From 2261d51515db2abce93109101abb5b9d79fe9f19 Mon Sep 17 00:00:00 2001
From: freddygv
Date: Wed, 10 Nov 2021 10:45:22 -0700
Subject: [PATCH 1/3] Use ClusterID to check for readiness

The TrustDomain is populated from the Host() method which includes the hard-coded "consul" domain. This means that despite having an empty cluster ID, the TrustDomain won't be empty.
---
 agent/consul/server_connect.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/agent/consul/server_connect.go b/agent/consul/server_connect.go
index f42443799..32b9ef3cb 100644
--- a/agent/consul/server_connect.go
+++ b/agent/consul/server_connect.go
@@ -29,12 +29,12 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
 // defensive.
 return nil, fmt.Errorf("no cluster trust domain setup")
 }
-
- indexedRoots.TrustDomain = signingID.Host()
- if indexedRoots.TrustDomain == "" {
+ if signingID.ClusterID == "" {
 return nil, fmt.Errorf("CA has not finished initializing")
 }
 
+ indexedRoots.TrustDomain = signingID.Host()
+
 indexedRoots.Index, indexedRoots.Roots = index, roots
 if indexedRoots.Roots == nil {
 indexedRoots.Roots = make(structs.CARoots, 0)
From 5ac1ab359b55378935749e762cabd69caadfaf13 Mon Sep 17 00:00:00 2001
From: freddygv
Date: Wed, 10 Nov 2021 10:50:08 -0700
Subject: [PATCH 2/3] Move assertion to after config fetch

---
 agent/consul/server_connect.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/agent/consul/server_connect.go b/agent/consul/server_connect.go
index 32b9ef3cb..a5c569d55 100644
--- a/agent/consul/server_connect.go
+++ b/agent/consul/server_connect.go
@@ -16,7 +16,7 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
 if err != nil {
 return nil, err
 }
- if config == nil {
+ if config == nil || config.ClusterID == "" {
 return nil, fmt.Errorf("CA has not finished initializing")
 }
 
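Review bot: The new readiness guard `if config == nil || config.ClusterID == ""` in the `@@ -16,7 +16,7 @@` hunk of patch 2/3 has no comment saying why an empty cluster ID means "not initialized"; that reasoning exists only in the message of patch 1/3. I would add above it `// An empty ClusterID means the CA is still initializing; the trust domain cannot signal this because Host() always includes the "consul" domain.` Nothing in this series tests the empty-ClusterID path, so a unit test asserting that getCARoots returns this error instead of roots whose TrustDomain lacks a cluster ID would guard against the check drifting again. Both states also share one untyped `fmt.Errorf` string, so callers that want to retry on "not ready" presumably have to match on text; a package-level sentinel error would make that explicit. getCARoots begins and ends outside the hunk.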
@@ -29,9 +29,6 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
 // defensive.
 return nil, fmt.Errorf("no cluster trust domain setup")
 }
- if signingID.ClusterID == "" {
- return nil, fmt.Errorf("CA has not finished initializing")
- }
 
 indexedRoots.TrustDomain = signingID.Host()
 
From 2d2ff0ae399f4bfb8eb9ff37001e3f70dc2c2af5 Mon Sep 17 00:00:00 2001
From: freddygv
Date: Wed, 10 Nov 2021 12:00:00 -0700
Subject: [PATCH 3/3] Bump retry time for cross-DC RPC

The secondary DC now takes longer to populate the MGW snapshot because it needs to wait for the secondary CA to be initialized before it can receive roots and generate xDS config. Previously MGWs could receive empty roots before the CA was initialized. This wasn't necessarily a problem since the cluster ID in the trust domain isn't verified.
---
 .../connect/envoy/case-wanfed-gw/primary/verify.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/integration/connect/envoy/case-wanfed-gw/primary/verify.bats b/test/integration/connect/envoy/case-wanfed-gw/primary/verify.bats
index 3c9d89998..5be23d04c 100644
--- a/test/integration/connect/envoy/case-wanfed-gw/primary/verify.bats
+++ b/test/integration/connect/envoy/case-wanfed-gw/primary/verify.bats
@@ -23,7 +23,7 @@ load helpers
 }
 
 @test "primary should be able to rpc to the secondary" {
- retry_default curl -sL -f -XPUT localhost:8500/v1/kv/foo?dc=secondary -d'{"Value":"bar"}'
+ retry_long curl -sL -f -XPUT localhost:8500/v1/kv/foo?dc=secondary -d'{"Value":"bar"}'
 }
 
 @test "wan pool should show 2 healthy nodes" {
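Review bot: The switch to `retry_long` in the "primary should be able to rpc to the secondary" test is explained only in the commit message, so a later reader of verify.bats cannot tell why this one test waits longer than its neighbours. I would add a line above the command such as `# retry_long: the secondary CA must finish initializing before the gateway receives roots and xDS config`. The URL `localhost:8500/v1/kv/foo?dc=secondary` is also unquoted, which relies on the shell not glob-matching the `?`; quoting it would be more robust, though that predates this change.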