When not in seal HA, do not use Rewrapped flag to trigger a seal re-wrap on start up. (#22668)

2026-02-03 20:40:45 -05:00 · 2023-08-30 16:02:32 -04:00 · 2023-08-30 16:02:32 -04:00 · a96a1a7346
commit a96a1a7346
parent c8efa4c7a4
2 changed files with 8 additions and 3 deletions
--- a/command/server.go
+++ b/command/server.go
@ -2724,8 +2724,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 }

 func (c *ServerCommand) computeSealGenerationInfo(existingSealGenInfo *vaultseal.SealGenerationInfo, sealConfigs []*configutil.KMS) (*vaultseal.SealGenerationInfo, error) {
-	var generation uint64
-	generation = 1
+	generation := uint64(1)

 	if existingSealGenInfo != nil {
 		if cmp.Equal(existingSealGenInfo.Seals, sealConfigs) {
--- a/vault/core.go
+++ b/vault/core.go
@ -2397,8 +2397,14 @@ func (s standardUnsealStrategy) unseal(ctx context.Context, logger log.Logger, c
 			return err
 		}

-		if !sealGenerationInfo.IsRewrapped() {
+		sealHaEnabled, err := server.IsSealHABetaEnabled()
+		if err != nil {
+			return err
+		}
+		if sealHaEnabled && !sealGenerationInfo.IsRewrapped() {
 			// Flag migration performed for seal-rewrap later
+			// Note that in the case where seal HA is not enabled, Core.migrateSeal() takes care of
+			// triggering the rewrap when necessary.
 			c.logger.Trace("seal generation information indicates that a seal-rewrap is needed", "generation", sealGenerationInfo.Generation, "rewrapped", sealGenerationInfo.IsRewrapped())
 			atomic.StoreUint32(c.sealMigrationDone, 1)
 		}