From 80dba30de1f8dcaadff2bf8dec689840ab32b0c2 Mon Sep 17 00:00:00 2001
From: Matt Crees <mattc@stackhpc.com>
Date: Tue, 22 Apr 2025 12:46:12 +0100
Subject: [PATCH] Add note on unsealing the Vault

---
 doc/source/configuration/vault.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst
index 8754f0bd7..239ed64c6 100644
--- a/doc/source/configuration/vault.rst
+++ b/doc/source/configuration/vault.rst
@@ -167,6 +167,15 @@ cannot be unsealed with an expired certificate.
 Certificates generation
 =======================
 
+.. note::
+
+   Generating certificates will fail if the Vault on the overcloud is sealed. This will happen whenever the vault containers are restarted. To unseal the
+   overcloud Vault, run:
+
+   .. code-block::
+
+      kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/vault-unseal-overcloud.yml
+
 Create the external TLS certificates (testing only)
 ---------------------------------------------------