diff --git a/agent/consul/leader.go b/agent/consul/leader.go
index 391b73ca76..7a7967b31d 100644
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@@ -387,9 +387,6 @@ func (s *Server) revokeLeadership() {
 s.stopConnectLeader()
- s.caManager.setCAProvider(nil, nil)
- s.caManager.setState(caStateUninitialized, false)
-
 s.stopACLTokenReaping()
 s.stopACLUpgrade()
diff --git a/agent/consul/leader_connect.go b/agent/consul/leader_connect.go
index 6ca14e4ced..b3bb857fae 100644
--- a/agent/consul/leader_connect.go
+++ b/agent/consul/leader_connect.go
@@ -49,14 +49,6 @@ func (s *Server) stopConnectLeader() {
 s.leaderRoutineManager.Stop(caRootPruningRoutineName)
 s.leaderRoutineManager.Stop(caRootMetricRoutineName)
 s.leaderRoutineManager.Stop(caSigningMetricRoutineName)
-
- // If the provider implements NeedsStop, we call Stop to perform any shutdown actions.
- provider, _ := s.caManager.getCAProvider()
- if provider != nil {
- if needsStop, ok := provider.(ca.NeedsStop); ok {
- needsStop.Stop()
- }
- }
 }
 // createProvider returns a connect CA provider from the given config.
diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go
index 4c2b634e08..3af8a65fa8 100644
--- a/agent/consul/leader_connect_ca.go
+++ b/agent/consul/leader_connect_ca.go
@@ -271,6 +271,14 @@ func (c *CAManager) Stop() {
 c.leaderRoutineManager.Stop(secondaryCARootWatchRoutineName)
 c.leaderRoutineManager.Stop(intermediateCertRenewWatchRoutineName)
 c.leaderRoutineManager.Stop(backgroundCAInitializationRoutineName)
+
+ if provider, _ := c.getCAProvider(); provider != nil {
+ if needsStop, ok := provider.(ca.NeedsStop); ok {
+ needsStop.Stop()
+ }
+ }
+ c.setCAProvider(nil, nil)
+ c.setState(caStateUninitialized, false)
 }
 func (c *CAManager) startPostInitializeRoutines(ctx context.Context) {
diff --git a/agent/consul/server_connect.go b/agent/consul/server_connect.go
index 33d5fb2833..4626db4ef4 100644
--- a/agent/consul/server_connect.go
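Review bot: In CAManager.Stop the provider is stopped through needsStop.Stop() while it is still published by getCAProvider, and only afterwards cleared with setCAProvider(nil, nil); if getCAProvider is reachable concurrently from RPC handlers, as the SignCertificate hunk in server_connect.go suggests, a request in that window can obtain an already-stopped provider and try to sign with it. Unpublishing the provider and resetting the state before stopping the old one closes that window without changing what gets stopped; the removed code in stopConnectLeader had the same order, so this is pre-existing rather than introduced here, but the move is the natural place to fix it. Separately, the leader.go hunk now depends on CAManager.Stop being invoked on leadership loss, and that call is not in any visible hunk (stopConnectLeader's body begins before its hunk), so it is worth confirming it is still reached from revokeLeadership.
```go
	c.leaderRoutineManager.Stop(backgroundCAInitializationRoutineName)

	// Unpublish the provider and reset the manager state first so that a
	// concurrent getCAProvider caller cannot observe a stopped provider.
	provider, _ := c.getCAProvider()
	c.setCAProvider(nil, nil)
	c.setState(caStateUninitialized, false)

	if provider != nil {
		if needsStop, ok := provider.(ca.NeedsStop); ok {
			needsStop.Stop()
		}
	}
}
```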
+++ b/agent/consul/server_connect.go
@@ -138,6 +138,7 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
 return indexedRoots, nil
 }
+// TODO: Move this off Server. This is only called by RPC endpoints.
 func (s *Server) SignCertificate(csr *x509.CertificateRequest, spiffeID connect.CertURI) (*structs.IssuedCert, error) {
 provider, caRoot := s.caManager.getCAProvider()
 if provider == nil {