scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 11:08:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Restore seal startup behavior when not in multi-seal mode (#23229)

Browse Source 
- Only enable the warning mode for seals being unavailable when
   multiple exist when running within multi-seal mode.
 - This addresses a panic that occurs when a legacy style
   migration is attempted and the non-disabled seal is unavailable.
This commit is contained in:
Steven Clark
2023-09-21 16:22:26 -04:00
committed by GitHub
parent fe7f56b3a9
commit 3958bd0484
1 changed files with 19 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
command/server.go
View File

@@ -2627,6 +2627,11 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
} }
sealWrapperInfoKeysMap := make(map[string]infoKeysAndMap) sealWrapperInfoKeysMap := make(map[string]infoKeysAndMap)
sealHaBetaEnabled, err := server.IsSealHABetaEnabled()
if err != nil {
return nil, err
}
configuredSeals := 0 configuredSeals := 0
for _, configSeal := range config.Seals { for _, configSeal := range config.Seals {
sealTypeEnvVarName := "VAULT_SEAL_TYPE" sealTypeEnvVarName := "VAULT_SEAL_TYPE"
@@ -2652,7 +2657,20 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
} }
configuredSeals++ configuredSeals++
} else { } else {
if sealHaBetaEnabled {
recordSealConfigWarning(fmt.Errorf("error configuring seal: %v", wrapperConfigError)) recordSealConfigWarning(fmt.Errorf("error configuring seal: %v", wrapperConfigError))
} else {
// It seems that we are checking for this particular error here is to distinguish between a
// mis-configured seal vs one that fails for another reason. Apparently the only other reason is
// a key not found error. It seems the intention is for the key not found error to be returned
// as a seal specific error later
if !errwrap.ContainsType(wrapperConfigError, new(logical.KeyNotFoundError)) {
return nil, fmt.Errorf("error parsing Seal configuration: %s", wrapperConfigError)
} else {
sealLogger.Error("error configuring seal", "name", configSeal.Name, "err", wrapperConfigError)
recordSealConfigError(wrapperConfigError)
}
}
} }
sealWrapper := vaultseal.NewSealWrapper( sealWrapper := vaultseal.NewSealWrapper(
@@ -2708,12 +2726,6 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Compute seal generation // Compute seal generation
sealHaBetaEnabled, err := server.IsSealHABetaEnabled()
if err != nil {
return nil, err
}
sealGenerationInfo, err := c.computeSealGenerationInfo(existingSealGenerationInfo, allSealKmsConfigs, hasPartiallyWrappedPaths, sealHaBetaEnabled) sealGenerationInfo, err := c.computeSealGenerationInfo(existingSealGenerationInfo, allSealKmsConfigs, hasPartiallyWrappedPaths, sealHaBetaEnabled)
if err != nil { if err != nil {
return nil, err return nil, err