Initial Vault Enterprise support and more

- Add initial Vault Enterprise variables
- Add initial Vault Enterprise installation tasks
- Update when statements to avoid warnings about template delimiters
- Update documentation

CHANGELOG.md

@@ -246,3 +246,10 @@
 - Update CONTRIBUTORS
 - Update CONTRIBUTING
 - Update documentation
+
+## v1.6.0
+
+- Add initial Vault Enterprise variables
+- Add initial Vault Enterprise installation tasks
+- Update when statements to avoid warnings about template delimiters
+- Update documentation

README.md

@@ -33,14 +33,27 @@ The role defines variables in `defaults/main.yml`:
 
 ### `vault_version`
 
-- version to install - can be overridden with `VAULT_VERSION` environment variable
+- version to install
+  - Can be overridden with `VAULT_VERSION` environment variable
 - Default value: *0.7.0*
 
+### `vault_enterprise`
+
+- Set this to true when installing Vault Enterprise; this is not currently
+  possible as a "remote only" install method
+  - Can be overridden with `VAULT_ENTERPRISE` environment variable
+- Default value: *false*
+
 ### `vault_pkg`
 
 - package filename
 - Default value: `"vault_{{ vault_version }}_linux_amd64.zip"`
 
+### `vault_enterprise_pkg`
+
+- package filename
+- Default value: `"vault-enterprise_{{ vault_version }}+ent_{{ vault_os }}_{{ vault_architecture }}.zip"`
+
 ### `vault_zip_url`
 
 - Package download URL
@@ -51,6 +64,16 @@ The role defines variables in `defaults/main.yml`:
 - SHA summaries URL
 - Default value: `"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"`
 
+### `vault_shasums`
+
+- SHA summaries filename (included for convenience not for modification)
+- Default value: `"vault_{{ vault_version }}_SHA256SUMS"`
+
+### `vault_enterprise_shasums`
+
+- SHA summaries filename (included for convenience not for modification)
+- Default value: `"vault-enterprise_{{ vault_version }}+ent_SHA256SUMS"`
+
 ### `vault_bin_path`
 
 - Binary installation path
@@ -124,7 +147,8 @@ The role defines variables in `defaults/main.yml`:
 
 ### `vault_iface`
 
-- Network interface can be overridden with `VAULT_IFACE` environment variable
+- Network interface
+  - Can be overridden with `VAULT_IFACE` environment variable
 - Default value: `eth1`
 
 ### `vault_address`
@@ -180,6 +204,7 @@ The role defines variables in `defaults/main.yml`:
 ### `vault_tls_disable`
 
 - [Disable TLS](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_disable)
+  - Can be overridden with `VAULT_TLS_DISABLE` environment variable
 - Default value: *1*
 
 ### `vault_tls_cert_file`
@@ -204,7 +229,8 @@ The role defines variables in `defaults/main.yml`:
 
 ### `vault_tls_min_version`
 
-- [Minimum acceptable TLS version](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_min_version) can be overridden with `VAULT_TLS_MIN_VERSION` environment variable
+- [Minimum acceptable TLS version](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_min_version)
+  - Can be overridden with `VAULT_TLS_MIN_VERSION` environment variable
 - Default value: *tls12*
 
 ### `vault_tls_cipher_suites`
@@ -214,7 +240,8 @@ The role defines variables in `defaults/main.yml`:
 
 ### `vault_tls_prefer_server_cipher_suites`
 
-- [Prefer server's cipher suite over client cipher suite](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_prefer_server_cipher_suites) can be overridden by `VAULT_TLS_PREFER_SERVER_CIPHER_SUITES` environment variable
+- [Prefer server's cipher suite over client cipher suite](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_prefer_server_cipher_suites)
+  - Can be overridden with `VAULT_TLS_PREFER_SERVER_CIPHER_SUITES` environment variable
 - Default value: *false*
 
 ## OS Distribution Variables
@@ -236,11 +263,6 @@ differences across distributions:
 - Vault package download URL
 - Default value: `{{ vault_zip_url }}`
 
-### `vault_sha256`
-
-- Vault download SHA256 summary
-- Default value: SHA256 SUM
-
 ### `vault_centos_os_packages`
 
 - List of OS packages to install
@@ -356,6 +378,14 @@ role directory for this to work.
 See `examples/README_VAGRANT.md` for details on quick Vagrant deployments
 under VirtualBox for testing, etc.
 
+## Vault Enterprise
+
+The role can install Vault Enterprise based instances.
+
+Place the Vault Enterprise zip archive into `{{ role_path }}/files` and set
+`vault_enterprise: true` or use the `VAULT_ENTERPRISE="true"` environment
+variable.
+
 ## License
 
 BSD

defaults/main.yml

@@ -2,6 +2,7 @@
 # File: defaults/main.yml - Main default variables for Vault
 
 vault_version: "{{ lookup('env','VAULT_VERSION') | default('0.7.0', true) }}"
+vault_enterprise: "{{ lookup('env','VAULT_ENTERPRISE') | default(false, true) }}"
 vault_architecture_map:
   # this first entry seems... redundant (but it's required for reasons)
   amd64: amd64
@@ -58,6 +59,12 @@ vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER
 ### Vault
 
 vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
+vault_shasums: "vault_{{ vault_version }}_SHA256SUMS"
+
+### Vault Enterprise
+
+vault_enterprise_pkg: "vault-enterprise_{{ vault_version }}+ent_{{ vault_os }}_{{ vault_architecture }}.zip"
+vault_enterprise_shasums: "vault-enterprise_{{ vault_version }}+ent_SHA256SUMS"
 
 ### Install Method
 vault_install_remotely: false

examples/README_VAGRANT.md

@@ -85,6 +85,14 @@ the following:
 BOX_NAME="centos/7" vagrant up
 ```
 
+## Vault Enterprise
+
+The role can install Vault Enterprise based instances.
+
+Place the Vault Enterprise zip archive into `{{ role_path }}/files` and set
+`vault_enterprise: true` or use the `VAULT_ENTERPRISE="true"` environment
+variable.
+
 ## Notes
 
 1. This project functions with the following software versions:

tasks/install.yml

@@ -9,21 +9,21 @@
   tags: installation
 
 - name: Check Vault package checksum file
-  local_action: stat path="{{ role_path }}/files/vault_{{ vault_version }}_SHA256SUMS"
+  local_action: stat path="{{ role_path }}/files/{{ vault_shasums }}"
   become: no
   run_once: true
   register: vault_checksum
 
 - name: Get Vault package checksum file
   local_action: get_url url="{{ vault_checksum_file_url }}"
-    dest="{{ role_path }}/files/vault_{{ vault_version }}_SHA256SUMS"
+    dest="{{ role_path }}/files/{{ vault_shasums }}"
   become: no
   run_once: true
   tags: installation
-  when: vault_checksum.stat.exists == False
+  when: not vault_checksum.stat.exists | bool
 
 - name: Get Vault package checksum
-  local_action: shell grep "{{ vault_pkg }}" "{{ role_path }}/files/vault_{{ vault_version }}_SHA256SUMS" | awk '{print $1}'
+  local_action: shell grep "{{ vault_pkg }}" "{{ role_path }}/files/{{ vault_shasums }}" | awk '{print $1}'
   become: no
   run_once: true
   register: vault_sha256
@@ -40,7 +40,7 @@
   become: no
   run_once: true
   tags: installation
-  when: vault_package.stat.exists == False
+  when: not vault_package.stat.exists | bool
 
 - name: Unarchive Vault
   local_action: unarchive src="{{ role_path }}/files/{{ vault_pkg }}" dest="{{ role_path }}/files/" creates="{{ role_path }}/files/vault"

tasks/install_enterprise.yml

@@ -0,0 +1,66 @@
+---
+# File: tasks/install_enterprise.yml
+#       Vault Enterprise package installation tasks
+
+- name: OS packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ vault_os_packages }}"
+  tags: installation
+
+- name: Check Vault Enterprise package checksum file
+  local_action: stat path="{{ role_path }}/files/{{ vault_enterprise_shasums }}"
+  become: no
+  run_once: true
+  register: vault_checksum
+
+- name: Get Vault Enterprise package checksum file
+  local_action: get_url url="{{ vault_checksum_file_url }}"
+    dest="{{ role_path }}/files/{{ vault_enterprise_shasums }}"
+  become: no
+  run_once: true
+  tags: installation
+  when: not vault_checksum.stat.exists | bool
+
+- name: Get Vault Enterprise package checksum
+  local_action: shell grep "{{ vault_enterprise_pkg }}" "{{ role_path }}/files/{{ vault_enterprise_shasums }}" | awk '{print $1}'
+  become: no
+  run_once: true
+  register: vault_sha256
+  tags: installation
+
+- name: Check Vault Enterprise package file
+  local_action: stat path="{{ role_path }}/files/{{ vault_enterprise_pkg }}"
+  become: no
+  run_once: true
+  register: vault_package
+
+- name: Download Vault Enterprise
+  local_action: get_url url="{{ vault_zip_url }}" dest="{{ role_path }}/files/{{ vault_enterprise_pkg }}" checksum="sha256:{{ vault_sha256.stdout }}" timeout="42"
+  become: no
+  run_once: true
+  tags: installation
+  when: not vault_package.stat.exists | bool
+
+- name: Unarchive Vault Enterprise
+  local_action: unarchive src="{{ role_path }}/files/{{ vault_enterprise_pkg }}" dest="{{ role_path }}/files/" creates="{{ role_path }}/files/vault"
+  become: no
+  run_once: true
+  tags: installation
+
+- name: Install Vault Enterprise
+  copy:
+    src: "{{ role_path }}/files/vault"
+    dest: "{{ vault_bin_path }}"
+    owner: "{{ vault_user }}"
+    group: "{{ vault_group }}"
+    mode: "0755"
+  tags: installation
+
+- name: Cleanup
+  local_action: file path="{{ item }}" state="absent"
+  become: no
+  with_fileglob: "{{ role_path }}/files/vault"
+  run_once: true
+  tags: installation

tasks/install_remote.yml

@@ -15,18 +15,18 @@
 
 - name: Check Vault package checksum file
   stat:
-    path: "/tmp/vault/vault_{{ vault_version }}_SHA256SUMS"
+    path: "/tmp/vault/{{ vault_shasums }}"
   register: vault_checksum
 
 - name: Get Vault package checksum file
   get_url:
     url: "{{ vault_checksum_file_url }}"
-    dest: "/tmp/vault/vault_{{ vault_version }}_SHA256SUMS"
+    dest: "/tmp/vault/{{ vault_shasums }}"
   tags: installation
-  when: vault_checksum.stat.exists == False
+  when: not vault_checksum.stat.exists | bool
 
 - name: Get Vault package checksum
-  shell: "grep {{ vault_pkg }} /tmp/vault/vault_{{ vault_version }}_SHA256SUMS"
+  shell: "grep {{ vault_pkg }} /tmp/vault/{{ vault_shasums }}"
   register: vault_sha256
   tags: installation
 
@@ -43,7 +43,7 @@
     checksum: "sha256:{{ vault_sha256.stdout.split(' ')|first }}"
     timeout: "42"
   tags: installation
-  when: vault_package.stat.exists == False
+  when: not vault_package.stat.exists | bool
 
 - name: Unarchive Vault and install binary
   unarchive:

tasks/main.yml

@@ -26,11 +26,11 @@
     msg: "{{ ansible_distribution_version }} is not an acceptable version of {{ ansible_distribution }} for this role"
   when: ansible_distribution == "Ubuntu" and ansible_distribution_version|version_compare(13.04, '<')
 
-- name: Create cluster grouping
+- name: Create OS cluster grouping
   group_by:
     key: "os_{{ ansible_os_family }}"
 
-- name: Create cluster groupings
+- name: Create node role cluster groupings
   group_by:
     key: "{{ vault_node_role }}"
 
@@ -44,13 +44,23 @@
 - name: Include OS-specific variables
   include_vars: "{{ ansible_os_family }}.yml"
 
+- name: Install OS packages and Vault Enterprise
+  include: install.yml
+  when:
+    - vault_enterprise | bool
+    - not vault_install_remotely | bool
+
 - name: Install OS packages and vault - locally
   include: install.yml
-  when: not vault_install_remotely
+  when:
+    - not vault_enterprise | bool
+    - not vault_install_remotely | bool
 
 - name: Install OS packages and vault - remotely
   include: install_remote.yml
-  when: vault_install_remotely
+  when:
+    - not vault_enterprise | bool
+    - vault_install_remotely | bool
 
 - name: Enable non root mlock capability
   command: "setcap cap_ipc_lock=+ep {{ vault_bin_path }}/vault"

templates/vault_listener.hcl.j2

@@ -2,6 +2,10 @@
 
 cluster_name = "{{ vault_cluster_name }}"
 
+{%if ( vault_enterprise )%}
+ui = true
+{% endif %}
+
 listener "tcp" {
  address = "{{ vault_address }}:{{ vault_port }}"
 {% if (

version.txt

@@ -1 +1 @@
-v1.5.7
+v1.6.0