From 5eae4ca14cfdfe8499deca142b436eb8f7987425 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Tue, 11 Apr 2023 10:08:19 -0400
Subject: [PATCH] backport of commit ee40ffc03f5a3d9066237018d6541f0fc41fd584 (#20074)
Co-authored-by: Alexander Scheel
---
 builtin/logical/pki/crl_util.go | 10 +++++++---
 changelog/20057.txt | 3 +++
 2 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 changelog/20057.txt
diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index 641e90c8a761..d157512e819f 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -993,7 +993,7 @@ func revokeCert(sc *storageContext, config *crlConfig, cert *x509.Certificate) (
 if ignoreErr != nil {
 // Just log the error if we fail to write across clusters, a separate background
 // thread will reattempt it later on as we have the local write done.
- sc.Backend.Logger().Debug("Failed to write unified revocation entry, will re-attempt later",
+ sc.Backend.Logger().Error("Failed to write unified revocation entry, will re-attempt later",
 "serial_number", colonSerial, "error", ignoreErr)
 sc.Backend.unifiedTransferStatus.forceRun()
 }
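Review bot: The comment above the raised log call in revokeCert says only that a background thread will retry, and does not state what holds in the meantime: the revocation is written locally but, presumably, is not yet reflected in the cross-cluster (unified) revocation data. Since this Error line now looks like the operator's only signal for that window, I would add `// Until the retry succeeds this revocation is recorded on the local cluster only; operators should alert on this message.` above the call. The `if ignoreErr != nil` block sits inside revokeCert, whose body starts and ends outside the hunk.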
@@ -1043,8 +1043,12 @@ func writeRevocationDeltaWALs(sc *storageContext, config *crlConfig, hyphenSeria
 // listing for the unified CRL rebuild, this revocation will not
 // appear on either the main or the next delta CRL, but will need to
 // wait for a subsequent complete CRL rebuild).
- if err := writeSpecificRevocationDeltaWALs(sc, hyphenSerial, colonSerial, unifiedDeltaWALPath); err != nil {
- return fmt.Errorf("failed to write cross-cluster delta WAL entry: %w", err)
+ if ignoredErr := writeSpecificRevocationDeltaWALs(sc, hyphenSerial, colonSerial, unifiedDeltaWALPath); ignoredErr != nil {
+ // Just log the error if we fail to write across clusters, a separate background
+ // thread will reattempt it later on as we have the local write done.
+ sc.Backend.Logger().Error("Failed to write cross-cluster delta WAL entry, will re-attempt later",
+ "serial_number", colonSerial, "error", ignoredErr)
+ sc.Backend.unifiedTransferStatus.forceRun()
 }
 }
diff --git a/changelog/20057.txt b/changelog/20057.txt
new file mode 100644
index 000000000000..585a07d91b3a
--- /dev/null
+++ b/changelog/20057.txt
@@ -0,0 +1,3 @@
+```release-note: bug
+secrets/pki: Ensure cross-cluster delta WAL write failure only logs to avoid unattended forwarding.
+```
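Review bot: In the writeRevocationDeltaWALs hunk of crl_util.go, the added comment is copied verbatim from revokeCert and promises a background reattempt, but nothing visible in the hunk shows that the transfer started by `forceRun()` re-creates delta WAL entries under `unifiedDeltaWALPath` rather than only the unified revocation entries. If it does not, the swallowed error would leave this serial off the unified delta CRL until a complete rebuild, so relying parties fetching deltas would keep accepting the certificate for longer; please confirm the retry path and make the comment say which of the two applies. The log-then-`forceRun()` sequence is also now duplicated with a differently named variable (`ignoredErr` here, `ignoreErr` in revokeCert); a small shared helper taking the message, serial and error would keep the two call sites consistent. The function body starts and ends outside the hunk, so the local delta WAL write that the comment relies on is not visible here.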