Fix tidy-status, tidy-cancel on PR Secondaries (#17497) (#17503)

* Fix tidy-status, tidy-cancel on PR Secondaries

PKI's tidy-status included a bug that prevented PR secondary nodes from
responding with the status of the running tidy operation: while the
operation constructor correctly forwarded the node on PR standby
instances, the handler itself forwarded also on PR secondary nodes.

This is incorrect as the PR secondary nodes are the active node in the
local PR cluster, and run tidy operations otherwise.

This meant that while auto-tidy and tidy operations would run, there was
no insight into the process.

When implementing tidy-cancel, tidy-status's handler logic was reused,
duplicating the bug there as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

builtin/logical/pki/path_tidy.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/vault/sdk/framework"
-	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
@@ -248,12 +247,6 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
 }
 
 func (b *backend) pathTidyStatusRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	// If this node is a performance secondary return an ErrReadOnly so that the request gets forwarded,
-	// but only if the PKI backend is not a local mount.
-	if b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary) && !b.System().LocalMount() {
-		return nil, logical.ErrReadOnly
-	}
-
 	b.tidyStatusLock.RLock()
 	defer b.tidyStatusLock.RUnlock()
 

changelog/17497.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters.
+```