fix: Remove unnecessary container registry step

2026-03-20 16:17:10 -04:00
parent d31b14cd72
commit 1862f20074
13 changed files with 642 additions and 7 deletions
--- a/roles/vault_setup/tasks/unseal.yml
+++ b/roles/vault_setup/tasks/unseal.yml
@@ -0,0 +1,37 @@
+---
+# Unseal Vault using keys from vault_unseal_keys list.
+# Submits keys one at a time until Vault reports unsealed.
+# Requires vault_init_key_threshold keys in vault_unseal_keys.
+
+- name: Submit unseal keys
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/unseal"
+    method: POST
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      key: "{{ item }}"
+    status_code: 200
+  loop: "{{ vault_unseal_keys[:vault_init_key_threshold] }}"
+  register: __vault_unseal_result
+  no_log: true
+
+- name: Check unseal status
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/health"
+    method: GET
+    validate_certs: "{{ vault_validate_certs }}"
+    status_code: [200, 429]
+  register: __vault_health
+
+- name: Assert Vault unsealed successfully
+  ansible.builtin.assert:
+    that:
+      - not __vault_health.json.sealed | bool
+    fail_msg: >-
+      Vault is still sealed after submitting {{ vault_init_key_threshold }} keys.
+      Check that vault_unseal_keys contains the correct keys and try again.
+
+- name: Register unseal success
+  ansible.builtin.set_fact:
+    __vault_unsealed: true