Merge pull request #20 from Roblox/update_license_installation

Enable enterprise Vault upgrades

.kitchen.yml

@@ -32,6 +32,27 @@ suites:
       <<: *default-provisioner
       attributes:
         hashicorp-vault:
-          version: 1.8.4
           config:
             unauthenticated_metrics_access: true
+  - name: test_license
+    provisioner:
+      <<: *default-provisioner
+      attributes:
+        hashicorp-vault:
+          license_content: <%= ENV['VAULT_LICENSE'] %>
+  - name: test_license_external_ent
+    provisioner:
+      <<: *default-provisioner
+      attributes:
+        hashicorp-vault:
+          enterprise: true
+          license_content: <%= ENV['VAULT_LICENSE'] %>
+  - name: test_license_internal_ent
+    provisioner:
+      <<: *default-provisioner
+      attributes:
+        hashicorp-vault:
+          archive_url_root: "cdn.aws.robloxlabs.com"
+          enterprise: true
+          use_internal_repos: true
+          license_content: <%= ENV['VAULT_LICENSE'] %>

attributes/default.rb

@@ -12,13 +12,15 @@
 default['hashicorp-vault']['service_user'] = 'vault'
 default['hashicorp-vault']['service_group'] = 'vault'
 
-default['hashicorp-vault']['version'] = '1.6.1'
+default['hashicorp-vault']['version'] = '1.8.5'
 
 default['hashicorp-vault']['archive_url_root'] = 'releases.hashicorp.com'
 
 default['hashicorp-vault']['enterprise'] = false
+default['hashicorp-vault']['use_internal_repos'] = false
 
 default['hashicorp-vault']['config']['path'] = '/etc/vault/vault.json'
+default['hashicorp-vault']['config']['license_path'] = '/etc/vault/vault_license.hclic'
 default['hashicorp-vault']['config']['address'] = '127.0.0.1:8200'
 default['hashicorp-vault']['config']['log_level'] = 'info'
 default['hashicorp-vault']['config']['tls_cert_file'] = '/etc/vault/ssl/certs/vault.crt'

libraries/vault_installation.rb

@@ -37,6 +37,11 @@ class VaultInstallation < Chef::Resource
       # @return [boolean]
       attribute(:enterprise, equal_to: [true, false])
 
+      # @!attribute use_internal_repos
+      # Install using internal repos or not
+      # @return [boolean]
+      attribute(:use_internal_repos, equal_to: [true, false])
+
       def vault_program
         @program ||= provider_for_action(:vault_program).vault_program
       end

libraries/vault_installation_binary.rb

@@ -33,7 +33,13 @@ def self.default_inversion_options(node, new_resource)
         archive_basename = binary_basename(node, new_resource)
         super.merge(
           version: new_resource.version,
-          archive_url: format(default_archive_url, archive_url_root: node['hashicorp-vault']['archive_url_root'], version: new_resource.version, basename: archive_basename),
+          archive_url: format(
+              default_archive_url,
+              archive_url_root: node['hashicorp-vault']['archive_url_root'],
+              version: new_resource.version,
+              ent_terminal: new_resource.enterprise ? !new_resource.use_internal_repos ? "%%2bent": "" : "",
+              basename: archive_basename
+          ),
           archive_basename: archive_basename,
           archive_checksum: binary_checksum(node, new_resource),
           extract_to: '/opt/vault'
@@ -82,13 +88,21 @@ def vault_program
       end
 
       def self.default_archive_url
-        "https://%{archive_url_root}/vault/%{version}/%{basename}" # rubocop:disable Style/StringLiterals
+        "https://%{archive_url_root}/vault/%{version}%{ent_terminal}/%{basename}" # rubocop:disable Style/StringLiterals
       end
 
       def self.binary_basename(node, resource)
-        filename = resource.enterprise ? 'vault-enterprise' : 'vault'
-        # %2b is +, and %% is required because of call to format()
-        version = resource.enterprise ? "#{resource.version}%%2bprem" : resource.version
+        filename = 'vault'
+        version = resource.version
+        if resource.enterprise
+          if resource.use_internal_repos
+            filename = 'vault-enterprise'
+            # %2b is +, and %% is required because of call to format()
+            version = "#{resource.version}%%2bprem"
+          else
+            version = "#{resource.version}%%2bent"
+          end
+        end
 
         case node['kernel']['machine']
         when 'x86_64', 'amd64' then [filename, version, node['os'], 'amd64'].join('_')

recipes/default.rb

@@ -14,18 +14,37 @@
     node['hashicorp-vault']['installation'].each_pair { |k, v| r.send(k, v) }
   end
   r.send('enterprise', node['hashicorp-vault']['enterprise'])
+  r.send('use_internal_repos', node['hashicorp-vault']['use_internal_repos'])
 end
 
 config = vault_config node['hashicorp-vault']['config']['path'] do |r|
   owner node['hashicorp-vault']['service_user']
   group node['hashicorp-vault']['service_group']
 
   if node['hashicorp-vault']['config']
-    node['hashicorp-vault']['config'].each_pair { |k, v| r.send(k, v) }
+    node['hashicorp-vault']['config'].each_pair do |k, v|
+      if k == "license_path" and !node['hashicorp-vault']['license_content']
+        next
+      end
+      r.send(k, v)
+    end
   end
+
   notifies :reload, "vault_service[#{node['hashicorp-vault']['service_name']}]", :delayed
 end
 
+if node['hashicorp-vault']['license_content']
+  file node['hashicorp-vault']['config']['license_path'] do
+    content node['hashicorp-vault']['license_content']
+    owner node['hashicorp-vault']['service_user']
+    group node['hashicorp-vault']['service_group']
+    sensitive true
+    notifies :reload, "vault_service[#{node['hashicorp-vault']['service_name']}]", :delayed
+  end
+else
+  node.default['hashicorp-vault']['config'].delete('license_path')
+end
+
 vault_service node['hashicorp-vault']['service_name'] do |r|
   user node['hashicorp-vault']['service_user']
   group node['hashicorp-vault']['service_group']

test/integration/default/inspec/default_spec.rb

@@ -1,4 +1,4 @@
-describe file('/opt/vault/1.6.1/vault') do
+describe file('/opt/vault/1.8.5/vault') do
   it { should be_file }
   it { should be_executable }
 end

test/integration/test_license/inspec/default_spec.rb

@@ -0,0 +1,34 @@
+describe file('/opt/vault/1.8.5/vault') do
+  it { should be_file }
+  it { should be_executable }
+end
+
+describe group('vault') do
+  it { should exist }
+end
+
+describe user('vault') do
+  it { should exist }
+end
+
+describe file('/etc/vault/vault.json') do
+  its('mode') { should eq 0640 }
+  it { should be_file }
+  it { should be_owned_by 'vault' }
+  it { should be_grouped_into 'vault' }
+  its('content') { should match /.*log_level.*/ }
+  its('content') { should match /.*license_path.*/}
+end
+
+describe file('/etc/vault/vault_license.hclic') do
+  it {should exist}
+  it {should be_file}
+  it { should be_owned_by 'vault' }
+  it { should be_grouped_into 'vault' }
+end
+
+describe service('vault') do
+  it { should be_installed }
+  it { should be_enabled }
+  it { should be_running }
+end

test/integration/test_license_external_ent/inspec/default_spec.rb

@@ -0,0 +1,34 @@
+describe file('/opt/vault/1.8.5/vault') do
+  it { should be_file }
+  it { should be_executable }
+end
+
+describe group('vault') do
+  it { should exist }
+end
+
+describe user('vault') do
+  it { should exist }
+end
+
+describe file('/etc/vault/vault.json') do
+  its('mode') { should eq 0640 }
+  it { should be_file }
+  it { should be_owned_by 'vault' }
+  it { should be_grouped_into 'vault' }
+  its('content') { should match /.*log_level.*/ }
+  its('content') { should match /.*license_path.*/}
+end
+
+describe file('/etc/vault/vault_license.hclic') do
+  it {should exist}
+  it {should be_file}
+  it { should be_owned_by 'vault' }
+  it { should be_grouped_into 'vault' }
+end
+
+describe service('vault') do
+  it { should be_installed }
+  it { should be_enabled }
+  it { should be_running }
+end

test/integration/test_license_internal_ent/inspec/default_spec.rb

@@ -0,0 +1,34 @@
+describe file('/opt/vault/1.8.5/vault') do
+  it { should be_file }
+  it { should be_executable }
+end
+
+describe group('vault') do
+  it { should exist }
+end
+
+describe user('vault') do
+  it { should exist }
+end
+
+describe file('/etc/vault/vault.json') do
+  its('mode') { should eq 0640 }
+  it { should be_file }
+  it { should be_owned_by 'vault' }
+  it { should be_grouped_into 'vault' }
+  its('content') { should match /.*log_level.*/ }
+  its('content') { should match /.*license_path.*/}
+end
+
+describe file('/etc/vault/vault_license.hclic') do
+  it {should exist}
+  it {should be_file}
+  it { should be_owned_by 'vault' }
+  it { should be_grouped_into 'vault' }
+end
+
+describe service('vault') do
+  it { should be_installed }
+  it { should be_enabled }
+  it { should be_running }
+end

test/integration/test_unauthenticated_metrics/inspec/default_spec.rb

@@ -1,4 +1,4 @@
-describe file('/opt/vault/1.8.4/vault') do
+describe file('/opt/vault/1.8.5/vault') do
   it { should be_file }
   it { should be_executable }
 end