From 3958bd0484bb769d0a9830a4184a6eb73b5f16e4 Mon Sep 17 00:00:00 2001 From: Steven Clark Date: Thu, 21 Sep 2023 16:22:26 -0400 Subject: [PATCH] Restore seal startup behavior when not in multi-seal mode (#23229) - Only enable the warning mode for seals being unavailable when multiple exist when running within multi-seal mode. - This addresses a panic that occurs when a legacy style migration is attempted and the non-disabled seal is unavailable. --- command/server.go | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/command/server.go b/command/server.go index 4f0b2c49e7..855c7a628a 100644 --- a/command/server.go +++ b/command/server.go @@ -2627,6 +2627,11 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma } sealWrapperInfoKeysMap := make(map[string]infoKeysAndMap) + sealHaBetaEnabled, err := server.IsSealHABetaEnabled() + if err != nil { + return nil, err + } + configuredSeals := 0 for _, configSeal := range config.Seals { sealTypeEnvVarName := "VAULT_SEAL_TYPE" 
@@ -2652,7 +2657,20 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma } configuredSeals++ } else { - recordSealConfigWarning(fmt.Errorf("error configuring seal: %v", wrapperConfigError)) + if sealHaBetaEnabled { + recordSealConfigWarning(fmt.Errorf("error configuring seal: %v", wrapperConfigError)) + } else { + // It seems that we are checking for this particular error here is to distinguish between a + // mis-configured seal vs one that fails for another reason. Apparently the only other reason is + // a key not found error. It seems the intention is for the key not found error to be returned + // as a seal specific error later + if !errwrap.ContainsType(wrapperConfigError, new(logical.KeyNotFoundError)) { + return nil, fmt.Errorf("error parsing Seal configuration: %s", wrapperConfigError) + } else { + sealLogger.Error("error configuring seal", "name", configSeal.Name, "err", wrapperConfigError) + recordSealConfigError(wrapperConfigError) + } + } } sealWrapper := vaultseal.NewSealWrapper( @@ -2708,12 +2726,6 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma //////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Compute seal generation - - sealHaBetaEnabled, err := server.IsSealHABetaEnabled() - if err != nil { - return nil, err - } - sealGenerationInfo, err := c.computeSealGenerationInfo(existingSealGenerationInfo, allSealKmsConfigs, hasPartiallyWrappedPaths, sealHaBetaEnabled) if err != nil { return nil, err
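Review bot: In the non-beta branch, `return nil, fmt.Errorf("error parsing Seal configuration: %s", wrapperConfigError)` formats the cause with `%s`, so the error returned from setSeal no longer carries `wrapperConfigError` for `errors.Is`/`errors.As`; `%w` keeps the chain at no cost: `return nil, fmt.Errorf("error parsing Seal configuration: %w", wrapperConfigError)`. The `} else {` after that `return` can also go, with the `sealLogger.Error(...)` and `recordSealConfigError(...)` lines dedented into the enclosing block, which makes the fatal mis-configuration path and the deferred KeyNotFoundError path easier to tell apart. The four-line comment reads as a guess ("It seems that we are checking…"); once the deferred handling is confirmed where `recordSealConfigError`'s result is consumed (outside this hunk), I would replace it with `// Outside the seal HA beta a mis-configured seal is fatal at startup; only a KeyNotFoundError is recorded here and surfaced later as a seal-specific error.`. This assumes `errwrap` and `logical` are still imported in command/server.go, which the hunk does not show; setSeal continues outside the hunk.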