From f05bad4a1d6cfcb2cca0ff78eb6aa19ffc9df76c Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Wed, 1 Dec 2021 15:11:20 -0500
Subject: [PATCH] ca: update GenerateRoot godoc
---
 agent/connect/ca/provider.go | 14 +++++++++++---
 agent/connect/ca/provider_consul.go | 3 +-
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/agent/connect/ca/provider.go b/agent/connect/ca/provider.go
index 4bab873aa9..6eab92f96e 100644
--- a/agent/connect/ca/provider.go
+++ b/agent/connect/ca/provider.go
@@ -118,9 +118,17 @@ type Provider interface {
 }
 type PrimaryProvider interface {
- // GenerateRoot causes the creation of a new root certificate for this provider.
- // This can also be a no-op if a root certificate already exists for the given
- // config. If IsPrimary is false, calling this method is an error.
+ // GenerateRoot is called:
+ // * to initialize the CA system when a server is elected as a raft leader
+ // * when the CA configuration is updated in a way that might require
+ // generating a new root certificate.
+ //
+ // In both cases GenerateRoot is always called on a newly created provider
+ // after calling Provider.Configure, and before any other calls to the
+ // provider.
+ //
+ // The provider should return an existing root certificate if one exists,
+ // otherwise it should generate a new root certificate and return it.
 GenerateRoot() error
 // ActiveRoot returns the currently active root CA for this
diff --git a/agent/connect/ca/provider_consul.go b/agent/connect/ca/provider_consul.go
index dea91e5d7d..d0e746803c 100644
--- a/agent/connect/ca/provider_consul.go
+++ b/agent/connect/ca/provider_consul.go
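Review bot: The final paragraph of the new GenerateRoot godoc says the provider should "return" the existing or newly generated root certificate, but the declaration on the next line is `GenerateRoot() error`, so the only value returned is an error and a reader of this interface will look for a return value that does not exist; the root is surfaced by ActiveRoot, declared just below. I would reword that paragraph to `// The provider must reuse an existing root certificate if one exists, and otherwise generate a new one; the resulting root is exposed through ActiveRoot.` Getting that contract right matters because a provider that generated a fresh root whenever GenerateRoot ran would, per the first bullet, silently rotate the cluster's trust root on every leader election. The rewrite also drops the old sentence that calling this method on a non-primary provider is an error; since the method sits on PrimaryProvider this is presumably enforced by the type, but if a provider can still be configured as non-primary at runtime that precondition should be restored. Both interface declarations continue outside the hunk.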
@@ -159,8 +159,7 @@ func (c *ConsulProvider) ActiveRoot() (string, error) {
 return providerState.RootCert, nil
 }
-// GenerateRoot initializes a new root certificate and private key
-// if needed.
+// GenerateRoot initializes a new root certificate and private key if needed.
 func (c *ConsulProvider) GenerateRoot() error {
 providerState, err := c.getState()
 if err != nil {