 100644 --- a/etc/kayobe/ansible/copy-ca-to-hosts.yml +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml @@ -31,4 +31,4 @@ - "OS-TLS-INT" - name: Update CA trust on Debian family systems - ansible.builtin.command: "update-ca-certificates" \ No newline at end of file + ansible.builtin.command: "update-ca-certificates" From 3d1c0a352ef69d3308e00fcbfdda38188ea5076b Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 16:29:53 +0100 Subject: [PATCH 08/11] feat: do not copy `OS-TLS-INT` This is not required as the pulp certificate can be verified with just `OS-TLS-INT` as the intermediate is provided by the `Pulp` server. Also the `OS-TLS-INT.pem` includes the private key. --- etc/kayobe/ansible/copy-ca-to-hosts.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml index e7135486a..9e3958c33 100644 --- a/etc/kayobe/ansible/copy-ca-to-hosts.yml +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml @@ -13,7 +13,6 @@ mode: "0644" loop: - "OS-TLS-ROOT" - - "OS-TLS-INT" - name: Update CA trust on RedHat family systems ansible.builtin.command: "update-ca-trust" @@ -28,7 +27,6 @@ mode: "0644" loop: - "OS-TLS-ROOT" - - "OS-TLS-INT" - name: Update CA trust on Debian family systems ansible.builtin.command: "update-ca-certificates" From 9c234ad28792eccd607e0ef9708e82bf79ad9472 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 16:37:57 +0100 Subject: [PATCH 09/11] feat: set docker `CA` if `Pulp` TLS is enabled --- etc/kayobe/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/etc/kayobe/docker.yml b/etc/kayobe/docker.yml index 26fac1346..008754201 100644 --- a/etc/kayobe/docker.yml +++ b/etc/kayobe/docker.yml @@ -30,7 +30,7 @@ docker_registry: "{{ stackhpc_docker_registry }}" docker_registry_insecure: "{{ 'https' not in stackhpc_repo_mirror_url }}" # CA of docker registry -#docker_registry_ca: +docker_registry_ca: "{{ kayobe_env_config_path ~ '/openbao/OS-TLS-INT.crt' if pulp_enable_tls | bool else '' }}" # List of Docker registry mirrors. #docker_registry_mirrors: From 854d6ff3353f036b73658b99697937554799a3cf Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Mon, 7 Jul 2025 21:06:49 +0100 Subject: [PATCH 10/11] feat: support using `copy-ca-to-hosts` as hook --- etc/kayobe/ansible/copy-ca-to-hosts.yml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/etc/kayobe/ansible/copy-ca-to-hosts.yml b/etc/kayobe/ansible/copy-ca-to-hosts.yml index 9e3958c33..e0a03c95e 100644 --- a/etc/kayobe/ansible/copy-ca-to-hosts.yml +++ b/etc/kayobe/ansible/copy-ca-to-hosts.yml 
@@ -1,10 +1,25 @@ --- - name: Install certificate authorities and update trust hosts: overcloud:seed:seed-hypervisor + # Avoid using facts because this may be used as a pre overcloud host + # configure hook, and we don't want to populate the fact cache (if one is in + # use) with the bootstrap user's context. + gather_facts: false + tags: + - install-ca + vars: + ansible_user: "{{ bootstrap_user }}" + # We can't assume that a virtualenv exists at this point, so use the system + # python interpreter. + ansible_python_interpreter: /usr/bin/python3 + # Work around no known_hosts entry on first boot. + ansible_ssh_common_args: -o StrictHostKeyChecking=no + # Don't assume facts are present. + os_family: "{{ ansible_facts.os_family | default('Debian' if os_distribution == 'ubuntu' else 'RedHat') }}" become: true tasks: - name: Install certificate authorities on RedHat based distributions - when: ansible_facts.os_family == 'RedHat' + when: os_family == 'RedHat' block: - name: Copy certificate authorities on RedHat family systems (Rocky, RHEL, CentOS) ansible.builtin.copy: @@ -18,7 +33,7 @@ ansible.builtin.command: "update-ca-trust" - name: Install certificate authorities on Debian based distributions - when: ansible_facts.os_family == 'Debian' + when: os_family == 'Debian' block: - name: Copy certificate authorities on Debian family systems (Ubuntu, Debian) ansible.builtin.copy: From e1ac068679709c5a1cbc78fac8ace6e3eae493de Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Thu, 24 Jul 2025 13:14:25 +0100 Subject: [PATCH 11/11] fix: use correct path for `docker_registry_ca` --- etc/kayobe/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/docker.yml b/etc/kayobe/docker.yml index 008754201..5bbc15f87 100644 --- a/etc/kayobe/docker.yml +++ b/etc/kayobe/docker.yml 
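Review bot: `ansible_ssh_common_args: -o StrictHostKeyChecking=no` disables SSH host key verification for every host in `overcloud:seed:seed-hypervisor` on every run of this play, not only the first-boot hook case the comment describes, so a host whose key has changed is accepted silently and the bootstrap user's session is handed over without any check. `-o StrictHostKeyChecking=accept-new` meets the stated need (unknown keys are recorded on first contact) while still refusing a changed key, so `ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new` is the narrower setting and the comment should say why even that is needed. The `os_family` default also depends on `os_distribution`, which is not defined in this hunk; presumably a kayobe global, but if it is ever unset the expression fails with an undefined variable rather than choosing a family, so a `| default('rocky')`-style guard or a comment naming the source would help.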
@@ -30,7 +30,7 @@ docker_registry: "{{ stackhpc_docker_registry }}" docker_registry_insecure: "{{ 'https' not in stackhpc_repo_mirror_url }}" # CA of docker registry -docker_registry_ca: "{{ kayobe_env_config_path ~ '/openbao/OS-TLS-INT.crt' if pulp_enable_tls | bool else '' }}" +docker_registry_ca: "{{ kayobe_env_config_path ~ '/vault/OS-TLS-INT.crt' if pulp_enable_tls | bool else none }}" # List of Docker registry mirrors. #docker_registry_mirrors:
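Review bot: `docker_registry_ca` now points at `{{ kayobe_env_config_path }}/vault/OS-TLS-INT.crt`, while `copy-ca-to-hosts.yml` (patch 06) reads the same authorities from `openbao/{{ item }}.pem`, so the two halves of this series disagree on both the backend directory and the file extension; nothing in the series writes a `.crt` in either place, so whether the file exists depends on the vault/openbao setup playbooks outside this diff. A single variable for the CA directory, e.g. `pki_ca_dir: "{{ kayobe_env_config_path }}/vault"` referenced from both files, would keep them aligned and make the backend switch a one-line change. The move from `''` to `none` as the disabled value is sensible, but `pulp_cert_path` and `pulp_key_path` in patch 01 still fall back to `''`; if `none` is what the consumer treats as unset, the same change belongs there.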