diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
new file mode 100644
index 00000000..7a22fa5d
--- /dev/null
+++ b/.github/workflows/commitlint.yml
@@ -0,0 +1,15 @@
+name: Lint Commit Messages
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ commitlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: wagoid/commitlint-github-action@v5
diff --git a/.github/workflows/monthly-snapshot.yml b/.github/workflows/monthly-snapshot.yml
deleted file mode 100644
index b8bef663..00000000
--- a/.github/workflows/monthly-snapshot.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-name: Release Monthly Snapshot
-
-on:
- schedule:
- # Arbitrary time so we're not competing with all of the 0:00 jobs for compute
- # Run at 03:42 on the 1st of every month.
- - cron: "42 3 1 * *"
-
-jobs:
- build:
- name: Release Monthly Snapshot
- runs-on: ubuntu-latest
- steps:
- - name: Get current date
- id: date
- run: echo "DATE=$(date +'%Y.%m.%d')" >> $GITHUB_ENV
- - name: Checkout master Branch
- uses: actions/checkout@v2
- with:
- ref: 'master'
- - name: Create Release
- id: monthly-snapshot
- uses: actions/create-release@latest
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- tag_name: ${{ env.DATE }}
- release_name: "Monthly snapshot for ${{ env.DATE }}"
- draft: false
- prerelease: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..cea990da
--- /dev/null
+++ b/.github/workflows/release.yml
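Review bot: The new commitlint workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository's default permission set although linting commit messages only needs to read the checkout; adding `permissions:` / `contents: read` at the top level of the file keeps the token least-privilege for the `push` trigger (on `pull_request` runs from forks the token is read-only regardless). Both `actions/checkout@v4` and `wagoid/commitlint-github-action@v5` are referenced by mutable major-version tags; pinning third-party actions to a full commit SHA, with the tag kept in a trailing comment, is the usual supply-chain hardening and applies equally to `actions/checkout@v4` and `cycjimmy/semantic-release-action@v4` in release.yml. The `fetch-depth: 0` is needed so the action can lint every commit of a pull request rather than only the merge commit; a one-line comment saying so would stop someone "optimising" it away.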
@@ -0,0 +1,26 @@
+name: Semantic Releaser
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ packages: write
+ pull-requests: write
+
+jobs:
+ semrel:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Semantic Release
+ uses: cycjimmy/semantic-release-action@v4
+ with:
+ extra_plugins: |
+ @semantic-release/changelog@6.0.0
+ @semantic-release/git@10.0.0
+ conventional-changelog-conventionalcommits@4.6.3
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..dedddd18
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,16 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-case-conflict
+ - id: check-symlinks
+ - id: check-json
+ - id: mixed-line-ending
+ args: ["--fix=lf"]
+ - id: no-commit-to-branch
+ args: [--branch, main]
+ - id: pretty-format-json
+ args: [--autofix, --no-sort-keys]
diff --git a/.releaserc.json b/.releaserc.json
new file mode 100644
index 00000000..66b3eefd
--- /dev/null
+++ b/.releaserc.json
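Review bot: `packages: write` is granted to the `semrel` job, but none of the plugins configured here (`@semantic-release/changelog`, `@semantic-release/git`) or in `.releaserc.json` (commit-analyzer, release-notes-generator, github) publishes packages, so that scope looks unused and should be dropped so the release token carries only what `@semantic-release/git` (pushing `CHANGELOG.md` to `main`, `contents: write`) and the `successComment` in `@semantic-release/github` (`pull-requests: write`) need. If that comment is also expected on issues closed by a release, `issues: write` may be required as well — worth confirming against the plugin's documentation before the first run. The `extra_plugins` are pinned to exact versions while the action itself is `cycjimmy/semantic-release-action@v4`; pinning the action to a commit SHA would make the two consistent, since this job is the one that holds write access to the default branch.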
@@ -0,0 +1,45 @@ +{ + "branches": [ + "main", + "master" + ], + "ci": false, + "plugins": [ + [ + "@semantic-release/commit-analyzer", + { + "preset": "conventionalcommits" + } + ], + [ + "@semantic-release/release-notes-generator", + { + "preset": "conventionalcommits" + } + ], + [ + "@semantic-release/github", + { + "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:", + "labels": false, + "releasedLabels": false + } + ], + [ + "@semantic-release/changelog", + { + "changelogFile": "CHANGELOG.md", + "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file." + } + ], + [ + "@semantic-release/git", + { + "assets": [ + "CHANGELOG.md" + ], + "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" + } + ] + ] +} diff --git a/CHANGELOG.md b/CHANGELOG.md index d51465be..2c5fa247 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,7 @@ ## v2.5.5 - become_user vault_user when modifying files in vault_home -## v2.5.4 +## v2.5.4 - New installation instructions ## v2.5.3 diff --git a/Makefile b/Makefile index 668d52cd..6ee7ae9f 100644 --- a/Makefile +++ b/Makefile @@ -6,4 +6,4 @@ help: ## list makefile targets .PHONY: lint lint: ## lint - ansible-lint -c .ansible-lint \ No newline at end of file + ansible-lint -c .ansible-lint diff --git a/README.md b/README.md index e8ff872e..79c8a3e1 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,10 @@ to load any new configuration deployed. ## [Role Variables](role_variables.md) +## Misc + +### [Vault Release Scheme](vault_releases.md) + ## License BSD-2-Clause diff --git a/commitlint.config.js b/commitlint.config.js new file mode 100644 index 00000000..e2b685b1 --- /dev/null +++ b/commitlint.config.js 
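Review bot: `"ci": false` turns off semantic-release's CI environment verification, the check that refuses to publish from an unexpected context such as a pull-request build or a branch other than the configured one; since release.yml already runs only on `push` to `main`, the safeguard costs nothing and the line could simply be removed. Relatedly, `"branches"` lists `"master"` but no workflow in this commit triggers on it, so either that entry is dead configuration or a trigger is missing; the config and the workflow should agree so a reader does not assume releases can also be cut from `master`. A short comment is not possible in JSON, so the reasoning for `"ci": false`, if it is kept, belongs in vault_releases.md or the README.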
@@ -0,0 +1,5 @@ +// commitlint.config.js +module.exports = { + extends: ['@commitlint/config-conventional'], + ignores: [(message) => /^Bumps \[.+]\(.+\) from .+ to .+\.$/m.test(message)], + } diff --git a/defaults/main.yml b/defaults/main.yml index 35bfa16e..dc46b363 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,9 +6,12 @@ # --------------------------------------------------------------------------- # Package variables -vault_version_suffix: "{{ '.hsm' if vault_enterprise_hsm else '' }}" -vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.18.2', true) }}{{ vault_version_suffix }}" -vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}-1" +vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.18.2', true) }}" + +vault_version_release_site_suffix: "{{ '+ent' if vault_enterprise }}{{ '.hsm' if vault_enterprise_hsm }}" +vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}" +vault_version_debian_repo_suffix: "-1" + vault_architecture_map: # this first entry seems... redundant (but it's required for reasons) amd64: amd64 
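Review bot: The `ignores` entry is an undocumented regular expression; a reader has to work out that `^Bumps \[.+]\(.+\) from .+ to .+\.$` appears to be the subject line a dependency-update bot generates, so a comment such as `// Skip "Bumps [pkg](url) from X to Y." dependency-bump commits, which do not follow config-conventional` above it would help. The closing `}` is indented one level deeper than `module.exports`, and the `// commitlint.config.js` header line only repeats the filename; both are style nits a formatter would remove.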
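Review bot: `vault_version_release_site_suffix` and `vault_version_repo_suffix` use Jinja's inline `if` without an `else`, which evaluates to an Undefined when the condition is false; whether that renders as an empty string or aborts with an "evaluated to false and no else section was specified" error depends on the undefined handling in effect, so the explicit form the removed `vault_version_suffix` used — `"{{ '+ent' if vault_enterprise else '' }}{{ '.hsm' if vault_enterprise_hsm else '' }}"` — is the safer spelling. The suffix is also built as if `vault_enterprise_hsm` were independent of `vault_enterprise`, yielding `vault_1.18.2.hsm` when only the HSM flag is set, while vault_releases.md in this commit lists HSM only as an enterprise variant; an `assert` that `vault_enterprise_hsm` implies `vault_enterprise` would turn that into a clear failure instead of a 404. Note that `vault_enterprise` is templated from `VAULT_ENTERPRISE` further down this file and so may be a string, which is why the `| bool` used in tasks/main.yml's `when:` clauses belongs here too.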
@@ -17,10 +20,13 @@ vault_architecture_map: aarch64: arm64 vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}" vault_os: "{{ ansible_system | lower }}" -vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip" -vault_shasums: "vault_{{ vault_version }}_SHA256SUMS" -vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip" -vault_checksum_file_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_SHA256SUMS" + +vault_pkg_stub: "vault_{{ vault_version }}{{ vault_version_release_site_suffix }}" +vault_pkg: "{{ vault_pkg_stub }}_{{ vault_os }}_{{ vault_architecture }}.zip" +vault_shasums: "{{ vault_pkg_stub }}_SHA256SUMS" +vault_url_stub: "https://releases.hashicorp.com/vault/{{ vault_version }}{{ vault_version_release_site_suffix }}" +vault_zip_url: "{{ vault_url_stub }}/{{ vault_pkg }}" +vault_checksum_file_url: "{{ vault_url_stub }}/{{ vault_shasums }}" vault_repository_url: "{{ _vault_repository_url | default() }}" vault_repository_key_url: "{{ _vault_repository_key_url | default() }}" vault_rhsm_subscription_name: 
@@ -289,8 +295,8 @@ vault_tls_certs_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/ vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}" vault_tls_src_files: "{{ lookup('env', 'VAULT_TLS_SRC_FILES') | default(role_path ~ '/files', true) }}" -vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(1, true) }}" -vault_tls_gossip: "{{ lookup('env', 'VAULT_TLS_GOSSIP') | default(0, true) }}" +vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(true, true) }}" +vault_tls_gossip: "{{ lookup('env', 'VAULT_TLS_GOSSIP') | default(false, true) }}" vault_tls_copy_keys: "{{ false if (vault_install_hashi_repo) else true }}" vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}" @@ -385,8 +391,6 @@ vault_entropy_seal: false # --------------------------------------------------------------------------- vault_enterprise: "{{ lookup('env', 'VAULT_ENTERPRISE') | default(false, true) }}" -vault_enterprise_pkg: "vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip" -vault_enterprise_shasums: "vault-enterprise_{{ vault_version }}_SHA256SUMS" # Manage enterprise license file with this role vault_configure_enterprise_license: false diff --git a/examples/README_VAGRANT.md b/examples/README_VAGRANT.md index 2c9a6495..4bc38719 100644 --- a/examples/README_VAGRANT.md +++ b/examples/README_VAGRANT.md @@ -82,4 +82,4 @@ If you notice an error like *vm: The '' provisioner could not be found.* make su 7. http://www.vagrantup.com/ 8. https://www.virtualbox.org/ 9. https://github.com/adrienthebo/vagrant-hosts -10. https://vagrant-libvirt.github.io/vagrant-libvirt \ No newline at end of file +10. https://vagrant-libvirt.github.io/vagrant-libvirt diff --git a/examples/bin/preinstall b/examples/bin/preinstall index 2752f83d..fdea71b2 100755 --- a/examples/bin/preinstall +++ b/examples/bin/preinstall 
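Review bot: The defaults change from `0`/`1` to `true`/`false`, but the unchanged `vault_protocol` line directly below still tests `{% if vault_tls_disable %}` without `| bool`, while tasks/main.yml in this commit switches its conditions to `not vault_tls_disable | bool`; when `VAULT_TLS_DISABLE` is supplied through the environment the variable is a string, and a non-empty string such as `"false"` or `"no"` is truthy in a bare Jinja `if`, so the scheme could come out as `http` although the TLS tasks run. Changing that line to `vault_protocol: "{% if vault_tls_disable | bool %}http{% else %}https{% endif %}"` makes both places agree. As `vault_protocol` presumably feeds the addresses the role hands to Vault and its clients, a mismatch here downgrades the scheme silently rather than failing, so it is worth closing in the same change.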
@@ -50,4 +50,4 @@ function add_host { fi } -add_host \ No newline at end of file +add_host diff --git a/molecule/centos-stream-9-enterprise/molecule.yml b/molecule/centos-stream-9-enterprise/molecule.yml new file mode 100644 index 00000000..7d7df29c --- /dev/null +++ b/molecule/centos-stream-9-enterprise/molecule.yml @@ -0,0 +1,32 @@ +--- +platforms: + - name: centos-stream-9 + groups: + - vault_raft_servers + image: dokken/centos-stream-9 + pre_build_image: true + command: /lib/systemd/systemd + privileged: true + cgroup_parent: docker.slice + - name: centos-stream-9_repo + groups: + - vault_raft_servers + image: dokken/centos-stream-9 + pre_build_image: true + command: /lib/systemd/systemd + privileged: true + cgroup_parent: docker.slice + +provisioner: + inventory: + host_vars: + centos-stream-9: + vault_disable_api_health_check: true + vault_enterprise: true + vault_install_hashi_repo: false + centos-stream-9_repo: + vault_disable_api_health_check: true + vault_enterprise: true + vault_install_hashi_repo: true + vault_bin_path: /usr/bin + vault_group: vault diff --git a/molecule/debian-11-enterprise/molecule.yml b/molecule/debian-11-enterprise/molecule.yml new file mode 100644 index 00000000..f9506f57 --- /dev/null +++ b/molecule/debian-11-enterprise/molecule.yml 
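Review bot: Both new enterprise scenarios (this file and molecule/debian-11-enterprise/molecule.yml) set `vault_enterprise: true`, and the verify.yml change in this commit skips every Goss check when the scenario directory contains `enterprise`, so these scenarios only prove the install path and never exercise a running Vault. That is a reasonable trade-off without a license, but it should be stated in the scenario file, e.g. `# Enterprise Vault does not start without a license; molecule/verify.yml skips the Goss checks for this scenario` above `platforms:`. `privileged: true` together with `command: /lib/systemd/systemd` and `cgroup_parent: docker.slice` is the usual recipe for running systemd inside a test container; a one-line comment saying so would save the next reader from treating it as an accidental privilege grant.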
@@ -0,0 +1,32 @@
+---
+platforms:
+ - name: debian-11
+ groups:
+ - vault_raft_servers
+ image: dokken/debian-11
+ pre_build_image: true
+ command: /lib/systemd/systemd
+ privileged: true
+ cgroup_parent: docker.slice
+ - name: debian-11_repo
+ groups:
+ - vault_raft_servers
+ image: dokken/debian-11
+ pre_build_image: true
+ command: /lib/systemd/systemd
+ privileged: true
+ cgroup_parent: docker.slice
+
+provisioner:
+ inventory:
+ host_vars:
+ debian-11:
+ vault_disable_api_health_check: true
+ vault_enterprise: true
+ vault_install_hashi_repo: false
+ debian-11_repo:
+ vault_disable_api_health_check: true
+ vault_enterprise: true
+ vault_install_hashi_repo: true
+ vault_bin_path: /usr/bin
+ vault_group: vault
diff --git a/molecule/verify.yml b/molecule/verify.yml
index ca8226d6..be22d216 100644
--- a/molecule/verify.yml
+++ b/molecule/verify.yml
@@ -10,46 +10,54 @@ goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}" goss_test_directory: /tmp goss_format: tap + enterprise: "{{ 'enterprise' in lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}" tasks: - - name: Download and install Goss - get_url: - url: "{{ goss_url }}" - dest: "{{ goss_dst }}" - checksum: "sha256:{{ goss_sha256sum }}" - mode: 0755 - register: download_goss - until: download_goss is succeeded - retries: 3 + - name: Check if enterprise + ansible.builtin.debug: + msg: "Verification is skipped because vault enterprise does not start without license" + when: enterprise + - name: Verify tasks + when: not enterprise + block: + - name: Download and install Goss + get_url: + url: "{{ goss_url }}" + dest: "{{ goss_dst }}" + checksum: "sha256:{{ goss_sha256sum }}" + mode: 0755 + register: download_goss + until: download_goss is succeeded + retries: 3 - - name: Copy Goss tests to remote - template: - src: "{{ item }}" - dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}" - mode: 0644 - with_fileglob: - - "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2" + - name: Copy Goss tests to remote + template: + src: "{{ item }}" + dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}" + mode: 0644 + with_fileglob: + - "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2" - - name: Register test files - shell: "ls {{ goss_test_directory }}/test_*.yml" - changed_when: false - register: test_files + - name: Register test files + shell: "ls {{ goss_test_directory }}/test_*.yml" + changed_when: false + register: test_files - - name: Execute Goss tests - environment: - # yamllint disable-line rule:line-length - PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' - command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}" - changed_when: false - register: 
test_results - with_items: "{{ test_files.stdout_lines }}" + - name: Execute Goss tests + environment: + # yamllint disable-line rule:line-length + PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' + command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}" + changed_when: false + register: test_results + with_items: "{{ test_files.stdout_lines }}" - - name: Display details about the Goss results - debug: - msg: "{{ item.stdout_lines }}" - with_items: "{{ test_results.results }}" + - name: Display details about the Goss results + debug: + msg: "{{ item.stdout_lines }}" + with_items: "{{ test_results.results }}" - - name: Fail when tests fail - fail: - msg: "Goss failed to validate" - when: item.rc != 0 - with_items: "{{ test_results.results }}" + - name: Fail when tests fail + fail: + msg: "Goss failed to validate" + when: item.rc != 0 + with_items: "{{ test_results.results }}" diff --git a/role_variables.md b/role_variables.md index afcfbd87..e0f6630e 100644 --- a/role_variables.md +++ b/role_variables.md @@ -1120,7 +1120,7 @@ variable. Attempts to download the package from `vault_zip_url` if zip is not fo Since v2.5.9 of this role you can also install Vault Enterprise via the HashiCorp Repo. In order to install Vault Enterprise via the HashiCorp Repo, set `vault_install_hashi_repo: true*` as well as `vault_enterprise: true`. -**Warning:** Non-Enterprise Package will be removed if already installed and vault_enterprise is set to *true* and vice versa. +**Warning:** Non-Enterprise Package will be removed if already installed and vault_enterprise is set to *true* and vice versa. # Vault Enterprise with HSM diff --git a/tasks/install.yml b/tasks/install.yml index 3f8db106..6e3e2a7b 100644 --- a/tasks/install.yml +++ b/tasks/install.yml 
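Review bot: `enterprise` is decided by a substring test, `'enterprise' in lookup('env', 'MOLECULE_SCENARIO_DIRECTORY')`, on the full scenario path, so any checkout whose parent directories contain the word `enterprise` would skip verification for every scenario; testing only the last path component, `'enterprise' in (lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') | basename)`, limits the match to the scenario name. When the skip fires the play still ends successfully, so in CI output an enterprise scenario is indistinguishable from a passing one apart from the debug line; including the scenario name in that message, or ending the play explicitly, would make the skipped coverage visible. The re-indented `mode: 0755` and `mode: 0644` are unquoted octal literals, which ansible-lint flags and YAML 1.1 parsers read as decimal integers; `mode: "0755"` is the conventional, portable spelling.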
@@ -33,7 +33,8 @@ get_url: url: "{{ vault_zip_url }}" dest: "{{ role_path }}/files/{{ vault_pkg }}" - checksum: "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + vault_pkg + '$') | first).split()[0] }}" + checksum: + "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + (vault_pkg | regex_escape()) + '$') | first).split()[0] }}" timeout: "42" mode: "0644" become: "{{ vault_privileged_install }}" diff --git a/tasks/install_enterprise.yml b/tasks/install_enterprise.yml deleted file mode 100644 index c15522e9..00000000 --- a/tasks/install_enterprise.yml +++ /dev/null 
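Review bot: The download is still only integrity-checked against the `SHA256SUMS` file fetched from the same origin as the archive, so a substituted archive plus a matching substituted checksum file would pass; the release site also publishes `SHA256SUMS.sig` (vault_releases.md in this commit lists it), and verifying that signature against the vendor's published release key before trusting the checksum would make this step authenticate the file rather than merely match it. Independently, when no line matches the escaped `vault_pkg` the `| first` filter raises, which is the right fail-closed behaviour but produces an opaque error; an `assert` on the lookup result with a message naming `vault_pkg` and `vault_checksum_file_url` would make a renamed asset easy to diagnose. The `checksum:` value now continues on the next line as a quoted scalar, which is valid YAML but easy to misread as a nested key; a `>-` folded block would make the intent explicit.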
@@ -1,82 +0,0 @@ ---- -# File: tasks/install_enterprise.yml -# Vault Enterprise package installation tasks - -- name: OS packages - package: - name: "{{ vault_os_packages }}" - state: present - update_cache: true - tags: installation - -- name: "[Enterprise] Check vault_enterprise_shasums (local)" - stat: - path: "{{ role_path }}/files/{{ vault_enterprise_shasums }}" - become: false - run_once: true - register: vault_checksum - delegate_to: 127.0.0.1 - -- name: "[Enterprise] Get SHA SUM from {{ role_path }}/files/{{ vault_enterprise_shasums }} (local)" - shell: | - set -o pipefail - grep "{{ vault_enterprise_pkg }}" "{{ role_path }}/files/{{ vault_enterprise_shasums }}" | awk '{print $1}' - args: - executable: /bin/bash - become: false - run_once: true - register: vault_sha256 - tags: - - installation - - skip_ansible_lint - delegate_to: 127.0.0.1 - -- name: "[Enterprise] Check vault_enterprise_pkg (local)" - stat: - path: "{{ role_path }}/files/{{ vault_enterprise_pkg }}" - become: false - run_once: true - register: vault_package - delegate_to: 127.0.0.1 - -- name: "[Enterprise] Download vault (local)" - get_url: - url: "{{ vault_zip_url }}/{{ vault_enterprise_pkg }}" - dest: "{{ role_path }}/files/{{ vault_enterprise_pkg }}" - checksum: sha256:{{ vault_sha256.stdout }} - timeout: 42 - mode: "0644" - become: false - run_once: true - tags: installation - when: not vault_package.stat.exists | bool - delegate_to: 127.0.0.1 - -- name: "[Enterprise] Unzip vault_enterprise_pkg (local)" - unarchive: - src: "{{ role_path }}/files/{{ vault_enterprise_pkg }}" - dest: "{{ role_path }}/files/" - creates: "{{ role_path }}/files/vault" - become: false - run_once: true - tags: installation - delegate_to: 127.0.0.1 - -- name: "[Enterprise] Install version {{ vault_version }}" - copy: - src: "{{ role_path }}/files/vault" - dest: "{{ vault_bin_path }}" - owner: "{{ vault_user }}" - group: "{{ vault_group }}" - mode: "0755" - notify: Restart vault - tags: installation - -- name: 
"[Enterprise] Remove temporary vault installer files from role path" - file: - path: "{{ item }}" - state: "absent" - become: false - with_fileglob: "{{ role_path }}/files/vault" - run_once: true - tags: installation diff --git a/tasks/install_hashi_repo.yml b/tasks/install_hashi_repo.yml index 79b5c95b..ddbca5b8 100644 --- a/tasks/install_hashi_repo.yml +++ b/tasks/install_hashi_repo.yml @@ -71,18 +71,18 @@ state: absent become: true -- name: Install Vault package +- name: "Install Vault package {{ _vault_repo_pkg }}" package: name: "{{ _vault_repo_pkg }}" state: present become: true vars: _vault_repo_pkg: "{% if (ansible_pkg_mgr in ['yum', 'dnf']) %}\ - vault-{{ 'enterprise-' if (vault_enterprise | bool) else '' }}{{ vault_version }}{{ vault_version_repo_suffix }}\ + vault{{ '-enterprise' if vault_enterprise }}-{{ vault_version }}{{ vault_version_repo_suffix }}\ {% elif (ansible_pkg_mgr == 'apt') %}\ - vault{{ '-enterprise' if (vault_enterprise | bool) else '' }}={{ vault_version }}{{ vault_version_repo_suffix }}\ + vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}{{ vault_version_debian_repo_suffix }}\ {% else %}\ - vault{{ '-enterprise' if (vault_enterprise | bool) else '' }}={{ vault_version }}{{ vault_version_repo_suffix }}\ + vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}\ {% endif %}" notify: Restart vault diff --git a/tasks/main.yml b/tasks/main.yml index 799e4d6b..aa3b2480 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
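Review bot: The rewritten `_vault_repo_pkg` drops the `| bool` that the removed lines applied to `vault_enterprise`; that variable is templated from `lookup('env', 'VAULT_ENTERPRISE')` in defaults/main.yml, so it may arrive as a string, and a non-empty string such as `"false"` or `"no"` is truthy in `'-enterprise' if vault_enterprise` and would select the enterprise package. Restoring `'-enterprise' if vault_enterprise | bool` on all three branches, and the same `| bool` in the `installation_required` expression in tasks/main.yml, keeps the previous semantics. As far as the hunk shows, the repository package name never gains an `-hsm` part even though `vault-enterprise-hsm` exists in both repositories per vault_releases.md, so `vault_enterprise_hsm: true` combined with `vault_install_hashi_repo: true` would install the non-HSM build silently; either extend `_vault_repo_pkg` or `assert` that the combination is unsupported.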
@@ -51,20 +51,11 @@ - name: Compute if installation is required set_fact: - installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version }}" - -- name: Install OS packages and Vault Enterprise via control host - include_tasks: install_enterprise.yml - when: - - vault_enterprise | bool - - not vault_install_remotely | bool - - not vault_install_hashi_repo | bool - - installation_required | bool + installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version~('+ent' if vault_enterprise) }}" - name: Install OS packages and Vault via control host include_tasks: install.yml when: - - not vault_enterprise | bool - not vault_install_remotely | bool - not vault_install_hashi_repo | bool - installation_required | bool @@ -130,11 +121,11 @@ - name: TLS configuration include_tasks: ../tasks/tls.yml - when: vault_tls_disable == 0 + when: not vault_tls_disable | bool - name: Backend storage TLS configuration include_tasks: ../tasks/backend_tls.yml - when: vault_tls_gossip == 1 + when: vault_tls_gossip | bool - name: "Get content of GCP Credentials from file" set_fact: diff --git a/templates/vault_backend_dynamodb.j2 b/templates/vault_backend_dynamodb.j2 index 62caf45d..3a67c0c1 100644 --- a/templates/vault_backend_dynamodb.j2 +++ b/templates/vault_backend_dynamodb.j2 @@ -30,4 +30,3 @@ backend "dynamodb" { session_token = "{{ vault_dynamodb_session_token }}" {% endif %} } - diff --git a/templates/vault_backend_etcd.j2 b/templates/vault_backend_etcd.j2 index 89e1e30b..3edfcf20 100644 --- a/templates/vault_backend_etcd.j2 +++ b/templates/vault_backend_etcd.j2 @@ -20,4 +20,3 @@ backend "etcd" { tls_key_file = "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}" {% endif -%} } - diff --git a/templates/vault_seal_gcpkms.j2 b/templates/vault_seal_gcpkms.j2 index c8a6ee3c..e6189a08 100644 --- a/templates/vault_seal_gcpkms.j2 +++ b/templates/vault_seal_gcpkms.j2 
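Review bot: `installation_required` now compares the installed version with `vault_version~('+ent' if vault_enterprise)`, which inherits the `| bool`-less truthiness test raised on install_hashi_repo.yml and also omits the `.hsm` component that `vault_version_release_site_suffix` in defaults/main.yml appends; if the installed binary reports its HSM suffix the comparison would differ on every run and trigger a reinstall, and if it does not the reverse happens — worth checking against the version string an HSM build prints. Since `vault_version_release_site_suffix` already exists, `installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version ~ vault_version_release_site_suffix }}"` expresses the intent with one source of truth. The `| bool` conditions in the second hunk are the right replacement for the `== 0` / `== 1` comparisons; `not vault_tls_disable | bool` parses as `not (vault_tls_disable | bool)`, which is what is wanted here.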
@@ -6,4 +6,4 @@ seal "gcpckms" { region = "{{ vault_gkms_region }}" key_ring = "{{ vault_gkms_key_ring }}" crypto_key = "{{ vault_gkms_crypto_key }}" -} \ No newline at end of file +} diff --git a/vault_releases.md b/vault_releases.md new file mode 100644 index 00000000..6af215b7 --- /dev/null +++ b/vault_releases.md 
@@ -0,0 +1,86 @@ +# Vault Releases + +From the [official release channels](https://www.hashicorp.com/official-release-channels), +this role supports [Linux Repositories](https://www.hashicorp.com/official-packaging-guide) +and the [Release Site](https://releases.hashicorp.com). + +The enterprise edition comes with optional support for +[HSM](https://developer.hashicorp.com/vault/docs/enterprise/hsm) +and/or [FIPS](https://developer.hashicorp.com/vault/docs/enterprise/fips). + +## Release Site + +The file format of the release site is as follows: +``` +https://releases.hashicorp.com/vault/1.18.2/vault_1.18.2_linux_amd64.zip +https://releases.hashicorp.com/vault/1.18.2+ent/vault_1.18.2+ent_linux_amd64.zip +https://releases.hashicorp.com/vault/1.18.2+ent.hsm/vault_1.18.2+ent.hsm_linux_amd64.zip +https://releases.hashicorp.com/vault/1.18.1+ent.hsm.fips1402/vault_1.18.1+ent.hsm.fips1402_linux_amd64.zip +``` + +The checksum files follow the same naming scheme: +``` +https://releases.hashicorp.com/vault/1.18.2+ent.hsm.fips1402/vault_1.18.2+ent.hsm.fips1402_SHA256SUMS +https://releases.hashicorp.com/vault/1.18.2+ent.hsm.fips1402/vault_1.18.2+ent.hsm.fips1402_SHA256SUMS.sig +https://releases.hashicorp.com/vault/1.18.2+ent.hsm.fips1402/vault_1.18.2+ent.hsm.fips1402_SHA256SUMS.72D7468F.sig +``` + +We see that the directory and filename of the enterprise edition +contains `+ent`, and HSM and FIPS are separated with `.hsm` and +`.fips1402`, respectively. 
+ +## Linux Repositories + +### Debian + +``` +$ apt-cache show $(apt-cache search vault | awk '{print $1}') | grep -E 'Package|Maintainer' | grep HashiCorp -B1 | grep Package | sort -u +Package: consul-template +Package: envconsul +Package: vault +Package: vault-benchmark +Package: vault-enterprise +Package: vault-enterprise-fips1402 +Package: vault-enterprise-hsm +Package: vault-enterprise-hsm-fips1402 +Package: vault-radar +Package: vault-secrets-gateway +``` + +``` +$ apt-cache madison vault-enterprise +vault-enterprise | 1.18.2+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages +vault-enterprise | 1.18.1+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages +vault-enterprise | 1.18.0+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages +vault-enterprise | 1.17.9+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages +... +``` + +To install a specific version of a package, the version is added to the package name with a `=`, e.g.: +``` +$ apt-get install vault-enterprise=1.18.2+ent-1 +``` +The trailing `-1` is mandatory. + +### RPM + +The format of the package name and version for RPM is: +``` +$ dnf list available | grep hashicorp | grep vault +vault.x86_64 1.18.2-1 hashicorp +vault-benchmark.x86_64 0.3.0-1 hashicorp +vault-enterprise.i386 1.9.4+ent-1 hashicorp +vault-enterprise.armv7hl 1.11.2+ent-1 hashicorp +vault-enterprise.x86_64 1.18.2+ent-1 hashicorp +vault-enterprise-fips1402.x86_64 1.18.2+ent-1 hashicorp +vault-enterprise-hsm.x86_64 1.18.2+ent-1 hashicorp +vault-enterprise-hsm-fips1402.x86_64 1.18.2+ent-1 hashicorp +vault-radar.x86_64 0.19.0-1 hashicorp +vault-secrets-gateway.x86_64 0.1.5-1 hashicorp +``` + +To install a specific version of a package, the version is added to the package name with a `-`, e.g.: +``` +$ dnf install vault-enterprise-1.18.2+ent +``` +Notice that, different to the Debian package, the trailing `-1` is not required.