
Seal Migration does not update seal type from Shamir to Transit #27324

Closed
asr-rbx opened this issue Jun 2, 2024 · 1 comment
Labels
bug Used to indicate a potential bug core/seal

Comments

@asr-rbx

asr-rbx commented Jun 2, 2024

Describe the bug
After migrating from the Shamir seal type to Transit auto-unseal, the v1/sys/seal-status response fails to return "transit" as the seal type even though the seal has been migrated successfully according to the logs within the vault instance.

To Reproduce
Steps to reproduce the behavior:

  1. Start a vault cluster with regular shamir seal type.
  2. Set up a transit engine in a different vault cluster to act as the transit auto-unseal endpoint for this cluster.
  3. Migrate the vault cluster by following the steps outlined here:
    https://developer.hashicorp.com/vault/docs/concepts/seal#migration-post-vault-1-5-1
  4. After migrating all nodes, check the seal status via a curl request:
curl -vvv --insecure https://127.0.0.1:8200/v1/sys/seal-status
{"type":"shamir","initialized":true,"sealed":false,"t":3,"n":5,"progress":0,"nonce":"","version":"1.12.7","build_date":"2023-06-06T18:12:20Z","migration":false,"cluster_name":"vault-cluster-f6e9d82f","cluster_id":"6a227b87-90a6-2e0d-4d80-81b83b28e60d","recovery_seal":false,"storage_type":"raft"}

Expected behavior
seal-status HTTP API should return the "type" as "transit" rather than "shamir".

Environment:

  • Vault Server Version (retrieve with vault status):
/ $ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.12.7
Build Date               2023-06-06T18:12:20Z
Storage Type             raft
Cluster Name             vault-cluster-26beabf9
Cluster ID               35853f86-7813-79b9-29f7-0e89f30d2a3c
HA Enabled               true
HA Cluster               https://vault-0.vault-internal:8201
HA Mode                  standby
Active Node Address      https://10.190.2.93:8200
Raft Committed Index     2264623
Raft Applied Index       2264623
  • Vault CLI Version (retrieve with vault version):
/ $ vault version
Vault v1.12.7 (54c721017a52d7b94ec5bd4e570e7cdfc9e021a1), built 2023-06-06T18:12:20Z
  • Server Operating System/Architecture:
    Linux/AMD64

Vault server configuration file(s):

disable_mlock = true
ui = true

listener "tcp" {
  tls_disable = false
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file = "/etc/vault/tls/tls.crt"
  tls_key_file  = "/etc/vault/tls/tls.key"
  tls_client_ca_file = "/etc/vault/tls/ca.crt"
  telemetry {
    unauthenticated_metrics_access = "true"
  }
}

telemetry {
  disable_hostname = true
  prometheus_retention_time = "12h"
}

storage "raft" {
  path = "/vault/data"

  retry_join {
    # https://github.com/hashicorp/vault/issues/8941#issuecomment-625446965
    # -internal is used for raft storage
    # leader_api_addr = "http://vault-internal:8200"
    auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault,component=server,vault-active=true,vault-initialized=true,vault-sealed=false\" namespace=\"vault\" "
    auto_join_port = 8200
    auto_join_scheme = "https"
    leader_tls_servername = "vault-internal"
    leader_ca_cert_file = "/etc/vault/tls/ca.crt"
    leader_client_cert_file = "/etc/vault/tls/tls.crt"
    leader_client_key_file = "/etc/vault/tls/tls.key"
  }
}
service_registration "kubernetes" {}

seal-transit-config.hcl

seal "transit" {
   address = "https://myvault.example.com:8200"
   token = "SCRUBBED-VALUE"
   tls_server_name = "myvault.example.com"
   key_name = "autounseal"
   disable_renewal = "false"
   mount_path = "transit/"
   tls_ca_cert = "/etc/ssl/certs/ca-certificates.crt"
}

Additional context
Restarting the vault instance post seal migration does not result in the issue getting fixed. seal-status API continues to report "shamir" instead of "transit".
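The check described in step 4 of the report, written out as a small script. This is an added example and not code from the issue or from HashiCorp Vault: it reads the (unauthenticated) GET /v1/sys/seal-status JSON and lists everything that contradicts a finished Shamir to Transit migration. The two sample responses are constructed from the outputs quoted on this page (the reporter's 1.12.7 curl output and the maintainer's 1.17.1 `vault read`); the field names are those of the real seal-status API, and the address passed to `fetch_seal_status` is an assumption.

```python
"""Post-check for a Vault Shamir -> Transit seal migration.

Added example; not code from the issue or from HashiCorp Vault. It inspects
the GET /v1/sys/seal-status response and reports anything inconsistent with a
completed migration. The sample responses are constructed from the outputs
quoted in the issue; field names match the real API.
"""
import json
import ssl
from typing import Dict, List, Optional
from urllib.request import Request, urlopen

# Constructed from the reporter's curl output (Vault 1.12.7): still says "shamir".
REPORTED_1_12_7: Dict = json.loads(
    '{"type":"shamir","initialized":true,"sealed":false,"t":3,"n":5,'
    '"progress":0,"nonce":"","version":"1.12.7","migration":false,'
    '"recovery_seal":false,"storage_type":"raft"}'
)

# Constructed from the maintainer's `vault read sys/seal-status` (Vault 1.17.1).
MAINTAINER_1_17_1: Dict = {
    "type": "transit", "recovery_seal": True, "recovery_seal_type": "shamir",
    "initialized": True, "sealed": False, "migration": False,
    "t": 1, "n": 1, "progress": 0, "version": "1.17.1", "storage_type": "file",
}


def migration_findings(status: Dict) -> List[str]:
    """Return the reasons this seal-status does NOT look like a finished
    Shamir -> Transit migration. An empty list means it checks out."""
    findings: List[str] = []
    if not status.get("initialized", False):
        return ["vault is not initialized"]
    if status.get("sealed", True):
        # A sealed node tells us nothing about the migration yet.
        return ["node is sealed; unseal it (with -migrate on the first node) and re-check"]
    if status.get("migration", False):
        findings.append("migration flag still set: not every node has been unsealed with -migrate")
    if status.get("type") != "transit":
        findings.append(f"seal type is {status.get('type')!r}, expected 'transit'")
    if not status.get("recovery_seal", False):
        findings.append("recovery_seal is false: the seal is not reporting recovery keys, "
                        "which an auto-unseal seal should after migration")
    # recovery_seal_type only exists on newer releases; check it when present.
    rst = status.get("recovery_seal_type")
    if rst is not None and rst != "shamir":
        findings.append(f"recovery_seal_type is {rst!r}, expected 'shamir'")
    return findings


def migration_completed(status: Dict) -> bool:
    return not migration_findings(status)


def fetch_seal_status(addr: str, ca_file: Optional[str] = None) -> Dict:
    """GET /v1/sys/seal-status from a live node (no token needed).

    Pass the cluster CA instead of disabling verification as the report's
    `curl --insecure` does, so a man-in-the-middle cannot hand you a forged
    'transit' answer. `addr` such as https://127.0.0.1:8200 is an assumption."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = Request(f"{addr.rstrip('/')}/v1/sys/seal-status",
                  headers={"Accept": "application/json"})
    with urlopen(req, context=ctx, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for label, status in (("1.12.7 (reported)", REPORTED_1_12_7),
                          ("1.17.1 (maintainer)", MAINTAINER_1_17_1)):
        problems = migration_findings(status)
        print(f"{label}: {'OK' if not problems else 'NOT migrated'}")
        for p in problems:
            print("  -", p)
```

Run `migration_findings(fetch_seal_status("https://127.0.0.1:8200", "/etc/vault/tls/ca.crt"))` against each node after the last `unseal -migrate`; the reporter's 1.12.7 output fails on both the seal type and `recovery_seal`, while the maintainer's 1.17.1 output returns no findings.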

@heatherezell added the core/seal and bug labels on Jun 11, 2024
@stevendpclark
Contributor

Hello @asr-rbx,

Thanks for taking the time to report the issue. I've tried a seal migration and I believe the issue you reported has been addressed in newer releases than the revision you are reporting the issue on (Vault 1.12.7). The following is what I see post-migration from a Shamir to Transit seal on Vault 1.17.1.

$ vault operator unseal -migrate
Unseal Key (will be hidden):
Key                      Value
---                      -----
Seal Type                transit
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    1
Threshold                1
Version                  1.17.1
Build Date               2024-06-25T16:33:25Z
Storage Type             file
Cluster Name             vault-cluster-e8015a46
Cluster ID               6aa9768e-6f6f-8c7b-7041-36322e740708
HA Enabled               false

$ vault read /sys/seal-status
Key                   Value
---                   -----
build_date            2024-06-25T16:33:25Z
cluster_id            6aa9768e-6f6f-8c7b-7041-36322e740708
cluster_name          vault-cluster-e8015a46
initialized           true
migration             false
n                     1
nonce                 n/a
progress              0
recovery_seal         true
recovery_seal_type    shamir
sealed                false
storage_type          file
t                     1
type                  transit
version               1.17.1

Based on the above output, I'm going to close this issue. Please feel free to re-open if I've incorrectly diagnosed anything.
