diff --git a/.github/actions/build-vault/action.yml b/.github/actions/build-vault/action.yml index 781d73901d..7b9c36b3cb 100644 --- a/.github/actions/build-vault/action.yml +++ b/.github/actions/build-vault/action.yml @@ -90,9 +90,11 @@ runs: if [[ '${{ inputs.vault-edition }}' =~ 'ce' ]]; then build_step_name='Vault ${{ inputs.goos }} ${{ inputs.goarch }} v${{ inputs.vault-version }}' package_version='${{ inputs.vault-version }}' + linux_package_license='BUSL-1.1' else build_step_name='Vault ${{ inputs.goos }} ${{ inputs.goarch }} v${{ inputs.vault-version }}+${{ inputs.vault-edition }}' package_version='${{ inputs.vault-version }}+ent' # this should always be +ent here regardless of enterprise edition + linux_package_license='IPLA' fi # Generate a builder cache key that considers anything that might change # our build container, including: @@ -110,7 +112,13 @@ runs: echo "build-step-name=${build_step_name}" echo "vault-builder-cache-key=${docker_sha}-${build_sha}-${tools_sha}-${github_sha}-$(cat .go-version)" echo "package-version=${package_version}" + echo "linux_package_license=${linux_package_license}" } | tee -a "$GITHUB_OUTPUT" + - if: inputs.vault-edition != 'ce' + id: build-vault-select-license + uses: hashicorp-forge/actions-pao-tool/select-license@6997f7457c338e008506005cc370e7b02f7fb421 # v1.0.3 + with: + arch: ${{ matrix.goarch }} - if: inputs.cgo-enabled == '0' name: ${{ steps.metadata.outputs.build-step-name }} env: @@ -200,6 +208,8 @@ runs: - if: inputs.vault-edition != 'ce' shell: bash run: make ci-prepare-ent-legal + env: + LICENSE_DIR: "${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy" - if: inputs.vault-edition == 'ce' shell: bash run: make ci-prepare-ce-legal 
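Review bot: The new `build-vault-select-license` step in the `@@ -110,7 +112,13 @@` hunk reads `arch: ${{ matrix.goarch }}`, although this composite action already receives the architecture as `inputs.goarch` (it is used in `build_step_name` a few lines earlier and as `arch: ${{ inputs.goarch }}` in the containerize hunks of this same diff). Reading the caller's matrix context ties the action to the job's matrix key naming and yields an empty `arch` whenever the action runs outside a matrix or under a differently named key, which would select the wrong license directory without any error; `arch: ${{ inputs.goarch }}` keeps the action self-contained. The same `matrix.goarch` reference appears in the containerize `@@ -38,6 +38,11 @@` hunk. Separately, the new output `linux_package_license` is the only snake_case name among the kebab-case outputs written in the same block (`build-step-name`, `package-version`); `echo "linux-package-license=${linux_package_license}"` with the matching rename in the `license:` line of the `@@ -222,7 +232,7 @@` hunk would keep them consistent.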
@@ -222,7 +232,7 @@ runs: version: ${{ steps.metadata.outputs.package-version }} maintainer: HashiCorp homepage: https://github.com/hashicorp/vault - license: BUSL-1.1 + license: ${{ steps.metadata.outputs.linux_package_license }} binary: ${{ steps.metadata.outputs.binary-path }} deb_depends: openssl rpm_depends: openssl diff --git a/.github/actions/containerize/action.yml b/.github/actions/containerize/action.yml index 89700d60ac..64a17d01f5 100644 --- a/.github/actions/containerize/action.yml +++ b/.github/actions/containerize/action.yml @@ -38,6 +38,11 @@ outputs: runs: using: composite steps: + - if: inputs.vault-edition != 'ce' && (inputs.docker == 'true' || inputs.redhat == 'true') + uses: hashicorp-forge/actions-pao-tool/select-license@6997f7457c338e008506005cc370e7b02f7fb421 # v1.0.3 + id: build-vault-select-license + with: + arch: ${{ matrix.goarch }} - id: vars shell: bash run: | @@ -48,6 +53,8 @@ runs: docker_container_target='default' redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi' redhat_container_target='ubi' + license_source='LICENSE' + license_dest='/usr/share/doc/vault/LICENSE.txt' ;; "ent") container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}' @@ -55,6 +62,8 @@ runs: docker_container_target='default' redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi' redhat_container_target='ubi' + license_source='${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy' + license_dest='/usr/share/doc/vault/Softcopy/' ;; "ent.hsm") container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}' 
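Review bot: In the `@@ -55,6 +62,8 @@` hunk, `license_source='${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy'` splices a step output produced by an external action straight into the `run:` shell script; the expression is expanded before bash parses the text, so a single quote in that path would terminate the literal and the remainder would be interpreted as shell. The file already interpolates `inputs.*` this way, but the new lines extend the pattern to a value the workflow does not control. Exporting it once on the `vars` step, `env: LICENSE_PATH: ${{ steps.build-vault-select-license.outputs.license-path }}`, and writing `license_source="${LICENSE_PATH}/Softcopy"` keeps the value out of the script text; the same expression is repeated in the `@@ -62`, `@@ -69` and `@@ -81` hunks that follow.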
@@ -62,6 +71,8 @@ runs: docker_container_target='ubi-hsm' redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi' redhat_container_target='ubi-hsm' + license_source='${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy' + license_dest='/usr/share/doc/vault/Softcopy/' ;; "ent.hsm.fips1403") container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}' @@ -69,6 +80,8 @@ runs: docker_container_target='ubi-hsm-fips' redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi' redhat_container_target='ubi-hsm-fips' + license_source='${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy' + license_dest='/usr/share/doc/vault/Softcopy/' ;; "ent.fips1403") # NOTE: For compatibility we still publish the ent.fips1403 containers to different @@ -81,6 +94,8 @@ runs: docker_container_target='ubi-fips' redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi' redhat_container_target='ubi-fips' + license_source='${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy' + license_dest='/usr/share/doc/vault/Softcopy/' ;; *) echo "Cannot generate container tags for unknown vault edition: ${{ inputs.vault-edition }}" 2>&1 @@ -93,6 +108,8 @@ runs: echo "docker-container-target=${docker_container_target}" echo "redhat-container-tags=${redhat_container_tags}" echo "redhat-container-target=${redhat_container_target}" + echo "license_source=${license_source}" + echo "license_dest=${license_dest}" echo "revision=$(make ci-get-revision)" } | tee -a "$GITHUB_OUTPUT" - if: inputs.docker == 'true' || inputs.redhat == 'true' 
@@ -108,6 +125,9 @@ runs: with: arch: ${{ inputs.goarch }} do_zip_extract_step: 'false' # Don't download and extract an already present binary + extra_build_args: | + LICENSE_SOURCE=${{ steps.vars.outputs.license_source }} + LICENSE_DEST=${{ steps.vars.outputs.license_dest }} repo_name: ${{ inputs.vault-edition == 'ce' && 'vault' || 'vault-enterprise' }} revision: ${{ steps.vars.outputs.revision }} tags: ${{ steps.vars.outputs.docker-container-tags }} @@ -118,6 +138,9 @@ runs: with: arch: ${{ inputs.goarch }} do_zip_extract_step: 'false' # Don't download and extract an already present binary + extra_build_args: | + LICENSE_SOURCE=${{ steps.vars.outputs.license_source }} + LICENSE_DEST=${{ steps.vars.outputs.license_dest }} redhat_tag: ${{ steps.vars.outputs.redhat-container-tags }} repo_name: ${{ inputs.vault-edition == 'ce' && 'vault' || 'vault-enterprise' }} revision: ${{ steps.vars.outputs.revision }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 859e05600f..30cdf45160 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -163,6 +163,9 @@ jobs: # Don't download them on a cache hit during setup, just make sure they're cached before # subsequent workflows are run. no-restore: true + - if: steps.metadata.outputs.is-ent-branch == 'true' + name: Generate PAO metadata + uses: hashicorp-forge/actions-pao-tool/collect@6997f7457c338e008506005cc370e7b02f7fb421 # v1.0.3 ui: # The Web UI workflow is a prerequisite workflow for building our artifacts. If the application diff --git a/.yamllint b/.yamllint index fe62ee82d7..e12dc256ec 100644 --- a/.yamllint +++ b/.yamllint @@ -7,4 +7,4 @@ rules: comments-indentation: disable line-length: disable commas: - max-spaces-after: -1 + max-spaces-after: -1 diff --git a/Dockerfile b/Dockerfile index 3e8eefb1b7..e34616b22e 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -12,6 +12,10 @@ ARG PRODUCT_VERSION ARG PRODUCT_REVISION # TARGETARCH and TARGETOS are set automatically when --platform is provided. ARG TARGETOS TARGETARCH +# LICENSE_SOURCE is the path to IBM license documents, which may be architecture-specific. +ARG LICENSE_SOURCE +# LICENSE_DEST is the path where license files are installed in the container +ARG LICENSE_DEST # Additional metadata labels used by container registries, platforms # and certification scanners. @@ -25,7 +29,7 @@ LABEL name="Vault" \ description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log." # Copy the license file as per Legal requirement -COPY LICENSE /usr/share/doc/$NAME/LICENSE.txt +COPY ${LICENSE_SOURCE} ${LICENSE_DEST} # Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD ENV NAME=$NAME @@ -34,11 +38,7 @@ ENV VERSION=$VERSION # Create a non-root user to run the software. RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME} -RUN apk add --no-cache libcap su-exec dumb-init tzdata curl && \ - mkdir -p /usr/share/doc/vault && \ - curl -o /usr/share/doc/vault/EULA.txt https://eula.hashicorp.com/EULA.txt && \ - curl -o /usr/share/doc/vault/TermsOfEvaluation.txt https://eula.hashicorp.com/TermsOfEvaluation.txt && \ - apk del curl +RUN apk add --no-cache libcap su-exec dumb-init tzdata COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/ 
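Review bot: `ARG LICENSE_SOURCE` and `ARG LICENSE_DEST` in the `@@ -12,6 +12,10 @@` hunk have no default, so a plain `docker build` without `--build-arg` expands the new `COPY ${LICENSE_SOURCE} ${LICENSE_DEST}` to a `COPY` with empty operands and fails, whereas the replaced `COPY LICENSE /usr/share/doc/$NAME/LICENSE.txt` built out of the box. Defaults that reproduce the previous community behaviour, `ARG LICENSE_SOURCE=LICENSE` and `ARG LICENSE_DEST=/usr/share/doc/vault/LICENSE.txt`, keep local and non-CI builds working while the containerize action still overrides both through `extra_build_args`. The same two declarations are repeated without defaults in the `@@ -89,6 +89,10 @@` hunk of the second stage.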
@@ -89,6 +89,10 @@ ARG PRODUCT_VERSION ARG PRODUCT_REVISION # TARGETARCH and TARGETOS are set automatically when --platform is provided. ARG TARGETOS TARGETARCH +# LICENSE_SOURCE is the path to IBM license documents, which may be architecture-specific. +ARG LICENSE_SOURCE +# LICENSE_DEST is the path where license files are installed in the container +ARG LICENSE_DEST # Additional metadata labels used by container registries, platforms # and certification scanners. @@ -106,10 +110,11 @@ ENV NAME=$NAME ENV VERSION=$VERSION # Copy the license file as per Legal requirement -COPY LICENSE /usr/share/doc/$NAME/LICENSE.txt +COPY ${LICENSE_SOURCE} ${LICENSE_DEST}/ # We must have a copy of the license in this directory to comply with the HasLicense Redhat requirement -COPY LICENSE /licenses/LICENSE.txt +# Note the trailing slash on the first argument -- plain files meet the requirement but directories do not. +COPY ${LICENSE_SOURCE}/ /licenses/ # Set up certificates, our base tools, and Vault. Unlike the other version of # this (https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile), @@ -140,11 +145,6 @@ RUN mkdir -p /vault/logs && \ chgrp -R 0 $HOME && chmod -R g+rwX $HOME && \ chgrp -R 0 /vault && chmod -R g+rwX /vault -# Include EULA and Terms of Eval -RUN mkdir -p /usr/share/doc/vault && \ - curl -o /usr/share/doc/vault/EULA.txt https://eula.hashicorp.com/EULA.txt && \ - curl -o /usr/share/doc/vault/TermsOfEvaluation.txt https://eula.hashicorp.com/TermsOfEvaluation.txt - # Expose the logs directory as a volume since there's potentially long-running # state in there VOLUME /vault/logs diff --git a/scripts/ci-helper.sh b/scripts/ci-helper.sh index a267700886..99d1f7e90c 100755 --- a/scripts/ci-helper.sh +++ b/scripts/ci-helper.sh 
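Review bot: `COPY ${LICENSE_SOURCE} ${LICENSE_DEST}/` in the `@@ -106,10 +110,11 @@` hunk appends a slash to the destination, and Docker treats a destination ending in `/` as a directory. For the community edition the containerize action sets `license_dest` to `/usr/share/doc/vault/LICENSE.txt`, so if the ce redhat build (whose case in containerize sets `redhat_container_target='ubi'`) reaches this stage, the license ends up as `/usr/share/doc/vault/LICENSE.txt/LICENSE` rather than the file the old `COPY LICENSE /usr/share/doc/$NAME/LICENSE.txt` produced. The enterprise `license_dest` values already end in `/`, so `COPY ${LICENSE_SOURCE} ${LICENSE_DEST}` without the extra slash, as the first stage's hunk writes it, handles both editions. The following `COPY ${LICENSE_SOURCE}/ /licenses/` likewise assumes a directory source; whether a trailing slash on a plain-file source such as `LICENSE` is accepted is not established by the hunk, so the ce path deserves a build check before merge.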
@@ -133,13 +133,16 @@ function build() { function prepare_ent_legal() { : "${PKG_NAME:="vault"}" + if [ -z "${LICENSE_DIR:-}" ]; then + echo "You must set LICENSE_DIR; example: export LICENSE_DIR=.release/ibm-pao/license/default" 1>&2 + return 1 + fi + pushd "$(repo_root)" mkdir -p dist - curl -o dist/EULA.txt https://eula.hashicorp.com/EULA.txt - curl -o dist/TermsOfEvaluation.txt https://eula.hashicorp.com/TermsOfEvaluation.txt + cp -R "$LICENSE_DIR" dist/ mkdir -p ".release/linux/package/usr/share/doc/$PKG_NAME" - cp dist/EULA.txt ".release/linux/package/usr/share/doc/$PKG_NAME/EULA.txt" - cp dist/TermsOfEvaluation.txt ".release/linux/package/usr/share/doc/$PKG_NAME/TermsOfEvaluation.txt" + cp -R "$LICENSE_DIR" ".release/linux/package/usr/share/doc/$PKG_NAME/" popd } diff --git a/tools/pipeline/internal/pkg/changed/checkers.go b/tools/pipeline/internal/pkg/changed/checkers.go index 80459d81b0..f6c1e9fa9d 100644 --- a/tools/pipeline/internal/pkg/changed/checkers.go +++ b/tools/pipeline/internal/pkg/changed/checkers.go @@ -160,7 +160,8 @@ func FileGroupCheckerEnterprise(ctx context.Context, file *File) FileGroups { hasBaseDir(name, "vault_ent"), hasBaseDir(name, filepath.Join("scripts", "dev", "hsm")), hasBaseDir(name, filepath.Join("scripts", "testing")), - hasBaseDir(name, filepath.Join("specs")): + hasBaseDir(name, filepath.Join("specs")), + hasBaseDir(name, filepath.Join(".release", "ibm-pao")): return FileGroups{FileGroupEnterprise} } diff --git a/tools/pipeline/internal/pkg/changed/checkers_test.go b/tools/pipeline/internal/pkg/changed/checkers_test.go index bb6839f332..2eb75d142f 100644 --- a/tools/pipeline/internal/pkg/changed/checkers_test.go +++ b/tools/pipeline/internal/pkg/changed/checkers_test.go 
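Review bot: The new guard in `prepare_ent_legal` rejects only an empty `LICENSE_DIR`, but the caller in build-vault `action.yml` sets it to `"${{ steps.build-vault-select-license.outputs.license-path }}/Softcopy"`, so a missing or skipped select-license output arrives as `/Softcopy`, passes the `-z` test, and fails later inside `cp -R` with a less useful message. Testing for a directory covers both cases: `if [ ! -d "${LICENSE_DIR:-}" ]; then`. The two `cp -R "$LICENSE_DIR" …/` calls also, as far as I recall, behave differently between GNU and BSD `cp` when the source carries a trailing slash (GNU copies the directory itself, BSD copies its contents), which is worth a one-line comment since the value is assembled by the action rather than typed by a person.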
@@ -15,16 +15,17 @@ func TestFileGroupDefaultCheckers(t *testing.T) { t.Parallel() for filename, groups := range map[string]FileGroups{ - ".build/entrypoint.sh": {FileGroupPipeline}, - ".github/actions/changed-files/actions.yml": {FileGroupPipeline}, - ".github/workflows/build.yml": {FileGroupPipeline}, - ".github/workflows/build-artifacts-ce.yml": {FileGroupCommunity, FileGroupPipeline}, - ".github/workflows/build-artifacts-ent.yml": {FileGroupEnterprise, FileGroupPipeline}, - ".github/workflows/backport-ce-ent.yml": {FileGroupCommunity, FileGroupPipeline}, - ".go-version": {FileGroupGoToolchain}, - "audit/backend_ce.go": {FileGroupGoApp, FileGroupCommunity}, - "audit/backend_config_ent.go": {FileGroupGoApp, FileGroupEnterprise}, - "builtin/logical/transit/something_ent.go": {FileGroupGoApp, FileGroupEnterprise}, + ".build/entrypoint.sh": {FileGroupPipeline}, + ".github/actions/changed-files/actions.yml": {FileGroupPipeline}, + ".github/workflows/build.yml": {FileGroupPipeline}, + ".github/workflows/build-artifacts-ce.yml": {FileGroupCommunity, FileGroupPipeline}, + ".github/workflows/build-artifacts-ent.yml": {FileGroupEnterprise, FileGroupPipeline}, + ".github/workflows/backport-ce-ent.yml": {FileGroupCommunity, FileGroupPipeline}, + ".go-version": {FileGroupGoToolchain}, + ".release/ibm-pao/eboms/5900-BJ8.essentials.csv": {FileGroupEnterprise}, + "audit/backend_ce.go": {FileGroupGoApp, FileGroupCommunity}, + "audit/backend_config_ent.go": {FileGroupGoApp, FileGroupEnterprise}, + "builtin/logical/transit/something_ent.go": {FileGroupGoApp, FileGroupEnterprise}, "buf.yml": {FileGroupProto}, "changelog/1726.txt": {FileGroupChangelog}, "changelog/_1726.txt": {FileGroupChangelog},