hieradata/roles/infra/storage/vault.yaml

@@ -4,8 +4,9 @@ profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-vault::package_name: openbao
+profiles::vault::server::package_name: openbao
-vault::package_ensure: latest
+profiles::vault::server::package_ensure: 2.4.4
+profiles::vault::server::disable_openbao: false
 
 # additional altnames
 profiles::pki::vault::alt_names:

site/profiles/manifests/vault/server.pp

@@ -6,6 +6,9 @@ class profiles::vault::server (
     Undef
   ]         $members_role   = undef,
   Array     $vault_servers  = [],
+  String        $package_name       = 'vault',
+  String        $package_ensure     = 'latest',
+  Boolean       $disable_openbao    = true,
   Boolean       $tls_disable        = false,
   Stdlib::Port  $client_port        = 8200,
   Stdlib::Port  $cluster_port       = 8201,
@@ -51,7 +54,33 @@ class profiles::vault::server (
       }
     }
 
+    # cleanup openbao?
+    if $disable_openbao {
+      package {'openbao':
+        ensure => absent,
+        before => Class['vault']
+      }
+      package {'openbao-vault-compat':
+        ensure => absent,
+        before => [
+          Class['vault'],
+          Package['openbao']
+        ]
+      }
+    }
+
+    # add versionlock for package_name?
+    if $package_ensure != 'latest' {
+      yum::versionlock{$package_name:
+        ensure  => present,
+        version => $package_ensure,
+        before  => Class['vault']
+      }
+    }
+
     class { 'vault':
+      package_name       => $package_name,
+      package_ensure     => $package_ensure,
       manage_service     => false,
       manage_storage_dir => $manage_storage_dir,
       enable_ui          => true,