From 325f70003f0806393e929289641d3d76c326e221 Mon Sep 17 00:00:00 2001
From: technowhizz <7688823+technowhizz@users.noreply.github.com>
Date: Fri, 9 Jan 2026 18:20:03 +0000
Subject: [PATCH 1/2] Fix mistake in Pulp TLS docs
---
 doc/source/configuration/openbao.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/source/configuration/openbao.rst b/doc/source/configuration/openbao.rst
index f82f8b6b3..ec6f97898 100644
--- a/doc/source/configuration/openbao.rst
+++ b/doc/source/configuration/openbao.rst
@@ -494,7 +494,7 @@ To enable TLS for Pulp we first need to generate the certificates and the procee
 .. code-block::
- kayobe seed service reconfigure -t seed-deploy-containers -kt none
+ kayobe seed service deploy -t seed-deploy-containers -kt none
 5. Set CA for docker registry
From 0ae88abcda59b845ee6bb0e8c6298f1c9c32c8e2 Mon Sep 17 00:00:00 2001
From: technowhizz <7688823+technowhizz@users.noreply.github.com>
Date: Fri, 9 Jan 2026 18:20:29 +0000
Subject: [PATCH 2/2] Add check to ensure vault is unsealed

If vault is not unsealed, the task used to fail with `role not found or permission denied` which is confusing for users. This commit adds a check to ensure vault is unsealed before attempting to generate the certificate.
---
 etc/kayobe/ansible/pulp/pulp-generate-certificate.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml b/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml
index 3c2f25889..f4bd7830d 100644
--- a/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml
+++ b/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml 
@@ -17,6 +17,17 @@
 file: "{{ kayobe_env_config_path }}/openbao/seed-openbao-keys.json"
 name: openbao_keys
+ - name: Check OpenBao seal status
+ ansible.builtin.uri:
+ url: "{{ openbao_api_addr }}/v1/sys/seal-status"
+ return_content: true
+ register: openbao_seal_status
+
+ - name: Assert that OpenBao is unsealed
+ ansible.builtin.assert:
+ that: not openbao_seal_status.json.sealed
+ fail_msg: "OpenBao is sealed. Please unseal it before continuing."
+
 - name: Issue Pulp certificate
 hashivault_pki_cert_issue: # noqa: fqcn
 url: "{{ openbao_api_addr }}"
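Review bot: The seal-status probe added here sets only `url` and `return_content`, so `ansible.builtin.uri` verifies the server against the host's default trust store, which may not match how the `hashivault_pki_cert_issue` task below reaches the same `openbao_api_addr` (its remaining arguments are outside the hunk). If that address is HTTPS behind a private CA, the probe would fail with a certificate error before the assert runs, and the tempting workaround is `validate_certs: false`; I would instead pass the CA explicitly, e.g. `ca_path: "<path to the OpenBao CA bundle>"`. Separately, the assert dereferences `openbao_seal_status.json.sealed` directly, so a non-JSON reply would surface as an undefined-variable error rather than the new message. Guarding with `that: openbao_seal_status.json is defined and not openbao_seal_status.json.sealed`, and wording `fail_msg` to cover both cases, would keep the failure readable.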