From e45a25828d8563afaca78c602185b1ff0ff91586 Mon Sep 17 00:00:00 2001
From: Nick Cabatoff
Date: Thu, 20 Jan 2022 08:56:30 -0500
Subject: [PATCH] Support go-sockaddr templates in top-level cluster_addr config (#13678) (#13706)

In doing some testing I found that the listener clusteraddr isn't really used, or at least isn't as important as the top-level clusteraddr setting. As such, go-sockaddr templating needs to be implemented for the top-level `cluster_addr` setting or it's unusable for HA. Also fix a nil pointer panic I discovered at the same time.
---
 changelog/13678.txt | 3 +++
 command/server.go | 6 +++++-
 vault/core.go | 3 +++
 3 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 changelog/13678.txt
diff --git a/changelog/13678.txt b/changelog/13678.txt
new file mode 100644
index 0000000000000..f8cbbf306016d
--- /dev/null
+++ b/changelog/13678.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: add support for go-sockaddr templates in the top-level cluster_addr field
+```
\ No newline at end of file
diff --git a/command/server.go b/command/server.go
index 718009b8cf419..2d9800110368d 100644
--- a/command/server.go
+++ b/command/server.go
@@ -724,7 +724,6 @@ func (c *ServerCommand) runRecoveryMode() int {
 c.logger.Info("goroutine trace", "stack", string(buf[:n]))
 }
 }
-
 }
 func logProxyEnvironmentVariables(logger hclog.Logger) {
@@ -2407,6 +2406,11 @@ CLUSTER_SYNTHESIS_COMPLETE:
 }
 if coreConfig.ClusterAddr != "" {
+ rendered, err := configutil.ParseSingleIPTemplate(coreConfig.ClusterAddr)
+ if err != nil {
+ return fmt.Errorf("Error parsing cluster address %s: %v", coreConfig.ClusterAddr, err)
+ }
+ coreConfig.ClusterAddr = rendered
 // Force https as we'll always be TLS-secured
 u, err := url.ParseRequestURI(coreConfig.ClusterAddr)
 if err != nil {
diff --git a/vault/core.go b/vault/core.go
index 459989689484a..a614b9a499051 100644
--- a/vault/core.go
+++ b/vault/core.go
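Review bot: In command/server.go, in the second hunk (under CLUSTER_SYNTHESIS_COMPLETE), `rendered` is assigned back to `coreConfig.ClusterAddr` without checking that it is non-empty. The body of `configutil.ParseSingleIPTemplate` is not part of this diff, so whether it rejects a template that matches no interface is an assumption to confirm; if it can return an empty string with a nil error, the failure only appears in the following `url.ParseRequestURI` call, with a message that no longer mentions the template. A guard before the assignment, `if rendered == "" { return fmt.Errorf("cluster address template %q rendered to an empty address", coreConfig.ClusterAddr) }`, would keep the diagnosis at the source. In the added error, `%q` for the template and `%w` for the wrapped error would show exactly what was configured and keep the cause inspectable. The enclosing `if coreConfig.ClusterAddr != ""` block continues past the end of the hunk.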
@@ -1368,6 +1368,9 @@ func (c *Core) getUnsealKey(ctx context.Context, seal Seal) ([]byte, error) {
 if err != nil {
 return nil, err
 }
+ if config == nil {
+ return nil, fmt.Errorf("failed to obtain seal/recovery configuration")
+ }
 // Check if we don't have enough keys to unlock, proceed through the rest of
 // the call only if we have met the threshold
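Review bot: The new `config == nil` guard in getUnsealKey has no comment saying when the lookup above can return a nil configuration together with a nil error, and the wording "failed to obtain" reads as if the lookup itself had failed. The call that produces `config` is above the hunk, so the cause is an assumption here; if nil means that nothing is stored, say so with `// A nil config with a nil error means nothing is stored; return an error instead of dereferencing it below.` and `return nil, fmt.Errorf("seal/recovery configuration not found")`. A regression test that drives getUnsealKey with a nil configuration would keep the panic in the unseal path from coming back. The function body starts and ends outside the hunk.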