Initialize the agent leaf cert cache result with a state to prevent unnecessary second certificate signing

2020-06-29 15:46:34 -04:00 · 2020-06-29 15:46:34 -04:00 · e9e88e4527
parent fa42d9b34f
commit e9e88e4527
2 changed files with 20 additions and 1 deletions
--- a/agent/agent.go
+++ b/agent/agent.go
@ -877,7 +877,17 @@ func (a *Agent) setupClientAutoEncryptCache(reply *structs.SignedResponse) (*str
 	}

 	// prepolutate leaf cache
-	certRes := cache.FetchResult{Value: &reply.IssuedCert, Index: reply.ConnectCARoots.QueryMeta.Index}
+	certRes := cache.FetchResult{
+		Value: &reply.IssuedCert,
+		Index: reply.ConnectCARoots.QueryMeta.Index,
+	}
+
+	for _, ca := range reply.ConnectCARoots.Roots {
+		if ca.ID == reply.ConnectCARoots.ActiveRootID {
+			certRes.State = cachetype.ConnectCALeafSuccess(ca.SigningKeyID)
+			break
+		}
+	}
 	if err := a.cache.Prepopulate(cachetype.ConnectCALeafName, certRes, a.config.Datacenter, a.tokens.AgentToken(), leafReq.Key()); err != nil {
 		return nil, nil, err
 	}
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@ -121,6 +121,15 @@ type fetchState struct {
 	consecutiveRateLimitErrs int
 }

+func ConnectCALeafSuccess(authorityKeyID string) interface{} {
+	return fetchState{
+		authorityKeyID:           authorityKeyID,
+		forceExpireAfter:         time.Time{},
+		consecutiveRateLimitErrs: 0,
+		activeRootRotationStart:  time.Time{},
+	}
+}
+
 // fetchStart is called on each fetch that is about to block and wait for
 // changes to the leaf. It subscribes a chan to receive updates from the shared
 // root watcher and triggers root watcher if it's not already running.