From d86723c8253c2502a18e451ed35651cf905d88fe Mon Sep 17 00:00:00 2001
From: "Scott G. Miller"
Date: Thu, 18 Apr 2024 10:15:41 -0500
Subject: [PATCH 1/2] Potential fix for incompatible seal types between raft leader and new follower after having downgraded to one seal
---
 vault/raft.go | 4 ++--
 vault/seal_autoseal.go | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/vault/raft.go b/vault/raft.go
index db7e2559a5d..f621d30b4f0 100644
--- a/vault/raft.go
+++ b/vault/raft.go
@@ -957,8 +957,8 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati
 return nil, err
 }
- if sealConfig.Type != c.seal.BarrierSealConfigType().String() {
- return nil, fmt.Errorf("mismatching seal types between raft leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierSealConfigType())
+ if !CompatibleSealTypes(sealConfig.Type, c.seal.BarrierSealConfigType().String()) {
+ return nil, fmt.Errorf("incompatible seal types between raft leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierSealConfigType())
 }
 challengeB64, ok := secret.Data["challenge"]
diff --git a/vault/seal_autoseal.go b/vault/seal_autoseal.go
index c3edf9d8a02..fa953045eac 100644
--- a/vault/seal_autoseal.go
+++ b/vault/seal_autoseal.go
@@ -194,7 +194,7 @@ func (d *autoSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) {
 barrierTypeUpgradeCheck(d.BarrierSealConfigType(), conf)
- if conf.Type != d.BarrierSealConfigType().String() && conf.Type != SealConfigTypeMultiseal.String() && d.BarrierSealConfigType() != SealConfigTypeMultiseal {
+ if !CompatibleSealTypes(conf.Type, d.BarrierSealConfigType().String()) {
 d.logger.Error("barrier seal type does not match loaded type", "seal_type", conf.Type, "loaded_type", d.BarrierSealConfigType())
 return nil, fmt.Errorf("barrier seal type of %q does not match loaded type of %q", conf.Type, d.BarrierSealConfigType())
 }
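Review bot: In vault/raft.go, the join pre-check in getRaftChallenge now passes whenever either side reports the multiseal type, so a follower whose configured seal differs from the leader's stored type is no longer rejected at this point. Whether such a join is still refused later depends on code outside the hunk; the only later step visible is the challenge being read from `secret.Data["challenge"]`. I would record that dependency above the check, for example `// Type check is advisory only: multiseal on either side matches any type, so the challenge exchange below must still reject a follower without a usable seal key.` (to be confirmed against the rest of the function). A log entry on the path where the two type names differ but are accepted would also let operators notice a follower joining with a different seal type than the leader's stored config. The function starts and ends outside the hunk.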
@@ -203,6 +203,10 @@ func (d *autoSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) {
 return conf.Clone(), nil
 }
+func CompatibleSealTypes(a, b string) bool {
+ return a == b || a == SealConfigTypeMultiseal.String() || b == SealConfigTypeMultiseal.String()
+}
+
 func (d *autoSeal) ClearBarrierConfig(ctx context.Context) error {
 return d.SetBarrierConfig(ctx, nil)
 }
From cdd904336fb51ca83b5ae78511730f825ff0089c Mon Sep 17 00:00:00 2001
From: "Scott G. Miller"
Date: Fri, 19 Apr 2024 08:56:53 -0500
Subject: [PATCH 2/2] changelog
---
 changelog/26523.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/26523.txt
diff --git a/changelog/26523.txt b/changelog/26523.txt
new file mode 100644
index 00000000000..3b3ef6427d4
--- /dev/null
+++ b/changelog/26523.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core (enterprise): fix bug where raft followers disagree with the seal type after returning to one seal from two.
+```
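Review bot: CompatibleSealTypes in vault/seal_autoseal.go is exported and now gates both the raft join check and BarrierConfig, yet it has no doc comment, and the diffstat shows no test file added alongside it. Because it treats multiseal as a wildcard on either side, that rule should be stated where it is defined: `// CompatibleSealTypes reports whether two seal config type names may be used together: they are equal, or either one is the multiseal type. It compares names only and says nothing about key material.` If nothing outside package vault calls it, an unexported name would keep the relaxed rule from becoming part of the package API. A small table test covering equal names, differing names, and multiseal on each side would pin the behaviour both call sites now rely on.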