Vault 40239/perf secondary approle periodic tidy (#10794) (#10939)

* Adding logic to run tidy on local secret IDs only for perf secondaries

* Modifying periodic tidy to run on local mounts

* Updating changelog for fix in VAULT-40239

Co-authored-by: Sean Ellefson <sellefson@hashicorp.com>
Vault Automation 2025-12-15 13:34:21 -05:00 committed by GitHub
parent 41bc535dc9
commit b4db60b6c8
GPG key ID: B5690EEEBB952194
3 changed files with 23 additions and 11 deletions


@ -168,7 +168,7 @@ func (b *backend) invalidate(_ context.Context, key string) {
// to delay the removal of SecretIDs by a minute.
func (b *backend) periodicFunc(ctx context.Context, req *logical.Request) error {
// Initiate clean-up of expired SecretID entries
if b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby) {
if !b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
b.tidySecretID(ctx, req)
}
return nil


@ -261,16 +261,25 @@ func (b *backend) tidySecretIDinternal(s logical.Storage) {
return nil
}
err = tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
if err != nil {
logger.Error("error tidying global secret IDs", "error", err)
return
}
err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
if err != nil {
logger.Error("error tidying local secret IDs", "error", err)
return
// If this is a replicated mount on a Performance secondary cluster, only attempt to clean up local
// secret IDs. Otherwise, clean up all secret IDs.
if !b.System().LocalMount() && b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) {
err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
if err != nil {
logger.Error("error tidying local secret IDs", "error", err)
return
}
} else {
err = tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
if err != nil {
logger.Error("error tidying global secret IDs", "error", err)
return
}
err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
if err != nil {
logger.Error("error tidying local secret IDs", "error", err)
return
}
}
}
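Review bot: The local-secret-ID tidy and its error handling are written out twice, once in the performance-secondary branch and again at the end of the else branch, so the replication check really only decides whether the global tidy runs; guarding just the global call and letting the local tidy follow unconditionally keeps the same order (global, then local) on non-secondary mounts and drops the duplicate. The comment above the condition says what is skipped but not why; I would extend it with `// Global (replicated) secret IDs are left to the primary; presumably replicated storage is not writable on a performance secondary — confirm.` so the next reader does not "fix" the branch back. This gate also agrees with the periodicFunc change in the earlier hunk, which now only skips performance standbys and relies on this function to handle secondaries, so the two conditions should be kept in step. The enclosing tidySecretIDinternal starts outside the hunk.

```go
	// … unchanged: tidyFunc closure …
	// Global (replicated) secret IDs are left to the primary; presumably replicated
	// storage is not writable on a performance secondary — confirm. Local entries
	// are tidied on every cluster.
	if b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) {
		err = tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
		if err != nil {
			logger.Error("error tidying global secret IDs", "error", err)
			return
		}
	}
	err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
	if err != nil {
		logger.Error("error tidying local secret IDs", "error", err)
		return
	}
```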

3
changelog/_10794.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
auth/approle (enterprise): Fixed bug that prevented periodic tidy running on performance secondary
```