Merge branch 'master' into enhanced-production-hardening

.github/workflows/commitlint.yml

@@ -0,0 +1,15 @@
+name: Lint Commit Messages
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@v5

.github/workflows/release.yml

@@ -0,0 +1,26 @@
+name: Semantic Releaser
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  packages: write
+  pull-requests: write
+
+jobs:
+  semrel:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@v4
+        with:
+          extra_plugins: |
+            @semantic-release/[email protected]
+            @semantic-release/[email protected]
+            [email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.pre-commit-config.yaml

@@ -0,0 +1,16 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-case-conflict
+      - id: check-symlinks
+      - id: check-json
+      - id: mixed-line-ending
+        args: ["--fix=lf"]
+      - id: no-commit-to-branch
+        args: [--branch, main]
+      - id: pretty-format-json
+        args: [--autofix, --no-sort-keys]

.releaserc.json

@@ -0,0 +1,45 @@
+{
+  "branches": [
+    "main",
+    "master"
+  ],
+  "ci": false,
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "conventionalcommits"
+      }
+    ],
+    [
+      "@semantic-release/release-notes-generator",
+      {
+        "preset": "conventionalcommits"
+      }
+    ],
+    [
+      "@semantic-release/github",
+      {
+        "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:",
+        "labels": false,
+        "releasedLabels": false
+      }
+    ],
+    [
+      "@semantic-release/changelog",
+      {
+        "changelogFile": "CHANGELOG.md",
+        "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file."
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "assets": [
+          "CHANGELOG.md"
+        ],
+        "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+      }
+    ]
+  ]
+}

CHANGELOG.md

@@ -22,7 +22,7 @@
 ## v2.5.5
 - become_user vault_user when modifying files in vault_home
 
-## v2.5.4 
+## v2.5.4
 - New installation instructions
 
 ## v2.5.3

Makefile

@@ -6,4 +6,4 @@ help: ## list makefile targets
 
 .PHONY: lint
 lint: ## lint
-	ansible-lint -c .ansible-lint
+	ansible-lint -c .ansible-lint

README.md

@@ -75,6 +75,10 @@ to load any new configuration deployed.
 
 ## [Role Variables](role_variables.md)
 
+## Misc
+
+### [Vault Release Scheme](vault_releases.md)
+
 ## License
 
 BSD-2-Clause

commitlint.config.js

@@ -0,0 +1,5 @@
+// commitlint.config.js
+module.exports = {
+    extends: ['@commitlint/config-conventional'],
+    ignores: [(message) => /^Bumps \[.+]\(.+\) from .+ to .+\.$/m.test(message)],
+  }

defaults/main.yml

@@ -6,9 +6,12 @@
 # ---------------------------------------------------------------------------
 
 # Package variables
-vault_version_suffix: "{{ '.hsm' if vault_enterprise_hsm else '' }}"
-vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.18.2', true) }}{{ vault_version_suffix }}"
-vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}-1"
+vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.18.2', true) }}"
+
+vault_version_release_site_suffix: "{{ '+ent' if vault_enterprise }}{{ '.hsm' if vault_enterprise_hsm }}"
+vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}"
+vault_version_debian_repo_suffix: "-1"
+
 vault_architecture_map:
   # this first entry seems... redundant (but it's required for reasons)
   amd64: amd64
@@ -17,10 +20,13 @@ vault_architecture_map:
   aarch64: arm64
 vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}"
 vault_os: "{{ ansible_system | lower }}"
-vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_shasums: "vault_{{ vault_version }}_SHA256SUMS"
-vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_checksum_file_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_SHA256SUMS"
+
+vault_pkg_stub: "vault_{{ vault_version }}{{ vault_version_release_site_suffix }}"
+vault_pkg: "{{ vault_pkg_stub }}_{{ vault_os }}_{{ vault_architecture }}.zip"
+vault_shasums: "{{ vault_pkg_stub }}_SHA256SUMS"
+vault_url_stub: "https://releases.hashicorp.com/vault/{{ vault_version }}{{ vault_version_release_site_suffix }}"
+vault_zip_url: "{{ vault_url_stub }}/{{ vault_pkg }}"
+vault_checksum_file_url: "{{ vault_url_stub }}/{{ vault_shasums }}"
 vault_repository_url: "{{ _vault_repository_url | default() }}"
 vault_repository_key_url: "{{ _vault_repository_key_url | default() }}"
 vault_rhsm_subscription_name:
@@ -290,8 +296,8 @@ _vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vau
 vault_tls_private_path: "{{ _vault_tls_private_path ~ ('/private' if vault_harden_file_perms and vault_tls_copy_keys) }}"
 vault_tls_src_files: "{{ lookup('env', 'VAULT_TLS_SRC_FILES') | default(role_path ~ '/files', true) }}"
 
-vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(1, true) }}"
-vault_tls_gossip: "{{ lookup('env', 'VAULT_TLS_GOSSIP') | default(0, true) }}"
+vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(true, true) }}"
+vault_tls_gossip: "{{ lookup('env', 'VAULT_TLS_GOSSIP') | default(false, true) }}"
 
 vault_tls_copy_keys: "{{ false if (vault_install_hashi_repo) else true }}"
 vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}"
@@ -386,8 +392,6 @@ vault_entropy_seal: false
 # ---------------------------------------------------------------------------
 
 vault_enterprise: "{{ lookup('env', 'VAULT_ENTERPRISE') | default(false, true) }}"
-vault_enterprise_pkg: "vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_enterprise_shasums: "vault-enterprise_{{ vault_version }}_SHA256SUMS"
 
 # Manage enterprise license file with this role
 vault_configure_enterprise_license: false

examples/README_VAGRANT.md

@@ -82,4 +82,4 @@ If you notice an error like *vm: The '' provisioner could not be found.* make su
 7. http://www.vagrantup.com/
 8. https://www.virtualbox.org/
 9. https://github.com/adrienthebo/vagrant-hosts
-10. https://vagrant-libvirt.github.io/vagrant-libvirt
+10. https://vagrant-libvirt.github.io/vagrant-libvirt

examples/bin/preinstall

@@ -50,4 +50,4 @@ function add_host {
   fi
 }
 
-add_host
+add_host

molecule/centos-stream-9-enterprise/molecule.yml

@@ -0,0 +1,32 @@
+---
+platforms:
+  - name: centos-stream-9
+    groups:
+      - vault_raft_servers
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+  - name: centos-stream-9_repo
+    groups:
+      - vault_raft_servers
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+
+provisioner:
+  inventory:
+    host_vars:
+      centos-stream-9:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: false
+      centos-stream-9_repo:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: true
+        vault_bin_path: /usr/bin
+        vault_group: vault

molecule/debian-11-enterprise/molecule.yml

@@ -0,0 +1,32 @@
+---
+platforms:
+  - name: debian-11
+    groups:
+      - vault_raft_servers
+    image: dokken/debian-11
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+  - name: debian-11_repo
+    groups:
+      - vault_raft_servers
+    image: dokken/debian-11
+    pre_build_image: true
+    command: /lib/systemd/systemd
+    privileged: true
+    cgroup_parent: docker.slice
+
+provisioner:
+  inventory:
+    host_vars:
+      debian-11:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: false
+      debian-11_repo:
+        vault_disable_api_health_check: true
+        vault_enterprise: true
+        vault_install_hashi_repo: true
+        vault_bin_path: /usr/bin
+        vault_group: vault

molecule/verify.yml

@@ -10,46 +10,54 @@
     goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}"
     goss_test_directory: /tmp
     goss_format: tap
+    enterprise: "{{ 'enterprise' in lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}"
   tasks:
-    - name: Download and install Goss
-      get_url:
-        url: "{{ goss_url }}"
-        dest: "{{ goss_dst }}"
-        checksum: "sha256:{{ goss_sha256sum }}"
-        mode: 0755
-      register: download_goss
-      until: download_goss is succeeded
-      retries: 3
+    - name: Check if enterprise
+      ansible.builtin.debug:
+        msg: "Verification is skipped because vault enterprise does not start without license"
+      when: enterprise
+    - name: Verify tasks
+      when: not enterprise
+      block:
+      - name: Download and install Goss
+        get_url:
+          url: "{{ goss_url }}"
+          dest: "{{ goss_dst }}"
+          checksum: "sha256:{{ goss_sha256sum }}"
+          mode: 0755
+        register: download_goss
+        until: download_goss is succeeded
+        retries: 3
 
-    - name: Copy Goss tests to remote
-      template:
-        src: "{{ item }}"
-        dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}"
-        mode: 0644
-      with_fileglob:
-        - "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2"
+      - name: Copy Goss tests to remote
+        template:
+          src: "{{ item }}"
+          dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}"
+          mode: 0644
+        with_fileglob:
+          - "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2"
 
-    - name: Register test files
-      shell: "ls {{ goss_test_directory }}/test_*.yml"
-      changed_when: false
-      register: test_files
+      - name: Register test files
+        shell: "ls {{ goss_test_directory }}/test_*.yml"
+        changed_when: false
+        register: test_files
 
-    - name: Execute Goss tests
-      environment:
-        # yamllint disable-line rule:line-length
-        PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
-      command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}"
-      changed_when: false
-      register: test_results
-      with_items: "{{ test_files.stdout_lines }}"
+      - name: Execute Goss tests
+        environment:
+          # yamllint disable-line rule:line-length
+          PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+        command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}"
+        changed_when: false
+        register: test_results
+        with_items: "{{ test_files.stdout_lines }}"
 
-    - name: Display details about the Goss results
-      debug:
-        msg: "{{ item.stdout_lines }}"
-      with_items: "{{ test_results.results }}"
+      - name: Display details about the Goss results
+        debug:
+          msg: "{{ item.stdout_lines }}"
+        with_items: "{{ test_results.results }}"
 
-    - name: Fail when tests fail
-      fail:
-        msg: "Goss failed to validate"
-      when: item.rc != 0
-      with_items: "{{ test_results.results }}"
+      - name: Fail when tests fail
+        fail:
+          msg: "Goss failed to validate"
+        when: item.rc != 0
+        with_items: "{{ test_results.results }}"