Merge pull request #725 from stackhpc/correct-stackhpc_write_barbican_role_id_to_file-check

markgoddard · web-flow · commit 110953189e4d · 2023-10-30T13:24:48.000Z
Fixes for Barbican with Vault plugin
diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst
@@ -296,6 +296,7 @@ Configure Barbican
       [vault_plugin]
       vault_url = https://{{ kolla_internal_vip_address }}:8200
       use_ssl = True
+      ssl_ca_crt_file = {% raw %}{{ openstack_cacert }}{% endraw %}
       approle_role_id = {{ secrets_barbican_approle_role_id }}
       approle_secret_id = {{ secrets_barbican_approle_secret_id }}
       kv_mountpoint = barbican
diff --git a/etc/kayobe/ansible/vault-deploy-barbican.yml b/etc/kayobe/ansible/vault-deploy-barbican.yml
@@ -82,15 +82,16 @@
       copy:
         content: "{{ barbican_role_id.id }}"
         dest: "{{ stackhpc_barbican_role_id_file_path | default('~/barbican-role-id') }}"
-      when: stackhpc_write_barbican_role_id_to_file | bool | default(false)
+      when: stackhpc_write_barbican_role_id_to_file | default(false) | bool
 
     - name: Check if barbican Approle Secret ID is defined
-      hashivault_approle_role_secret_list:
+      hashivault_approle_role_secret_get:
         url: "{{ vault_api_addr }}"
         ca_cert: "{{ vault_ca_cert }}"
         token: "{{ vault_keys.root_token }}"
+        secret: "{{ secrets_barbican_approle_secret_id }}"
         name: barbican
-      register: barbican_approle_secret_list
+      register: barbican_approle_secret_get
 
     - name: Ensure barbican AppRole Secret ID is defined
       hashivault_approle_role_secret:
@@ -99,4 +100,4 @@
         token: "{{ vault_keys.root_token }}"
         secret: "{{ secrets_barbican_approle_secret_id }}"
         name: barbican
-      when: barbican_approle_secret_list.secrets is match(secrets_barbican_approle_secret_id)
+      when: barbican_approle_secret_get.status == "absent"
diff --git a/etc/kayobe/environments/ci-multinode/kolla/config/barbican.conf b/etc/kayobe/environments/ci-multinode/kolla/config/barbican.conf
@@ -7,6 +7,7 @@ enabled_secretstore_plugins=vault_plugin
 [vault_plugin]
 vault_url = https://{{ kolla_internal_vip_address }}:8200
 use_ssl = True
+ssl_ca_crt_file = {% raw %}{{ openstack_cacert }}{% endraw %}
 approle_role_id = {{ secrets_barbican_approle_role_id }}
 approle_secret_id = {{ secrets_barbican_approle_secret_id }}
 kv_mountpoint = barbican
