ca: remove unused provider.ActiveRoot call
In the previous commit the single use of this storedRoot was removed. In this commit the original objective is completed. Provider.ActiveRoot is being removed for two reasons: (1) the secondary should get the active root from the Consul primary DC, not from the provider, so that secondary DCs do not need to communicate with a provider instance in a different DC; and (2) so that the Provider.ActiveRoot interface can be changed without impacting other code paths.
This commit is contained in:
parent
d0578c6dfc
commit
0de7efb316
|
@ -621,48 +621,22 @@ func (c *CAManager) secondaryInitializeIntermediateCA(provider ca.Provider, conf
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
_, activeRoot, err := c.delegate.State().CARootActive(nil)
|
||||||
storedRootID string
|
if err != nil {
|
||||||
expectedSigningKeyID string
|
return err
|
||||||
currentSigningKeyID string
|
}
|
||||||
activeSecondaryRoot *structs.CARoot
|
var currentSigningKeyID string
|
||||||
)
|
if activeRoot != nil {
|
||||||
|
currentSigningKeyID = activeRoot.SigningKeyID
|
||||||
|
}
|
||||||
|
|
||||||
|
var expectedSigningKeyID string
|
||||||
if activeIntermediate != "" {
|
if activeIntermediate != "" {
|
||||||
// In the event that we already have an intermediate, we must have
|
|
||||||
// already replicated some primary root information locally, so check
|
|
||||||
// to see if we're up to date by fetching the rootID and the
|
|
||||||
// signingKeyID used in the secondary.
|
|
||||||
//
|
|
||||||
// Note that for the same rootID the primary representation of the root
|
|
||||||
// will have a different SigningKeyID field than the secondary
|
|
||||||
// representation of the same root. This is because it's derived from
|
|
||||||
// the intermediate which is different in all datacenters.
|
|
||||||
storedRoot, err := provider.ActiveRoot()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
storedRootID, err = connect.CalculateCertFingerprint(storedRoot)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("error parsing root fingerprint: %v, %#v", err, storedRoot)
|
|
||||||
}
|
|
||||||
|
|
||||||
intermediateCert, err := connect.ParseCert(activeIntermediate)
|
intermediateCert, err := connect.ParseCert(activeIntermediate)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error parsing active intermediate cert: %v", err)
|
return fmt.Errorf("error parsing active intermediate cert: %v", err)
|
||||||
}
|
}
|
||||||
expectedSigningKeyID = connect.EncodeSigningKeyID(intermediateCert.SubjectKeyId)
|
expectedSigningKeyID = connect.EncodeSigningKeyID(intermediateCert.SubjectKeyId)
|
||||||
|
|
||||||
// This will fetch the secondary's exact current representation of the
|
|
||||||
// active root. Note that this data should only be used if the IDs
|
|
||||||
// match, otherwise it's out of date and should be regenerated.
|
|
||||||
_, activeSecondaryRoot, err = c.delegate.State().CARootActive(nil)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if activeSecondaryRoot != nil {
|
|
||||||
currentSigningKeyID = activeSecondaryRoot.SigningKeyID
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
newActiveRoot, err := c.secondaryGetActivePrimaryCARoot()
|
newActiveRoot, err := c.secondaryGetActivePrimaryCARoot()
|
||||||
|
@ -670,12 +644,10 @@ func (c *CAManager) secondaryInitializeIntermediateCA(provider ca.Provider, conf
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
_ = storedRootID // TODO: will be removed in the next commit
|
|
||||||
|
|
||||||
// Get a signed intermediate from the primary DC if the provider
|
// Get a signed intermediate from the primary DC if the provider
|
||||||
// hasn't been initialized yet or if the primary's root has changed.
|
// hasn't been initialized yet or if the primary's root has changed.
|
||||||
needsNewIntermediate := false
|
needsNewIntermediate := activeIntermediate == ""
|
||||||
if activeIntermediate == "" {
|
if activeRoot != nil && newActiveRoot.ID != activeRoot.ID {
|
||||||
needsNewIntermediate = true
|
needsNewIntermediate = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -694,14 +666,7 @@ func (c *CAManager) secondaryInitializeIntermediateCA(provider ca.Provider, conf
|
||||||
} else {
|
} else {
|
||||||
// Discard the primary's representation since our local one is
|
// Discard the primary's representation since our local one is
|
||||||
// sufficiently up to date.
|
// sufficiently up to date.
|
||||||
newActiveRoot = activeSecondaryRoot
|
newActiveRoot = activeRoot
|
||||||
}
|
|
||||||
|
|
||||||
// Update the roots list in the state store if there's a new active root.
|
|
||||||
state := c.delegate.State()
|
|
||||||
_, activeRoot, err := state.CARootActive(nil)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Determine whether a root update is needed, and persist the roots/config accordingly.
|
// Determine whether a root update is needed, and persist the roots/config accordingly.
|
||||||
|
|
|
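Review bot: The comment block deleted in the first hunk is the only place that explained why the primary and secondary representations of the same root share an ID but carry different SigningKeyID values, and the new `if activeRoot != nil && newActiveRoot.ID != activeRoot.ID` check in the second hunk still depends on exactly that fact, so a future reader has no hint why roots are compared by ID while intermediates are compared by signing key. I would restore a condensed version above `var expectedSigningKeyID string`: `// The primary's and secondary's copies of the same root share an ID but differ in SigningKeyID (it is derived from the per-DC intermediate), so roots are compared by ID and the local intermediate by signing key.` A second, hedged point: `activeRoot` is now read once before the `secondaryGetActivePrimaryCARoot()` round-trip and reused both for the needsNewIntermediate decision and for the else-branch `newActiveRoot = activeRoot`, whereas the old code re-read the state store after that call; this is fine if the caller holds the CA manager's lock across the whole function, but if not, a root rotation that lands during the primary RPC would be compared against a stale snapshot — worth confirming. secondaryInitializeIntermediateCA begins before the first hunk and continues past the last one, so the later persist logic that consumes these values is not visible here.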
@ -144,6 +144,7 @@ func WaitForTestAgent(t *testing.T, rpc rpcFn, dc string, options ...waitOption)
|
||||||
// raft leadership is gained so WaitForLeader isn't sufficient to be sure that
|
// raft leadership is gained so WaitForLeader isn't sufficient to be sure that
|
||||||
// the CA is fully initialized.
|
// the CA is fully initialized.
|
||||||
func WaitForActiveCARoot(t *testing.T, rpc rpcFn, dc string, expect *structs.CARoot) {
|
func WaitForActiveCARoot(t *testing.T, rpc rpcFn, dc string, expect *structs.CARoot) {
|
||||||
|
t.Helper()
|
||||||
retry.Run(t, func(r *retry.R) {
|
retry.Run(t, func(r *retry.R) {
|
||||||
args := &structs.DCSpecificRequest{
|
args := &structs.DCSpecificRequest{
|
||||||
Datacenter: dc,
|
Datacenter: dc,
|
||||||
|
|