Support Vault to OpenBao migration #2095
Open
+537
−751
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
seunghun1ee
added
documentation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
The pull request introduces a comprehensive set of Ansible playbooks and updated documentation to support the migration from Hashicorp Vault to OpenBao. The new playbooks are well-structured to manage the migration process across seed and overcloud environments, including configuration updates. However, a critical issue exists in the migration playbooks where the stackhpc_ca_secret_store variable is used dynamically to include secret store keys. This can lead to incorrect key retrieval if the variable is already set to 'openbao' during a Vault migration, causing the migration to fail. Additionally, there are minor documentation formatting issues and some file permissions that could be more restrictive for sensitive configuration files.
etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml
Outdated
Show resolved
Hide resolved
seunghun1ee
force-pushed
the
vault-bao-migration
branch
from
3cc8df4 to
69ec42b
Compare
Member
Author
|
Linters are failing because missing playbook is not released from stackhpc.hashicorp collection yet |
MoteHue
requested changes
Jan 21, 2026
etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml
Outdated
Show resolved
Hide resolved
seunghun1ee
force-pushed
the
vault-bao-migration
branch
from
69ec42b to
314b1e1
Compare
seunghun1ee
force-pushed
the
vault-bao-migration
branch
from
314b1e1 to
a211eaa
Compare
Co-Authored-by: Alex Welsh <alex@stackhpc.com>
seunghun1ee
force-pushed
the
vault-bao-migration
branch
from
a211eaa to
3eac2af
Compare
bbezak
requested changes
Jan 26, 2026
etc/kayobe/ansible/secret-store/vault-bao-migration-overcloud.yml
Outdated
Show resolved
Hide resolved
mnasiadka
reviewed
Jan 26, 2026
etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml
Outdated
Show resolved
Hide resolved
etc/kayobe/ansible/secret-store/vault-bao-migration-change-config.yml
Outdated
Show resolved
Hide resolved
Previously rockylinux/rockylinux:9 was used. As soon as a new release was tagged in the docker hub it would be used
to fix multiple vulnerabilities
to see which sources are downloaded before docker build
to accomodate temporary errors from ark (was getting a 500 error)
control plane is trusted
CVE-2025-68428 is still present in opensearch-dashboards 2.19.4 because jspdf is still in version 3.0.1
This makes it easier to see the changes generated by the package-update-kayobe.yml workflow [1]. [1] https://github.com/stackhpc/stackhpc-release-train/actions/workflows/package-update-kayobe.yml
Documentation builds on Read the Docs have been failing following the release of myst-parser 5.0.0. Cap requirement to use myst-parser 4.x instead, which is not compatible with Sphinx 9.
Needed updating to rebase on rocky 9.7
03:00.0 3D controller [0302]: NVIDIA Corporation GH100 [H200 NVL] [10de:233b] (rev a1)
The new kernel version includes a fix for CVE-2025-68285 [1] in libceph. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-68285
We often see CI failures where the reboot playbook is successful, but the growroot playbook invoked immediately after it fails with a `Connection timed out` error. Add a small 5 seconds extra delay after the reboot to ensure hosts have finished booting successfully. The delay can be customised with the `post_reboot_delay_s` variable.
This brings updated versions of OpenSSL to address multiple vulnerabilities, including CVE-2025-15467.
Basic support for Dell SONiC switches for Arcus. Release note only since images were rebuilt for another reason. Patch: stackhpc/networking-generic-switch#136
This prevents the need to maintain the documentation in two separate places.
Fix colored output on errors. It is quite easy to miss the failures otherwise. Co-authored-by: pescobar.it@gmail.com
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds four playbooks used for migrating Vault to OpenBao.
The version of
stackhpc.hashicorpcollection needs to be bumped after stackhpc/ansible-collection-hashicorp#85 is merged and released.But as SKC's contents are ready, marked as ready.