From e6622ab0ab2959877176a3291bd089d8cffc14ca Mon Sep 17 00:00:00 2001
From: freddygv
Date: Mon, 8 Nov 2021 16:51:49 -0700
Subject: [PATCH] Avoid returning empty roots with uninitialized CA
Currently getCARoots could return an empty object with an empty trust domain before the CA is initialized. This commit returns an error while there is no CA config or no trust domain. There could be a CA config and no trust domain because the CA config can be created in InitializeCA before initialization succeeds.
---
 agent/consul/server_connect.go | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/agent/consul/server_connect.go b/agent/consul/server_connect.go
index 09453a5ee..f42443799 100644
--- a/agent/consul/server_connect.go
+++ b/agent/consul/server_connect.go
@@ -16,19 +16,23 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
 if err != nil {
 return nil, err
 }
+ if config == nil {
+ return nil, fmt.Errorf("CA has not finished initializing")
+ }
 indexedRoots := &structs.IndexedCARoots{}
- if config != nil {
- // Build TrustDomain based on the ClusterID stored.
- signingID := connect.SpiffeIDSigningForCluster(config)
- if signingID == nil {
- // If CA is bootstrapped at all then this should never happen but be
- // defensive.
- return nil, fmt.Errorf("no cluster trust domain setup")
- }
+ // Build TrustDomain based on the ClusterID stored.
+ signingID := connect.SpiffeIDSigningForCluster(config)
+ if signingID == nil {
+ // If CA is bootstrapped at all then this should never happen but be
+ // defensive.
+ return nil, fmt.Errorf("no cluster trust domain setup")
+ }
- indexedRoots.TrustDomain = signingID.Host()
+ indexedRoots.TrustDomain = signingID.Host()
+ if indexedRoots.TrustDomain == "" {
+ return nil, fmt.Errorf("CA has not finished initializing")
 }
 indexedRoots.Index, indexedRoots.Roots = index, roots
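Review bot: Both new fail-closed returns in getCARoots (the `config == nil` guard and the empty `TrustDomain` check) build the same ad hoc `fmt.Errorf("CA has not finished initializing")` value, so an in-process caller that should retry while the CA is still starting can only recognise the condition by matching the message text. A package-level sentinel, for example `var errCANotInitialized = errors.New("CA has not finished initializing")`, returned from both places would keep the message in one spot and let such callers use `errors.Is`. The diffstat shows only server_connect.go changing, so a test covering a nil CA config and a config that yields an empty trust domain would pin the two states in which roots with an empty trust domain used to be returned. The body of getCARoots starts and ends outside this hunk.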