Default_follows_latest_issuer with many dynamic PKI mounts

In our use case, we have a system that creates numerous PKI mounts and configures them with a single issuer. Since upgrading to 1.11, the multiple-issuer functionality is causing new PKI mounts to fail to be usable, with this error:

no default issuer currently configured

It seems like if you want to use 1.11, you need to either explicitly select the issuer in all operations, nominate the created issuer as the default, or set the PKI mount configuration with default_follows_latest_issuer set to true.

Unfortunately, it seems like all of these things need to be done on 1.11, and cannot be set in earlier versions (we’re on 1.10 otherwise). I’m wondering what kind of backwards- or forwards-compatible options are available to ensure we don’t need to make such a change entirely in lock-step with the Vault version upgrade to 1.11.

I think the process of upgrading to 1.11 automatically selects the pre-1.11 configuration as default issuer, thus existing mounts should continue to work.

The problem is not the existing mounts (which are migrated) but any new PKI mounts which our application creates dynamically (and frequently) - these fail with the no default issuer currently configured error. But as I said, it seems like the code would need to support using an explicit issuer, or setting the default, or setting the issuer config. But we can’t modify the code to do this while on 1.10, and it immediately breaks on 1.11.

In my testing, it appears that the first issuer created in a newly mounted PKI engine, if created with legacy APIs, does still get set as default, maintaining compatible behaviour.

The error seems to happen on reading <PKI_MOUNT>/cert/ca.

Works fine for me, running Vault 1.11.6, having created mounts using scripts I wrote long before Vault 1.11, so using entirely the old APIs.