During a seal reload through SIGHUP, only write updated seal barrier on an active node (#26381)

* During a seal reload through SIGHUP, do not write updated seal barrier on non-active nodes

* Add cl
Steven Clark
2024-04-12 08:51:44 -04:00
committed by GitHub
parent 34d7fc39a0
commit bd5f61aae1
3 changed files with 45 additions and 13 deletions

3
changelog/26381.txt Normal file

@@ -0,0 +1,3 @@
```release-note:bug
core/seal: During a seal reload through SIGHUP, only write updated seal barrier on an active node
```


@@ -3485,13 +3485,30 @@ func (c *ServerCommand) reloadSeals(ctx context.Context, grabStateLock bool, cor
newGen := setSealResponse.barrierSeal.GetAccess().GetSealGenerationInfo() newGen := setSealResponse.barrierSeal.GetAccess().GetSealGenerationInfo()
err = core.SetSeals(ctx, grabStateLock, setSealResponse.barrierSeal, secureRandomReader, !newGen.IsRewrapped() || setSealResponse.hasPartiallyWrappedPaths) var standby, perf bool
if err != nil { if grabStateLock {
return false, fmt.Errorf("error setting seal: %s", err) // If grabStateLock is false we know we are on a leader activation
standby, perf = core.StandbyStates()
} }
switch {
case !perf && !standby:
c.logger.Debug("persisting reloaded seals as we are the active node")
err = core.SetSeals(ctx, grabStateLock, setSealResponse.barrierSeal, secureRandomReader, !newGen.IsRewrapped() || setSealResponse.hasPartiallyWrappedPaths)
if err != nil {
return false, fmt.Errorf("error setting seal: %s", err)
}
if err := core.SetPhysicalSealGenInfo(ctx, newGen); err != nil { if err := core.SetPhysicalSealGenInfo(ctx, newGen); err != nil {
c.logger.Warn("could not update seal information in storage", "err", err) c.logger.Warn("could not update seal information in storage", "err", err)
}
case perf:
c.logger.Debug("updating reloaded seals in memory on perf standby")
err = core.SetSealsOnPerfStandby(ctx, grabStateLock, setSealResponse.barrierSeal, secureRandomReader)
if err != nil {
return false, fmt.Errorf("error setting seal on perf standby: %s", err)
}
default:
return false, errors.New("skipping seal reload as we are a standby")
} }
// finalize the old seals and set the new seals as the current ones // finalize the old seals and set the new seals as the current ones
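Review bot: The role check in the added block is a check-then-act: `core.StandbyStates()` is sampled before `core.SetSeals(...)` runs, so if the node steps down between the two calls the `!perf && !standby` case could still reach the storage write this commit restricts to the active node. Whether the state lock taken inside SetSeals closes that window is not visible in this hunk; if it does not, the role should be re-checked once the lock is held, and at minimum the assumption deserves a comment such as `// role is sampled before SetSeals takes the state lock; a step-down in between is not re-checked here`. The existing comment `// If grabStateLock is false we know we are on a leader activation` sits inside the `if grabStateLock {` body although it explains the other branch, so it would read better above the `if`. reloadSeals starts and ends outside the hunk.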


@@ -4464,12 +4464,22 @@ func (c *Core) GetRaftAutopilotState(ctx context.Context) (*raft.AutopilotState,
return raftBackend.GetAutopilotServerState(ctx) return raftBackend.GetAutopilotServerState(ctx)
} }
// Events returns a reference to the common event bus for sending and subscribint to events. // Events returns a reference to the common event bus for sending and subscribing to events.
func (c *Core) Events() *eventbus.EventBus { func (c *Core) Events() *eventbus.EventBus {
return c.events return c.events
} }
func (c *Core) SetSeals(ctx context.Context, grabLock bool, barrierSeal Seal, secureRandomReader io.Reader, shouldRewrap bool) error { func (c *Core) SetSeals(ctx context.Context, grabLock bool, barrierSeal Seal, secureRandomReader io.Reader, shouldRewrap bool) error {
return c.setSeals(ctx, grabLock, barrierSeal, secureRandomReader, shouldRewrap, true)
}
// SetSealsOnPerfStandby sets the seal state within the core object without attempting to persist it to disk,
// normally SetSeals is what you should be calling.
func (c *Core) SetSealsOnPerfStandby(ctx context.Context, grabLock bool, barrierSeal Seal, secureRandomReader io.Reader) error {
return c.setSeals(ctx, grabLock, barrierSeal, secureRandomReader, false, false)
}
func (c *Core) setSeals(ctx context.Context, grabLock bool, barrierSeal Seal, secureRandomReader io.Reader, shouldRewrap bool, performWrite bool) error {
if grabLock { if grabLock {
ctx, _ = c.GetContext() ctx, _ = c.GetContext()
@@ -4497,14 +4507,16 @@ func (c *Core) SetSeals(ctx context.Context, grabLock bool, barrierSeal Seal, se
} }
barrierConfigCopy.Type = barrierSeal.BarrierSealConfigType().String() barrierConfigCopy.Type = barrierSeal.BarrierSealConfigType().String()
err = barrierSeal.SetBarrierConfig(ctx, barrierConfigCopy) if performWrite {
if err != nil { err = barrierSeal.SetBarrierConfig(ctx, barrierConfigCopy)
return fmt.Errorf("error setting barrier config for new seal: %s", err) if err != nil {
} return fmt.Errorf("error setting barrier config for new seal: %s", err)
}
err = barrierSeal.SetStoredKeys(ctx, rootKey) err = barrierSeal.SetStoredKeys(ctx, rootKey)
if err != nil { if err != nil {
return fmt.Errorf("error setting root key in new seal: %s", err) return fmt.Errorf("error setting root key in new seal: %s", err)
}
} }
c.seal = barrierSeal c.seal = barrierSeal
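Review bot: `SetSeals` remains exported without a doc comment although it is now the only variant that calls `SetBarrierConfig` and `SetStoredKeys`, and neither wrapper checks the node's role itself; as far as this page shows, the active-node restriction is enforced only at the reloadSeals call site. I would state the precondition on the API, e.g. `// SetSeals installs barrierSeal and persists its barrier config and stored keys; it must only be called on the active node.` The unexported `setSeals` also ends in two adjacent positional bools, so `c.setSeals(ctx, grabLock, barrierSeal, secureRandomReader, false, false)` is easy to transpose; labelling the arguments (`/* shouldRewrap */ false, /* performWrite */ false`) would make a swapped flag visible in review. The body of setSeals spans both hunks of this file and is only partly visible.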