fix: add # noqa: fqcn to avoid errors with hashivault modules

Author: jackhodgkiss

etc/kayobe/ansible/openbao-deploy-barbican.yml

@@ -30,15 +30,15 @@
         https_proxy: ""
       block:
         - name: Enable AppRole auth module
-          hashivault_auth_method:
+          hashivault_auth_method:  # noqa: fqcn
             url: "{{ openbao_api_addr }}"
             ca_cert: "{{ openbao_ca_cert }}"
             token: "{{ openbao_keys.root_token }}"
             method_type: approle
             state: enabled
 
         - name: Enable barbican kv store
-          hashivault_secret_engine:
+          hashivault_secret_engine:  # noqa: fqcn
             url: "{{ openbao_api_addr }}"
             ca_cert: "{{ openbao_ca_cert }}"
             token: "{{ openbao_keys.root_token }}"
@@ -47,7 +47,7 @@
             description: Barbican kv store
 
         - name: Ensure barbican policy is defined
-          hashivault_policy:
+          hashivault_policy:  # noqa: fqcn
             url: "{{ openbao_api_addr }}"
             ca_cert: "{{ openbao_ca_cert }}"
             token: "{{ openbao_keys.root_token }}"
@@ -59,7 +59,7 @@
               }
 
         - name: Ensure barbican AppRole is defined
-          hashivault_approle_role:
+          hashivault_approle_role:  # noqa: fqcn
             url: "{{ openbao_api_addr }}"
             ca_cert: "{{ openbao_ca_cert }}"
             token: "{{ openbao_keys.root_token }}"
@@ -70,7 +70,7 @@
             name: barbican
 
         - name: Get barbican Approle ID
-          hashivault_approle_role_id:
+          hashivault_approle_role_id:  # noqa: fqcn
             url: "{{ openbao_api_addr }}"
             ca_cert: "{{ openbao_ca_cert }}"
             token: "{{ openbao_keys.root_token }}"
@@ -89,7 +89,7 @@
           when: stackhpc_write_barbican_role_id_to_file | default(false) | bool
 
         - name: Check if barbican Approle Secret ID is defined
-          hashivault_approle_role_secret_get:
+          hashivault_approle_role_secret_get:  # noqa: fqcn
             url: "{{ openbao_api_addr }}"
             ca_cert: "{{ openbao_ca_cert }}"
             token: "{{ openbao_keys.root_token }}"
@@ -98,7 +98,7 @@
           register: barbican_approle_secret_get
 
         - name: Ensure barbican AppRole Secret ID is defined
-          hashivault_approle_role_secret:
+          hashivault_approle_role_secret:  # noqa: fqcn
             url: "{{ openbao_api_addr }}"
             ca_cert: "{{ openbao_ca_cert }}"
             token: "{{ openbao_keys.root_token }}"

etc/kayobe/ansible/openbao-generate-backend-tls.yml

@@ -44,7 +44,7 @@
         name: openbao_keys
 
     - name: Issue a certificate for backend TLS
-      hashivault_pki_cert_issue:
+      hashivault_pki_cert_issue:  # noqa: fqcn
         url: "{{ openbao_api_addr }}"
         ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
         token: "{{ openbao_keys.root_token }}"

etc/kayobe/ansible/openbao-generate-internal-tls.yml

@@ -12,7 +12,7 @@
         name: openbao_keys
 
     - name: Issue a certificate for internal TLS
-      hashivault_pki_cert_issue:
+      hashivault_pki_cert_issue:  # noqa: fqcn
         url: "{{ openbao_api_addr }}"
         ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
         token: "{{ openbao_keys.root_token }}"

etc/kayobe/ansible/openbao-generate-test-external-tls.yml

@@ -13,7 +13,7 @@
         name: openbao_keys
 
     - name: Issue a certificate for external TLS
-      hashivault_pki_cert_issue:
+      hashivault_pki_cert_issue:  # noqa: fqcn
         url: "{{ openbao_api_addr }}"
         ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
         token: "{{ openbao_keys.root_token }}"

etc/kayobe/ansible/vault-deploy-barbican.yml

@@ -30,15 +30,15 @@
         https_proxy: ""
       block:
         - name: Enable AppRole auth module
-          hashivault_auth_method:
+          hashivault_auth_method:  # noqa: fqcn
             url: "{{ vault_api_addr }}"
             ca_cert: "{{ vault_ca_cert }}"
             token: "{{ vault_keys.root_token }}"
             method_type: approle
             state: enabled
 
         - name: Enable barbican kv store
-          hashivault_secret_engine:
+          hashivault_secret_engine:  # noqa: fqcn
             url: "{{ vault_api_addr }}"
             ca_cert: "{{ vault_ca_cert }}"
             token: "{{ vault_keys.root_token }}"
@@ -47,7 +47,7 @@
             description: Barbican kv store
 
         - name: Ensure barbican policy is defined
-          hashivault_policy:
+          hashivault_policy:  # noqa: fqcn
             url: "{{ vault_api_addr }}"
             ca_cert: "{{ vault_ca_cert }}"
             token: "{{ vault_keys.root_token }}"
@@ -59,7 +59,7 @@
               }
 
         - name: Ensure barbican AppRole is defined
-          hashivault_approle_role:
+          hashivault_approle_role:  # noqa: fqcn
             url: "{{ vault_api_addr }}"
             ca_cert: "{{ vault_ca_cert }}"
             token: "{{ vault_keys.root_token }}"
@@ -70,7 +70,7 @@
             name: barbican
 
         - name: Get barbican Approle ID
-          hashivault_approle_role_id:
+          hashivault_approle_role_id:  # noqa: fqcn
             url: "{{ vault_api_addr }}"
             ca_cert: "{{ vault_ca_cert }}"
             token: "{{ vault_keys.root_token }}"
@@ -89,7 +89,7 @@
           when: stackhpc_write_barbican_role_id_to_file | default(false) | bool
 
         - name: Check if barbican Approle Secret ID is defined
-          hashivault_approle_role_secret_get:
+          hashivault_approle_role_secret_get:  # noqa: fqcn
             url: "{{ vault_api_addr }}"
             ca_cert: "{{ vault_ca_cert }}"
             token: "{{ vault_keys.root_token }}"
@@ -98,7 +98,7 @@
           register: barbican_approle_secret_get
 
         - name: Ensure barbican AppRole Secret ID is defined
-          hashivault_approle_role_secret:
+          hashivault_approle_role_secret:  # noqa: fqcn
             url: "{{ vault_api_addr }}"
             ca_cert: "{{ vault_ca_cert }}"
             token: "{{ vault_keys.root_token }}"

etc/kayobe/ansible/vault-generate-backend-tls.yml

@@ -43,7 +43,7 @@
         name: vault_keys
 
     - name: Issue a certificate for backend TLS
-      hashivault_pki_cert_issue:
+      hashivault_pki_cert_issue:  # noqa: fqcn
         url: "{{ vault_api_addr }}"
         ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
         token: "{{ vault_keys.root_token }}"

etc/kayobe/ansible/vault-generate-internal-tls.yml

@@ -12,7 +12,7 @@
         name: vault_keys
 
     - name: Issue a certificate for internal TLS
-      hashivault_pki_cert_issue:
+      hashivault_pki_cert_issue:  # noqa: fqcn
         url: "{{ vault_api_addr }}"
         ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
         token: "{{ vault_keys.root_token }}"

etc/kayobe/ansible/vault-generate-test-external-tls.yml

@@ -13,7 +13,7 @@
         name: vault_keys
 
     - name: Issue a certificate for external TLS
-      hashivault_pki_cert_issue:
+      hashivault_pki_cert_issue:  # noqa: fqcn
         url: "{{ vault_api_addr }}"
         ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
         token: "{{ vault_keys.root_token }}"

releasenotes/notes/add-openbao-for-tls-698ae3834ed5c67f.yaml

@@ -3,3 +3,10 @@ features:
   - |
     Add support for deploying ``OpenBao`` across the ``seed`` and ``overcloud`` hosts
     for the purpose of internal and backend TLS generation.
+deprecations:
+  - |
+    Hashicorp Vault for TLS generation is deprecated in favour of OpenBao.
+    The ``openbao`` role is now used to deploy OpenBao on the seed and overcloud hosts.
+    New deployments should use OpenBao for TLS generation.
+    Existing deployments using Hashicorp Vault for TLS generation should be migrated
+    to OpenBao once migration steps are available.