From 8c24c6582f0ebd8b5d635839df6ee1640c9a4f56 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 8 Feb 2026 22:26:22 +1100
Subject: [PATCH] feat: manage vault version (#446)
- add params for version and package name
- add param to cleanup openbao
- add version lock (if not latest)
Reviewed-on: https://git.unkin.net/unkin/puppet-prod/pulls/446
---
 hieradata/roles/infra/storage/vault.yaml | 5 ++--
 site/profiles/manifests/vault/server.pp | 29 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index af0f104..b489d04 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@@ -5,8 +5,9 @@ profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::plugin_dir: /opt/openbao-plugins
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-vault::package_name: openbao
-vault::package_ensure: latest
+profiles::vault::server::package_name: openbao
+profiles::vault::server::package_ensure: 2.4.4
+profiles::vault::server::disable_openbao: false
 # additional altnames
 profiles::pki::vault::alt_names:
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index de37771..1e3a7cd 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -6,6 +6,9 @@ class profiles::vault::server (
 Undef
 ] $members_role = undef,
 Array $vault_servers = [],
+ String $package_name = 'vault',
+ String $package_ensure = 'latest',
+ Boolean $disable_openbao = true,
 Boolean $tls_disable = false,
 Stdlib::Port $client_port = 8200,
 Stdlib::Port $cluster_port = 8201,
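Review bot: `profiles::vault::server::package_ensure: 2.4.4` is a string only because three dotted components cannot parse as a number; a future pin such as `2.5` would be loaded as a Float and then rejected by the `String $package_ensure` parameter this commit adds in server.pp, failing catalog compilation for the role. Quote the value so the pin is always a string: `profiles::vault::server::package_ensure: '2.4.4'`. The dropped `vault::package_*` keys are superseded by the profile parameters, so nothing else on this page still reads them.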
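Review bot: `Boolean $disable_openbao = true` makes package removal the default for every node that includes `profiles::vault::server`: a host whose hieradata lacks the override this commit adds for the storage role may have openbao and openbao-vault-compat uninstalled before `Class['vault']` runs, and the default `package_name` of 'vault' means a missing or mis-typed hiera key on an openbao node takes down the secrets service rather than leaving it alone. A safer default is `Boolean $disable_openbao = false,`, with the hieradata setting it to true only where the cleanup is wanted. The three new parameters also need entries in the class's parameter documentation (outside this hunk), in particular that `package_ensure` is either 'latest' or an exact version string, because any other value is passed to `yum::versionlock` unchanged by the second hunk.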
@@ -52,7 +55,33 @@ class profiles::vault::server (
 }
 }
+ # cleanup openbao?
+ if $disable_openbao {
+ package {'openbao':
+ ensure => absent,
+ before => Class['vault']
+ }
+ package {'openbao-vault-compat':
+ ensure => absent,
+ before => [
+ Class['vault'],
+ Package['openbao']
+ ]
+ }
+ }
+
+ # add versionlock for package_name?
+ if $package_ensure != 'latest' {
+ yum::versionlock{$package_name:
+ ensure => present,
+ version => $package_ensure,
+ before => Class['vault']
+ }
+ }
+
 class { 'vault':
+ package_name => $package_name,
+ package_ensure => $package_ensure,
 manage_service => false,
 manage_storage_dir => $manage_storage_dir,
 enable_ui => true,
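Review bot: The versionlock is never removed once it exists: `if $package_ensure != 'latest'` declares `yum::versionlock[$package_name]` only while a version is pinned, so switching the hiera value back to 'latest' leaves the old lock in place and `package_ensure => latest` can never upgrade past it. The same test also lets 'present', 'installed' and 'absent' through and produces a lock with `version => present`. Declare the lock in both states and pin only on a real version string, as below. Separately, when `$disable_openbao` is true and `$package_name` is 'openbao', `package {'openbao': ensure => absent}` will collide with the package the vault module declares for `$package_name` (a duplicate-declaration failure, assuming the module declares it under that name), so that branch should be skipped for the package being managed. The enclosing class body continues outside the hunk.
```puppet
  # cleanup openbao? (skip when openbao is the package being managed)
  if $disable_openbao and $package_name != 'openbao' {
    # … unchanged: package removals for openbao and openbao-vault-compat …
  }

  # keep the versionlock in step with package_ensure: pin on a real version,
  # drop the lock again when ensure is a keyword
  if $package_ensure in ['latest', 'present', 'installed', 'absent'] {
    yum::versionlock { $package_name:
      ensure => absent,
      before => Class['vault'],
    }
  } else {
    yum::versionlock { $package_name:
      ensure  => present,
      version => $package_ensure,
      before  => Class['vault'],
    }
  }
  # … unchanged: class { 'vault': … } declaration …
```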