diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go
index 1e04f6733e..4cdb72ff7c 100644
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@@ -178,7 +178,7 @@ func (s *ConnectCA) ConfigurationSet(
 newRoot := *r
 if newRoot.Active {
 newRoot.Active = false
- newRoot.RotateOutAt = time.Now().Add(caRootExpireDuration)
+ newRoot.RotatedOutAt = time.Now()
 }
 newRoots = append(newRoots, &newRoot)
 }
diff --git a/agent/consul/leader.go b/agent/consul/leader.go
index 2b0497dc38..8b32226dcb 100644
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@@ -33,7 +33,7 @@ var (
 caRootPruneInterval = time.Hour
 // caRootExpireDuration is the duration after which an inactive root is considered
- // "expired".
+ // "expired". Currently this is based on the default leaf cert TTL of 3 days.
 caRootExpireDuration = 7 * 24 * time.Hour
 // minAutopilotVersion is the minimum Consul version in which Autopilot features
@@ -568,10 +568,6 @@ func (s *Server) setCAProvider(newProvider ca.Provider, root *structs.CARoot) {
 // startCARootPruning starts a goroutine that looks for stale CARoots
 // and removes them from the state store.
 func (s *Server) startCARootPruning() {
- if !s.config.ConnectEnabled {
- return
- }
-
 s.caPruningLock.Lock()
 defer s.caPruningLock.Unlock()
@@ -602,6 +598,10 @@ func (s *Server) startCARootPruning() {
 // pruneCARoots looks for any CARoots that have been rotated out and expired.
 func (s *Server) pruneCARoots() error {
+ if !s.config.ConnectEnabled {
+ return nil
+ }
+
 idx, roots, err := s.fsm.State().CARoots(nil)
 if err != nil {
 return err
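Review bot: Roots that were rotated out before this commit may never be pruned: the field is renamed from RotateOutAt to RotatedOutAt, so if the persisted FSM/snapshot encoding is keyed by field name, existing inactive roots decode with a zero RotatedOutAt, which the pruning check skips, and this branch only sets the new field for roots that are Active at the moment of the call. This is inferred from the rename rather than visible in the hunk, so confirm it against the state encoding; if it holds, a comment such as `// Roots deactivated before RotatedOutAt existed keep a zero value and are never pruned.` or a one-time backfill would make the behaviour explicit. ConfigurationSet starts and ends outside this hunk.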
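Review bot: The new comment says the expiry is based on the default leaf cert TTL of 3 days, but the value on the next line is `7 * 24 * time.Hour`, so a reader cannot tell whether the constant or the comment is wrong. State the relationship explicitly, e.g. `// "expired". It is deliberately longer than the default leaf cert TTL (3 days) so that leaf certs signed by a rotated-out root expire before the root is pruned.` — assuming that is the intent, which the hunk does not show. If the leaf TTL is configurable, it is also worth noting next to the constant that a TTL longer than this value would allow a root to be pruned while certs it signed are still valid.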
@@ -609,7 +609,7 @@ func (s *Server) pruneCARoots() error {
 var newRoots structs.CARoots
 for _, r := range roots {
- if !r.Active && !r.RotateOutAt.IsZero() && r.RotateOutAt.Before(time.Now()) {
+ if !r.Active && !r.RotatedOutAt.IsZero() && time.Now().Sub(r.RotatedOutAt) > caRootExpireDuration {
 s.logger.Printf("[INFO] connect: pruning old unused root CA (ID: %s)", r.ID)
 continue
 }
@@ -640,10 +640,6 @@ func (s *Server) pruneCARoots() error {
 // stopCARootPruning stops the CARoot pruning process.
 func (s *Server) stopCARootPruning() {
- if !s.config.ConnectEnabled {
- return
- }
-
 s.caPruningLock.Lock()
 defer s.caPruningLock.Unlock()
diff --git a/agent/structs/connect_ca.go b/agent/structs/connect_ca.go
index 52b9c16f15..375a7df325 100644
--- a/agent/structs/connect_ca.go
+++ b/agent/structs/connect_ca.go
@@ -73,10 +73,10 @@ type CARoot struct {
 // cannot be active.
 Active bool
- // RotateOutAt is the time at which this CA can be removed from the state.
+ // RotatedOutAt is the time at which this CA was removed from the state.
 // This will only be set on roots that have been rotated out from being the
- // active one.
- RotateOutAt time.Time `json:"-"`
+ // active root.
+ RotatedOutAt time.Time `json:"-"`
 RaftIndex
 }
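Review bot: The age check in the changed condition reads more naturally as `time.Since(r.RotatedOutAt) > caRootExpireDuration` than `time.Now().Sub(r.RotatedOutAt) > caRootExpireDuration`. If every root in the loop should be judged against the same instant, read `now := time.Now()` once before the `for` and compare against it instead of calling time.Now() per iteration. pruneCARoots starts and ends outside this hunk.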
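Review bot: The new doc comment on RotatedOutAt says it is the time the CA "was removed from the state", but the endpoint change in this commit sets it to time.Now() when the root stops being active, and the root stays in the state until pruneCARoots removes it later. Suggest `// RotatedOutAt is the time at which this CA stopped being the active root.` followed by `// The leader prunes the root from the state once it has been rotated out for longer than its CA root expiry duration.`, keeping the existing "This will only be set on roots that have been rotated out" sentence.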