1 change: 1 addition & 0 deletions manifests/config.pp
Expand Up @@ -35,6 +35,7 @@
owner => $::vault::user,
group => $::vault::group,
mode => $::vault::config_mode,
notify => Class['vault::service'],

Owner

Can you please split this out into its own commit as it addresses a different issue.

Contributor Author

I don't really understand why it should be a different commit, as when you update the binary you need to restart the service. I can do it, just want to understand why :)

It’d be good to have this in its own commit b/c it addresses a different new/changed functionality. Just in case it needs to be reverted separately from the addition of versioned installs.

}

# If using the file storage then the path must exist and be readable
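
Review bot: the notify => Class['vault::service'] added to the config file resource is unconditional, so every change to the rendered configuration now triggers a refresh of vault::service, and nothing in the visible lines lets a consumer opt out. Consider gating it on a class parameter (a hypothetical boolean such as restart_on_config_change) and adding a spec expectation that the config file notifies Class[vault::service]; the spec hunks in this change only assert that_notifies on Exec[install_versioned_vault].
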
49 changes: 33 additions & 16 deletions manifests/install.pp
@@ -1,29 +1,46 @@
# == Class vault::install
#
class vault::install {

$vault_bin = "${::vault::bin_dir}/vault"

case $::vault::install_method {
'archive': {
if $::vault::manage_download_dir {
file { $::vault::download_dir:
ensure => directory,
}
'archive': {
if $::vault::manage_download_dir {
file { $::vault::download_dir:
ensure => directory,
}
}

archive { "${::vault::download_dir}/${::vault::download_filename}":
ensure => present,
extract => true,
extract_path => $::vault::bin_dir,
source => $::vault::real_download_url,
cleanup => true,
creates => $vault_bin,
before => File['vault_binary'],
}
$_manage_file_capabilities = true
$_vault_versioned_bin = "/opt/vault-${::vault::version}/vault"

file { "/opt/vault-${::vault::version}":
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}

$_manage_file_capabilities = true
archive { "${::vault::download_dir}/${::vault::download_filename}":
ensure => present,
extract => true,
extract_path => "/opt/vault-${::vault::version}",
source => $::vault::real_download_url,
cleanup => true,
creates => $_vault_versioned_bin,
before => File['vault_binary'],
notify => Exec['install_versioned_vault'],
}

exec { 'install_versioned_vault':
command => "/bin/cp -f ${_vault_versioned_bin} ${vault_bin}",

Owner

Any reason to do a cp instead of a symlink? This approach was discussed in #63 but I can't recall the specifics of if it was/wasn't feasible.

Contributor Author

I tried with a symlink. But the issue is that you can't set the file_capabilities on a symlink. Keeping to the symlink path meant changing the code in other places. This was the easiest way to introduce this functionality.

@rgevaert symlinks are pass-through, so whatever they link to is the mode in play.

E.g., if you symlink ${_vault_versioned_bin}${vault_bin}, whatever mode is assigned to ${vault_bin} will be the mode used.

So this is probably cleaner done as a symlink:

file { $vault_bin:
  ensure => link,
  target => $_vault_versioned_bin,
  notify => Class['vault::service'],
}

And let whatever mode the actual bin has be the mode in play. If it needs to be set, I believe you’ll want to do that in the Archive["${::vault::download_dir}/${::vault::download_filename}"] resource above.

Contributor Author

TBH I tried that first but had issues like mentioned before. If someone else has time to pick it up, please do.


Using a symlink will throw an error when setting mlock on the $vault_bin, which is done at:

  file => $vault_bin,

A way to fix this would be to reference $_vault_versioned_bin instead.

refreshonly => true,
notify => Class['vault::service'],
}

}

'repo': {
package { $::vault::package_name:
ensure => $::vault::package_ensure,
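
Review bot: Exec['install_versioned_vault'] is refreshonly and its only trigger is the archive resource, which is guarded by creates => $_vault_versioned_bin, so when /opt/vault-${::vault::version}/vault is already on disk (a roll back to a version installed earlier, or a run interrupted after extraction but before the copy) the archive is treated as already in place and ${vault_bin} is never updated. Replace refreshonly with a guard that compares the two files, for example an unless that runs cmp -s on ${_vault_versioned_bin} and ${vault_bin}, so the copy converges on state rather than on an event. The /opt prefix is also written out three times in this hunk; a single variable or class parameter would keep the directory, extract_path and creates in step.
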
Expand All @@ -37,7 +54,7 @@
}

file { 'vault_binary':
path => $vault_bin,
path => $vault_bin,
owner => 'root',
group => 'root',
mode => '0755',
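
Review bot: nothing orders File['vault_binary'] after Exec['install_versioned_vault'], which is now the resource that writes $vault_bin; only the archive declares before => File['vault_binary']. Puppet may therefore apply owner, group and mode before the copy has run. Add before => File['vault_binary'] to the exec, or require => Exec['install_versioned_vault'] on this resource in the archive case.
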
16 changes: 15 additions & 1 deletion spec/classes/vault_spec.rb
Expand Up @@ -147,16 +147,29 @@
it {
is_expected.to contain_archive('/tmp/vault.zip').
that_comes_before('File[vault_binary]')
is_expected.to contain_file('/opt/vault-1.4.2').
with_ensure('directory').
with_owner('root').
with_group('root').
with_mode('0755')
}

context 'when installed with default download options' do
let(:params) do
super().merge(version: '0.7.0')
super().merge(
version: '0.7.0',
)
end

it {
is_expected.to contain_file('/opt/vault-0.7.0')
is_expected.to contain_archive('/tmp/vault.zip').
with_source('https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip')
# A regex is used to validate the command because vault bin_dir is OS specific
is_expected.to contain_exec('install_versioned_vault').
with_command(%r{/bin/cp -f /opt/vault-0.7.0/vault /[\w/]+/vault}).
with_refreshonly(true).
that_notifies(['Class[vault::service]'])
}
end
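
Review bot: contain_file('/opt/vault-1.4.2') in the first it block hard-codes a version that no visible params set, so it presumably tracks the module default and will fail the next time that default is bumped. Set version explicitly in that context or build the expected path from the same value. The archive expectation in the 0.7.0 context still checks only with_source; adding with_extract_path('/opt/vault-0.7.0') and with_creates('/opt/vault-0.7.0/vault') would cover the parameters the manifest change actually altered.
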

Expand All @@ -171,6 +184,7 @@
end

it {
is_expected.to contain_file('/opt/vault-0.6.0')
is_expected.to contain_archive('/tmp/vault.zip').
with_source('http://my_site.example.com/vault/0.6.0/vaultbinary_0.6.0_linux_amd64.tar.gz')
}
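
Review bot: the custom download URL context only asserts that File['/opt/vault-0.6.0'] is in the catalogue; it does not check Exec['install_versioned_vault'], whose command is the part that changes with the version. Add a contain_exec('install_versioned_vault') expectation with a with_command matcher for /opt/vault-0.6.0/vault, mirroring the regex used in the 0.7.0 context.
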