docs: add suggested changes

jackhodgkiss · jackhodgkiss · commit ad1fead5b6c7 · 2025-11-25T12:56:43.000Z
- Clean up name of tasks
- Add OpenBao assertion
- Update release note

Signed-off-by: Jack Hodgkiss &lt;jack@stackhpc.com&gt;
diff --git a/doc/source/configuration/openbao.rst b/doc/source/configuration/openbao.rst
@@ -466,6 +466,7 @@ Pulp TLS
 .. warning::
 
    For clouds in production consider the impact of enabling TLS on specific hosts as Docker daemon will be restarted and this will disrupt deployments of Ceph Reef and older.
+   As Vault is deprecated and will be removed in future releases this process only works for OpenBao
 
 To enable TLS for Pulp we first need to generate the certificates and the proceed to configure all hosts that use Pulp to add the root CA to their truststore.
 
@@ -481,9 +482,10 @@ To enable TLS for Pulp we first need to generate the certificates and the procee
 
       kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/deployment/copy-ca-to-hosts.yml
 
-3. Enable TLS for Pulp in pulp.yml
+3. Enable TLS for Pulp
 
    .. code-block::
+      :caption: $KAYOBE_CONFIG_PATH/pulp.yml
 
       # Whether to enable TLS for Pulp.
       pulp_enable_tls: true
diff --git a/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml b/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml
@@ -6,12 +6,18 @@
     openbao_api_addr: http://127.0.0.1:8200
     openbao_intermediate_ca_name: OS-TLS-INT
   tasks:
+    - name: Assert that stackhpc_ca_secret_store is 'openbao'
+      ansible.builtin.assert:
+        that:
+          - stackhpc_ca_secret_store == "openbao"
+        fail_msg: "stackhpc_ca_secret_store must be 'openbao'"
+
     - name: Include OpenBao keys
       ansible.builtin.include_vars:
         file: "{{ kayobe_env_config_path }}/openbao/seed-openbao-keys.json"
         name: openbao_keys
 
-    - name: Issue a certificate Pulp
+    - name: Issue Pulp certificate
       hashivault_pki_cert_issue:  # noqa: fqcn
         url: "{{ openbao_api_addr }}"
         ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
@@ -23,7 +29,7 @@
           ip_sans: "{{ admin_oc_net_name | net_ip(inventory_hostname=groups['seed'][0]) }}"
       register: pulp_certificate
 
-    - name: Ensure pulp certificates directory exists
+    - name: Ensure Pulp certificates directory exists
       ansible.builtin.file:
         path: "{{ kayobe_env_config_path }}/pulp/certificates"
         state: directory
diff --git a/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml b/releasenotes/notes/pulp-tls-105e47f0da602a25.yaml
@@ -2,4 +2,4 @@
 features:
   - |
     Add playbooks and configuration to enable the easy deployment of Pulp with
-    TLS support.
+    TLS support in combination with certificates generated via OpenBao.
