From 917b9b2b9851bbef611fdd3ce47b3e31a6fb313f Mon Sep 17 00:00:00 2001
From: Lalit Adithya
Date: Tue, 10 Nov 2020 19:08:08 +0530
Subject: [PATCH] Checking if vault is unsealed and active using the HTTP endpoint
Signed-off-by: lalit@lalitadithya.com
---
 pkg/internal/vault/vault.go | 15 +++++++++++++++
 pkg/issuer/vault/setup.go | 12 ++----------
 2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/pkg/internal/vault/vault.go b/pkg/internal/vault/vault.go
index 98429df3b..b6283be62 100644
--- a/pkg/internal/vault/vault.go
+++ b/pkg/internal/vault/vault.go
@@ -42,6 +42,7 @@ type VaultClientBuilder func(namespace string, secretsLister corelisters.SecretL
 type Interface interface {
 	Sign(csrPEM []byte, duration time.Duration) (certPEM []byte, caPEM []byte, err error)
 	Sys() *vault.Sys
+	IsVaultInitializedAndUnsealed() error
 }
 
 type Client interface {
@@ -373,3 +374,17 @@ func extractCertificatesFromVaultCertificateSecret(secret *certutil.Secret) ([]b
 	return []byte(strings.Join(crtPems, "\n")), caPem, nil
 }
+
+func (v *Vault) IsVaultInitializedAndUnsealed() error {
+	healthURL := path.Join("/v1", "sys", "health")
+	heatlhRequest := v.client.NewRequest("GET", healthURL)
+	healthResp, err := v.client.RawRequest(heatlhRequest)
+	// 429 = if unsealed and standby
+	// 472 = if disaster recovery mode replication secondary and active
+	// 473 = if performance standby
+	if err != nil && healthResp.StatusCode != 429 && healthResp.StatusCode != 472 && healthResp.StatusCode != 473 {
+		return err
+	}
+	defer healthResp.Body.Close()
+	return nil
+}
diff --git a/pkg/issuer/vault/setup.go b/pkg/issuer/vault/setup.go
index 4d4d0d850..2f5fc19e3 100644
--- a/pkg/issuer/vault/setup.go
+++ b/pkg/issuer/vault/setup.go
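Review bot: The new `IsVaultInitializedAndUnsealed() error` method added to `Interface` carries no doc comment, so callers cannot tell from the interface which health states count as success (the implementation further down accepts standby and DR/performance-standby nodes, not only an active one). I would add `// IsVaultInitializedAndUnsealed returns nil when the Vault health endpoint reports an initialized, unsealed node (active or standby), and the health error otherwise.` above the method. Adding a method to an exported interface also obliges every other implementer, such as any test fake of `Interface` outside this diff, to grow the same method; that cannot be confirmed from the hunk.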
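Review bot: `IsVaultInitializedAndUnsealed` dereferences `healthResp.StatusCode` inside the `err != nil` branch without checking that `healthResp` is non-nil, so a transport-level failure (connection refused, TLS handshake error, DNS) where `RawRequest` returns a nil response would panic the controller instead of surfacing an error. The `defer healthResp.Body.Close()` is also placed after the early `return err`, so on the error path with a non-nil response (e.g. a 503 sealed or 501 uninitialized reply) the body is never closed, and `heatlhRequest` is misspelled. Move the close directly after the request, return early on success, and guard the nil-response case before consulting the status code; the accepted status codes are unchanged from the hunk.
```go
func (v *Vault) IsVaultInitializedAndUnsealed() error {
	healthURL := path.Join("/v1", "sys", "health")
	healthRequest := v.client.NewRequest("GET", healthURL)
	healthResp, err := v.client.RawRequest(healthRequest)
	if healthResp != nil {
		defer healthResp.Body.Close()
	}
	if err == nil {
		return nil
	}
	// No response at all means the request never reached Vault; report it as-is.
	if healthResp == nil {
		return err
	}
	// 429 = unsealed and standby
	// 472 = disaster recovery mode replication secondary and active
	// 473 = performance standby
	switch healthResp.StatusCode {
	case 429, 472, 473:
		return nil
	}
	return err
}
```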
@@ -110,16 +110,8 @@ func (v *Vault) Setup(ctx context.Context) error {
 		return err
 	}
 
-	health, err := client.Sys().Health()
-	if err != nil {
-		s := messageVaultHealthCheckFailed + err.Error()
-		logf.V(logf.WarnLevel).Infof("%s: %s", v.issuer.GetObjectMeta().Name, s)
-		apiutil.SetIssuerCondition(v.issuer, v.issuer.GetGeneration(), v1.IssuerConditionReady, cmmeta.ConditionFalse, errorVault, s)
-		return err
-	}
-
-	if !health.Initialized || health.Sealed {
-		logf.V(logf.WarnLevel).Infof("%s: %s: health: %v", v.issuer.GetObjectMeta().Name, messageVaultStatusVerificationFailed, health)
+	if err := client.IsVaultInitializedAndUnsealed(); err != nil {
+		logf.V(logf.WarnLevel).Infof("%s: %s: error: %s", v.issuer.GetObjectMeta().Name, messageVaultStatusVerificationFailed, err.Error())
 		apiutil.SetIssuerCondition(v.issuer, v.issuer.GetGeneration(), v1.IssuerConditionReady, cmmeta.ConditionFalse, errorVault, messageVaultStatusVerificationFailed)
 		return fmt.Errorf(messageVaultStatusVerificationFailed)
 	}
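Review bot: The new branch folds the former "health check failed" path into the "status verification failed" path, and the `err` from `IsVaultInitializedAndUnsealed` now reaches only the warn-level log: the Issuer condition message and the returned error both carry the bare `messageVaultStatusVerificationFailed` constant, so an operator inspecting the Issuer status can no longer distinguish an unreachable Vault from a sealed or uninitialized one, which the removed code did via `messageVaultHealthCheckFailed + err.Error()`. I would at least wrap the cause into the returned error, `return fmt.Errorf("%s: %w", messageVaultStatusVerificationFailed, err)`, and consider including `err.Error()` in the condition message as before. `messageVaultHealthCheckFailed` appears to have no remaining use in this function after the change; whether it is still referenced elsewhere is not visible here. The enclosing `Setup` method starts before this hunk.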