address feedback comments

command/operator_raft_join.go

@@ -111,7 +111,7 @@ func (c *OperatorRaftJoinCommand) Run(args []string) int {
 	args = f.Args()
 	switch len(args) {
 	case 0:
-		// No-opThis is accepted if we're using raft of HA-only
+		// No-op: This is acceptable if we're using raft for HA-only
 	case 1:
 		leaderAPIAddr = strings.TrimSpace(args[0])
 	default:

physical/raft/raft.go

@@ -1199,6 +1199,11 @@ func (l *RaftLock) Lock(stopCh <-chan struct{}) (<-chan struct{}, error) {
 
 	l.b.l.RLock()
 
+	// Ensure that we still have a raft instance after grabbing the read lock
+	if l.b.raft == nil {
+		return nil, errors.New("attempted to grab a lock on a nil raft backend")
+	}
+
 	// Cache the notifyCh locally
 	leaderNotifyCh := l.b.raftNotifyCh
 

vault/core.go

@@ -1704,7 +1704,7 @@ func (c *Core) sealInternal() error {
 	return c.sealInternalWithOptions(true, false, true)
 }
 
-func (c *Core) sealInternalWithOptions(grabStateLock, keepHALock, shutdownRaft bool) error {
+func (c *Core) sealInternalWithOptions(grabStateLock, keepHALock, performCleanup bool) error {
 	// Mark sealed, and if already marked return
 	if swapped := atomic.CompareAndSwapUint32(c.sealed, 0, 1); !swapped {
 		return nil
@@ -1785,18 +1785,18 @@ func (c *Core) sealInternalWithOptions(grabStateLock, keepHALock, shutdownRaft b
 
 	c.teardownReplicationResolverHandler()
 
-	// If the storage backend needs to be sealed
-	if shutdownRaft {
+	// Perform additional cleanup upon sealing.
+	if performCleanup {
 		if raftBackend := c.getRaftBackend(); raftBackend != nil {
 			if err := raftBackend.TeardownCluster(c.getClusterListener()); err != nil {
 				c.logger.Error("error stopping storage cluster", "error", err)
 				return err
 			}
 		}
-	}
 
-	// Stop the cluster listener
-	c.stopClusterListener()
+		// Stop the cluster listener
+		c.stopClusterListener()
+	}
 
 	c.logger.Debug("sealing barrier")
 	if err := c.barrier.Seal(); err != nil {

vault/raft.go

@@ -294,7 +294,7 @@ func (c *Core) startPeriodicRaftTLSRotate(ctx context.Context) error {
 			// If there already exists a pending key update then the update
 			// hasn't replicated down to all standby nodes yet. Don't allow any
 			// new keys to be created until all standbys have seen this previous
-			// rotation. As a backoff strategy another rotation attempt is
+			// rotation. As a backoff strategy, another rotation attempt is
 			// scheduled for 5 minutes from now.
 			logger.Warn("skipping new raft TLS config creation, keys are pending")
 			return time.Now().Add(time.Minute * 5), nil
@@ -320,7 +320,7 @@ func (c *Core) startPeriodicRaftTLSRotate(ctx context.Context) error {
 		}
 
 		// Write the keyring again with the new applied index. This allows us to
-		// track if standby nodes receive the update.
+		// track if standby nodes received the update.
 		keyring.Keys[1].AppliedIndex = raftBackend.AppliedIndex()
 		keyring.AppliedIndex = raftBackend.AppliedIndex()
 		entry, err = logical.StorageEntryJSON(raftTLSStoragePath, keyring)
@@ -339,7 +339,13 @@ func (c *Core) startPeriodicRaftTLSRotate(ctx context.Context) error {
 	// checkCommitted verifies key updates have been applied to all nodes and
 	// finalizes the rotation by deleting the old keys and updating the raft
 	// backend.
-	checkCommitted := func() error {
+	checkCommitted := func(haOnly bool) error {
+		// No-op here if we're using raft for HA-only. Since the storage is
+		// shared, the two phase commit is not done on rotation.
+		if haOnly {
+			return nil
+		}
+
 		keyring, err := readKeyring()
 		if err != nil {
 			return errwrap.Wrapf("failed to read raft TLS keyring: {{err}}", err)
@@ -395,6 +401,8 @@ func (c *Core) startPeriodicRaftTLSRotate(ctx context.Context) error {
 		keyCheckInterval := time.NewTicker(1 * time.Minute)
 		defer keyCheckInterval.Stop()
 
+		isRaftHAOnly := c.isRaftHAOnly()
+
 		var backoff bool
 		for {
 			// If we encountered and error we should try to create the key
@@ -406,7 +414,7 @@ func (c *Core) startPeriodicRaftTLSRotate(ctx context.Context) error {
 
 			select {
 			case <-keyCheckInterval.C:
-				err := checkCommitted()
+				err := checkCommitted(isRaftHAOnly)
 				if err != nil {
 					logger.Error("failed to activate TLS key", "error", err)
 				}