Backport of Add upgrade note for #15147. into release/1.9.x (#15160)

hashicorp · Apr 26, 2022 · 87c724f · 87c724f
1 parent f12c092
commit 87c724f
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/website/content/docs/upgrading/upgrade-to-1.8.x.mdx b/website/content/docs/upgrading/upgrade-to-1.8.x.mdx
@@ -44,6 +44,9 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note:
 @include 'entity-alias-mapping.mdx'
 
 @include 'pki-forwarding-bug.mdx'
+
+@include 'raft-panic-old-tls-key.mdx'
+
 ## Known Issues
 
 - MSSQL integrations (storage and secrets engine) will crash with a "panic: not implemented" error
@@ -60,5 +63,5 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note:
   packages for Vault 1.8.0 and the 1.8.1-0 package, and is fixed in 1.8.1-1 and up.
 - The introduction of `/gcp/roleset/:roleset/token` and `/gcp/roleset/:roleset/key` could inadvertently give
   users the ability to generate tokens and key if globs are used in policies. To avoid issues like this,
-  globs should be avoided in policies to help adhere to the principle of least privilege. See the 
+  globs should be avoided in policies to help adhere to the principle of least privilege. See the
   [roleset documentation](/docs/secrets/gcp#rolesets) for more information.
diff --git a/website/content/docs/upgrading/upgrade-to-1.9.x.mdx b/website/content/docs/upgrading/upgrade-to-1.9.x.mdx
@@ -97,6 +97,8 @@ See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information
 
 @include 'pki-forwarding-bug.mdx'
 
+@include 'raft-panic-old-tls-key.mdx'
+
 ## Known Issues
 
 ### Identity Token Backend Key Rotations

diff --git a/website/content/partials/raft-panic-old-tls-key.mdx b/website/content/partials/raft-panic-old-tls-key.mdx
@@ -0,0 +1,17 @@
+## Integrated Storage panic related to old TLS key
+
+Raft in Vault uses its own set of TLS certificates, independent of those that the user
+controls to protect the API port and those used for replication and clustering. These
+certs get rotated daily, but to ensure that nodes which were down or behind on Raft log
+replication don't lose the ability to speak with other nodes, the newly generated daily
+TLS cert only starts being used once we see that all nodes have received it.
+
+A recent security audit related change results in this rotation code [getting a
+panic](https://github.com/hashicorp/vault/issues/15147) when the current cert is
+more than 24h old.  This can happen if the cluster as a whole is down for a day
+or more. It can also happen if a single node is unreachable 24h, or sufficiently
+backlogged in applying raft logs that it's more than a day behind.
+
+Impacted versions: 1.10.1, 1.9.5, 1.8.10.  Versions prior to these are unaffected.
+
+New releases addressing this panic are coming soon.