mirror of https://github.com/hashicorp/consul
Add retry in TestAgentConnectCALeafCert_good
parent
e4a579022b
commit
6311c651de
|
@ -6799,7 +6799,7 @@ func TestAgentConnectCALeafCert_good(t *testing.T) {
|
|||
ca2 := connect.TestCAConfigSet(t, a, nil)
|
||||
|
||||
// Issue a blocking query to ensure that the cert gets updated appropriately
|
||||
{
|
||||
t.Run("test blocking queries update leaf cert", func(t *testing.T) {
|
||||
resp := httptest.NewRecorder()
|
||||
req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?index="+index, nil)
|
||||
a.srv.h.ServeHTTP(resp, req)
|
||||
|
@ -6815,7 +6815,7 @@ func TestAgentConnectCALeafCert_good(t *testing.T) {
|
|||
// Should not be a cache hit! The data was updated in response to the blocking
|
||||
// query being made.
|
||||
require.Equal(t, "MISS", resp.Header().Get("X-Cache"))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("test non-blocking queries update leaf cert", func(t *testing.T) {
|
||||
resp := httptest.NewRecorder()
|
||||
|
@ -6834,33 +6834,26 @@ func TestAgentConnectCALeafCert_good(t *testing.T) {
|
|||
// Set a new CA
|
||||
ca3 := connect.TestCAConfigSet(t, a, nil)
|
||||
|
||||
resp := httptest.NewRecorder()
|
||||
req, err := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test", nil)
|
||||
require.NoError(t, err)
|
||||
obj, err = a.srv.AgentConnectCALeafCert(resp, req)
|
||||
require.NoError(t, err)
|
||||
issued2 := obj.(*structs.IssuedCert)
|
||||
require.NotEqual(t, issued.CertPEM, issued2.CertPEM)
|
||||
require.NotEqual(t, issued.PrivateKeyPEM, issued2.PrivateKeyPEM)
|
||||
|
||||
// Verify that the cert is signed by the new CA
|
||||
requireLeafValidUnderCA(t, issued2, ca3)
|
||||
|
||||
// Should not be a cache hit!
|
||||
require.Equal(t, "MISS", resp.Header().Get("X-Cache"))
|
||||
}
|
||||
|
||||
// Test caching for the leaf cert
|
||||
{
|
||||
|
||||
for fetched := 0; fetched < 4; fetched++ {
|
||||
|
||||
// Fetch it again
|
||||
retry.Run(t, func(r *retry.R) {
|
||||
resp := httptest.NewRecorder()
|
||||
obj2, err := a.srv.AgentConnectCALeafCert(resp, req)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, obj, obj2)
|
||||
}
|
||||
a.srv.h.ServeHTTP(resp, req)
|
||||
|
||||
// Should not be a cache hit!
|
||||
require.Equal(r, "MISS", resp.Header().Get("X-Cache"))
|
||||
|
||||
dec := json.NewDecoder(resp.Body)
|
||||
issued2 := &structs.IssuedCert{}
|
||||
require.NoError(r, dec.Decode(issued2))
|
||||
|
||||
require.NotEqual(r, issued.CertPEM, issued2.CertPEM)
|
||||
require.NotEqual(r, issued.PrivateKeyPEM, issued2.PrivateKeyPEM)
|
||||
|
||||
// Verify that the cert is signed by the new CA
|
||||
requireLeafValidUnderCA(r, issued2, ca3)
|
||||
})
|
||||
}
|
||||
})
|
||||
}
|
||||
|
@ -7405,7 +7398,7 @@ func waitForActiveCARoot(t *testing.T, srv *HTTPHandlers, expect *structs.CARoot
|
|||
})
|
||||
}
|
||||
|
||||
func requireLeafValidUnderCA(t *testing.T, issued *structs.IssuedCert, ca *structs.CARoot) {
|
||||
func requireLeafValidUnderCA(t require.TestingT, issued *structs.IssuedCert, ca *structs.CARoot) {
|
||||
leaf, intermediates, err := connect.ParseLeafCerts(issued.CertPEM)
|
||||
require.NoError(t, err)
|
||||
|
||||
|
|
|
@ -611,7 +611,7 @@ type Connect struct {
|
|||
MeshGatewayWANFederationEnabled *bool `mapstructure:"enable_mesh_gateway_wan_federation"`
|
||||
EnableServerlessPlugin *bool `mapstructure:"enable_serverless_plugin"`
|
||||
|
||||
// TestCALeafRootChangeSpread controls how long after a CA roots change before new leaft certs will be generated.
|
||||
// TestCALeafRootChangeSpread controls how long after a CA roots change before new leaf certs will be generated.
|
||||
// This is only tuned in tests, generally set to 1ns to make tests deterministic with when to expect updated leaf
|
||||
// certs by. This configuration is not exposed to users (not documented, and agent/config/default.go will override it)
|
||||
TestCALeafRootChangeSpread *string `mapstructure:"test_ca_leaf_root_change_spread"`
|
||||
|
|
Loading…
Reference in New Issue