From 69258fc28b3663a99e765dce49755feb52d44e29 Mon Sep 17 00:00:00 2001
From: David Galloway <dgallowa@redhat.com>
Date: Wed, 16 May 2018 11:26:01 -0400
Subject: [PATCH] Change path of ansible vault password

The existing vault passwords will be deprecated.  ipmi.yml in
ceph-sepia-secrets and entitlements.yml in ceph-octo-secrets will be
rekeyed using one password which will be stored in
/etc/ansible/vault_pass.txt on the teuthology machines.

All other secrets will be rekeyed with a new password that infra admins
have.

Signed-off-by: David Galloway <dgallowa@redhat.com>
---
 ansible.cfg | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible.cfg b/ansible.cfg
index ccd0bbc0..18ff152a 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,8 +1,8 @@
 [defaults]
 ansible_managed = This file is managed by ansible, don't make changes here - they will be overwritten.
-# this works when testing from my laptop, but will need to
-# be changed when it lives in a production environment
-vault_password_file = ~/.vault_pass.txt
+# This vault password is only used to encrypt downstream's entitlements.yml in secrets.
+# To decrypt any other yml in ceph-{octo,sepia}-secrets, use '--vault-id /path/to/infra-password-file'.
+vault_password_file = /etc/ansible/vault_pass.txt
 timeout = 120
 callback_whitelist = profile_tasks
 # default is 0.001, resulting in a storm of select(NULL, ..., 1ms) syscalls
-- 
2.47.3