Backport license: add support for publishing artifacts to IBM PAO into ce/main (#9208)

* license: add support for publishing artifacts to IBM PAO (#8366)

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: brian shore <bshore@hashicorp.com>
Co-authored-by: Ethel Evans <ethel.evans@hashicorp.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Vault Automation 2025-09-11 11:25:15 -06:00 committed by GitHub
parent 9e20e6d936
commit a73eca5759
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 71 additions and 30 deletions


@ -90,9 +90,11 @@ runs:
if [[ '${{ inputs.vault-edition }}' =~ 'ce' ]]; then
build_step_name='Vault ${{ inputs.goos }} ${{ inputs.goarch }} v${{ inputs.vault-version }}'
package_version='${{ inputs.vault-version }}'
linux_package_license='BUSL-1.1'
else
build_step_name='Vault ${{ inputs.goos }} ${{ inputs.goarch }} v${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
package_version='${{ inputs.vault-version }}+ent' # this should always be +ent here regardless of enterprise edition
linux_package_license='IPLA'
fi
# Generate a builder cache key that considers anything that might change
# our build container, including:
@ -110,7 +112,13 @@ runs:
echo "build-step-name=${build_step_name}"
echo "vault-builder-cache-key=${docker_sha}-${build_sha}-${tools_sha}-${github_sha}-$(cat .go-version)"
echo "package-version=${package_version}"
echo "linux_package_license=${linux_package_license}"
} | tee -a "$GITHUB_OUTPUT"
- if: inputs.vault-edition != 'ce'
id: build-vault-select-license
uses: hashicorp-forge/actions-pao-tool/select-license@6997f7457c338e008506005cc370e7b02f7fb421 # v1.0.3
with:
arch: ${{ matrix.goarch }}
- if: inputs.cgo-enabled == '0'
name: ${{ steps.metadata.outputs.build-step-name }}
env:
@ -200,6 +208,8 @@ runs:
- if: inputs.vault-edition != 'ce'
shell: bash
run: make ci-prepare-ent-legal
env:
LICENSE_DIR: "${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy"
- if: inputs.vault-edition == 'ce'
shell: bash
run: make ci-prepare-ce-legal
@ -222,7 +232,7 @@ runs:
version: ${{ steps.metadata.outputs.package-version }}
maintainer: HashiCorp
homepage: https://github.com/hashicorp/vault
license: BUSL-1.1
license: ${{ steps.metadata.outputs.linux_package_license }}
binary: ${{ steps.metadata.outputs.binary-path }}
deb_depends: openssl
rpm_depends: openssl
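Review bot: The new `build-vault-select-license` step takes `arch: ${{ matrix.goarch }}`, but this is a composite action whose other steps derive the architecture from `inputs.goarch` (the build-step name and the container steps elsewhere in this commit use `inputs.goarch`); `matrix` is the caller's context, so a job that invokes the action without a `goarch` matrix key would presumably pass an empty arch and select the wrong license bundle, or none. Change it to `arch: ${{ inputs.goarch }}` so the action stays self-contained. Also note that `LICENSE_DIR` is composed as `<license-path>/Softcopy`, so if the select step yields no output the value is the non-empty but nonexistent `/Softcopy`; the downstream `make ci-prepare-ent-legal` fails at `cp` rather than on its own guard, which is fail-closed but opaque. Pinning the third-party action to a full commit SHA with the version in a comment is appropriate given it now decides which legal text ships in the artifact.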


@ -38,6 +38,11 @@ outputs:
runs:
using: composite
steps:
- if: inputs.vault-edition != 'ce' && (inputs.docker == 'true' || inputs.redhat == 'true')
uses: hashicorp-forge/actions-pao-tool/select-license@6997f7457c338e008506005cc370e7b02f7fb421 # v1.0.3
id: build-vault-select-license
with:
arch: ${{ matrix.goarch }}
- id: vars
shell: bash
run: |
@ -48,6 +53,8 @@ runs:
docker_container_target='default'
redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
redhat_container_target='ubi'
license_source='LICENSE'
license_dest='/usr/share/doc/vault/LICENSE.txt'
;;
"ent")
container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
@ -55,6 +62,8 @@ runs:
docker_container_target='default'
redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
redhat_container_target='ubi'
license_source='${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy'
license_dest='/usr/share/doc/vault/Softcopy/'
;;
"ent.hsm")
container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
@ -62,6 +71,8 @@ runs:
docker_container_target='ubi-hsm'
redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
redhat_container_target='ubi-hsm'
license_source='${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy'
license_dest='/usr/share/doc/vault/Softcopy/'
;;
"ent.hsm.fips1403")
container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
@ -69,6 +80,8 @@ runs:
docker_container_target='ubi-hsm-fips'
redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
redhat_container_target='ubi-hsm-fips'
license_source='${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy'
license_dest='/usr/share/doc/vault/Softcopy/'
;;
"ent.fips1403")
# NOTE: For compatibility we still publish the ent.fips1403 containers to different
@ -81,6 +94,8 @@ runs:
docker_container_target='ubi-fips'
redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
redhat_container_target='ubi-fips'
license_source='${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy'
license_dest='/usr/share/doc/vault/Softcopy/'
;;
*)
echo "Cannot generate container tags for unknown vault edition: ${{ inputs.vault-edition }}" 2>&1
@ -93,6 +108,8 @@ runs:
echo "docker-container-target=${docker_container_target}"
echo "redhat-container-tags=${redhat_container_tags}"
echo "redhat-container-target=${redhat_container_target}"
echo "license_source=${license_source}"
echo "license_dest=${license_dest}"
echo "revision=$(make ci-get-revision)"
} | tee -a "$GITHUB_OUTPUT"
- if: inputs.docker == 'true' || inputs.redhat == 'true'
@ -108,6 +125,9 @@ runs:
with:
arch: ${{ inputs.goarch }}
do_zip_extract_step: 'false' # Don't download and extract an already present binary
extra_build_args: |
LICENSE_SOURCE=${{ steps.vars.outputs.license_source }}
LICENSE_DEST=${{ steps.vars.outputs.license_dest }}
repo_name: ${{ inputs.vault-edition == 'ce' && 'vault' || 'vault-enterprise' }}
revision: ${{ steps.vars.outputs.revision }}
tags: ${{ steps.vars.outputs.docker-container-tags }}
@ -118,6 +138,9 @@ runs:
with:
arch: ${{ inputs.goarch }}
do_zip_extract_step: 'false' # Don't download and extract an already present binary
extra_build_args: |
LICENSE_SOURCE=${{ steps.vars.outputs.license_source }}
LICENSE_DEST=${{ steps.vars.outputs.license_dest }}
redhat_tag: ${{ steps.vars.outputs.redhat-container-tags }}
repo_name: ${{ inputs.vault-edition == 'ce' && 'vault' || 'vault-enterprise' }}
revision: ${{ steps.vars.outputs.revision }}
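Review bot: The `build-vault-select-license` step uses `arch: ${{ matrix.goarch }}` while the docker and redhat build steps in the same action use `arch: ${{ inputs.goarch }}`; the action already receives the architecture as an input, so the license selection should read `arch: ${{ inputs.goarch }}` too, otherwise a caller without a `goarch` matrix key gets a different architecture for the license than for the binary. For the enterprise cases `license_source` is `${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy`, so an empty `license-path` output collapses to `/Softcopy`, which the Dockerfile's `COPY` will reject; that fails closed, but a clearer guard in the `vars` step (under the same `docker == 'true' || redhat == 'true'` condition) would name the real cause. The `ce` branch hard-codes `license_dest='/usr/share/doc/vault/LICENSE.txt'` while the Dockerfile previously used `$NAME` for that path; this is equivalent today but worth a comment noting the two must stay in sync.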


@ -163,6 +163,9 @@ jobs:
# Don't download them on a cache hit during setup, just make sure they're cached before
# subsequent workflows are run.
no-restore: true
- if: steps.metadata.outputs.is-ent-branch == 'true'
name: Generate PAO metadata
uses: hashicorp-forge/actions-pao-tool/collect@6997f7457c338e008506005cc370e7b02f7fb421 # v1.0.3
ui:
# The Web UI workflow is a prerequisite workflow for building our artifacts. If the application


@ -7,4 +7,4 @@ rules:
comments-indentation: disable
line-length: disable
commas:
max-spaces-after: -1
max-spaces-after: -1


@ -12,6 +12,10 @@ ARG PRODUCT_VERSION
ARG PRODUCT_REVISION
# TARGETARCH and TARGETOS are set automatically when --platform is provided.
ARG TARGETOS TARGETARCH
# LICENSE_SOURCE is the path to IBM license documents, which may be architecture-specific.
ARG LICENSE_SOURCE
# LICENSE_DEST is the path where license files are installed in the container
ARG LICENSE_DEST
# Additional metadata labels used by container registries, platforms
# and certification scanners.
@ -25,7 +29,7 @@ LABEL name="Vault" \
description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."
# Copy the license file as per Legal requirement
COPY LICENSE /usr/share/doc/$NAME/LICENSE.txt
COPY ${LICENSE_SOURCE} ${LICENSE_DEST}
# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
ENV NAME=$NAME
@ -34,11 +38,7 @@ ENV VERSION=$VERSION
# Create a non-root user to run the software.
RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}
RUN apk add --no-cache libcap su-exec dumb-init tzdata curl && \
mkdir -p /usr/share/doc/vault && \
curl -o /usr/share/doc/vault/EULA.txt https://eula.hashicorp.com/EULA.txt && \
curl -o /usr/share/doc/vault/TermsOfEvaluation.txt https://eula.hashicorp.com/TermsOfEvaluation.txt && \
apk del curl
RUN apk add --no-cache libcap su-exec dumb-init tzdata
COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
@ -89,6 +89,10 @@ ARG PRODUCT_VERSION
ARG PRODUCT_REVISION
# TARGETARCH and TARGETOS are set automatically when --platform is provided.
ARG TARGETOS TARGETARCH
# LICENSE_SOURCE is the path to IBM license documents, which may be architecture-specific.
ARG LICENSE_SOURCE
# LICENSE_DEST is the path where license files are installed in the container
ARG LICENSE_DEST
# Additional metadata labels used by container registries, platforms
# and certification scanners.
@ -106,10 +110,11 @@ ENV NAME=$NAME
ENV VERSION=$VERSION
# Copy the license file as per Legal requirement
COPY LICENSE /usr/share/doc/$NAME/LICENSE.txt
COPY ${LICENSE_SOURCE} ${LICENSE_DEST}/
# We must have a copy of the license in this directory to comply with the HasLicense Redhat requirement
COPY LICENSE /licenses/LICENSE.txt
# Note the trailing slash on the first argument -- plain files meet the requirement but directories do not.
COPY ${LICENSE_SOURCE}/ /licenses/
# Set up certificates, our base tools, and Vault. Unlike the other version of
# this (https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile),
@ -140,11 +145,6 @@ RUN mkdir -p /vault/logs && \
chgrp -R 0 $HOME && chmod -R g+rwX $HOME && \
chgrp -R 0 /vault && chmod -R g+rwX /vault
# Include EULA and Terms of Eval
RUN mkdir -p /usr/share/doc/vault && \
curl -o /usr/share/doc/vault/EULA.txt https://eula.hashicorp.com/EULA.txt && \
curl -o /usr/share/doc/vault/TermsOfEvaluation.txt https://eula.hashicorp.com/TermsOfEvaluation.txt
# Expose the logs directory as a volume since there's potentially long-running
# state in there
VOLUME /vault/logs
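Review bot: `ARG LICENSE_SOURCE` and `ARG LICENSE_DEST` have no defaults and the unconditional `COPY LICENSE /usr/share/doc/$NAME/LICENSE.txt` is removed in both stages, so a plain `docker build` without `--build-arg` now fails at `COPY ${LICENSE_SOURCE} ${LICENSE_DEST}` with a generic COPY argument error; either default them to the CE values (`ARG LICENSE_SOURCE=LICENSE` and `ARG LICENSE_DEST=/usr/share/doc/vault/LICENSE.txt`) or extend the comment to state that both are required build args supplied by the build action. Failing closed is preferable to shipping an image with no license text, so the comment is the minimum. In the UBI stage `COPY ${LICENSE_SOURCE}/ /licenses/` is also exercised for CE builds, where the action passes `LICENSE_SOURCE=LICENSE` (a file, not a directory); whether a trailing slash on a file source still lands a file in `/licenses/` depends on the builder's path handling, so confirm a CE UBI image still satisfies the HasLicense check. Removing the build-time `curl` of EULA text also removes an unauthenticated network fetch from the image build, which improves reproducibility.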


@ -133,13 +133,16 @@ function build() {
function prepare_ent_legal() {
: "${PKG_NAME:="vault"}"
if [ -z "${LICENSE_DIR:-}" ]; then
echo "You must set LICENSE_DIR; example: export LICENSE_DIR=.release/ibm-pao/license/default" 1>&2
return 1
fi
pushd "$(repo_root)"
mkdir -p dist
curl -o dist/EULA.txt https://eula.hashicorp.com/EULA.txt
curl -o dist/TermsOfEvaluation.txt https://eula.hashicorp.com/TermsOfEvaluation.txt
cp -R "$LICENSE_DIR" dist/
mkdir -p ".release/linux/package/usr/share/doc/$PKG_NAME"
cp dist/EULA.txt ".release/linux/package/usr/share/doc/$PKG_NAME/EULA.txt"
cp dist/TermsOfEvaluation.txt ".release/linux/package/usr/share/doc/$PKG_NAME/TermsOfEvaluation.txt"
cp -R "$LICENSE_DIR" ".release/linux/package/usr/share/doc/$PKG_NAME/"
popd
}
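Review bot: The new guard in `prepare_ent_legal` only rejects an empty `LICENSE_DIR`; the build action composes the value as `<license-path>/Softcopy`, so a missing `license-path` yields the non-empty but nonexistent `/Softcopy`, which passes the check and then fails inside `cp -R` with a less informative error. Tighten it to `if [ ! -d "${LICENSE_DIR:-}" ]; then echo "LICENSE_DIR must be an existing directory; example: export LICENSE_DIR=.release/ibm-pao/license/default/Softcopy" 1>&2; return 1; fi`. Note also that `cp -R "$LICENSE_DIR" ".release/linux/package/usr/share/doc/$PKG_NAME/"` places the directory under its own basename, so the packaged path only matches the container's `/usr/share/doc/vault/Softcopy/` while callers keep passing a path that ends in `Softcopy`; a comment such as `# the basename of LICENSE_DIR becomes the install subdirectory` would make that dependency explicit.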


@ -160,7 +160,8 @@ func FileGroupCheckerEnterprise(ctx context.Context, file *File) FileGroups {
hasBaseDir(name, "vault_ent"),
hasBaseDir(name, filepath.Join("scripts", "dev", "hsm")),
hasBaseDir(name, filepath.Join("scripts", "testing")),
hasBaseDir(name, filepath.Join("specs")):
hasBaseDir(name, filepath.Join("specs")),
hasBaseDir(name, filepath.Join(".release", "ibm-pao")):
return FileGroups{FileGroupEnterprise}
}


@ -15,16 +15,17 @@ func TestFileGroupDefaultCheckers(t *testing.T) {
t.Parallel()
for filename, groups := range map[string]FileGroups{
".build/entrypoint.sh": {FileGroupPipeline},
".github/actions/changed-files/actions.yml": {FileGroupPipeline},
".github/workflows/build.yml": {FileGroupPipeline},
".github/workflows/build-artifacts-ce.yml": {FileGroupCommunity, FileGroupPipeline},
".github/workflows/build-artifacts-ent.yml": {FileGroupEnterprise, FileGroupPipeline},
".github/workflows/backport-ce-ent.yml": {FileGroupCommunity, FileGroupPipeline},
".go-version": {FileGroupGoToolchain},
"audit/backend_ce.go": {FileGroupGoApp, FileGroupCommunity},
"audit/backend_config_ent.go": {FileGroupGoApp, FileGroupEnterprise},
"builtin/logical/transit/something_ent.go": {FileGroupGoApp, FileGroupEnterprise},
".build/entrypoint.sh": {FileGroupPipeline},
".github/actions/changed-files/actions.yml": {FileGroupPipeline},
".github/workflows/build.yml": {FileGroupPipeline},
".github/workflows/build-artifacts-ce.yml": {FileGroupCommunity, FileGroupPipeline},
".github/workflows/build-artifacts-ent.yml": {FileGroupEnterprise, FileGroupPipeline},
".github/workflows/backport-ce-ent.yml": {FileGroupCommunity, FileGroupPipeline},
".go-version": {FileGroupGoToolchain},
".release/ibm-pao/eboms/5900-BJ8.essentials.csv": {FileGroupEnterprise},
"audit/backend_ce.go": {FileGroupGoApp, FileGroupCommunity},
"audit/backend_config_ent.go": {FileGroupGoApp, FileGroupEnterprise},
"builtin/logical/transit/something_ent.go": {FileGroupGoApp, FileGroupEnterprise},
"buf.yml": {FileGroupProto},
"changelog/1726.txt": {FileGroupChangelog},
"changelog/_1726.txt": {FileGroupChangelog},