Check if storage should be updated during invalidation (#28059)

* check if storage should be updated during invalidation * add changelog * add other tests and fix for auth move * fix changelog * fix comment * remove ent tests --------- Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>
2025-10-29 17:52:32 +00:00 · 2024-08-22 16:00:55 -05:00
parent 1488f0956d
commit 6558df47b4
4 changed files with 40 additions and 16 deletions
--- a/changelog/28059.txt
+++ b/changelog/28059.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+command: The `vault secrets move` and `vault auth move` command will no longer attempt to write to storage on performance standby nodes.
+```
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -485,15 +485,17 @@ func (c *Core) remountCredential(ctx context.Context, src, dst namespace.MountPa
 	srcMatch.Path = strings.TrimPrefix(dst.MountPath, credentialRoutePrefix)

 	// Update the mount table
-	if err := c.persistAuth(ctx, c.auth, &srcMatch.Local); err != nil {
-		srcMatch.Path = srcPath
-		srcMatch.Tainted = true
-		c.authLock.Unlock()
-		if err == logical.ErrReadOnly && c.perfStandby {
-			return err
-		}
+	if updateStorage {
+		if err := c.persistAuth(ctx, c.auth, &srcMatch.Local); err != nil {
+			srcMatch.Path = srcPath
+			srcMatch.Tainted = true
+			c.authLock.Unlock()
+			if err == logical.ErrReadOnly && c.perfStandby {
+				return err
+			}

-		return fmt.Errorf("failed to update auth table with error %+v", err)
+			return fmt.Errorf("failed to update auth table with error %+v", err)
+		}
 	}

 	// Remount the backend, setting the existing route entry
--- a/vault/mount.go
+++ b/vault/mount.go
@@ -1189,15 +1189,17 @@ func (c *Core) remountSecretsEngine(ctx context.Context, src, dst namespace.Moun
 	srcMatch.Path = dst.MountPath

 	// Update the mount table
-	if err := c.persistMounts(ctx, c.mounts, &srcMatch.Local); err != nil {
-		srcMatch.Path = srcPath
-		srcMatch.Tainted = true
-		c.mountsLock.Unlock()
-		if err == logical.ErrReadOnly && c.perfStandby {
-			return err
-		}
+	if updateStorage {
+		if err := c.persistMounts(ctx, c.mounts, &srcMatch.Local); err != nil {
+			srcMatch.Path = srcPath
+			srcMatch.Tainted = true
+			c.mountsLock.Unlock()
+			if err == logical.ErrReadOnly && c.perfStandby {
+				return err
+			}

-		return fmt.Errorf("failed to update mount table with error %+v", err)
+			return fmt.Errorf("failed to update mount table with error %+v", err)
+		}
 	}

 	// Remount the backend
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -652,6 +652,23 @@ func GenerateRandBytes(length int) ([]byte, error) {
 	return buf, nil
 }

+func TestWaitPerfStandby(t testing.TB, core *Core) {
+	t.Helper()
+	start := time.Now()
+	var perfStandby bool
+	for time.Now().Sub(start) < 30*time.Second {
+		perfStandby = core.PerfStandby()
+
+		if perfStandby {
+			break
+		}
+	}
+	if !perfStandby {
+		err := errors.New("core not in perf standby mode")
+		t.Fatal(err)
+	}
+}
+
 func TestWaitActive(t testing.TB, core *Core) {
 	t.Helper()
 	if err := TestWaitActiveWithError(core); err != nil {