[defaults]
ansible_managed = This file is managed by ansible, don't make changes here - they will be overwritten.
-# this works when testing from my laptop, but will need to
-# be changed when it lives in a production environment
-vault_password_file = ~/.vault_pass.txt
+# This vault password is only used to encrypt downstream's entitlements.yml in secrets.
+# To decrypt any other yml in ceph-{octo,sepia}-secrets, use '--vault-id /path/to/infra-password-file'.
+vault_password_file = /etc/ansible/vault_pass.txt
timeout = 120
callback_whitelist = profile_tasks
# default is 0.001, resulting in a storm of select(NULL, ..., 1ms) syscalls
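Review bot: The new `vault_password_file = /etc/ansible/vault_pass.txt` line moves the vault password from a per-user home directory to a shared system path, and the added comment does not say who may read or write that file. Ansible runs a vault password file that has the executable bit set and takes its output as the password, so the file should be a plain, non-executable file, owned by and readable only to the account that runs the playbooks. I would add a line above the setting such as `# Must be mode 0400, owned by the user that runs ansible; never executable or group/world-writable.` Ansible also aborts when a configured vault password file is missing, so machines without this file would presumably need an override such as `ANSIBLE_VAULT_PASSWORD_FILE`. It is worth confirming that this is intended now that the laptop path is gone.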