backport of commit 0ac2fa19aa (#20707)

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

builtin/logical/pki/periodic.go

@@ -50,15 +50,6 @@ func runUnifiedTransfer(sc *storageContext) {
 		return
 	}
 
-	if !status.lastRun.IsZero() {
-		// We have run before, we only run again if we have
-		// been requested to forceRerun, and we haven't run since our
-		// minimum delay
-		if !(status.forceRerun.Load() && time.Since(status.lastRun) < minUnifiedTransferDelay) {
-			return
-		}
-	}
-
 	if !config.UnifiedCRL {
 		// Feature is disabled, no need to run
 		return
@@ -77,6 +68,17 @@ func runUnifiedTransfer(sc *storageContext) {
 	}
 	defer status.isRunning.Store(false)
 
+	// Because access to lastRun is not locked, we need to delay this check
+	// until after we grab the isRunning CAS lock.
+	if !status.lastRun.IsZero() {
+		// We have run before, we only run again if we have
+		// been requested to forceRerun, and we haven't run since our
+		// minimum delay.
+		if !(status.forceRerun.Load() && time.Since(status.lastRun) < minUnifiedTransferDelay) {
+			return
+		}
+	}
+
 	// Reset our flag before we begin, we do this before we start as
 	// we can't guarantee that we can properly parse/fix the error from an
 	// error that comes in from the revoke API after that. This will

changelog/20701.txt

@@ -0,0 +1,3 @@
+```release-notes:bug
+secrets/pki: Fix race during runUnifiedTransfer when deciding to skip re-running a test within a short window.
+```