Note leadership issues in comments

2018-06-20 13:12:03 +01:00 · 2018-06-20 13:12:03 +01:00 · b4fbeb0453
parent 21fb98ad5a
commit b4fbeb0453
1 changed files with 9 additions and 0 deletions
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@ -433,6 +433,12 @@ func (s *Server) initializeCA() error {
 		return err
 	}

+	// TODO(banks): in the case that we've just gained leadership in an already
+	// configured cluster. We really need to fetch RootCA from state to provide it
+	// in setCAProvider. This matters because if the current active root has
+	// intermediates, parsing the rootCA from only the root cert PEM above will
+	// not include them and so leafs we sign will not bundle the intermediates.
+
 	s.setCAProvider(provider, rootCA)

 	// Check if the CA root is already initialized and exit if it is.
@ -445,6 +451,9 @@ func (s *Server) initializeCA() error {
 	}
 	if activeRoot != nil {
 		if activeRoot.ID != rootCA.ID {
+			// TODO(banks): this seems like a pretty catastrophic state to get into.
+			// Shouldn't we do something stronger than warn and continue signing with
+			// a key that's not the active CA according to the state?
 			s.logger.Printf("[WARN] connect: CA root %q is not the active root (%q)", rootCA.ID, activeRoot.ID)
 		}
 		return nil