@m-bull m-bull commented Sep 15, 2025

Some variables needed updating in the move to openbao from Vault.

@m-bull m-bull requested a review from a team as a code owner September 15, 2025 17:11

@gemini-code-assist gemini-code-assist bot left a comment


Summary of Changes

Hello @m-bull, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses necessary variable updates to facilitate the migration from HashiCorp Vault to OpenBao within the Kayobe automation setup. It primarily involves adjusting configuration paths and API endpoint references to correctly point to the OpenBao service, ensuring the automation processes can interact with the new secrets management system. The changes aim to fix installation issues related to this transition.

Highlights

  • Configuration Path Updates: The configuration directory for OpenBao and the path for its keys file have been updated from vault to openbao-specific locations to align with the migration.
  • OpenBao API Address Definition: The openbao_api_addr variable is now explicitly defined within the playbook, setting the API endpoint to http://127.0.0.1:8200.
  • API Address Referencing: References to the API address in tasks like vault_unseal, hashivault_secret_engine, and vault_write have been updated to use the newly defined openbao_api_addr variable. A potential issue has been introduced where http:// is prepended to openbao_api_addr even though openbao_api_addr already contains http://, resulting in a double http:// prefix (e.g., http://http://127.0.0.1:8200).

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates an Ansible playbook to support OpenBao for automation, primarily by renaming paths from vault to openbao and adjusting variable definitions. While the variable updates are a good step, some related parts of the playbook were missed. I've identified a critical issue with URL formation that will cause playbook failure. Additionally, some directory creation tasks still use the old vault paths and need to be updated to openbao to match the changes in this PR. I've provided comments on the relevant changes with suggestions for fixes.

name: stackhpc.hashicorp.openbao
vars:
openbao_config_dir: "/opt/kayobe/vault"
openbao_api_addr: "http://127.0.0.1:8200"
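
Review bot: `openbao_api_addr` on the last line of this hunk hard-codes a plaintext `http://` scheme with no comment saying why that is acceptable. The address is loopback, which limits exposure to the local host, but the unseal and write tasks listed in the summary send key material and tokens to this endpoint, so please add a comment that plain HTTP is intentional for 127.0.0.1 only, or make the scheme overridable for setups where OpenBao listens with TLS.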


critical

The openbao_api_addr variable is defined with the http:// protocol prefix. However, later in the file (lines 56, 67, and 72), the http:// prefix is added again when using this variable. This results in an invalid URL like http://http://127.0.0.1:8200, which will cause tasks to fail. To fix this, the protocol prefix should be removed from this variable definition. This will make the variable contain only the address, and the protocol can be prepended where needed, as is done in the rest of the file.

        openbao_api_addr: "127.0.0.1:8200"

vars:
openbao_config_dir: "/opt/kayobe/vault"
openbao_api_addr: "http://127.0.0.1:8200"
openbao_config_dir: "/opt/kayobe/openbao"


high

This path has been correctly updated for OpenBao. However, a related task on lines 24-27, named Ensure /opt/kayobe/vault exists, still creates the old /opt/kayobe/vault directory. This task should be updated to create /opt/kayobe/openbao to ensure consistency and prevent potential failures.

copy_self_signed_ca: false
openbao_write_keys_file: true
openbao_write_keys_file_path: "{{ kayobe_env_config_path }}/vault/kayobe-automation-keys.json"
openbao_write_keys_file_path: "{{ kayobe_env_config_path }}/openbao/kayobe-automation-keys.json"
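
Review bot: an environment that already has `kayobe-automation-keys.json` under `.../vault/` is not handled by the changed `openbao_write_keys_file_path` line. If this playbook can be re-run against an existing setup, add a step that moves the file to `.../openbao/` (or document the manual move); otherwise the old file is left behind and anything that reads the keys from the new path will not find them. Since `openbao_write_keys_file: true` writes key material to disk, also confirm that the new directory is created with restrictive permissions and is kept out of version control.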


high

This file path has been correctly updated for OpenBao. However, a related task on lines 30-33, named Ensure vault directory exists in environment, still creates the old .../vault directory in the environment path. This task should be updated to create the .../openbao directory to prevent failures when writing the keys file specified here.
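
The double-scheme failure described in the review above can be caught before a playbook runs. The following is an added example, not code from this pull request or the playbook: it scans playbook text for `scheme://{{ var }}` where `var` is itself defined with a scheme. The excerpt is constructed, and the `url` keys and `openbao_bind_addr` are placeholder names.

```python
import re

# Constructed playbook excerpt (not the PR's file). The `url` keys and
# `openbao_bind_addr` are placeholders; only `openbao_api_addr` and the
# module names come from the page.
SAMPLE = '''\
vars:
  openbao_api_addr: "http://127.0.0.1:8200"
  openbao_bind_addr: "127.0.0.1:8200"
tasks:
  - name: Unseal
    vault_unseal:
      url: "http://{{ openbao_api_addr }}"
  - name: Enable secrets engine
    hashivault_secret_engine:
      url: "{{ openbao_api_addr }}"
  - name: Write secret
    vault_write:
      url: "http://{{ openbao_bind_addr }}"
'''

SCHEME = r'[a-z][a-z0-9+.-]*://'
# key: "scheme://literal..." (a value that starts with a template is skipped)
VAR_DEF = re.compile(r'^\s*(\w+):\s*["\']?(' + SCHEME + r')(?!\{\{)', re.I)
# scheme://{{ var }} or scheme://{{ var | filter }}
SCHEME_THEN_VAR = re.compile(
    r'(' + SCHEME + r')\{\{\s*(\w+)\s*(?:\|[^}]*)?\}\}', re.I)

def vars_with_scheme(text):
    """Map variable name -> scheme for simple 'name: "scheme://..."' lines."""
    found = {}
    for line in text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def find_double_scheme(text):
    """Return (line_no, variable, rendered_prefix) for every use that
    prepends a scheme to a variable whose value already carries one."""
    schemed = vars_with_scheme(text)
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in SCHEME_THEN_VAR.finditer(line):
            if m.group(2) in schemed:
                hits.append((no, m.group(2), m.group(1) + schemed[m.group(2)]))
    return hits

if __name__ == "__main__":
    for no, var, prefix in find_double_scheme(SAMPLE):
        print(f"line {no}: {var} renders with prefix {prefix}")
```

The check is line-based and only sees variables defined as literal strings in the same text; values set through `set_fact`, inventory or included files need a real YAML and template evaluation pass.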
