diff --git a/builtin/logical/pki/periodic.go b/builtin/logical/pki/periodic.go
index b8119e0cd..77ff31212 100644
--- a/builtin/logical/pki/periodic.go
+++ b/builtin/logical/pki/periodic.go
@@ -53,15 +53,6 @@ func runUnifiedTransfer(sc *storageContext) {
 return
 }
 
- if !status.lastRun.IsZero() {
- // We have run before, we only run again if we have
- // been requested to forceRerun, and we haven't run since our
- // minimum delay
- if !(status.forceRerun.Load() && time.Since(status.lastRun) < minUnifiedTransferDelay) {
- return
- }
- }
-
 if !config.UnifiedCRL {
 // Feature is disabled, no need to run
 return
@@ -80,6 +71,17 @@ func runUnifiedTransfer(sc *storageContext) {
 }
 defer status.isRunning.Store(false)
 
+ // Because access to lastRun is not locked, we need to delay this check
+ // until after we grab the isRunning CAS lock.
+ if !status.lastRun.IsZero() {
+ // We have run before, we only run again if we have
+ // been requested to forceRerun, and we haven't run since our
+ // minimum delay.
+ if !(status.forceRerun.Load() && time.Since(status.lastRun) < minUnifiedTransferDelay) {
+ return
+ }
+ }
+
 // Reset our flag before we begin, we do this before we start as
 // we can't guarantee that we can properly parse/fix the error from an
 // error that comes in from the revoke API after that. This will
diff --git a/changelog/20701.txt b/changelog/20701.txt
new file mode 100644
index 000000000..24942d5d0
--- /dev/null
+++ b/changelog/20701.txt
@@ -0,0 +1,3 @@
+```release-notes:bug
+secrets/pki: Fix race during runUnifiedTransfer when deciding to skip re-running a test within a short window.
+```
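Review bot: The guard relocated in the second hunk of periodic.go still disagrees with its own comment: `!(status.forceRerun.Load() && time.Since(status.lastRun) < minUnifiedTransferDelay)` returns unless the last run was less than the minimum delay ago, while the comment says a rerun requires that we have not run within that delay. If the comment states the intent, the check should read `if !status.forceRerun.Load() || time.Since(status.lastRun) < minUnifiedTransferDelay { return }`. As written, a forced rerun appears to be honoured only inside the delay window and dropped once it has passed, which would hold back unified CRL data after the first run. The move also relies on every write to `status.lastRun` happening while `isRunning` is held; those writes are outside the hunk, so confirm that and state it in the new comment. runUnifiedTransfer starts and ends outside both hunks.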