MCPcopy
hub / github.com/hashicorp/vault / reloadSeals

Method reloadSeals

command/server.go:3290–3395  ·  view source on GitHub ↗

reloadSeals reloads configuration files and determines whether it needs to re-create the Seal.Access() objects. This function needs do detect that core.SealAccess() is no longer using the seal Wrapper that is specified in the seal configuration files. This function returns true if the newConfig was

(ctx context.Context, grabStateLock bool, core *vault.Core, newConfig *server.Config)

Source from the content-addressed store, hash-verified

3288// This function returns true if the newConfig was used to re-create the Seal.Access() objects. In other words,
3289// if false is returned, there were no changes done to the seals.
3290func (c *ServerCommand) reloadSeals(ctx context.Context, grabStateLock bool, core *vault.Core, newConfig *server.Config) (bool, error) {
3291 if core.IsInSealMigrationMode(grabStateLock) {
3292 c.logger.Debug("not reloading seal configuration since Vault is in migration mode")
3293 return false, nil
3294 }
3295
3296 currentConfig := core.GetCoreConfigInternal()
3297
3298 // We only want to reload if multiseal is currently enabled, or it is being enabled
3299 if !(currentConfig.IsMultisealEnabled() || newConfig.IsMultisealEnabled()) {
3300 c.logger.Debug("not reloading seal configuration since enable_multiseal is not set, nor is it being disabled")
3301 return false, nil
3302 }
3303
3304 if conf, err := core.PhysicalBarrierSealConfig(ctx); err != nil {
3305 return false, fmt.Errorf("error reading barrier seal configuration from storage while reloading seals: %w", err)
3306 } else if conf == nil {
3307 c.logger.Debug("not reloading seal configuration since there is no barrier config in storage (the seal has not been initialized)")
3308 return false, nil
3309 }
3310
3311 if core.SealAccess().BarrierSealConfigType() == vault.SealConfigTypeShamir {
3312 switch {
3313 case len(newConfig.Seals) == 0:
3314 // We are fine, our ServerCommand.reloadConfigFiles() does not do the "automagic" creation
3315 // of the Shamir seal configuration.
3316 c.logger.Debug("not reloading seal configuration since the new one has no seal stanzas")
3317 return false, nil
3318
3319 case len(newConfig.Seals) == 1 && newConfig.Seals[0].Disabled:
3320 // If we have only one seal and it is disabled, it means that the newConfig wants to migrate
3321 // to Shamir, which is not supported by seal reloading.
3322 c.logger.Debug("not reloading seal configuration since the new one specifies migration to Shamir")
3323 return false, nil
3324
3325 case len(newConfig.Seals) == 1 && newConfig.Seals[0].Type == vault.SealConfigTypeShamir.String():
3326 // Having a single Shamir seal in newConfig is not really possible, since a Shamir seal
3327 // is specified in configuration by *not* having a seal stanza. If we were to hit this
3328 // case, though, it is equivalent to trying to migrate to Shamir, which is not supported
3329 // by seal reloading.
3330 c.logger.Debug("not reloading seal configuration since the new one has single Shamir stanza")
3331 return false, nil
3332 }
3333 }
3334
3335 // Verify that the new config we picked up is not trying to migrate from autoseal to shamir
3336 if len(newConfig.Seals) == 1 && newConfig.Seals[0].Disabled {
3337 // If we get here, it means the node was not started in migration mode, but the new config says
3338 // we should go into migration mode. This case should be caught by the core.IsInSealMigrationMode()
3339 // above.
3340
3341 return false, errors.New("not reloading seal configuration: moving from autoseal to shamir requires seal migration")
3342 }
3343
3344 // Verify that the new config we picked up is not trying to migrate shamir to autoseal
3345 if core.SealAccess().BarrierSealConfigType() == vault.SealConfigTypeShamir {
3346 return false, errors.New("not reloading seal configuration: moving from Shamir to autoseal requires seal migration")
3347 }

Callers 2

reloadSealsOnSigHupMethod · 0.95

Calls 15

configureSealsMethod · 0.95
setSealsToFinalizeMethod · 0.95
IsInSealMigrationModeMethod · 0.80
GetCoreConfigInternalMethod · 0.80
SealAccessMethod · 0.80
SetMultisealEnabledMethod · 0.80
PhysicalAccessMethod · 0.80
SetSealsMethod · 0.80
IsRewrappedMethod · 0.80
SetSealsOnPerfStandbyMethod · 0.80

Tested by

no test coverage detected