Avoid returning empty roots with uninitialized CA
Currently getCARoots could return an empty object with an empty trust domain before the CA is initialized. This commit returns an error while there is no CA config or no trust domain. There could be a CA config and no trust domain because the CA config can be created in InitializeCA before initialization succeeds.
This commit is contained in:
parent
69ad7c0544
commit
e6622ab0ab
|
@ -16,19 +16,23 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
if config == nil {
|
||||||
|
return nil, fmt.Errorf("CA has not finished initializing")
|
||||||
|
}
|
||||||
|
|
||||||
indexedRoots := &structs.IndexedCARoots{}
|
indexedRoots := &structs.IndexedCARoots{}
|
||||||
|
|
||||||
if config != nil {
|
// Build TrustDomain based on the ClusterID stored.
|
||||||
// Build TrustDomain based on the ClusterID stored.
|
signingID := connect.SpiffeIDSigningForCluster(config)
|
||||||
signingID := connect.SpiffeIDSigningForCluster(config)
|
if signingID == nil {
|
||||||
if signingID == nil {
|
// If CA is bootstrapped at all then this should never happen but be
|
||||||
// If CA is bootstrapped at all then this should never happen but be
|
// defensive.
|
||||||
// defensive.
|
return nil, fmt.Errorf("no cluster trust domain setup")
|
||||||
return nil, fmt.Errorf("no cluster trust domain setup")
|
}
|
||||||
}
|
|
||||||
|
|
||||||
indexedRoots.TrustDomain = signingID.Host()
|
indexedRoots.TrustDomain = signingID.Host()
|
||||||
|
if indexedRoots.TrustDomain == "" {
|
||||||
|
return nil, fmt.Errorf("CA has not finished initializing")
|
||||||
}
|
}
|
||||||
|
|
||||||
indexedRoots.Index, indexedRoots.Roots = index, roots
|
indexedRoots.Index, indexedRoots.Roots = index, roots
|
||||||
|
|
Loading…
Reference in New Issue