diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go index 1a27bd522..f0bd6cf21 100644 --- a/agent/consul/connect_ca_endpoint.go +++ b/agent/consul/connect_ca_endpoint.go @@ -120,7 +120,10 @@ func (s *ConnectCA) ConfigurationSet( return err } - if root != nil && root.ID == newActiveRoot.ID { + // If the root didn't change or if this is a secondary DC, just update the + // config and return. + if (s.srv.config.Datacenter != s.srv.config.PrimaryDatacenter) || + root != nil && root.ID == newActiveRoot.ID { args.Op = structs.CAOpSetConfig resp, err := s.srv.raftApply(structs.ConnectCARequestType, args) if err != nil { diff --git a/agent/consul/leader.go b/agent/consul/leader.go index ba1313989..ce3961193 100644 --- a/agent/consul/leader.go +++ b/agent/consul/leader.go @@ -227,6 +227,8 @@ func (s *Server) establishLeadership() error { return err } + s.startEnterpriseLeader() + s.startCARootPruning() s.setConsistentReadReady() @@ -245,6 +247,8 @@ func (s *Server) revokeLeadership() error { return err } + s.stopEnterpriseLeader() + s.stopCARootPruning() s.setCAProvider(nil, nil) diff --git a/agent/consul/leader_oss.go b/agent/consul/leader_oss.go index 3ec519045..c1f696869 100644 --- a/agent/consul/leader_oss.go +++ b/agent/consul/leader_oss.go @@ -23,3 +23,7 @@ func (s *Server) initializeCA() error { return s.initializeRootCA(provider, conf) } + +// Stub methods, only present in Consul Enterprise. +func (s *Server) startEnterpriseLeader() {} +func (s *Server) stopEnterpriseLeader() {} diff --git a/agent/consul/server.go b/agent/consul/server.go index fefb11f61..94bc01e8d 100644 --- a/agent/consul/server.go +++ b/agent/consul/server.go 
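Review bot: The new condition in `ConfigurationSet` treats any server whose `Datacenter` differs from `PrimaryDatacenter` as a secondary, so a `Config` whose `PrimaryDatacenter` was never defaulted (anything that bypasses `NewServerLogger`, such as a hand-built test config) makes every datacenter look secondary and silently skips the root-rotation path that follows the early return. The mixed `(A) || B && C` also reads as if the parentheses were meant to group the `&&` term; the compiler parses it as intended, but the intent is clearer as `if s.srv.config.Datacenter != s.srv.config.PrimaryDatacenter || (root != nil && root.ID == newActiveRoot.ID) {`. Consider hoisting the datacenter test into a small helper along the lines of `func (s *Server) inPrimaryDatacenter() bool` that also treats an empty `PrimaryDatacenter` as primary, and reusing it wherever the secondary-DC check recurs. `ConfigurationSet` begins and ends outside this hunk.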
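Review bot: `startEnterpriseLeader` and `stopEnterpriseLeader` are called in the same relative position in `establishLeadership` and `revokeLeadership` (both before the CA-pruning call), so teardown is not the reverse of setup; if the enterprise leader routines depend on CA state, `stopEnterpriseLeader()` should run after `s.stopCARootPruning()` and `s.setCAProvider(nil, nil)`, and the same ordering point applies to the second hunk of this file. The stubs also return nothing, so an enterprise start failure cannot abort leadership establishment the way the surrounding `if err != nil { return err }` checks do; giving them an `error` result, `if err := s.startEnterpriseLeader(); err != nil { return err }`, keeps the hunk consistent with its neighbours (the stub signatures are in leader_oss.go). Both enclosing functions continue outside the hunk.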
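Review bot: The comment `// Stub methods, only present in Consul Enterprise.` in leader_oss.go is misleading: these stubs are what OSS builds compile, and it is the real implementations that live in Enterprise; as written it also attaches only to `startEnterpriseLeader` as a doc comment. Give each method its own comment starting with its name, e.g. `// startEnterpriseLeader is a no-op in Consul OSS; Consul Enterprise supplies the implementation.` and `// stopEnterpriseLeader is the matching no-op called from revokeLeadership.`. The build constraint that keeps this file out of enterprise builds is not visible in the hunk, so I assume it sits at the top of the file.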
@@ -274,6 +274,15 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store) (* config.UseTLS = true } + // Set the primary DC if it wasn't set. + if config.PrimaryDatacenter == "" { + if config.ACLDatacenter != "" { + config.PrimaryDatacenter = config.ACLDatacenter + } else { + config.PrimaryDatacenter = config.Datacenter + } + } + // Create the TLS wrapper for outgoing connections. tlsConf := config.tlsConfig() tlsWrap, err := tlsConf.OutgoingTLSWrapper() diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index d28b94619..afa51d85a 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md @@ -498,7 +498,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass #### Configuration Key Reference * `acl_datacenter` - **This field is - deprecated in Consul 1.3.0. See the [`primary_datacenter`](#primary_datacenter) field instead.** + deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.** This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients, it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement
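Review bot: The defaulting block in `NewServerLogger` only runs when `PrimaryDatacenter` is empty, so a config that sets both `acl_datacenter` and `primary_datacenter` to different values passes through untouched, and servers whose configs differ could disagree about which datacenter is authoritative for ACLs and CA roots; unless the config builder already rejects that combination (not visible here), add `if config.ACLDatacenter != "" && config.PrimaryDatacenter != config.ACLDatacenter { return nil, fmt.Errorf("primary_datacenter %q does not match acl_datacenter %q", config.PrimaryDatacenter, config.ACLDatacenter) }` after the defaulting (assuming `fmt` is already imported, which the hunk does not show). Mutating the caller's `*Config` inside a constructor is also a side effect worth a comment, since any code reading `config.PrimaryDatacenter` before this point sees the empty value; resolving the default in the config builder alongside the other normalisation would avoid both issues. `NewServerLogger` continues outside the hunk.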