From d0578c6dfc2709ce1e21d4443a1f4498762b78ef Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Thu, 25 Nov 2021 16:15:09 -0500 Subject: [PATCH] ca: extract the lookup of the active primary CA This method had only one caller, which always looked for the active root. This commit moves the lookup into the method to reduce the logic in the one caller. This is being done in preparation for a larger change. Keeping this separate so it is easier to see. The `storedRootID != primaryRoots.ActiveRootID` is being removed because these can never be different. The `storedRootID` comes from `provider.ActiveRoot`, the `primaryRoots.ActiveRootID` comes from the store `CARoot` from the primary. In both cases the source of the data is the primary DC. Technically they could be different if someone modified the provider outside of Consul, but that would break many things, so is not a supported flow. If these were out of sync because of ordering of events then the secondary will soon receive an update to `primaryRoots` and everything will be sorted out again. --- agent/consul/leader_connect_ca.go | 33 +++++++++++++++---------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go index 2cf6fce970..6a6a2a7023 100644 --- a/agent/consul/leader_connect_ca.go +++ b/agent/consul/leader_connect_ca.go @@ -197,11 +197,18 @@ func (c *CAManager) secondarySetPrimaryRoots(newRoots structs.IndexedCARoots) { c.primaryRoots = newRoots } -func (c *CAManager) secondaryGetPrimaryRoots() structs.IndexedCARoots { +func (c *CAManager) secondaryGetActivePrimaryCARoot() (*structs.CARoot, error) { // TODO: this could be a different lock, as long as its the same lock in secondarySetPrimaryRoots c.stateLock.Lock() - defer c.stateLock.Unlock() - return c.primaryRoots + primaryRoots := c.primaryRoots + c.stateLock.Unlock() + + for _, root := range primaryRoots.Roots { + if root.ID == primaryRoots.ActiveRootID && root.Active { + return root, nil + } + } + return nil, fmt.Errorf("primary datacenter does not have an active root CA for Connect") } // initializeCAConfig is used to initialize the CA config if necessary @@ -658,25 +665,17 @@ func (c *CAManager) secondaryInitializeIntermediateCA(provider ca.Provider, conf } } - // Determine which of the provided PRIMARY representations of roots is the - // active one. We'll use this as a template to generate any new root - // representations meant for this secondary. - var newActiveRoot *structs.CARoot - primaryRoots := c.secondaryGetPrimaryRoots() - for _, root := range primaryRoots.Roots { - if root.ID == primaryRoots.ActiveRootID && root.Active { - newActiveRoot = root - break - } - } - if newActiveRoot == nil { - return fmt.Errorf("primary datacenter does not have an active root CA for Connect") + newActiveRoot, err := c.secondaryGetActivePrimaryCARoot() + if err != nil { + return err } + _ = storedRootID // TODO: will be removed in the next commit + // Get a signed intermediate from the primary DC if the provider // hasn't been initialized yet or if the primary's root has changed. needsNewIntermediate := false - if activeIntermediate == "" || storedRootID != primaryRoots.ActiveRootID { + if activeIntermediate == "" { needsNewIntermediate = true }