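---
# Install the Vault binary from releases.hashicorp.com.
# Runs only when no binary is installed or the installed version differs from
# hc_vault_version. Order matters: download the archive, the SHA256SUMS list and
# its detached signature; verify the signature over the list; verify the archive
# against the list; only then unpack and install.
- name: install vault binary
  when: not hc_vault_binary_installed or hc_vault_local_binary_version != hc_vault_version
  notify:
    - 'vault : restart vault service'
  block:
    - name: download archive
      ansible.builtin.get_url:
        url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
        dest: '{{ tmp_file.path }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
        mode: '0600'

    - name: download SHASUMs file signature
      ansible.builtin.get_url:
        url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS.sig'
        dest: '{{ tmp_file.path }}/shasums.sig'
        mode: '0600'

    - name: download SHASUMs files for vault releases
      ansible.builtin.get_url:
        url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS'
        dest: '{{ tmp_file.path }}/shasums.txt'
        mode: '0600'

    - name: Verify downloaded files integrity
      block:
        # gpg checks the detached signature against whatever keys are in the
        # keyring of the user running this task; nothing in this file imports
        # or pins the vendor's release key. A good signature from any key in
        # that keyring exits 0.
        # NOTE(review): confirm the release key is provisioned elsewhere in the
        # role, ideally in a dedicated keyring that holds only that key.
        - name: check SHASUMs file integrity
          ansible.builtin.command: 'gpg --verify {{ tmp_file.path }}/shasums.sig {{ tmp_file.path }}/shasums.txt'
          # Read-only check: never report it as a change.
          changed_when: false

        # Only one archive was downloaded, so sha256sum is expected to report
        # any other artifact named in the list as missing and exit non-zero.
        # failed_when replaces the return-code check with a search for this
        # archive's own "OK" line in stdout.
        - name: check SHASUM of the downloaded archive
          ansible.builtin.command:
            cmd: 'sha256sum -c {{ tmp_file.path }}/shasums.txt'
            chdir: '{{ tmp_file.path }}'
          register: shasum_check
          failed_when: 'search_string not in shasum_check.stdout'
          # Read-only check: never report it as a change.
          changed_when: false
          vars:
            search_string: 'vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip: OK'

    # "set -e" stops the script at the first failing step (cd, unzip, install).
    # Without it the task's exit status is that of the last line alone, which
    # always ends in a successful echo, so a failed unpack or install would be
    # reported as success. The final "-h" smoke test stays advisory: it prints
    # a message but does not fail the task.
    - name: install vault package
      become: true
      ansible.builtin.shell: |
        set -e
        cd {{ tmp_file.path }}
        unzip -o vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip
        install -g {{ hc_vault_runas }} -o {{ hc_vault_runas }} -p -m 500 ./vault {{ hc_vault_binary_path }}
        {{ hc_vault_binary_path }} -h > /dev/null || (echo "Unexpected return, binary might be invalid")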