From cbd1857186246b516ae46e0eec6b174bf3a058a7 Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Fri, 23 Aug 2019 11:32:37 -0400
Subject: [PATCH] Secondary CA `establishLeadership` fix (#6383)
This prevents ACL issues (or other issues) during intermediate CA cert signing from failing leader establishment.
---
 agent/consul/leader_connect.go | 6 ++++--
 agent/consul/leader_connect_test.go | 7 +++++--
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/agent/consul/leader_connect.go b/agent/consul/leader_connect.go
index e22ed31a03..02caa4516b 100644
--- a/agent/consul/leader_connect.go
+++ b/agent/consul/leader_connect.go
@@ -382,11 +382,13 @@ func (s *Server) initializeSecondaryCA(provider ca.Provider, roots structs.Index
 	var intermediatePEM string
 	if err := s.forwardDC("ConnectCA.SignIntermediate", s.config.PrimaryDatacenter, s.generateCASignRequest(csr), &intermediatePEM); err != nil {
-		return err
+		// this is a failure in the primary and shouldn't be capable of erroring out our establishing leadership
+		s.logger.Printf("[WARN] connect: Primary datacenter refused to sign our intermediate CA certificate: %v", err)
+		return nil
 	}
 	if err := provider.SetIntermediate(intermediatePEM, newActiveRoot.RootCert); err != nil {
-		return err
+		return fmt.Errorf("Failed to set the intermediate certificate with the CA provider: %v", err)
 	}
 	// Append the new intermediate to our local active root entry.
diff --git a/agent/consul/leader_connect_test.go b/agent/consul/leader_connect_test.go
index 82c6b68fa9..42a54fe454 100644
--- a/agent/consul/leader_connect_test.go
+++ b/agent/consul/leader_connect_test.go
@@ -471,6 +471,8 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
 		c.ACLDefaultPolicy = "deny"
+		// set the build to ensure all the version checks pass and enable all the connect features that operate cross-dc
+		c.Build = "1.6.0"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
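Review bot: Returning `nil` after the `[WARN]` log when `s.forwardDC("ConnectCA.SignIntermediate", …)` fails lets leadership proceed, but it also skips `provider.SetIntermediate` and the "Append the new intermediate" step below, so the secondary's active root ends up with no signed intermediate and nothing in this hunk schedules a retry; unless the caller already re-runs initializeSecondaryCA (not visible here), leaf signing in this datacenter stays broken with only a log line as the signal, and the new early return deserves a comment naming where the retry happens or a sentinel the caller can act on. A failure that leaves Connect unable to issue certificates reads more like `[ERR]` than `[WARN]`, and the message would help operators more if it named the likely cause, which the test change in this patch suggests is a replication token lacking `operator = "write"`. The new `fmt.Errorf("Failed to set …")` string should be lowercase per Go convention, e.g. `return fmt.Errorf("setting the intermediate certificate with the CA provider: %v", err)`. initializeSecondaryCA starts and ends outside the hunk.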
@@ -482,10 +484,10 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 	s1.tokens.UpdateAgentToken("root", tokenStore.TokenSourceConfig)
 	// create some tokens
-	replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`)
+	replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
 	require.NoError(err)
-	replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`)
+	replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
 	require.NoError(err)
 	// dc2 as a secondary DC
@@ -496,6 +498,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 		c.ACLsEnabled = true
 		c.ACLDefaultPolicy = "deny"
 		c.ACLTokenReplication = false
+		c.Build = "1.6.0"
 	})
 	defer os.RemoveAll(dir2)
 	defer s2.Shutdown()
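Review bot: The two `upsertTestTokenWithPolicyRules` lines widen the replication tokens to `acl = "read" operator = "write"` so the primary will sign the intermediate, but no test in this patch exercises the newly tolerated failure path in initializeSecondaryCA (primary refuses to sign, leadership is still established); a variant of this test that keeps the token at `acl = "read"` and asserts that s2 still becomes leader while its active root carries no intermediate would pin the behaviour the commit message describes. The `c.Build = "1.6.0"` line added in the `@@ -496,6 +498,7 @@` hunk has no comment, unlike the same setting for dc1 earlier in this file; a short one such as `// Build must pass the cross-dc connect version checks, as for dc1 above` keeps the two in step. TestLeader_ReplicateIntentions starts and ends outside these hunks.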