Return legacy CRL storage path when no migration has occurred.

hashicorp · Apr 29, 2022 · 5b9c604 · 5b9c604
1 parent f7e03b3
commit 5b9c604
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 9 deletions.
diff --git a/builtin/logical/pki/backend.go b/builtin/logical/pki/backend.go
@@ -328,13 +328,13 @@ func (b *backend) invalidate(ctx context.Context, key string) {
 		// This is for a secondary cluster to pick up that the migration has completed
 		// and reset its compatibility mode and rebuild the CRL locally.
 		b.updatePkiStorageVersion(ctx)
-		b.crlBuilder.requestRebuildOnActiveNode(b)
+		b.crlBuilder.requestRebuildIfActiveNode(b)
 	case strings.HasPrefix(key, issuerPrefix):
 		// If an issuer has changed on the primary, we need to schedule an update of our CRL,
 		// the primary cluster would have done it already, but the CRL is cluster specific so
 		// force a rebuild of ours.
 		if !b.useLegacyBundleCaStorage() {
-			b.crlBuilder.requestRebuildOnActiveNode(b)
+			b.crlBuilder.requestRebuildIfActiveNode(b)
 		} else {
 			b.Logger().Debug("Ignoring invalidation updates for issuer as the PKI migration has yet to complete.")
 		}

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
@@ -139,7 +139,7 @@ func fetchCAInfo(ctx context.Context, b *backend, req *logical.Request, issuerRe
 func fetchCertBundle(ctx context.Context, b *backend, s logical.Storage, issuerRef string) (*issuerEntry, *certutil.CertBundle, error) {
 	if b.useLegacyBundleCaStorage() {
 		// We have not completed the migration so attempt to load the bundle from the legacy location
-		b.Logger().Info("Using legacy CA bundle")
+		b.Logger().Info("Using legacy CA bundle as PKI migration has not completed.")
 		return getLegacyCertBundle(ctx, s)
 	}
 
@@ -175,7 +175,7 @@ func fetchCertBySerial(ctx context.Context, b *backend, req *logical.Request, pr
 		if err = b.crlBuilder.rebuildIfForced(ctx, b, req); err != nil {
 			return nil, err
 		}
-		path, err = resolveIssuerCRLPath(ctx, req.Storage, defaultRef)
+		path, err = resolveIssuerCRLPath(ctx, b, req.Storage, defaultRef)
 		if err != nil {
 			return nil, err
 		}

diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
@@ -60,8 +60,8 @@ func (cb *crlBuilder) rebuild(ctx context.Context, b *backend, request *logical.
 	return cb._doRebuild(ctx, b, request, forceNew, _ignoreForceFlag)
 }
 
-// requestRebuildOnActiveNode will schedule a rebuild of the CRL from the next read or write api call assuming we are the active node of a cluster
-func (cb *crlBuilder) requestRebuildOnActiveNode(b *backend) {
+// requestRebuildIfActiveNode will schedule a rebuild of the CRL from the next read or write api call assuming we are the active node of a cluster
+func (cb *crlBuilder) requestRebuildIfActiveNode(b *backend) {
 	// Only schedule us on active nodes, ignoring secondary nodes, the active can/should rebuild the CRL.
 	if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) ||
 		b.System().ReplicationState().HasState(consts.ReplicationDRSecondary) {

diff --git a/builtin/logical/pki/path_fetch_issuers.go b/builtin/logical/pki/path_fetch_issuers.go
@@ -404,7 +404,7 @@ func (b *backend) pathGetIssuerCRL(ctx context.Context, req *logical.Request, da
 		return nil, err
 	}
 
-	crlPath, err := resolveIssuerCRLPath(ctx, req.Storage, issuerName)
+	crlPath, err := resolveIssuerCRLPath(ctx, b, req.Storage, issuerName)
 	if err != nil {
 		return nil, err
 	}

diff --git a/builtin/logical/pki/storage.go b/builtin/logical/pki/storage.go
@@ -643,7 +643,11 @@ func resolveIssuerReference(ctx context.Context, s logical.Storage, reference st
 	return IssuerRefNotFound, errutil.UserError{Err: fmt.Sprintf("unable to find PKI issuer for reference: %v", reference)}
 }
 
-func resolveIssuerCRLPath(ctx context.Context, s logical.Storage, reference string) (string, error) {
+func resolveIssuerCRLPath(ctx context.Context, b *backend, s logical.Storage, reference string) (string, error) {
+	if b.useLegacyBundleCaStorage() {
+		return "crl", nil
+	}
+
 	issuer, err := resolveIssuerReference(ctx, s, reference)
 	if err != nil {
 		return "crl", err

diff --git a/builtin/logical/pki/storage_migrations.go b/builtin/logical/pki/storage_migrations.go
@@ -89,7 +89,7 @@ func migrateStorage(ctx context.Context, b *backend, s logical.Storage) error {
 
 	// Since we do not have all the mount information available we must schedule
 	// the CRL to be rebuilt at a later time.
-	b.crlBuilder.requestRebuildOnActiveNode(b)
+	b.crlBuilder.requestRebuildIfActiveNode(b)
 
 	// We always want to write out this log entry as the secondary clusters leverage this path to wake up
 	// if they were upgraded prior to the primary cluster's migration occurred.