fix aws pca certs (#11470)
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
parent
4789e3a4d0
commit
e7ffef54ee
|
@ -359,15 +359,15 @@ func (a *AWSProvider) loadCACerts() error {
|
|||
|
||||
if a.isPrimary {
|
||||
// Just use the cert as a root
|
||||
a.rootPEM = *output.Certificate
|
||||
a.rootPEM = EnsureTrailingNewline(*output.Certificate)
|
||||
} else {
|
||||
a.intermediatePEM = *output.Certificate
|
||||
a.intermediatePEM = EnsureTrailingNewline(*output.Certificate)
|
||||
// TODO(banks) support user-supplied CA being a Subordinate even in the
|
||||
// primary DC. For now this assumes there is only one cert in the chain
|
||||
if output.CertificateChain == nil {
|
||||
return fmt.Errorf("Subordinate CA %s returned no chain", a.arn)
|
||||
}
|
||||
a.rootPEM = *output.CertificateChain
|
||||
a.rootPEM = EnsureTrailingNewline(*output.CertificateChain)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
@ -485,7 +485,7 @@ func (a *AWSProvider) signCSR(csrPEM string, templateARN string, ttl time.Durati
|
|||
}
|
||||
|
||||
if certOutput.Certificate != nil {
|
||||
return true, *certOutput.Certificate, nil
|
||||
return true, EnsureTrailingNewline(*certOutput.Certificate), nil
|
||||
}
|
||||
|
||||
return false, "", nil
|
||||
|
@ -540,9 +540,9 @@ func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string) er
|
|||
return err
|
||||
}
|
||||
|
||||
// We succsefully initialized, keep track of the root and intermediate certs.
|
||||
a.rootPEM = rootPEM
|
||||
a.intermediatePEM = intermediatePEM
|
||||
// We successfully initialized, keep track of the root and intermediate certs.
|
||||
a.rootPEM = EnsureTrailingNewline(rootPEM)
|
||||
a.intermediatePEM = EnsureTrailingNewline(intermediatePEM)
|
||||
|
||||
return nil
|
||||
}
|
||||
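Review bot: In loadCACerts, `*output.Certificate` is dereferenced in both branches with no nil check visible in the hunk, while `output.CertificateChain` a few lines below is checked before use. The function starts outside the visible lines, so the guard may already exist above; if it does not, a response without a certificate would panic the provider instead of returning an error. Consider `if output.Certificate == nil { return fmt.Errorf("CA %s returned no certificate", a.arn) }` ahead of the `if a.isPrimary` branch. Separately, the newline normalisation now has to be repeated at every assignment to `a.rootPEM` and `a.intermediatePEM`; a short comment on those fields stating that stored PEM always ends in a newline would help the next writer keep that invariant.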
|
|
|
@ -3,6 +3,7 @@ package ca
|
|||
import (
|
||||
"os"
|
||||
"strconv"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
|
@ -114,7 +115,7 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {
|
|||
|
||||
// TEST LOAD FROM PREVIOUS STATE
|
||||
{
|
||||
// Now create new providers fromthe state of the first ones simulating
|
||||
// Now create new providers from the state of the first ones simulating
|
||||
// leadership change in both DCs
|
||||
t.Log("Restarting Providers with State")
|
||||
|
||||
|
@ -179,6 +180,28 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {
|
|||
testSignAndValidate(t, p1, rootPEM, nil)
|
||||
testSignAndValidate(t, p2, rootPEM, []string{intPEM})
|
||||
}
|
||||
|
||||
// Test that SetIntermediate() gives back certs with trailing new lines
|
||||
{
|
||||
|
||||
// "Set" root, intermediate certs without a trailing new line
|
||||
newIntPEM := strings.TrimSuffix(intPEM, "\n")
|
||||
newRootPEM := strings.TrimSuffix(rootPEM, "\n")
|
||||
|
||||
cfg2 := testProviderConfigSecondary(t, map[string]interface{}{
|
||||
"ExistingARN": p2State[AWSStateCAARNKey],
|
||||
})
|
||||
p2 = testAWSProvider(t, cfg2)
|
||||
require.NoError(t, p2.SetIntermediate(newIntPEM, newRootPEM))
|
||||
|
||||
newRootPEM, err = p1.ActiveRoot()
|
||||
require.NoError(t, err)
|
||||
newIntPEM, err = p2.ActiveIntermediate()
|
||||
require.NoError(t, err)
|
||||
|
||||
require.Equal(t, rootPEM, newRootPEM)
|
||||
require.Equal(t, intPEM, newIntPEM)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAWSBootstrapAndSignSecondaryConsul(t *testing.T) {
|
||||
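Review bot: The new block reads the root back with `p1.ActiveRoot()`, but the trimmed root was passed to `p2.SetIntermediate`, so `require.Equal(t, rootPEM, newRootPEM)` does not exercise the root normalisation this commit adds. It presumably passes whether or not `SetIntermediate` appends the newline to `rootPEM`, since p1 never received the trimmed value. Reading from the provider under test, `newRootPEM, err = p2.ActiveRoot()`, would cover both assignments. The block sits inside TestAWSBootstrapAndSignSecondary, whose start is outside the hunk.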
|
|