Secondary CA `establishLeadership` fix (#6383)

This prevents ACL issues (or other issues) during intermediate CA cert signing from failing leader establishment.
This commit is contained in:
Matt Keeler 2019-08-23 11:32:37 -04:00 committed by GitHub
parent 37f89f8ffe
commit 89ac998e8b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 4 deletions

View File

@ -382,11 +382,13 @@ func (s *Server) initializeSecondaryCA(provider ca.Provider, roots structs.Index
var intermediatePEM string
if err := s.forwardDC("ConnectCA.SignIntermediate", s.config.PrimaryDatacenter, s.generateCASignRequest(csr), &intermediatePEM); err != nil {
return err
// this is a failure in the primary and shouldn't be capable of erroring out our establishing leadership
s.logger.Printf("[WARN] connect: Primary datacenter refused to sign our intermediate CA certificate: %v", err)
return nil
}
if err := provider.SetIntermediate(intermediatePEM, newActiveRoot.RootCert); err != nil {
return err
return fmt.Errorf("Failed to set the intermediate certificate with the CA provider: %v", err)
}
// Append the new intermediate to our local active root entry.

View File

@ -471,6 +471,8 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
c.ACLsEnabled = true
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
// set the build to ensure all the version checks pass and enable all the connect features that operate cross-dc
c.Build = "1.6.0"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
@ -482,10 +484,10 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
s1.tokens.UpdateAgentToken("root", tokenStore.TokenSourceConfig)
// create some tokens
replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`)
replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
require.NoError(err)
replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`)
replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
require.NoError(err)
// dc2 as a secondary DC
@ -496,6 +498,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
c.ACLsEnabled = true
c.ACLDefaultPolicy = "deny"
c.ACLTokenReplication = false
c.Build = "1.6.0"
})
defer os.RemoveAll(dir2)
defer s2.Shutdown()