INFRA-839 Add playbooks, config & docs for enabling Pulp tls with vault #1427
Conversation
Add playbooks, config & docs for enabling pulp tls with vault
technowhizz
force-pushed
the
update-vault-docs-dec-2024
branch
from
0281769 to
b69f2bd
Compare
technowhizz
changed the title
Dont start bifrost playbooks when deploying pulp tls Co-authored-by: Matt Crees <[email protected]>
| hosts: controllers | ||
| run_once: true | ||
| vars: | ||
| vault_api_addr: "https://{{ internal_net_name | net_ip(groups['controllers'][0]) }}:8200" |
There was a problem hiding this comment.
Only thing to point out here is that we have a bootstrapping issue where we have to bring the controllers up and deploy vault before generating the certs. You could use the vault on the seed to generate the certificate for pulp instead, but is it better to always use the overcloud vault? What do people think?
There was a problem hiding this comment.
If we want to use vault from the seed (which might make more sense, since this is being deployed on the seed) then we'll need a second intermediate CA?
There was a problem hiding this comment.
It would make sense to have TLS for Pulp before we need to use Pulp at all, so even before Bifrost. So +1 to not relying on the overcloud vault
There was a problem hiding this comment.
Should we do that as a part 2? and perhaps call this 'Deploying pulp with TLS on an existing cloud?'
Yeah, so I think docker will use the system CA trust but you might be right about needing to restart docker for that. Also if we did need to add the CA cert to docker I realised @seunghun1ee that we have a variable in kayobe for that |
No description provided.