Move writing of stored keys to the end of Vault initialization. (#28538)

Move the call to SetStoredKeys to the end of the initialization process. On
Vault Enterprise, this minimizes the chances that the initial seal re-wrap fails
when a node other than the one performing initialization becomes the active one.

vault/init.go

@@ -319,32 +319,6 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 		SecretShares: [][]byte{},
 	}
 
-	// If we are storing shares, pop them out of the returned results and push
-	// them through the seal
-	switch c.seal.StoredKeysSupported() {
-	case seal.StoredKeysSupportedShamirRoot:
-		keysToStore := [][]byte{barrierKey}
-		if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
-			c.logger.Error("failed to set seal key", "error", err)
-			return nil, fmt.Errorf("failed to set seal key: %w", err)
-		}
-		if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
-			c.logger.Error("failed to store keys", "error", err)
-			return nil, fmt.Errorf("failed to store keys: %w", err)
-		}
-		results.SecretShares = sealKeyShares
-	case seal.StoredKeysSupportedGeneric:
-		keysToStore := [][]byte{barrierKey}
-		if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
-			c.logger.Error("failed to store keys", "error", err)
-			return nil, fmt.Errorf("failed to store keys: %w", err)
-		}
-	default:
-		// We don't support initializing an old-style Shamir seal anymore, so
-		// this case is only reachable by tests.
-		results.SecretShares = barrierKeyShares
-	}
-
 	// Perform initial setup
 	if err := c.setupCluster(ctx); err != nil {
 		c.logger.Error("cluster setup failed during init", "error", err)
@@ -356,6 +330,12 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 		initPTCleanup()
 	}
 
+	// Save in a variable whether stored keys are supported before calling postUnsea(), as postUnseal()
+	// clears the barrier config. For a defaultSeal with a "legacy seal" (i.e. barrier config has StoredShares == 0),
+	// this will cause StoredKeysSupported() to go from StoredKeysNotSupported to StoredKeysSupportedShamirRoot.
+	// This would be a problem below when we determine whether to call SetStoredKeys.
+	storedKeysSupported := c.seal.StoredKeysSupported()
+
 	activeCtx, ctxCancel := context.WithCancel(namespace.RootContext(nil))
 	if err := c.postUnseal(activeCtx, ctxCancel, standardUnsealStrategy{}); err != nil {
 		c.logger.Error("post-unseal setup failed during init", "error", err)
@@ -413,6 +393,32 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 		}
 	}
 
+	// If we are storing shares, pop them out of the returned results and push
+	// them through the seal
+	switch storedKeysSupported {
+	case seal.StoredKeysSupportedShamirRoot:
+		keysToStore := [][]byte{barrierKey}
+		if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
+			c.logger.Error("failed to set seal key", "error", err)
+			return nil, fmt.Errorf("failed to set seal key: %w", err)
+		}
+		if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
+			c.logger.Error("failed to store keys", "error", err)
+			return nil, fmt.Errorf("failed to store keys: %w", err)
+		}
+		results.SecretShares = sealKeyShares
+	case seal.StoredKeysSupportedGeneric:
+		keysToStore := [][]byte{barrierKey}
+		if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
+			c.logger.Error("failed to store keys", "error", err)
+			return nil, fmt.Errorf("failed to store keys: %w", err)
+		}
+	default:
+		// We don't support initializing an old-style Shamir seal anymore, so
+		// this case is only reachable by tests.
+		results.SecretShares = barrierKeyShares
+	}
+
 	// Prepare to re-seal
 	if err := c.preSeal(); err != nil {
 		c.logger.Error("pre-seal teardown failed", "error", err)