From d20b9ec534deb61fb1cff0941842f4a02d9d1fd8 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Wed, 20 Aug 2025 14:22:35 +0100 Subject: [PATCH 1/3] fix (docs): add space before language in `code-block` --- doc/source/configuration/openbao.rst | 63 ++++++++++++---------------- 1 file changed, 27 insertions(+), 36 deletions(-) diff --git a/doc/source/configuration/openbao.rst b/doc/source/configuration/openbao.rst index 2be67338b..05ced874b 100644 --- a/doc/source/configuration/openbao.rst +++ b/doc/source/configuration/openbao.rst @@ -78,13 +78,13 @@ Setup OpenBao on the seed node 1. Run secret-store-deploy-seed.yml custom playbook - .. code-block::bash + .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-deploy-seed.yml 2. Encrypt generated certs/keys with ansible-vault (use proper location of vault password file) - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/openbao/OS-TLS-INT.pem ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/openbao/seed-openbao-keys.json @@ -97,7 +97,7 @@ Setup OpenBao on the seed node Or if environments are being used - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/OS-TLS-INT.pem ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/seed-openbao-keys.json 
@@ -113,28 +113,19 @@ Setup OpenBao HA on the overcloud hosts 1. Run secret-store-deploy-overcloud.yml custom playbook - .. code-block::bash + .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-deploy-overcloud.yml 2. Encrypt overcloud openbao keys (use proper location of vault password file) - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/openbao/overcloud-openbao-keys.json # For Hashicorp Vault ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/vault/overcloud-vault-keys.json - Or if environments are being used - - .. code-block::bash - - ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/overcloud-openbao-keys.json - - # For Hashicorp Vault - ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud-vault-keys.json - Rotating OpenBao certificate on the overcloud hosts --------------------------------------------------- @@ -145,7 +136,7 @@ cannot be unsealed with an expired certificate. 1. Delete the old certificate: - .. code-block::bash + .. code-block:: bash rm $KAYOBE_CONFIG_PATH/openbao/overcloud.crt @@ -154,7 +145,7 @@ cannot be unsealed with an expired certificate. Or if environments are being used - .. code-block::bash + .. code-block:: bash rm $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/overcloud.crt @@ -163,13 +154,13 @@ cannot be unsealed with an expired certificate. 2. Generate a new certificate (and key): - .. code-block::bash + .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-deploy-seed.yml 3. Encrypt generated key with ansible-vault (use proper location of vault password file) - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/openbao/overcloud.key 
@@ -178,7 +169,7 @@ cannot be unsealed with an expired certificate. Or if environments are being used - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/overcloud.key @@ -188,13 +179,13 @@ cannot be unsealed with an expired certificate. 4. Copy the new certificate to the overcloud hosts. Note, if the old certificate has expired this will fail on the unseal step. - .. code-block::bash + .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-deploy-overcloud.yml 5. Restart the containers to use the new certificate: - .. code-block::bash + .. code-block:: bash kayobe overcloud host command run --command "docker restart openbao" -l controllers @@ -203,7 +194,7 @@ cannot be unsealed with an expired certificate. 6. If sealed, unseal OpenBao: - .. code-block::bash + .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-unseal-overcloud.yml @@ -230,19 +221,19 @@ For test and development purposes it is possible to use OpenBao as a CA for the 1. Run the playbook - .. code-block::bash + .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-generate-test-external-tls.yml 2. Use ansible-vault to encrypt the PEM bundle in $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy.pem. Commit the PEM bundle to the kayobe configuration. - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy.pem Or if environments are being used - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy.pem 
@@ -251,19 +242,19 @@ Create the internal TLS certificates 1. Run the playbook - .. code-block::bash + .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-generate-internal-tls.yml 2. Use ansible-vault to encrypt the PEM bundle in $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy-internal.pem. Commit the PEM bundle and root CA to the kayobe configuration. - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/kolla/certificates/haproxy-internal.pem Or if environments are being used - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/haproxy-internal.pem @@ -272,19 +263,19 @@ Create the backend TLS and RabbitMQ TLS certificates 1. Run the playbook - .. code-block::bash + .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-generate-backend-tls.yml 2. Use ansible-vault to encrypt the keys in $KAYOBE_CONFIG_PATH/kolla/certificates/-key.pem. Commit the certificates and keys to the kayobe configuration. - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/kolla/certificates/-key.pem Or if environments are being used - .. code-block::bash + .. code-block:: bash ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/kolla/certificates/-key.pem @@ -425,12 +416,12 @@ Enable the required TLS variables in kayobe and kolla It is important that you are only using admin endpoints for keystone. If any admin endpoints exist for other services, they must be deleted e.g. - .. code-block::bash + .. code-block:: bash openstack endpoint list --interface admin -f value | \ awk '!/keystone/ {print $1}' | xargs openstack endpoint delete - .. code-block::bash + .. code-block:: bash kayobe overcloud service deploy 
@@ -442,7 +433,7 @@ Enable the required TLS variables in kayobe and kolla Restart the nova-compute container on all hypervisors: - .. code-block::bash + .. code-block:: bash kayobe overcloud host command run --command "systemctl restart kolla-nova_compute-container.service" --become --show-output -l compute @@ -475,7 +466,7 @@ Create required configuration in OpenBao 1. Run secret-store-deploy-barbican.yml custom playbook - .. code-block::bash + .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-deploy-barbican.yml @@ -513,6 +504,6 @@ Configure Barbican Deploy Barbican --------------- - .. code-block::bash + .. code-block:: bash kayobe overcloud service deploy -kt barbican From 692399de5b01a207294f3ab075bafaf4d900d783 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Wed, 20 Aug 2025 14:23:10 +0100 Subject: [PATCH 2/3] feat (docs): update `no_proxy` for `openbao` OpenBao requires that `no_proxy` is configured to include the IP address of the first controller to allow for successful deployment. --- doc/source/configuration/walled-garden.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/source/configuration/walled-garden.rst b/doc/source/configuration/walled-garden.rst index 937619a5a..c9dbb9aad 100644 --- a/doc/source/configuration/walled-garden.rst +++ b/doc/source/configuration/walled-garden.rst @@ -79,6 +79,7 @@ proxy: - "{{ ('http://' ~ docker_registry) | urlsplit('hostname') if docker_registry else '' }}" - "{{ lookup('vars', admin_oc_net_name ~ '_ips')[groups.seed.0] }}" - "{{ lookup('vars', admin_oc_net_name ~ '_ips')[inventory_hostname] }}" + - "{{ lookup('vars', internal_net_name ~ '_ips')[groups.controllers.0] }}" - "{{ kolla_external_fqdn }}" - "{{ kolla_internal_fqdn }}" From f6e747bc9ecf5e4c5bcb960c9f47276c6c69da6c Mon Sep 17 00:00:00 2001 
From: Jack Hodgkiss Date: Wed, 20 Aug 2025 14:26:52 +0100 Subject: [PATCH 3/3] feat: add step about `no_proxy` for `openbao` --- doc/source/configuration/openbao.rst | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/doc/source/configuration/openbao.rst b/doc/source/configuration/openbao.rst index 05ced874b..369e847f5 100644 --- a/doc/source/configuration/openbao.rst +++ b/doc/source/configuration/openbao.rst @@ -111,13 +111,26 @@ Setup OpenBao on the seed node Setup OpenBao HA on the overcloud hosts --------------------------------------- -1. Run secret-store-deploy-overcloud.yml custom playbook +1. If using a walled garden, ensure ``no_proxy`` is configured to include the first controller's internal network IP. Append it to the list if necessary. + + .. code-block:: yaml + :caption: ``inventory/group_vars/overcloud/proxy.yml`` + + --- + no_proxy: + - "{{ lookup('vars', internal_net_name ~ '_ips')[groups.controllers.0] }}" + + .. code-block:: bash + + kayobe overcloud host configure -t proxy + +2. Run secret-store-deploy-overcloud.yml custom playbook .. code-block:: bash kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/secret-store-deploy-overcloud.yml -2. Encrypt overcloud openbao keys (use proper location of vault password file) +3. Encrypt overcloud openbao keys (use proper location of vault password file) .. code-block:: bash 
@@ -126,6 +139,16 @@ Setup OpenBao HA on the overcloud hosts # For Hashicorp Vault ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/vault/overcloud-vault-keys.json + + Or if environments are being used + + .. code-block:: bash + + ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/openbao/overcloud-openbao-keys.json + + # For Hashicorp Vault + ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/vault/overcloud-vault-keys.json + Rotating OpenBao certificate on the overcloud hosts ---------------------------------------------------
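Review bot: no change needed in hunk `@@ -78,13 +78,13 @@` of patch 1 (`doc/source/configuration/openbao.rst`), but it is worth recording why the fix matters: docutils only recognises a directive when `::` is followed by whitespace, so every `.. code-block::bash` line was parsed as a comment and the command underneath it was silently dropped from the rendered page, with no build warning. Since the same typo was repeated across twenty-odd blocks in this file, suggest adding a docs lint step (for example a grep rejecting `.. code-block::` followed by a non-space) so the next copy-paste of the pattern fails CI instead of hiding operator commands.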
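Review bot: the deletion of the "Or if environments are being used" block (the `-` lines after `overcloud-vault-keys.json` in hunk `@@ -113,28 +113,19 @@` of patch 1, `doc/source/configuration/openbao.rst`) is unrelated to the subject "add space before language in `code-block`" and is re-added line for line by patch 3 in hunk `@@ -126,6 +139,16 @@`. Suggest dropping those `-` lines from patch 1 and keeping only the `-    .. code-block::bash` / `+    .. code-block:: bash` pair, so the whitespace commit stays a pure one-token fix and the environments instructions never disappear from history; if the removal was intentional, the commit message should say why.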
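Review bot: the context lines in hunk `@@ -272,19 +263,19 @@` of patch 1 still read `$KAYOBE_CONFIG_PATH/kolla/certificates/-key.pem` in both `ansible-vault encrypt` commands and in the prose "encrypt the keys in ... /-key.pem", which looks like a dropped wildcard or service-name prefix in front of `-key.pem`. This commit already edits the two `code-block` directives in that block, so it is the natural place to confirm the intended filenames and fix the path, or to say in the text which key files are meant; as written an operator cannot tell which private keys the step expects to be vault-encrypted before commit.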
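Review bot: in hunk `@@ -425,12 +416,12 @@` of patch 1 the two code blocks sit back to back with no text between the `openstack endpoint delete` pipeline and `kayobe overcloud service deploy`, so the deploy reads as part of the deletion step; suggest a one-line lead-in for the deploy. The pipeline `openstack endpoint list --interface admin -f value | awk '!/keystone/ {print $1}' | xargs openstack endpoint delete` is destructive, and its `awk` filter keeps any row that merely contains the string `keystone` anywhere in the line, so recommend the docs show the `openstack endpoint list --interface admin` command on its own first so operators can check what would be deleted before piping into `xargs`.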
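Review bot: the new `no_proxy` entry `"{{ lookup('vars', internal_net_name ~ '_ips')[groups.controllers.0] }}"` in hunk `@@ -79,6 +79,7 @@` of `doc/source/configuration/walled-garden.rst` (patch 2) will raise an undefined-variable error wherever this `proxy:` list is evaluated with `internal_net_name` (or the matching `<net>_ips` variable) unset or with an empty `controllers` group, an assumption the neighbouring seed and `inventory_hostname` entries do not make. Suggest either guarding the entry (a conditional or a `default` filter) or stating in the surrounding text that the snippet assumes a populated `controllers` group. A short `#` comment on the line saying it exists for OpenBao deployment, the reason given only in the commit message, would also stop it being pruned later as a stray exemption.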
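Review bot: the YAML snippet in hunk `@@ -111,13 +111,26 @@` of patch 3 shows a complete `no_proxy:` key with a single entry, while the text says to "Append it to the list if necessary"; an operator who copies the block into `inventory/group_vars/overcloud/proxy.yml` as shown replaces the whole list (docker registry, seed address, `kolla_external_fqdn`, `kolla_internal_fqdn`, as listed in walled-garden.rst in patch 2) with the one controller address, leaving every other internal endpoint routed through the proxy after `kayobe overcloud host configure -t proxy`. Suggest presenting only the list item to add and cross-referencing the walled-garden section, which now carries the same entry. Also worth stating that `groups.controllers.0` depends on inventory ordering, so reordering the `controllers` group changes which address is exempted.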