* Unseal HA changes, CE side * Transit wrapper update
@@ -1275,6 +1275,9 @@ func (c *ServerCommand) Run(args []string) int {
|
||||
c.UI.Error(err.Error())
|
||||
return 1
|
||||
}
|
||||
if setSealResponse.sealConfigWarning != nil {
|
||||
c.UI.Warn(fmt.Sprintf("Warnings during seal configuration: %v", setSealResponse.sealConfigWarning))
|
||||
}
|
||||
|
||||
for _, seal := range setSealResponse.getCreatedSeals() {
|
||||
seal := seal // capture range variable
|
||||
@@ -2557,7 +2560,8 @@ type SetSealResponse struct {
|
||||
unwrapSeal vault.Seal
|
||||
|
||||
// sealConfigError is present if there was an error configuring wrappers, other than KeyNotFound.
|
||||
sealConfigError error
|
||||
sealConfigError error
|
||||
sealConfigWarning error
|
||||
}
|
||||
|
||||
func (r *SetSealResponse) getCreatedSeals() []*vault.Seal {
|
||||
@@ -2602,9 +2606,13 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
||||
}
|
||||
|
||||
var sealConfigError error
|
||||
var sealConfigWarning error
|
||||
recordSealConfigError := func(err error) {
|
||||
sealConfigError = errors.Join(sealConfigError, err)
|
||||
}
|
||||
recordSealConfigWarning := func(err error) {
|
||||
sealConfigWarning = errors.Join(sealConfigWarning, err)
|
||||
}
|
||||
enabledSealWrappers := make([]*vaultseal.SealWrapper, 0)
|
||||
disabledSealWrappers := make([]*vaultseal.SealWrapper, 0)
|
||||
allSealKmsConfigs := make([]*configutil.KMS, 0)
|
||||
@@ -2615,6 +2623,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
||||
}
|
||||
sealWrapperInfoKeysMap := make(map[string]infoKeysAndMap)
|
||||
|
||||
configuredSeals := 0
|
||||
for _, configSeal := range config.Seals {
|
||||
sealTypeEnvVarName := "VAULT_SEAL_TYPE"
|
||||
if configSeal.Priority > 1 {
|
||||
@@ -2628,24 +2637,18 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
||||
|
||||
sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", configSeal.Type))
|
||||
|
||||
allSealKmsConfigs = append(allSealKmsConfigs, configSeal)
|
||||
var wrapperInfoKeys []string
|
||||
wrapperInfoMap := map[string]string{}
|
||||
wrapper, wrapperConfigError := configutil.ConfigureWrapper(configSeal, &wrapperInfoKeys, &wrapperInfoMap, sealLogger)
|
||||
if wrapperConfigError != nil {
|
||||
// It seems that we are checking for this particular error here is to distinguish between a
|
||||
// mis-configured seal vs one that fails for another reason. Apparently the only other reason is
|
||||
// a key not found error. It seems the intention is for the key not found error to be returned
|
||||
// as a seal specific error later
|
||||
if !errwrap.ContainsType(wrapperConfigError, new(logical.KeyNotFoundError)) {
|
||||
return nil, fmt.Errorf("error parsing Seal configuration: %s", wrapperConfigError)
|
||||
} else {
|
||||
sealLogger.Error("error configuring seal", "name", configSeal.Name, "err", wrapperConfigError)
|
||||
recordSealConfigError(wrapperConfigError)
|
||||
if wrapperConfigError == nil {
|
||||
// for some reason configureWrapper in kms.go returns nil wrapper and nil error for wrapping.WrapperTypeShamir
|
||||
if wrapper == nil {
|
||||
wrapper = aeadwrapper.NewShamirWrapper()
|
||||
}
|
||||
}
|
||||
// for some reason configureWrapper in kms.go returns nil wrapper and nil error for wrapping.WrapperTypeShamir
|
||||
if wrapper == nil && wrapperConfigError == nil {
|
||||
wrapper = aeadwrapper.NewShamirWrapper()
|
||||
configuredSeals++
|
||||
} else {
|
||||
recordSealConfigWarning(fmt.Errorf("error configuring seal: %v", wrapperConfigError))
|
||||
}
|
||||
|
||||
sealWrapper := vaultseal.NewSealWrapper(
|
||||
@@ -2654,6 +2657,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
||||
configSeal.Name,
|
||||
configSeal.Type,
|
||||
configSeal.Disabled,
|
||||
wrapperConfigError == nil,
|
||||
)
|
||||
|
||||
if configSeal.Disabled {
|
||||
@@ -2661,7 +2665,6 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
||||
} else {
|
||||
enabledSealWrappers = append(enabledSealWrappers, sealWrapper)
|
||||
}
|
||||
allSealKmsConfigs = append(allSealKmsConfigs, configSeal)
|
||||
|
||||
sealWrapperInfoKeysMap[sealWrapper.Name] = infoKeysAndMap{
|
||||
keys: wrapperInfoKeys,
|
||||
@@ -2669,6 +2672,12 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
||||
}
|
||||
}
|
||||
|
||||
if len(enabledSealWrappers) == 0 && len(disabledSealWrappers) == 0 && sealConfigWarning != nil {
|
||||
// All of them errored out, so warnings are now errors
|
||||
recordSealConfigError(sealConfigWarning)
|
||||
sealConfigWarning = nil
|
||||
}
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
// Set the info keys, this modifies the function arguments `info` and `infoKeys`
|
||||
// TODO(SEALHA): Why are we doing this? What is its use?
|
||||
@@ -2724,10 +2733,11 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
||||
sealLogger := c.logger
|
||||
switch {
|
||||
case len(enabledSealWrappers) == 0:
|
||||
return nil, errors.New("no enabled Seals in configuration")
|
||||
|
||||
return nil, errors.Join(sealConfigWarning, errors.New("no enabled Seals in configuration"))
|
||||
case configuredSeals == 0:
|
||||
return nil, errors.Join(sealConfigWarning, errors.New("no seals were successfully initialized"))
|
||||
case containsShamir(enabledSealWrappers) && containsShamir(disabledSealWrappers):
|
||||
return nil, errors.New("shamir seals cannot be set disabled (they should simply not be set)")
|
||||
return nil, errors.Join(sealConfigWarning, errors.New("shamir seals cannot be set disabled (they should simply not be set)"))
|
||||
|
||||
case len(enabledSealWrappers) == 1 && containsShamir(enabledSealWrappers):
|
||||
// The barrier seal is Shamir. If there are any disabled seals, then we put them all in the same
|
||||
@@ -2747,7 +2757,9 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
||||
// so just put enabled and disabled wrappers on the same seal Access
|
||||
allSealWrappers := append(enabledSealWrappers, disabledSealWrappers...)
|
||||
barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, allSealWrappers))
|
||||
|
||||
if configuredSeals < len(enabledSealWrappers) {
|
||||
c.UI.Warn("WARNING: running with fewer than all configured seals during unseal. Will not be fully highly available until errors are corrected and Vault restarted.")
|
||||
}
|
||||
case len(enabledSealWrappers) == 1:
|
||||
// We may have multiple seals disabled, but we know Shamir is not one of them.
|
||||
barrierSeal = vault.NewAutoSeal(vaultseal.NewAccess(sealLogger, sealGenerationInfo, enabledSealWrappers))
|
||||
@@ -2757,13 +2769,14 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
|
||||
|
||||
default:
|
||||
// We know there are multiple enabled seals and that the seal HA beta is not enabled
|
||||
return nil, errors.New("error: more than one enabled seal found")
|
||||
return nil, errors.Join(sealConfigWarning, errors.New("error: more than one enabled seal found"))
|
||||
}
|
||||
|
||||
return &SetSealResponse{
|
||||
barrierSeal: barrierSeal,
|
||||
unwrapSeal: unwrapSeal,
|
||||
sealConfigError: sealConfigError,
|
||||
barrierSeal: barrierSeal,
|
||||
unwrapSeal: unwrapSeal,
|
||||
sealConfigError: sealConfigError,
|
||||
sealConfigWarning: sealConfigWarning,
|
||||
}, nil
|
||||
}
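Review bot: The warning recorded in the -2628 hunk, `recordSealConfigWarning(fmt.Errorf("error configuring seal: %v", wrapperConfigError))`, drops the seal name that the removed `sealLogger.Error(..., "name", configSeal.Name, ...)` line carried, and `%v` flattens the chain so `errors.Is`/`errors.As` on sealConfigWarning can no longer find the underlying KeyNotFoundError. Since every wrapper configuration error is now non-fatal and this joined warning is the only signal the operator gets through `c.UI.Warn` in Run, with several seals configured it does not say which one failed; suggest `recordSealConfigWarning(fmt.Errorf("error configuring seal %q: %w", configSeal.Name, wrapperConfigError))`. Relatedly, `configuredSeals++` runs before the `configSeal.Disabled` check, so the `configuredSeals < len(enabledSealWrappers)` comparison in the -2747 hunk counts disabled successes against enabled wrappers and may miss a failed enabled wrapper when a disabled one initialized; a separate count of enabled seals that initialized would make the check exact, though the rest of that switch branch runs past the hunk. The new `sealConfigWarning` field in SetSealResponse also lacks the doc comment its sibling has; `// sealConfigWarning is present if one or more wrappers failed to configure but the seal was still created.` would match the existing style.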
|
||||
|
||||
|
||||