Fix tidy with maintain_stored_certificate_counts == publish_stored_certificate_count_metrics == false (#20664)

* Fix tidy with maintain_stored_certificate_counts == publish_stored_certificate_count_metrics == false The logic around the check to set both to false was wrong, and should be validated independently. Additionally, these fields should only exist on auto-tidy and not on the manual tidy endpoint. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update builtin/logical/pki/path_tidy.go Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
2023-05-19 08:09:48 -04:00 · 2023-05-19 08:09:48 -04:00 · ea3441333a
parent 7753808910
commit ea3441333a
3 changed files with 22 additions and 20 deletions
--- a/builtin/logical/pki/fields.go
+++ b/builtin/logical/pki/fields.go
@ -547,23 +547,6 @@ greater period of time. By default this is zero seconds.`,
 		Default: "0s",
 	}

-	fields["maintain_stored_certificate_counts"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `This configures whether stored certificates 
-are counted upon initialization of the backend, and whether during 
-normal operation, a running count of certificates stored is maintained.`,
-		Default: false,
-	}
-
-	fields["publish_stored_certificate_count_metrics"] = &framework.FieldSchema{
-		Type: framework.TypeBool,
-		Description: `This configures whether the stored certificate 
-count is published to the metrics consumer.  It does not affect if the
-stored certificate count is maintained, and if maintained, it will be
-available on the tidy-status endpoint.`,
-		Default: false,
-	}
-
 	fields["tidy_revocation_queue"] = &framework.FieldSchema{
 		Type: framework.TypeBool,
 		Description: `Set to true to remove stale revocation queue entries
--- a/builtin/logical/pki/path_tidy.go
+++ b/builtin/logical/pki/path_tidy.go
@ -508,6 +508,21 @@ func pathConfigAutoTidy(b *backend) *framework.Path {
 				Description: `Interval at which to run an auto-tidy operation. This is the time between tidy invocations (after one finishes to the start of the next). Running a manual tidy will reset this duration.`,
 				Default:     int(defaultTidyConfig.Interval / time.Second), // TypeDurationSecond currently requires the default to be an int.
 			},
+			"maintain_stored_certificate_counts": {
+				Type: framework.TypeBool,
+				Description: `This configures whether stored certificates
+are counted upon initialization of the backend, and whether during
+normal operation, a running count of certificates stored is maintained.`,
+				Default: false,
+			},
+			"publish_stored_certificate_count_metrics": {
+				Type: framework.TypeBool,
+				Description: `This configures whether the stored certificate
+count is published to the metrics consumer.  It does not affect if the
+stored certificate count is maintained, and if maintained, it will be
+available on the tidy-status endpoint.`,
+				Default: false,
+			},
 		}),
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ReadOperation: &framework.PathOperation{
@ -1774,12 +1789,13 @@ func (b *backend) pathConfigAutoTidyWrite(ctx context.Context, req *logical.Requ
 	}

 	if runningStorageMetricsEnabledRaw, ok := d.GetOk("publish_stored_certificate_count_metrics"); ok {
-		if config.MaintainCount == false {
-			return logical.ErrorResponse("Can not publish a running storage metrics count to metrics without first maintaining that count.  Enable `maintain_stored_certificate_counts` to enable `publish_stored_certificate_count_metrics."), nil
-		}
 		config.PublishMetrics = runningStorageMetricsEnabledRaw.(bool)
 	}

+	if config.PublishMetrics && !config.MaintainCount {
+		return logical.ErrorResponse("Can not publish a running storage metrics count to metrics without first maintaining that count.  Enable `maintain_stored_certificate_counts` to enable `publish_stored_certificate_count_metrics`."), nil
+	}
+
 	if err := sc.writeAutoTidyConfig(config); err != nil {
 		return nil, err
 	}
--- a/changelog/20664.txt
+++ b/changelog/20664.txt
@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config.
+```