
Fix re-migration of existing CA bundles #21316

Merged (12 commits) on Jun 21, 2023

Conversation

cipherboy (Contributor):

Later in Vault 1.11, 1.12, and 1.13's release, we added a fix for a regression regarding chain building that resulted in a small migration to rebuild all issuers' chains within the mount. This resulted in a second storage migration "version" being created, which was unfortunate as the existing logic resulted in the entire migration being re-attempted:

    if (migrationInfo.migrationLog == nil) ||
        (migrationInfo.migrationLog.Hash != migrationInfo.legacyBundleHash) ||
        (migrationInfo.migrationLog.MigrationVersion != latestMigrationVersion) { // <<--- HERE

As a result, if the migrated legacy issuers (from storage version 0/1) were deleted prior to version 2's upgrade (to 1.13.0, 1.12.2, and 1.11.6), these would be recreated and would need to be removed again. Additionally, when managed keys were in use (in Vault Enterprise), an error like:

Error during migration of PKI mount: failed to lookup public key from managed key: no managed key found with uuid

would be visible in the logs. This only affects issuers created prior to upgrading to Vault 1.11.

Related: VAULT-17307
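The condition quoted above treats a version gap the same as a never-migrated or changed legacy bundle, so bumping the migration version re-imports issuers that were already migrated (and possibly deleted since). The following is an added illustration, not Vault's code or the actual fix in this PR: it reproduces the quoted check as `needsFullMigrationOld` and contrasts it with an incremental planner that re-imports the legacy bundle only when the log is missing or its hash changed, and otherwise runs just the per-version steps that are still outstanding. The struct and function names (`migrationInfo`, `migrationLog`, `hashBundle`, `planMigration`, `plan`) and the sample bundle bytes are constructed for this example; the real migration logic, storage layout, and hashing are assumptions here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// latestMigrationVersion mirrors the constant named in the PR description.
// Version 2 is the chain-rebuild step added in 1.11.6 / 1.12.2 / 1.13.0.
const latestMigrationVersion = 2

// migrationLog and migrationInfo are hypothetical stand-ins for the fields
// referenced in the quoted condition; they are not Vault's real types.
type migrationLog struct {
	Hash             string // hash of the legacy bundle when it was migrated
	MigrationVersion int    // highest migration version already applied
}

type migrationInfo struct {
	migrationLog     *migrationLog
	legacyBundleHash string // hash of the legacy CA bundle currently in storage
}

// hashBundle is an assumed helper: a stable fingerprint of the legacy bundle
// bytes so a re-upload of a different bundle can be detected.
func hashBundle(bundle []byte) string {
	sum := sha256.Sum256(bundle)
	return hex.EncodeToString(sum[:])
}

// needsFullMigrationOld reproduces the check quoted in the PR description.
// Any version mismatch forces the whole migration again, even when the hash
// proves the legacy bundle was already imported as an issuer.
func needsFullMigrationOld(info migrationInfo) bool {
	return info.migrationLog == nil ||
		info.migrationLog.Hash != info.legacyBundleHash ||
		info.migrationLog.MigrationVersion != latestMigrationVersion
}

// plan lists the distinct steps an incremental migrator would run.
type plan struct {
	ImportLegacyBundle bool // version 0/1 step: turn legacy bundle into an issuer
	RebuildChains      bool // version 2 step: rebuild every issuer's chain
}

// planMigration is the illustrative incremental check. A full import happens
// only when nothing was migrated yet or the legacy bundle changed; a version
// gap alone schedules just the steps between the logged and latest versions.
func planMigration(info migrationInfo) plan {
	if info.migrationLog == nil || info.migrationLog.Hash != info.legacyBundleHash {
		return plan{ImportLegacyBundle: true, RebuildChains: true}
	}
	var p plan
	for v := info.migrationLog.MigrationVersion + 1; v <= latestMigrationVersion; v++ {
		switch v {
		case 2:
			p.RebuildChains = true
		}
	}
	return p
}

func main() {
	// Constructed sample bundle; real bundles are PEM CA material.
	bundle := []byte("-----BEGIN CERTIFICATE-----\nconstructed sample\n-----END CERTIFICATE-----\n")
	already := migrationInfo{
		migrationLog:     &migrationLog{Hash: hashBundle(bundle), MigrationVersion: 1},
		legacyBundleHash: hashBundle(bundle),
	}
	fmt.Println("old check re-runs the full migration:", needsFullMigrationOld(already))
	fmt.Printf("incremental plan for a version-1 mount: %+v\n", planMigration(already))
}
```

With a mount already at version 1 and an unchanged bundle, the old check returns true and would re-import the legacy issuers, which is the behaviour the PR describes; the incremental planner schedules only the chain rebuild, so issuers an operator deleted after the first migration are not recreated.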

@cipherboy cipherboy added bug Used to indicate a potential bug secret/pki backport/1.11.x labels Jun 16, 2023
@cipherboy cipherboy added this to the 1.11.12 milestone Jun 16, 2023
@cipherboy cipherboy requested review from kitography, stevendpclark and a team June 16, 2023 14:51
@cipherboy cipherboy changed the title Fix re-migration of existing bundle Fix re-migration of existing CA bundles Jun 16, 2023
Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy cipherboy requested a review from a team as a code owner June 16, 2023 15:08

@schavis schavis left a comment


Made some editorial suggestions to improve content accessibility. Let me know if you have any questions :)

Four review comments on website/content/partials/pki-double-migration-bug.mdx (outdated, resolved)
> failed to lookup public key from managed key:
> no managed key found with uuid

This has been fixed in Vault 1.14.0, 1.13.4, 1.12.8, and 1.11.12.

Suggested change
This has been fixed in Vault 1.14.0, 1.13.4, 1.12.8, and 1.11.12.

Suggest deleting this line and making the information easier to find by highlighting it at the beginning.

@cipherboy (Contributor, Author):

@schavis Mind re-reviewing with the updates? Thanks!

@cipherboy cipherboy requested a review from schavis June 20, 2023 18:13
Signed-off-by: Alexander Scheel <[email protected]>
@schavis schavis left a comment

Minor tweaks for active voice

Three review comments on website/content/partials/pki-double-migration-bug.mdx (outdated, resolved)
3 participants