ca: remove unused provider.ActiveRoot call

In the previous commit the single use of this storedRoot was removed.

In this commit the original objective is completed. The
Provider.ActiveRoot is being removed because

1. the secondary should get the active root from the Consul primary DC,
   not the provider, so that secondary DCs do not need to communicate
   with a provider instance in a different DC.
2. so that the Provider.ActiveRoot interface can be changed without
   impacting other code paths.
Daniel Nephin 2021-11-25 16:33:48 -05:00
parent d0578c6dfc
commit 0de7efb316
2 changed files with 14 additions and 48 deletions


@ -621,48 +621,22 @@ func (c *CAManager) secondaryInitializeIntermediateCA(provider ca.Provider, conf
return err return err
} }
var ( _, activeRoot, err := c.delegate.State().CARootActive(nil)
storedRootID string if err != nil {
expectedSigningKeyID string return err
currentSigningKeyID string }
activeSecondaryRoot *structs.CARoot var currentSigningKeyID string
) if activeRoot != nil {
currentSigningKeyID = activeRoot.SigningKeyID
}
var expectedSigningKeyID string
if activeIntermediate != "" { if activeIntermediate != "" {
// In the event that we already have an intermediate, we must have
// already replicated some primary root information locally, so check
// to see if we're up to date by fetching the rootID and the
// signingKeyID used in the secondary.
//
// Note that for the same rootID the primary representation of the root
// will have a different SigningKeyID field than the secondary
// representation of the same root. This is because it's derived from
// the intermediate which is different in all datacenters.
storedRoot, err := provider.ActiveRoot()
if err != nil {
return err
}
storedRootID, err = connect.CalculateCertFingerprint(storedRoot)
if err != nil {
return fmt.Errorf("error parsing root fingerprint: %v, %#v", err, storedRoot)
}
intermediateCert, err := connect.ParseCert(activeIntermediate) intermediateCert, err := connect.ParseCert(activeIntermediate)
if err != nil { if err != nil {
return fmt.Errorf("error parsing active intermediate cert: %v", err) return fmt.Errorf("error parsing active intermediate cert: %v", err)
} }
expectedSigningKeyID = connect.EncodeSigningKeyID(intermediateCert.SubjectKeyId) expectedSigningKeyID = connect.EncodeSigningKeyID(intermediateCert.SubjectKeyId)
// This will fetch the secondary's exact current representation of the
// active root. Note that this data should only be used if the IDs
// match, otherwise it's out of date and should be regenerated.
_, activeSecondaryRoot, err = c.delegate.State().CARootActive(nil)
if err != nil {
return err
}
if activeSecondaryRoot != nil {
currentSigningKeyID = activeSecondaryRoot.SigningKeyID
}
} }
newActiveRoot, err := c.secondaryGetActivePrimaryCARoot() newActiveRoot, err := c.secondaryGetActivePrimaryCARoot()
@ -670,12 +644,10 @@ func (c *CAManager) secondaryInitializeIntermediateCA(provider ca.Provider, conf
return err return err
} }
_ = storedRootID // TODO: will be removed in the next commit
// Get a signed intermediate from the primary DC if the provider // Get a signed intermediate from the primary DC if the provider
// hasn't been initialized yet or if the primary's root has changed. // hasn't been initialized yet or if the primary's root has changed.
needsNewIntermediate := false needsNewIntermediate := activeIntermediate == ""
if activeIntermediate == "" { if activeRoot != nil && newActiveRoot.ID != activeRoot.ID {
needsNewIntermediate = true needsNewIntermediate = true
} }
@ -694,14 +666,7 @@ func (c *CAManager) secondaryInitializeIntermediateCA(provider ca.Provider, conf
} else { } else {
// Discard the primary's representation since our local one is // Discard the primary's representation since our local one is
// sufficiently up to date. // sufficiently up to date.
newActiveRoot = activeSecondaryRoot newActiveRoot = activeRoot
}
// Update the roots list in the state store if there's a new active root.
state := c.delegate.State()
_, activeRoot, err := state.CARootActive(nil)
if err != nil {
return err
} }
// Determine whether a root update is needed, and persist the roots/config accordingly. // Determine whether a root update is needed, and persist the roots/config accordingly.
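Review bot: The rationale that a secondary's SigningKeyID for a root differs from the primary's representation of the same root (because it is derived from the per-datacenter intermediate) is dropped with the removed comment block in the first hunk, yet the new code still compares the two key IDs: `currentSigningKeyID` is taken from the state-store root and `expectedSigningKeyID` from the local intermediate. Keep a condensed version above `var expectedSigningKeyID string`, e.g. `// expectedSigningKeyID comes from the local intermediate, so for the same root ID it differs from the primary's SigningKeyID.` In the second hunk the two-step assignment could be a single expression, `needsNewIntermediate := activeIntermediate == "" || (activeRoot != nil && newActiveRoot.ID != activeRoot.ID)`. When `activeRoot` is nil but an intermediate exists, that condition skips the root-ID comparison; whether the later signing-key comparison still forces a refresh in that case cannot be confirmed from these hunks, since secondaryInitializeIntermediateCA continues outside them.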


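--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -144,6 +144,7 @@ func WaitForTestAgent(t *testing.T, rpc rpcFn, dc string, options ...waitOption)
 // raft leadership is gained so WaitForLeader isn't sufficient to be sure that
 // the CA is fully initialized.
 func WaitForActiveCARoot(t *testing.T, rpc rpcFn, dc string, expect *structs.CARoot) {
+t.Helper()
 retry.Run(t, func(r *retry.R) {
 args := &structs.DCSpecificRequest{
 Datacenter: dc,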