From: David Galloway <dgallowa@redhat.com>
Date: Wed, 16 May 2018 15:26:01 +0000 (-0400)
Subject: Change path of ansible vault password
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F400%2Fhead;p=ceph-cm-ansible.git

Change path of ansible vault password

The existing vault passwords will be deprecated.  ipmi.yml in
ceph-sepia-secrets and entitlements.yml in ceph-octo-secrets will be
rekeyed using one password which will be stored in
/etc/ansible/vault_pass.txt on the teuthology machines.

All other secrets will be rekeyed with a new password that infra admins
have.

Signed-off-by: David Galloway <dgallowa@redhat.com>
---

diff --git a/ansible.cfg b/ansible.cfg
index ccd0bbc0..18ff152a 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,8 +1,8 @@
 [defaults]
 ansible_managed = This file is managed by ansible, don't make changes here - they will be overwritten.
-# this works when testing from my laptop, but will need to
-# be changed when it lives in a production environment
-vault_password_file = ~/.vault_pass.txt
+# This vault password is only used to encrypt downstream's entitlements.yml in secrets.
+# To decrypt any other yml in ceph-{octo,sepia}-secrets, use '--vault-id /path/to/infra-password-file'.
+vault_password_file = /etc/ansible/vault_pass.txt
 timeout = 120
 callback_whitelist = profile_tasks
 # default is 0.001, resulting in a storm of select(NULL, ..., 1ms) syscalls