raft: check for nil on concrete type in SetupCluster (#8784)

* raft: check for nil on concrete type in SetupCluster

* raft: move check to its own func

* raft: func cleanup

* raft: disallow disable_clustering = true when raft storage is used

* docs: update disable_clustering to mention new behavior

command/server.go

@@ -1152,7 +1152,7 @@ func (c *ServerCommand) Run(args []string) int {
 		// TODO: Remove when Raft can server as the ha_storage backend.
 		// See https://github.com/hashicorp/vault/issues/8206
 		if config.HAStorage.Type == "raft" {
-			c.UI.Error("Raft cannot be used as seperate HA storage at this time")
+			c.UI.Error("Raft cannot be used as separate HA storage at this time")
 			return 1
 		}
 		factory, exists := c.PhysicalBackends[config.HAStorage.Type]
@@ -1180,6 +1180,9 @@ func (c *ServerCommand) Run(args []string) int {
 		}
 
 		coreConfig.RedirectAddr = config.HAStorage.RedirectAddr
+
+		// TODO: Check for raft and disableClustering case when Raft on HA
+		//       Storage support is added.
 		disableClustering = config.HAStorage.DisableClustering
 		if !disableClustering {
 			coreConfig.ClusterAddr = config.HAStorage.ClusterAddr
@@ -1188,6 +1191,12 @@ func (c *ServerCommand) Run(args []string) int {
 		if coreConfig.HAPhysical, ok = backend.(physical.HABackend); ok {
 			coreConfig.RedirectAddr = config.Storage.RedirectAddr
 			disableClustering = config.Storage.DisableClustering
+
+			if config.Storage.Type == "raft" && disableClustering {
+				c.UI.Error("Disable clustering cannot be set to true when Raft is the storage type")
+				return 1
+			}
+
 			if !disableClustering {
 				coreConfig.ClusterAddr = config.Storage.ClusterAddr
 			}

physical/raft/raft.go

@@ -491,15 +491,29 @@ func (b *RaftBackend) SetupCluster(ctx context.Context, opts SetupOpts) error {
 		return err
 	}
 
+	listenerIsNil := func(cl cluster.ClusterHook) bool {
+		switch {
+		case opts.ClusterListener == nil:
+			return true
+		default:
+			// Concrete type checks
+			switch cl.(type) {
+			case *cluster.Listener:
+				return cl.(*cluster.Listener) == nil
+			}
+		}
+		return false
+	}
+
 	switch {
-	case opts.TLSKeyring == nil && opts.ClusterListener == nil:
+	case opts.TLSKeyring == nil && listenerIsNil(opts.ClusterListener):
 		// If we don't have a provided network we use an in-memory one.
 		// This allows us to bootstrap a node without bringing up a cluster
 		// network. This will be true during bootstrap, tests and dev modes.
 		_, b.raftTransport = raft.NewInmemTransportWithTimeout(raft.ServerAddress(b.localID), time.Second)
 	case opts.TLSKeyring == nil:
 		return errors.New("no keyring provided")
-	case opts.ClusterListener == nil:
+	case listenerIsNil(opts.ClusterListener):
 		return errors.New("no cluster listener provided")
 	default:
 		// Set the local address and localID in the streaming layer and the raft config.

vault/cluster.go

@@ -344,8 +344,7 @@ func (c *Core) stopClusterListener() {
 	c.logger.Info("stopping cluster listeners")
 
 	clusterListener.Stop()
-	var nilCL *cluster.Listener
-	c.clusterListener.Store(nilCL)
+	c.clusterListener.Store((*cluster.Listener)(nil))
 
 	c.logger.Info("cluster listeners successfully shut down")
 }

website/pages/docs/configuration/index.mdx

@@ -157,7 +157,8 @@ The following parameters are used on backends that support [high availability][h
 
 - `disable_clustering` `(bool: false)` – Specifies whether clustering features
   such as request forwarding are enabled. Setting this to true on one Vault node
-  will disable these features _only when that node is the active node_.
+  will disable these features _only when that node is the active node_. This
+  parameter cannot be set to `true` if `raft` is the storage type.
 
 ### Vault Enterprise Parameters