From ca916eec32f20f7b57b8700eb3e3de7bfba4576b Mon Sep 17 00:00:00 2001
From: "R.B. Boyer" <4903+rboyer@users.noreply.github.com>
Date: Mon, 17 Oct 2022 13:24:27 -0500
Subject: [PATCH] ca: fix a masked bug in leaf cert generation that would not
 be notified of root cert rotation after the first one (#15005)

In practice this was masked by #14956 and was only uncovered fixing the
other bug.

  go test ./agent -run TestAgentConnectCALeafCert_goodNotLocal

would fail when only #14956 was fixed.
---
 .changelog/15005.txt                 | 3 +++
 agent/cache-types/connect_ca_leaf.go | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 .changelog/15005.txt

diff --git a/.changelog/15005.txt b/.changelog/15005.txt
new file mode 100644
index 000000000..f5a1b97ec
--- /dev/null
+++ b/.changelog/15005.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one
+```
diff --git a/agent/cache-types/connect_ca_leaf.go b/agent/cache-types/connect_ca_leaf.go
index b93882c23..0e326e054 100644
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@@ -165,6 +165,7 @@ func (c *ConnectCALeaf) fetchDone(rootUpdateCh chan struct{}) {
 	if len(c.rootWatchSubscribers) == 0 && c.rootWatchCancel != nil {
 		// This was the last request. Stop the root watcher.
 		c.rootWatchCancel()
+		c.rootWatchCancel = nil
 	}
 }