github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Secondary CA `establishLeadership` fix (#6383) 

This prevents ACL issues (or other issues) during intermediate CA cert signing from failing leader establishment.
pull/6388/head
Matt Keeler 2019-08-23 11:32:37 -04:00 committed by GitHub
parent 90d122055b
commit cbd1857186
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
agent/consul/leader_connect.go
View File

@ -382,11 +382,13 @@ func (s *Server) initializeSecondaryCA(provider ca.Provider, roots structs.Index
var intermediatePEM string var intermediatePEM string
if err := s.forwardDC("ConnectCA.SignIntermediate", s.config.PrimaryDatacenter, s.generateCASignRequest(csr), &intermediatePEM); err != nil { if err := s.forwardDC("ConnectCA.SignIntermediate", s.config.PrimaryDatacenter, s.generateCASignRequest(csr), &intermediatePEM); err != nil {
return err // this is a failure in the primary and shouldn't be capable of erroring out our establishing leadership
s.logger.Printf("[WARN] connect: Primary datacenter refused to sign our intermediate CA certificate: %v", err)
return nil
} }
if err := provider.SetIntermediate(intermediatePEM, newActiveRoot.RootCert); err != nil { if err := provider.SetIntermediate(intermediatePEM, newActiveRoot.RootCert); err != nil {
return err return fmt.Errorf("Failed to set the intermediate certificate with the CA provider: %v", err)
} }
// Append the new intermediate to our local active root entry. // Append the new intermediate to our local active root entry.

7
agent/consul/leader_connect_test.go
View File

@ -471,6 +471,8 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLMasterToken = "root" c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny" c.ACLDefaultPolicy = "deny"
// set the build to ensure all the version checks pass and enable all the connect features that operate cross-dc
c.Build = "1.6.0"
}) })
defer os.RemoveAll(dir1) defer os.RemoveAll(dir1)
defer s1.Shutdown() defer s1.Shutdown()
@ -482,10 +484,10 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
s1.tokens.UpdateAgentToken("root", tokenStore.TokenSourceConfig) s1.tokens.UpdateAgentToken("root", tokenStore.TokenSourceConfig)
// create some tokens // create some tokens
replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`) replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
require.NoError(err) require.NoError(err)
replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`) replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
require.NoError(err) require.NoError(err)
// dc2 as a secondary DC // dc2 as a secondary DC
@ -496,6 +498,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
c.ACLsEnabled = true c.ACLsEnabled = true
c.ACLDefaultPolicy = "deny" c.ACLDefaultPolicy = "deny"
c.ACLTokenReplication = false c.ACLTokenReplication = false
c.Build = "1.6.0"
}) })
defer os.RemoveAll(dir2) defer os.RemoveAll(dir2)
defer s2.Shutdown() defer s2.Shutdown()