From 6021105dfcf1760d1003e6ab1cf898aca1847e79 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Thu, 17 Feb 2022 18:45:08 -0500
Subject: [PATCH] ca: test that original certs from secondary still verify

There's a chance this could flake if the secondary hasn't received the update yet, but running this test many times doesn't show any flakes yet.
---
 agent/consul/leader_connect_ca_test.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/agent/consul/leader_connect_ca_test.go b/agent/consul/leader_connect_ca_test.go
index 9bdfc07401..73787700aa 100644
--- a/agent/consul/leader_connect_ca_test.go
+++ b/agent/consul/leader_connect_ca_test.go
@@ -766,6 +766,7 @@ func TestCAManager_Initialize_Vault_WithExternalTrustedCA(t *testing.T) {
 }
 })
+ var origLeafSecondary string
 runStep(t, "start secondary DC", func(t *testing.T) {
 joinWAN(t, serverDC2, serverDC1)
 testrpc.WaitForActiveCARoot(t, serverDC2.RPC, "dc2", nil)
@@ -778,6 +779,7 @@ func TestCAManager_Initialize_Vault_WithExternalTrustedCA(t *testing.T) {
 leafPEM := getLeafCert(t, codec, roots.TrustDomain, "dc2")
 verifyLeafCert(t, roots.Roots[0], leafPEM)
+ origLeafSecondary = leafPEM
 })
 runStep(t, "renew leaf signing CA in primary", func(t *testing.T) {
@@ -850,6 +852,13 @@ func TestCAManager_Initialize_Vault_WithExternalTrustedCA(t *testing.T) {
 // original certs from old root cert should still verify
 verifyLeafCertWithRoots(t, roots, origLeaf)
+
+ // original certs from secondary should still verify
+ rootsSecondary := structs.IndexedCARoots{}
+ r := &structs.DCSpecificRequest{Datacenter: "dc2"}
+ err = msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", r, &rootsSecondary)
+ require.NoError(t, err)
+ verifyLeafCertWithRoots(t, rootsSecondary, origLeafSecondary)
 })
 runStep(t, "rotate to a different external root", func(t *testing.T) {
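Review bot: The new `ConnectCA.Roots` call for dc2 at the end of the third hunk (and again in the fourth hunk, in the `rotate to a different external root` step) reads whatever roots the secondary holds at that instant, so if dc2 has not yet replicated the rotation the step verifies `origLeafSecondary` against the very roots that issued it and passes without exercising the post-rotation path; the commit message already names this timing window, but the failure mode is a silent pass rather than a flake. Gating the check on the secondary having observed the new root is worth the few lines: fetch dc2's roots under `retry.Run` and assert `rootsSecondary.ActiveRootID` equals the primary's `roots.ActiveRootID` (presumably the value fetched earlier in this step, and presumably shared by the secondary once replicated — confirm) before calling `verifyLeafCertWithRoots`. `err =` assigns to an `err` declared above the hunk; passing the call result straight to `require.NoError(r, ...)` inside the retry avoids reusing it. `retry.Run` is the sdk testutil helper and may need importing in this file. The enclosing test function begins outside the hunk.
```go
	// original certs from secondary should still verify, once dc2 has
	// picked up the rotated root; until then the old roots would verify
	// the old leaf trivially and prove nothing.
	var rootsSecondary structs.IndexedCARoots
	retry.Run(t, func(r *retry.R) {
		req := &structs.DCSpecificRequest{Datacenter: "dc2"}
		require.NoError(r, msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", req, &rootsSecondary))
		require.Equal(r, roots.ActiveRootID, rootsSecondary.ActiveRootID)
	})
	verifyLeafCertWithRoots(t, rootsSecondary, origLeafSecondary)
```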
@@ -885,6 +894,13 @@ func TestCAManager_Initialize_Vault_WithExternalTrustedCA(t *testing.T) {
 // original certs from old root cert should still verify
 verifyLeafCertWithRoots(t, roots, origLeaf)
+
+ // original certs from secondary should still verify
+ rootsSecondary := structs.IndexedCARoots{}
+ r := &structs.DCSpecificRequest{Datacenter: "dc2"}
+ err = msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", r, &rootsSecondary)
+ require.NoError(t, err)
+ verifyLeafCertWithRoots(t, rootsSecondary, origLeafSecondary)
 })
 }
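Review bot: The seven lines added in this hunk are a verbatim copy of the ones added in the previous hunk; pulling them into a small `t.Helper()` function keeps the two steps in sync when the check is later tightened and drops the reuse of the outer `err` that `err =` assigns to. Each call site then becomes `verifySecondaryLeaf(t, codec, origLeafSecondary)`. The `codec` parameter type below assumes `codec` is the `rpc.ClientCodec` that `msgpackrpc.CallWithCodec` takes — confirm against its declaration earlier in the test. The enclosing test function begins outside the hunk and ends with the closing brace shown.
```go
// verifySecondaryLeaf asserts that a leaf previously issued by dc2 still
// verifies against the roots dc2 currently serves.
func verifySecondaryLeaf(t *testing.T, codec rpc.ClientCodec, leafPEM string) {
	t.Helper()
	var roots structs.IndexedCARoots
	req := &structs.DCSpecificRequest{Datacenter: "dc2"}
	require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConnectCA.Roots", req, &roots))
	verifyLeafCertWithRoots(t, roots, leafPEM)
}
```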