From 2d0348db43d27a244a8c27e3b33e149bb9eac828 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 8 Feb 2026 14:45:48 +1100
Subject: [PATCH] feat: manage vault version
- add params for version and package name
- add param to cleanup openbao
- add version lock (if not latest)
---
 hieradata/roles/infra/storage/vault.yaml | 5 ++--
 site/profiles/manifests/vault/server.pp | 29 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index fcce710..7dc7bd3 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@@ -4,8 +4,9 @@ profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-vault::package_name: openbao
-vault::package_ensure: latest
+profiles::vault::server::package_name: openbao
+profiles::vault::server::package_ensure: 2.4.4
+profiles::vault::server::disable_openbao: false
 # additional altnames
 profiles::pki::vault::alt_names:
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index d73a4a3..205a7f2 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -6,6 +6,9 @@ class profiles::vault::server (
 Undef
 ] $members_role = undef,
 Array $vault_servers = [],
+ String $package_name = 'vault',
+ String $package_ensure = 'latest',
+ Boolean $disable_openbao = true,
 Boolean $tls_disable = false,
 Stdlib::Port $client_port = 8200,
 Stdlib::Port $cluster_port = 8201,
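Review bot: In hieradata/roles/infra/storage/vault.yaml the new value `profiles::vault::server::package_ensure: 2.4.4` is unquoted and is read as a string only because it has three components. A later bump to a two-part value (a constructed example: `2.5`) would load as a Float and fail the `String $package_ensure` type in the profile. Quote it now: `profiles::vault::server::package_ensure: '2.4.4'`. Moving from `latest` to a pin also means security releases for this secrets store need a deliberate bump of this key, which deserves a short comment beside it.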
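Review bot: The new defaults in the parameter list of site/profiles/manifests/vault/server.pp conflict when only the package name is overridden: `Boolean $disable_openbao = true` removes the `openbao` package while `$package_name` may itself be `openbao`, which is presumably also the package that Class['vault'] installs. The hieradata in this commit avoids that only by setting `disable_openbao: false` explicitly. Making removal opt-in with `Boolean $disable_openbao = false,` would be the safer default, or the class could fail early when both are set. The three new parameters also have no `@param` documentation; the parameter list starts and ends outside this hunk.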
@@ -51,7 +54,33 @@ class profiles::vault::server (
 }
 }
+ # cleanup openbao?
+ if $disable_openbao {
+ package {'openbao':
+ ensure => absent,
+ before => Class['vault']
+ }
+ package {'openbao-vault-compat':
+ ensure => absent,
+ before => [
+ Class['vault'],
+ Package['openbao']
+ ]
+ }
+ }
+
+ # add versionlock for package_name?
+ if $package_ensure != 'latest' {
+ yum::versionlock{$package_name:
+ ensure => present,
+ version => $package_ensure,
+ before => Class['vault']
+ }
+ }
+
 class { 'vault':
+ package_name => $package_name,
+ package_ensure => $package_ensure,
 manage_service => false,
 manage_storage_dir => $manage_storage_dir,
 enable_ui => true,
--
2.47.3
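Review bot: The guard `if $package_ensure != 'latest'` in site/profiles/manifests/vault/server.pp also matches `present`, `installed` and `absent`, and any of those would then be handed to `yum::versionlock` as `version => $package_ensure`. Match an actual version string instead, for example `if $package_ensure =~ /^\d/ {`. Separately, nothing here removes the lock when a node is switched back to `latest`. Depending on how the yum module manages the lock list, a stale pin could keep this secrets store on an old release and miss security fixes, so that path is worth testing. The class body starts and ends outside the hunk.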