diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index af0f104..b489d04 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@@ -5,8 +5,9 @@ profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::plugin_dir: /opt/openbao-plugins
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-vault::package_name: openbao
-vault::package_ensure: latest
+profiles::vault::server::package_name: openbao
+profiles::vault::server::package_ensure: 2.4.4
+profiles::vault::server::disable_openbao: false
 
 # additional altnames
 profiles::pki::vault::alt_names:
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index de37771..1e3a7cd 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -6,6 +6,9 @@ class profiles::vault::server (
 Undef
 ] $members_role = undef,
 Array $vault_servers = [],
+ String $package_name = 'vault',
+ String $package_ensure = 'latest',
+ Boolean $disable_openbao = true,
 Boolean $tls_disable = false,
 Stdlib::Port $client_port = 8200,
 Stdlib::Port $cluster_port = 8201,
@@ -52,7 +55,33 @@ class profiles::vault::server (
 }
 }
 
+ # cleanup openbao?
+ if $disable_openbao {
+ package {'openbao':
+ ensure => absent,
+ before => Class['vault']
+ }
+ package {'openbao-vault-compat':
+ ensure => absent,
+ before => [
+ Class['vault'],
+ Package['openbao']
+ ]
+ }
+ }
+
+ # add versionlock for package_name?
+ if $package_ensure != 'latest' {
+ yum::versionlock{$package_name:
+ ensure => present,
+ version => $package_ensure,
+ before => Class['vault']
+ }
+ }
+
 class { 'vault':
+ package_name => $package_name,
+ package_ensure => $package_ensure,
 manage_service => false,
 manage_storage_dir => $manage_storage_dir,
 enable_ui => true,
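Review bot: `profiles::vault::server::package_ensure: 2.4.4` happens to parse as a string, but a version with a single dot (say `2.5`) would be read by YAML as a float and rejected by the manifest's `String $package_ensure`, so quote the pin: `profiles::vault::server::package_ensure: '2.4.4'`. A pinned value also means package updates for this role, security fixes included, stop until someone edits this line; a short comment above it, `# pinned on purpose: profiles::vault::server applies a yum versionlock for this version, bump deliberately`, tells the next editor why the pin exists and that relaxing it is a deliberate act.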
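Review bot: The three new parameters are undocumented, and `Boolean $disable_openbao = true` makes removal of the `openbao` and `openbao-vault-compat` packages the default for every node that includes this profile unless hieradata opts out, as the storage role's hieradata in this commit does. If the class carries puppet-strings `@param` comments, add one per parameter so that default is not a surprise, e.g. `# @param disable_openbao Remove the openbao and openbao-vault-compat packages (default true); set to false on nodes whose package_name is openbao.` The `package_ensure` line should also say that only the literal `latest` skips the versionlock. The class parameter list begins before this hunk.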
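Review bot: Nothing stops `$disable_openbao` being true while `$package_name` is `openbao`: then `package {'openbao': ensure => absent}` here collides with the package resource the `vault` class declares for the same name and the catalog fails with a duplicate declaration (and had it not failed, the node's running server package would be removed). Guard the cleanup on the package name, or `fail()` on that combination. The versionlock branch also treats every value other than `latest` as a version, so `present`, `installed` or `absent` would be written into the lock, and a lock that was once set is never removed when `package_ensure` is later relaxed to `latest`. The rewrite below keys the lock on a version-looking value and removes it otherwise; the two `package` resources and the `class { 'vault': … }` declaration are unchanged. Whether `yum::versionlock` accepts `ensure => absent` depends on the puppet-yum version in use — confirm against the module's versionlock.pp.
```puppet
  # cleanup openbao? (never when openbao is the package the vault class manages)
  if $disable_openbao and $package_name != 'openbao' {
    # … unchanged: package { 'openbao': … } and package { 'openbao-vault-compat': … } …
  }

  # versionlock only for an explicit version; drop a stale lock when the pin is relaxed
  if $package_ensure =~ /^\d/ {
    yum::versionlock { $package_name:
      ensure  => present,
      version => $package_ensure,
      before  => Class['vault'],
    }
  } else {
    yum::versionlock { $package_name:
      ensure => absent,
    }
  }

  # … unchanged: class { 'vault': … } …
```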