diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go
index 270cc7dc13..67850f9ebd 100644
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@@ -6799,7 +6799,7 @@ func TestAgentConnectCALeafCert_good(t *testing.T) {
 ca2 := connect.TestCAConfigSet(t, a, nil)
 
 // Issue a blocking query to ensure that the cert gets updated appropriately
- {
+ t.Run("test blocking queries update leaf cert", func(t *testing.T) {
 resp := httptest.NewRecorder()
 req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?index="+index, nil)
 a.srv.h.ServeHTTP(resp, req)
@@ -6815,7 +6815,7 @@ func TestAgentConnectCALeafCert_good(t *testing.T) {
 // Should not be a cache hit! The data was updated in response to the blocking
 // query being made.
 require.Equal(t, "MISS", resp.Header().Get("X-Cache"))
- }
+ })
 
 t.Run("test non-blocking queries update leaf cert", func(t *testing.T) {
 resp := httptest.NewRecorder()
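Review bot: The body of the new "test blocking queries update leaf cert" subtest still discards the error from `http.NewRequest` on the line after `resp := httptest.NewRecorder()`, while the rewritten sibling in the next hunk checks it with `require.NoError`. For consistency across the subtests I would change it to `req, err := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?index="+index, nil)` followed by `require.NoError(t, err)`. The enclosing TestAgentConnectCALeafCert_good starts before this hunk and continues after it.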
@@ -6834,33 +6834,26 @@ func TestAgentConnectCALeafCert_good(t *testing.T) {
 // Set a new CA
 ca3 := connect.TestCAConfigSet(t, a, nil)
 
- resp := httptest.NewRecorder()
 req, err := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test", nil)
 require.NoError(t, err)
- obj, err = a.srv.AgentConnectCALeafCert(resp, req)
- require.NoError(t, err)
- issued2 := obj.(*structs.IssuedCert)
- require.NotEqual(t, issued.CertPEM, issued2.CertPEM)
- require.NotEqual(t, issued.PrivateKeyPEM, issued2.PrivateKeyPEM)
- // Verify that the cert is signed by the new CA
- requireLeafValidUnderCA(t, issued2, ca3)
-
- // Should not be a cache hit!
- require.Equal(t, "MISS", resp.Header().Get("X-Cache"))
- }
-
- // Test caching for the leaf cert
- {
-
- for fetched := 0; fetched < 4; fetched++ {
-
- // Fetch it again
+ retry.Run(t, func(r *retry.R) {
 resp := httptest.NewRecorder()
- obj2, err := a.srv.AgentConnectCALeafCert(resp, req)
- require.NoError(t, err)
- require.Equal(t, obj, obj2)
- }
+ a.srv.h.ServeHTTP(resp, req)
+
+ // Should not be a cache hit!
+ require.Equal(r, "MISS", resp.Header().Get("X-Cache"))
+
+ dec := json.NewDecoder(resp.Body)
+ issued2 := &structs.IssuedCert{}
+ require.NoError(r, dec.Decode(issued2))
+
+ require.NotEqual(r, issued.CertPEM, issued2.CertPEM)
+ require.NotEqual(r, issued.PrivateKeyPEM, issued2.PrivateKeyPEM)
+
+ // Verify that the cert is signed by the new CA
+ requireLeafValidUnderCA(r, issued2, ca3)
+ })
 }
 })
 }
 
@@ -7405,7 +7398,7 @@ func waitForActiveCARoot(t *testing.T, srv *HTTPHandlers, expect *structs.CARoot
 })
 }
 
-func requireLeafValidUnderCA(t *testing.T, issued *structs.IssuedCert, ca *structs.CARoot) {
+func requireLeafValidUnderCA(t require.TestingT, issued *structs.IssuedCert, ca *structs.CARoot) {
 leaf, intermediates, err := connect.ParseLeafCerts(issued.CertPEM)
 require.NoError(t, err)
 
diff --git a/agent/config/config.go b/agent/config/config.go
index ca6900b51f..145c74db7c 100644
--- a/agent/config/config.go
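Review bot: Inside the new retry.Run closure the body is decoded straight from `resp.Body` without first checking `resp.Code`, so a non-200 answer would surface as an opaque JSON decode failure that retry keeps re-running until it gives up, rather than as a readable status assertion. I would add `require.Equal(r, http.StatusOK, resp.Code)` right after `a.srv.h.ServeHTTP(resp, req)`, before the `X-Cache` check. Note also that the deleted "Test caching for the leaf cert" loop, which fetched four times and asserted identical results, has no replacement here; one extra `ServeHTTP` after the retry block asserting `"HIT"` for `X-Cache` and an unchanged `CertPEM` would restore that coverage. TestAgentConnectCALeafCert_good begins before this hunk.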
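Review bot: Widening `t` to `require.TestingT` means `t.Helper()` is no longer available in requireLeafValidUnderCA, so any assertion failure inside it is attributed to the helper's own lines instead of the calling test; the body continues past the hunk, so I cannot see whether Helper was called before. A type assertion that is a no-op for callers without the method, `if h, ok := t.(interface{ Helper() }); ok { h.Helper() }` as the first statement, keeps caller attribution without narrowing the parameter type again.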
+++ b/agent/config/config.go
@@ -611,7 +611,7 @@ type Connect struct {
 MeshGatewayWANFederationEnabled *bool `mapstructure:"enable_mesh_gateway_wan_federation"`
 EnableServerlessPlugin *bool `mapstructure:"enable_serverless_plugin"`
 
- // TestCALeafRootChangeSpread controls how long after a CA roots change before new leaft certs will be generated.
+ // TestCALeafRootChangeSpread controls how long after a CA roots change before new leaf certs will be generated.
 // This is only tuned in tests, generally set to 1ns to make tests deterministic with when to expect updated leaf
 // certs by. This configuration is not exposed to users (not documented, and agent/config/default.go will override it)
 TestCALeafRootChangeSpread *string `mapstructure:"test_ca_leaf_root_change_spread"`