From 44fd499aa04903f8c71a1d053d97166546dd628e Mon Sep 17 00:00:00 2001 From: Seunghun Lee Date: Thu, 14 Nov 2024 15:11:29 +0000 Subject: [PATCH] Prevent seal-status check fails when TLS is expired If certificate of Vault API is expired, user needs to set ``vault_unseal_verify`` to False to avoid tasks failing. However, checking seal-status after unsealing still tries to verify the certificate. This fixes the issue by setting ``validate_certs`` option to also follow ``vault_unseal_verify``. --- roles/vault_unseal/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/vault_unseal/tasks/main.yml b/roles/vault_unseal/tasks/main.yml index 08de441..52958d8 100644 --- a/roles/vault_unseal/tasks/main.yml +++ b/roles/vault_unseal/tasks/main.yml @@ -24,6 +24,7 @@ - name: Check if vault is sealed uri: url: "{{ vault_api_addr }}/v1/sys/seal-status" + validate_certs: "{{ vault_unseal_verify | default(omit) }}" register: vault_seal_status - name: Fail when vault is still sealed
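Review bot: When `vault_unseal_verify` is false, the added `validate_certs` line leaves the seal-status reply unauthenticated, yet the registered `vault_seal_status` is what the following "Fail when vault is still sealed" task relies on (its body is outside the hunk), so an on-path responder could make the play report an unsealed Vault. The task should document this as a temporary setting for an expired certificate, e.g. `# validate_certs follows vault_unseal_verify; when false the reply is unauthenticated, so re-enable verification once the certificate is renewed`. Separately, if `vault_unseal_verify` may hold a CA bundle path rather than a boolean (not visible here), `validate_certs` would reject it, so the variable should be documented as boolean-only or the value coerced before use.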