Secondary CA `establishLeadership` fix (#6383)

This prevents ACL issues (or other issues) during intermediate CA cert signing from failing leader establishment.
2019-08-23 11:32:37 -04:00 · 2019-08-23 11:32:37 -04:00 · 89ac998e8b
parent 37f89f8ffe
commit 89ac998e8b
2 changed files with 9 additions and 4 deletions
--- a/agent/consul/leader_connect.go
+++ b/agent/consul/leader_connect.go
@ -382,11 +382,13 @@ func (s *Server) initializeSecondaryCA(provider ca.Provider, roots structs.Index

 		var intermediatePEM string
 		if err := s.forwardDC("ConnectCA.SignIntermediate", s.config.PrimaryDatacenter, s.generateCASignRequest(csr), &intermediatePEM); err != nil {
-			return err
+			// this is a failure in the primary and shouldn't be capable of erroring out our establishing leadership
+			s.logger.Printf("[WARN] connect: Primary datacenter refused to sign our intermediate CA certificate: %v", err)
+			return nil
 		}

 		if err := provider.SetIntermediate(intermediatePEM, newActiveRoot.RootCert); err != nil {
-			return err
+			return fmt.Errorf("Failed to set the intermediate certificate with the CA provider: %v", err)
 		}

 		// Append the new intermediate to our local active root entry.
--- a/agent/consul/leader_connect_test.go
+++ b/agent/consul/leader_connect_test.go
@ -471,6 +471,8 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 		c.ACLsEnabled = true
 		c.ACLMasterToken = "root"
 		c.ACLDefaultPolicy = "deny"
+		// set the build to ensure all the version checks pass and enable all the connect features that operate cross-dc
+		c.Build = "1.6.0"
 	})
 	defer os.RemoveAll(dir1)
 	defer s1.Shutdown()
@ -482,10 +484,10 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 	s1.tokens.UpdateAgentToken("root", tokenStore.TokenSourceConfig)

 	// create some tokens
-	replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`)
+	replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
 	require.NoError(err)

-	replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`)
+	replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
 	require.NoError(err)

 	// dc2 as a secondary DC
@ -496,6 +498,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
 		c.ACLsEnabled = true
 		c.ACLDefaultPolicy = "deny"
 		c.ACLTokenReplication = false
+		c.Build = "1.6.0"
 	})
 	defer os.RemoveAll(dir2)
 	defer s2.Shutdown()