openpkg-packages/vault-unseal/vault-unseal.spec

##
##  vault-unseal.spec -- OpenPKG RPM Package Specification
##  Copyright (c) 2000-2020 OpenPKG Project <http://openpkg.org/>
##
##  Permission to use, copy, modify, and distribute this software for
##  any purpose with or without fee is hereby granted, provided that
##  the above copyright notice and this permission notice appear in all
##  copies.
##
##  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
##  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
##  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
##  IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
##  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
##  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
##  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
##  USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
##  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
##  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
##  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
##  SUCH DAMAGE.
##

#   package version
%define       V_opkg  0.0.2
%define       V_dist  20200402

#   package information
Name:         vault-unseal
Summary:      Vault Auto-Unsealing
URL:          https://github.com/lrstanley/vault-unseal
Vendor:       Liam Stanley
Packager:     OpenPKG Project
Distribution: OpenPKG Community
Class:        EVAL
Group:        Database
License:      MIT
Version:      %{V_opkg}.%{V_dist}
Release:      20200402

#   list of sources
Source0:      http://download.openpkg.org/components/versioned/vault-unseal/vault-unseal-%{V_dist}.tar.xz
Source1:      vault-unseal.yaml
Source2:      rc.vault-unseal
Patch0:       vault-unseal.patch

#   build information
BuildPreReq:  OpenPKG, openpkg >= 20160101, go
PreReq:       OpenPKG, openpkg >= 20160101

%description
    The database of the Vault secret store is encrypted with a master
    key and hence still "sealed" on daemon startup. For Vaults
    own operation it has to be "unsealed" first. For this three
    approaches exist: (1) auto-unseal with a Cloud provider service,
    (2) auto-unseal with a second Vault "transit" store or (3) manually
    by at least N (of M) people via the "vault operator unseal"
    command (executed locally or remotely). In case (1) and (2) are
    not an option (or if the "transit" Vault of (2) has to be unsealed
    itself) (3) can be automated. For this you run M instances of the
    vault-unseal(8) daemon (for instance one on each node of a Vault
    cluster itself). Each instance of vault-unseal(8) is given a subset
    N of the M total number of unseal tokens.

%track
    prog vault-unseal:release = {
        version   = %{V_opkg}
        url       = https://github.com/lrstanley/vault-unseal/releases
        regex     = v(__VER__)\.tar\.gz
    }
    prog vault-unseal:snapshot = {
        version   = %{V_dist}
        url       = http://download.openpkg.org/components/versioned/vault-unseal/
        regex     = vault-unseal-(__VER__)\.tar\.xz
    }

%prep
    %setup -q -n vault-unseal
    %patch -p0

%build
    #   build program
    export GOPATH=`pwd`
    go build -v -o vault-unseal src/github.com/lrstanley/vault-unseal/*.go

%install
    #   create directory tree
    %{l_shtool} mkdir -f -p -m 755 \
        $RPM_BUILD_ROOT%{l_prefix}/sbin \
        $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \
        $RPM_BUILD_ROOT%{l_prefix}/etc/vault-unseal \
        $RPM_BUILD_ROOT%{l_prefix}/var/vault-unseal/log \
        $RPM_BUILD_ROOT%{l_prefix}/var/vault-unseal/run

    #   install program
    %{l_shtool} install -c -s -m 755 \
        vault-unseal $RPM_BUILD_ROOT%{l_prefix}/sbin/

    #   install default configuration
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE vault-unseal.yaml} $RPM_BUILD_ROOT%{l_prefix}/etc/vault-unseal/

    #   install run-command script
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE rc.vault-unseal} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/

    #   determine installation files
    %{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
        %{l_files_std} \
        '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/etc/vault-unseal' \
        '%config %attr(0600,%{l_rusr},%{l_rusr}) %{l_prefix}/etc/vault-unseal/*' \
        '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/vault-unseal/*'

%files -f files

%clean

%post
    if [ $1 -eq 2 ]; then
        #   after upgrade, restart service
        eval `%{l_rc} vault-unseal status 2>/dev/null`
        [ ".$vault_unseal_active" = .yes ] && %{l_rc} vault-unseal restart
    fi
    exit 0

%preun
    if [ $1 -eq 0 ]; then
        #   stop service
        %{l_rc} vault-unseal stop 2>/dev/null

        #   remove run-time files
        rm -f $RPM_INSTALL_PREFIX/var/vault-unseal/log/* >/dev/null 2>&1 || true
        rm -f $RPM_INSTALL_PREFIX/var/vault-unseal/run/* >/dev/null 2>&1 || true
    fi
    exit 0
new package 7 years ago			`##`
			`## vault-unseal.spec -- OpenPKG RPM Package Specification`
bump year in all copyright messages 6 years ago			`## Copyright (c) 2000-2020 OpenPKG Project <http://openpkg.org/>`
new package 7 years ago			`##`
			`## Permission to use, copy, modify, and distribute this software for`
			`## any purpose with or without fee is hereby granted, provided that`
			`## the above copyright notice and this permission notice appear in all`
			`## copies.`
			`##`
			## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
			`## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF`
			`## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.`
			`## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR`
			`## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,`
			`## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT`
			`## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF`
			`## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND`
			`## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,`
			`## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT`
			`## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF`
			`## SUCH DAMAGE.`
			`##`

			`# package version`
			`%define V_opkg 0.0.2`
upgrading package: vault-unseal 0.0.2.20200119 -> 0.0.2.20200402 6 years ago			`%define V_dist 20200402`
new package 7 years ago
			`# package information`
			`Name: vault-unseal`
			`Summary: Vault Auto-Unsealing`
			`URL: https://github.com/lrstanley/vault-unseal`
			`Vendor: Liam Stanley`
			`Packager: OpenPKG Project`
			`Distribution: OpenPKG Community`
			`Class: EVAL`
			`Group: Database`
			`License: MIT`
			`Version: %{V_opkg}.%{V_dist}`
upgrading package: vault-unseal 0.0.2.20200119 -> 0.0.2.20200402 6 years ago			`Release: 20200402`
new package 7 years ago
			`# list of sources`
			`Source0: http://download.openpkg.org/components/versioned/vault-unseal/vault-unseal-%{V_dist}.tar.xz`
			`Source1: vault-unseal.yaml`
			`Source2: rc.vault-unseal`
			`Patch0: vault-unseal.patch`

			`# build information`
			`BuildPreReq: OpenPKG, openpkg >= 20160101, go`
			`PreReq: OpenPKG, openpkg >= 20160101`

			`%description`
fix description 6 years ago			`The database of the Vault secret store is encrypted with a master`
			`key and hence still "sealed" on daemon startup. For Vaults`
			`own operation it has to be "unsealed" first. For this three`
new package 7 years ago			`approaches exist: (1) auto-unseal with a Cloud provider service,`
			`(2) auto-unseal with a second Vault "transit" store or (3) manually`
			`by at least N (of M) people via the "vault operator unseal"`
			`command (executed locally or remotely). In case (1) and (2) are`
			`not an option (or if the "transit" Vault of (2) has to be unsealed`
			`itself) (3) can be automated. For this you run M instances of the`
			`vault-unseal(8) daemon (for instance one on each node of a Vault`
			`cluster itself). Each instance of vault-unseal(8) is given a subset`
			`N of the M total number of unseal tokens.`

			`%track`
			`prog vault-unseal:release = {`
			`version = %{V_opkg}`
			`url = https://github.com/lrstanley/vault-unseal/releases`
			`regex = v(__VER__)\.tar\.gz`
			`}`
			`prog vault-unseal:snapshot = {`
			`version = %{V_dist}`
			`url = http://download.openpkg.org/components/versioned/vault-unseal/`
			`regex = vault-unseal-(__VER__)\.tar\.xz`
			`}`

			`%prep`
			`%setup -q -n vault-unseal`
			`%patch -p0`

			`%build`
			`# build program`
			export GOPATH=`pwd`
			`go build -v -o vault-unseal src/github.com/lrstanley/vault-unseal/*.go`

			`%install`
			`# create directory tree`
			`%{l_shtool} mkdir -f -p -m 755 \`
			`$RPM_BUILD_ROOT%{l_prefix}/sbin \`
			`$RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \`
			`$RPM_BUILD_ROOT%{l_prefix}/etc/vault-unseal \`
			`$RPM_BUILD_ROOT%{l_prefix}/var/vault-unseal/log \`
			`$RPM_BUILD_ROOT%{l_prefix}/var/vault-unseal/run`

			`# install program`
			`%{l_shtool} install -c -s -m 755 \`
			`vault-unseal $RPM_BUILD_ROOT%{l_prefix}/sbin/`

			`# install default configuration`
			`%{l_shtool} install -c -m 644 %{l_value -s -a} \`
			`%{SOURCE vault-unseal.yaml} $RPM_BUILD_ROOT%{l_prefix}/etc/vault-unseal/`

			`# install run-command script`
			`%{l_shtool} install -c -m 644 %{l_value -s -a} \`
			`%{SOURCE rc.vault-unseal} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/`

			`# determine installation files`
			`%{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \`
			`%{l_files_std} \`
			`'%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/etc/vault-unseal' \`
fix permissions 7 years ago			`'%config %attr(0600,%{l_rusr},%{l_rusr}) %{l_prefix}/etc/vault-unseal/*' \`
new package 7 years ago			`'%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/vault-unseal/*'`

			`%files -f files`

			`%clean`

			`%post`
			`if [ $1 -eq 2 ]; then`
			`# after upgrade, restart service`
			eval `%{l_rc} vault-unseal status 2>/dev/null`
			`[ ".$vault_unseal_active" = .yes ] && %{l_rc} vault-unseal restart`
			`fi`
			`exit 0`

			`%preun`
			`if [ $1 -eq 0 ]; then`
			`# stop service`
			`%{l_rc} vault-unseal stop 2>/dev/null`

			`# remove run-time files`
			`rm -f $RPM_INSTALL_PREFIX/var/vault-unseal/log/* >/dev/null 2>&1 \|\| true`
			`rm -f $RPM_INSTALL_PREFIX/var/vault-unseal/run/* >/dev/null 2>&1 \|\| true`
			`fi`
			`exit 0`