NPE/panic when seal config is missing

[taitelman]

scenario : vault cluster with HA enabled , leader lost leadership for some reason the standby see this:

vault/vault/core.go

Line 3202 in 2d46c8d

case c.seal.BarrierSealConfigType().IsSameAs(barrierSealConfig.Type):

c.PhysicalBarrierSealConfig(ctx) at top of

vault/vault/core.go

Line 3196 in 2d46c8d

barrierSealConfig, err := c.PhysicalBarrierSealConfig(ctx)

can return nil,nil under some edge cases.
and then the code will fail in the next pointer usage since barrierSealConfig == nil

and the result is :

vault debug not reloading seals config since there is no seal generation info in storage

vault error panic: runtime error: invalid memory address or nil pointer dereference
vault [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x33db0ce]
vault goroutine 232 [running]:
vault github.com/hashicorp/vault/vault.(*Core).migrateMultiSealConfig(0xc0001b1000, {0xc656e30, 0xc0038ecdc0})
	/opt/app-root/src/vault/core.go:3203 +0xae
vault github.com/hashicorp/vault/vault.(*Core).migrateSeal(0xc656e30?, {0xc656e30?, 0xc0038ecdc0?})
	/opt/app-root/src/vault/core.go:1906 +0xc17
vault github.com/hashicorp/vault/vault.(*Core).waitForLeadership(0xc0001b1000, 0x0?, 0xc003a9f740, 0xc003a9f920)
	/opt/app-root/src/vault/ha.go:604 +0x77f
vault github.com/hashicorp/vault/vault.(*Core).runStandby.func9()
	/opt/app-root/src/vault/ha.go:475 +0x25

solution: switch case should handle nil values for barrierSealConfig more gracefully.

[taitelman]

debug line from :

vault/command/server.go

Line 3163 in 2d46c8d

c.logger.Debug("not reloading seals config since there is no seal generation info in storage")

[aphorise]

@taitelman out of interest - how did you achieve the seal change? - was it through a config change to an existing seal stanza & then a reload?