Description of problem:
vault_password_file defined in the "/etc/ansible/ansible.cfg" is not honored.

Version-Release number of selected component (if applicable):
6.13

How reproducible:
100%

Steps to Reproduce:
1. Upload an Ansible role where variable values are encrypted with Ansible Vault.
2. Define vault_password_file in the "/etc/ansible/ansible.cfg".
3. Set permission of ansible_vault_password password file to foreman-proxy:foreman-proxy.
4. Rerun the Ansible role from the Satellite GUI.

Actual results:
TASK [Apply roles] *************************************************************
197: ERROR! Attempting to decrypt but no vault secrets found =====================> Failed to execute the role due to missing secret key.
198: PLAY RECAP *********************************************************************
199: client.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
200: Exit status: 2

Expected results:
Should execute without any error.

Additional info:
As I have upgraded from 6.12 to 6.13, the below file exists:
/usr/share/foreman-proxy/.ansible.cfg ===> Updating the vault_password_file in this file works.

For new installations, this file (/usr/share/foreman-proxy/.ansible.cfg) does not exist. Moreover, as per the comment in the below bug, Satellite 6.13 and above versions use the ansible.cfg present in path "/etc/ansible/ansible.cfg" as the config file.
https://bugzilla.redhat.com/show_bug.cgi?id=1786358#c16
> For new installations, this file(/usr/share/foreman-proxy/.ansible.cfg) does not exist

I know I'm nitpicking, but I was under the impression that /usr/share/foreman-proxy/.ansible.cfg is a symlink to /etc/foreman-proxy/ansible.cfg. On new installations the file in /etc/foreman-proxy/ does not exist, but the (dangling) symlink is still kept in place, no matter if the installation is fresh or not. The dangling symlink shouldn't hurt, the combination of the symlink and the file in /etc/foreman-proxy/ansible.cfg does.

Anyway, dropping the symlink (or whatever /usr/share/foreman-proxy/.ansible.cfg is) from packaging could do the trick? See https://github.com/theforeman/puppet-foreman_proxy/pull/777#issuecomment-1231619125 for details.
Despite mention of Regression, is this a supported scenario with Ansible Vault? ref : bug 2007388
If I recall correctly, we don't mention it anywhere in the documentation, but we have a KCS[1] describing how to set it up. Considering up until 6.13, people could make changes described in the KCS themselves, but the installer would undo them, I would say it is not officially supported yet.

[1] - https://access.redhat.com/solutions/4088231
I have verified that this BZ is no longer occurring on two Sat-6.13 machines (snap 14 and 18) after implementing the solution recommended in this article: https://access.redhat.com/solutions/4088231. To apply the solution, I used the appropriate Ansible configuration files "/etc/foreman-proxy/ansible.cfg" for Sat-6.13 and "/etc/ansible/ansible.cfg" for Sat-6.13 snap 18. The changes made to these files are persistent, as indicated in this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1786358#c16. Consequently, I am closing this BZ since the problem is not reproducible anymore. If there is anything I have missed, please let me know, or you can reopen the case.
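
The config lookup discussed in this thread, as an added example that is not part of the original report or of Satellite's code: a bash check that reports which ansible.cfg an account would load, using a simplified model of Ansible's documented search order ($ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg), and whether the vault_password_file it names is readable. The function names are made up for this example, and it assumes an absolute vault_password_file path and an ANSIBLE_CONFIG value that points at a file.

```bash
#!/usr/bin/env bash
# Added example (not from the report): which ansible.cfg would this account
# load, and is the vault_password_file it names readable?

# Print the first candidate that exists and is readable, in search order.
# Args: <home dir> <working dir> [system config] [ANSIBLE_CONFIG value]
effective_cfg() {
    local home=$1 cwd=$2 system=${3:-/etc/ansible/ansible.cfg} env_cfg=${4:-}
    local candidate
    for candidate in "$env_cfg" "$cwd/ansible.cfg" "$home/.ansible.cfg" "$system"; do
        [ -n "$candidate" ] || continue
        # -f and -r follow symlinks, so a dangling symlink is skipped here.
        if [ -f "$candidate" ] && [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Print the vault_password_file value from the [defaults] section, if set.
vault_password_file_of() {
    awk '
        /^[ \t]*\[/ { in_defaults = ($0 ~ /^[ \t]*\[defaults\]/); next }
        in_defaults && /^[ \t]*vault_password_file[ \t]*[=:]/ {
            sub(/^[^=:]*[=:][ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# One-line verdict: OK, NO_CONFIG, NO_VAULT_SETTING or UNREADABLE.
# Assumption: vault_password_file is an absolute path.
check_vault_setup() {
    local cfg pw
    cfg=$(effective_cfg "$@") || { echo "NO_CONFIG"; return 1; }
    pw=$(vault_password_file_of "$cfg")
    [ -n "$pw" ] || { echo "NO_VAULT_SETTING $cfg"; return 1; }
    [ -r "$pw" ] || { echo "UNREADABLE $cfg $pw"; return 1; }
    echo "OK $cfg $pw"
}
```

Run `check_vault_setup` as the account in question (for example under `sudo -u foreman-proxy`), passing that account's home directory (/usr/share/foreman-proxy in this report) and the working directory the job runs from, since readability is tested for the calling user.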