diff --git a/agent/consul/connect_ca_endpoint_test.go b/agent/consul/connect_ca_endpoint_test.go
index 00cfbfa3e4..4cfe22ce45 100644
--- a/agent/consul/connect_ca_endpoint_test.go
+++ b/agent/consul/connect_ca_endpoint_test.go
@@ -624,6 +624,27 @@ func TestConnectCAConfig_UpdateSecondary(t *testing.T) {
 assert.Equal("web", reply.Service)
 assert.Equal(spiffeId.URI().String(), reply.ServiceURI)
 }
+
+ // Update a minor field in the config that doesn't trigger an intermediate refresh.
+ {
+ newConfig := &structs.CAConfiguration{
+ Provider: "consul",
+ Config: map[string]interface{}{
+ "PrivateKey": newKey,
+ "RootCert": "",
+ "RotationPeriod": 180 * 24 * time.Hour,
+ },
+ }
+ {
+ args := &structs.CARequest{
+ Datacenter: "secondary",
+ Config: newConfig,
+ }
+ var reply interface{}
+
+ require.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))
+ }
+ }
 }
 
 // Test CA signing
diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go
index a00ffe2b5e..69a3424c1a 100644
--- a/agent/consul/leader_connect_ca.go
+++ b/agent/consul/leader_connect_ca.go
@@ -579,7 +579,7 @@ func (c *CAManager) persistNewRootAndConfig(provider ca.Provider, newActiveRoot
 var newRoots structs.CARoots
 for _, r := range oldRoots {
 newRoot := *r
- if newRoot.Active {
+ if newRoot.Active && newActiveRoot != nil {
 newRoot.Active = false
 newRoot.RotatedOutAt = time.Now()
 }
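Review bot: The block added to TestConnectCAConfig_UpdateSecondary asserts only that `ConnectCA.ConfigurationSet` returns no error, so the property this commit protects (the secondary still has an active root after a config-only update) is checked indirectly at best. After the call, read the roots back and assert on them, for example `var roots structs.IndexedCARoots`, then `require.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", &structs.DCSpecificRequest{Datacenter: "secondary"}, &roots))` and `require.NotEmpty(roots.ActiveRootID)`. Comparing that ID with the one seen before the update would also show that no rotation happened. The test function starts outside the hunk, so whether an earlier roots lookup can be reused for that comparison is not visible here.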
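Review bot: The new `newActiveRoot != nil` condition in persistNewRootAndConfig carries no comment saying what a nil root means, yet it is the only thing in this loop that keeps the current root marked active when nothing is being rotated in. A why-comment above the `if` would stop a later cleanup from dropping the guard and leaving the CA root set with no active root: `// A nil newActiveRoot means only the config changed; leave the current root active.` The function body starts and ends outside the hunk, so how `newRoots` is persisted afterwards, and whether that path rejects a set with no active root, cannot be confirmed from here.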