From 9a317e2101d8845951e50b404ed42353e2e7eb0d Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Wed, 14 Jun 2023 18:23:44 -0400
Subject: [PATCH] backport of commit 58f029d6082b5231ca49312c75b360300781d399 (#21239)
Co-authored-by: Victor Rodriguez
---
 changelog/21223.txt | 3 +++
 sdk/physical/cache.go | 5 +++++
 2 files changed, 8 insertions(+)
 create mode 100644 changelog/21223.txt
diff --git a/changelog/21223.txt b/changelog/21223.txt
new file mode 100644
index 000000000000..96605f0a4a3f
--- /dev/null
+++ b/changelog/21223.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures.
+```
diff --git a/sdk/physical/cache.go b/sdk/physical/cache.go
index af40f5385957..250078c54c42 100644
--- a/sdk/physical/cache.go
+++ b/sdk/physical/cache.go
@@ -29,6 +29,11 @@ var cacheExceptionsPaths = []string{
 "sys/expire/",
 "core/poison-pill",
 "core/raft/tls",
+
+ // Add barrierSealConfigPath and recoverySealConfigPlaintextPath to the cache
+ // exceptions to avoid unseal errors. See VAULT-17227
+ "core/seal-config",
+ "core/recovery-config",
 }

 // CacheRefreshContext returns a context with an added value denoting if the
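Review bot: The two new entries `"core/seal-config"` and `"core/recovery-config"` in `cacheExceptionsPaths` are bare string literals that the comment ties to `barrierSealConfigPath` and `recoverySealConfigPlaintextPath`, but nothing visible in the hunk keeps them in step with those constants, which are presumably defined in another package. If either constant is later changed, the exception would silently stop applying and seal configuration would be served from the cache again, which is the failure the changelog entry describes. I would reword the comment to state the invariant rather than the edit, for example `// Seal config must always be read from the backend, never the cache; keep in sync with barrierSealConfigPath and recoverySealConfigPlaintextPath (VAULT-17227).`, and add a test, in a package where both are in scope, asserting that the literals equal the constants. The slice literal starts above the hunk and its consumer is not shown, so whether entries are matched as prefixes or exact keys cannot be confirmed from here.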