From 97d7f0b7dc8fff3d577f00d02491e06992b01df9 Mon Sep 17 00:00:00 2001
From: Ryan Cragun
Date: Fri, 16 Jun 2023 12:19:23 -0600
Subject: [PATCH] Add paths for seal config to cache exceptions. (#21223) (#21320)
Add paths for seal config to cache exceptions. Add barrierSealConfigPath and recoverySealConfigPlaintextPath to cacheExceptionsPaths in order to avoid a race that causes some nodes to always see a nil value.
Co-authored-by: Victor Rodriguez
---
 changelog/21223.txt | 3 +++
 sdk/physical/cache.go | 6 ++++++
 2 files changed, 9 insertions(+)
 create mode 100644 changelog/21223.txt
diff --git a/changelog/21223.txt b/changelog/21223.txt
new file mode 100644
index 000000000000..96605f0a4a3f
--- /dev/null
+++ b/changelog/21223.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures.
+```
diff --git a/sdk/physical/cache.go b/sdk/physical/cache.go
index ffac33189bbc..4674458918f7 100644
--- a/sdk/physical/cache.go
+++ b/sdk/physical/cache.go
@@ -5,6 +5,7 @@ import (
 "sync/atomic"
 metrics "github.com/armon/go-metrics"
+ log "github.com/hashicorp/go-hclog"
 lru "github.com/hashicorp/golang-lru"
 "github.com/hashicorp/vault/sdk/helper/locksutil"
@@ -30,6 +31,11 @@ var cacheExceptionsPaths = []string{
 "core/poison-pill",
 "core/raft/tls",
 "core/license",
+
+ // Add barrierSealConfigPath and recoverySealConfigPlaintextPath to the cache
+ // exceptions to avoid unseal errors. See VAULT-17227
+ "core/seal-config",
+ "core/recovery-config",
 }
 // CacheRefreshContext returns a context with an added value denoting if the
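Review bot: The added import `log "github.com/hashicorp/go-hclog"` is not used by anything in this patch, and Go rejects a file with an unused import as well as one that declares the same import name twice. The line only compiles if cache.go already references `log.` outside this hunk and carried no such import before, which would be unusual for a file that built cleanly. Please confirm the package still builds on this branch, and drop the line if it is a leftover from the backport. The import block continues outside the hunk, so the rest of it cannot be checked from here.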
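Review bot: The two new entries in `cacheExceptionsPaths` repeat as string literals the values that the comment attributes to `barrierSealConfigPath` and `recoverySealConfigPlaintextPath`, so a later change to either constant would silently put the seal configuration back behind the cache and bring back the failure this commit fixes. If those constants live in a package that sdk/physical cannot import, a unit test asserting that both values are excepted would catch the drift. The comment would also be more useful if it stated the reason rather than the edit and an internal ticket, for example `// Seal config must always be read from the backend: a cached nil entry makes auto-unseal fail on some nodes (VAULT-17227).` How entries are matched (exact or prefix) is decided outside this hunk, so whether `core/recovery-config` also excepts neighbouring keys should be checked there.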