From b4db60b6c8d9ea4615cf7c93baa89e3c03de8d1a Mon Sep 17 00:00:00 2001
From: Vault Automation
Date: Mon, 15 Dec 2025 13:34:21 -0500
Subject: [PATCH] Vault 40239/perf secondary approle periodic tidy (#10794) (#10939)

* Adding logic to run tidy on local secret IDs only for perf secondaries

* Modifying periodic tidy to run on local mounts

* Updating changelog for fix in VAULT-40239

Co-authored-by: Sean Ellefson
---
 builtin/credential/approle/backend.go         |  2 +-
 .../credential/approle/path_tidy_user_id.go   | 29 ++++++++++++-------
 changelog/_10794.txt                          |  3 ++
 3 files changed, 23 insertions(+), 11 deletions(-)
 create mode 100644 changelog/_10794.txt

diff --git a/builtin/credential/approle/backend.go b/builtin/credential/approle/backend.go
index dcdee123dd..a8ff1b479b 100644
--- a/builtin/credential/approle/backend.go
+++ b/builtin/credential/approle/backend.go
@@ -168,7 +168,7 @@ func (b *backend) invalidate(_ context.Context, key string) {
 // to delay the removal of SecretIDs by a minute.
 func (b *backend) periodicFunc(ctx context.Context, req *logical.Request) error {
 	// Initiate clean-up of expired SecretID entries
-	if b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary|consts.ReplicationPerformanceStandby) {
+	if !b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
 		b.tidySecretID(ctx, req)
 	}
 	return nil
diff --git a/builtin/credential/approle/path_tidy_user_id.go b/builtin/credential/approle/path_tidy_user_id.go
index 84c660fe40..3833c6ff26 100644
--- a/builtin/credential/approle/path_tidy_user_id.go
+++ b/builtin/credential/approle/path_tidy_user_id.go
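Review bot: The relaxed condition in periodicFunc now lets tidySecretID run on performance secondaries for replicated mounts, so this hunk is only correct together with the guard added in path_tidy_user_id.go that limits the tidy to local secret IDs there; nothing at this call site records that dependency. The comment `// Initiate clean-up of expired SecretID entries` could become `// Tidy expired SecretID entries on every node except performance standbys; on a` / `// performance secondary, tidySecretIDinternal restricts itself to local (non-replicated) secret IDs.` The dropped LocalMount() check is redundant in the new form because the remaining condition no longer depends on the mount type, which is worth a word in the commit message or comment so a later reader does not reintroduce it. periodicFunc is fully visible here, but the reason performance standbys are skipped is stated neither before nor after the change.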
@@ -261,16 +261,25 @@ func (b *backend) tidySecretIDinternal(s logical.Storage) {
 
 		return nil
 	}
-
-	err = tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
-	if err != nil {
-		logger.Error("error tidying global secret IDs", "error", err)
-		return
-	}
-	err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
-	if err != nil {
-		logger.Error("error tidying local secret IDs", "error", err)
-		return
+	// If this is a replicated mount on a Performance secondary cluster, only attempt to clean up local
+	// secret IDs. Otherwise, clean up all secret IDs.
+	if !b.System().LocalMount() && b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) {
+		err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
+		if err != nil {
+			logger.Error("error tidying local secret IDs", "error", err)
+			return
+		}
+	} else {
+		err = tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
+		if err != nil {
+			logger.Error("error tidying global secret IDs", "error", err)
+			return
+		}
+		err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
+		if err != nil {
+			logger.Error("error tidying local secret IDs", "error", err)
+			return
+		}
 	}
 }
 
diff --git a/changelog/_10794.txt b/changelog/_10794.txt
new file mode 100644
index 0000000000..af4987f090
--- /dev/null
+++ b/changelog/_10794.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/approle (enterprise): Fixed bug that prevented periodic tidy running on performance secondary
+```
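Review bot: The local-prefix tidy call, its error log and its early return appear twice in the new code, once in each arm of the if/else, so the two copies can drift apart the next time one of them is touched. Both arms tidy the local secret IDs; the branch only has to decide whether the global (replicated) prefixes are tidied first, so inverting the condition around the global call and tidying the local prefixes unconditionally afterwards gives the same behavior in every case the new code distinguishes. The rewrite below keeps the log messages and the return-on-error unchanged. tidySecretIDinternal starts before this hunk, so `err`, `logger` and `tidyFunc` are declared outside the visible lines.
```go
	// Global (replicated) secret IDs are skipped on a replicated mount of a
	// Performance secondary cluster; everywhere else they are tidied first.
	if b.System().LocalMount() || !b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) {
		err = tidyFunc(secretIDPrefix, secretIDAccessorPrefix)
		if err != nil {
			logger.Error("error tidying global secret IDs", "error", err)
			return
		}
	}
	// Local secret IDs are tidied in every case.
	err = tidyFunc(secretIDLocalPrefix, secretIDAccessorLocalPrefix)
	if err != nil {
		logger.Error("error tidying local secret IDs", "error", err)
		return
	}
```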