From da5bcc574e44ded513b8ff6a0f150d77c296b04b Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 10 Nov 2021 10:45:22 -0700 Subject: [PATCH 1/3] Use ClusterID to check for readiness The TrustDomain is populated from the Host() method which includes the hard-coded "consul" domain. This means that despite having an empty cluster ID, the TrustDomain won't be empty. --- agent/consul/server_connect.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/agent/consul/server_connect.go b/agent/consul/server_connect.go index f424437996..32b9ef3cb7 100644 --- a/agent/consul/server_connect.go +++ b/agent/consul/server_connect.go @@ -29,12 +29,12 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind // defensive. return nil, fmt.Errorf("no cluster trust domain setup") } - - indexedRoots.TrustDomain = signingID.Host() - if indexedRoots.TrustDomain == "" { + if signingID.ClusterID == "" { return nil, fmt.Errorf("CA has not finished initializing") } + indexedRoots.TrustDomain = signingID.Host() + indexedRoots.Index, indexedRoots.Roots = index, roots if indexedRoots.Roots == nil { indexedRoots.Roots = make(structs.CARoots, 0) From 400697507b474432ede5d36cf4bf2e26ee240e8c Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 10 Nov 2021 10:50:08 -0700 Subject: [PATCH 2/3] Move assertion to after config fetch --- agent/consul/server_connect.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/agent/consul/server_connect.go b/agent/consul/server_connect.go index 32b9ef3cb7..a5c569d550 100644 --- a/agent/consul/server_connect.go +++ b/agent/consul/server_connect.go @@ -16,7 +16,7 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind if err != nil { return nil, err } - if config == nil { + if config == nil || config.ClusterID == "" { return nil, fmt.Errorf("CA has not finished initializing") } @@ -29,9 +29,6 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind // defensive. return nil, fmt.Errorf("no cluster trust domain setup") } - if signingID.ClusterID == "" { - return nil, fmt.Errorf("CA has not finished initializing") - } indexedRoots.TrustDomain = signingID.Host() From d6c26ea59888ecf302b0a62053be795ad088ae73 Mon Sep 17 00:00:00 2001 From: freddygv Date: Wed, 10 Nov 2021 12:00:00 -0700 Subject: [PATCH 3/3] Bump retry time for cross-DC RPC The secondary DC now takes longer to populate the MGW snapshot because it needs to wait for the secondary CA to be initialized before it can receive roots and generate xDS config. Previously MGWs could receive empty roots before the CA was initialized. This wasn't necessarily a problem since the cluster ID in the trust domain isn't verified. --- .../connect/envoy/case-wanfed-gw/primary/verify.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/connect/envoy/case-wanfed-gw/primary/verify.bats b/test/integration/connect/envoy/case-wanfed-gw/primary/verify.bats index 3c9d899985..5be23d04c0 100644 --- a/test/integration/connect/envoy/case-wanfed-gw/primary/verify.bats +++ b/test/integration/connect/envoy/case-wanfed-gw/primary/verify.bats @@ -23,7 +23,7 @@ load helpers } @test "primary should be able to rpc to the secondary" { - retry_default curl -sL -f -XPUT localhost:8500/v1/kv/foo?dc=secondary -d'{"Value":"bar"}' + retry_long curl -sL -f -XPUT localhost:8500/v1/kv/foo?dc=secondary -d'{"Value":"bar"}' } @test "wan pool should show 2 healthy nodes" {