mirror of https://github.com/status-im/consul.git
connect/ca: don't discard old roots on primaryInitialize
This commit is contained in:
parent
15043de647
commit
6105a7fd9f
|
@ -564,22 +564,9 @@ func (c *CAManager) primaryInitialize(provider ca.Provider, conf *structs.CAConf
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the highest index
|
if err := c.persistNewRootAndConfig(provider, rootCA, conf); err != nil {
|
||||||
idx, _, err := state.CARoots(nil)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Store the root cert in raft
|
|
||||||
_, err = c.delegate.ApplyCARequest(&structs.CARequest{
|
|
||||||
Op: structs.CAOpSetRoots,
|
|
||||||
Index: idx,
|
|
||||||
Roots: []*structs.CARoot{rootCA},
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("raft apply failed: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
c.setCAProvider(provider, rootCA)
|
c.setCAProvider(provider, rootCA)
|
||||||
|
|
||||||
c.logger.Info("initialized primary datacenter CA with provider", "provider", conf.Provider)
|
c.logger.Info("initialized primary datacenter CA with provider", "provider", conf.Provider)
|
||||||
|
|
|
@ -691,6 +691,71 @@ func TestConnectCA_ConfigurationSet_RootRotation_Secondary(t *testing.T) {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestCAManager_Initialize_Vault_KeepOldRoots_Primary(t *testing.T) {
|
||||||
|
ca.SkipIfVaultNotPresent(t)
|
||||||
|
|
||||||
|
if testing.Short() {
|
||||||
|
t.Skip("too slow for testing.Short")
|
||||||
|
}
|
||||||
|
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
testVault := ca.NewTestVaultServer(t)
|
||||||
|
defer testVault.Stop()
|
||||||
|
|
||||||
|
dir1pre, s1pre := testServer(t)
|
||||||
|
defer os.RemoveAll(dir1pre)
|
||||||
|
defer s1pre.Shutdown()
|
||||||
|
codec := rpcClient(t, s1pre)
|
||||||
|
defer codec.Close()
|
||||||
|
|
||||||
|
testrpc.WaitForLeader(t, s1pre.RPC, "dc1")
|
||||||
|
|
||||||
|
// Update the CA config to use Vault - this should force the generation of a new root cert.
|
||||||
|
vaultCAConf := &structs.CAConfiguration{
|
||||||
|
Provider: "vault",
|
||||||
|
Config: map[string]interface{}{
|
||||||
|
"Address": testVault.Addr,
|
||||||
|
"Token": testVault.RootToken,
|
||||||
|
"RootPKIPath": "pki-root/",
|
||||||
|
"IntermediatePKIPath": "pki-intermediate/",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
args := &structs.CARequest{
|
||||||
|
Datacenter: "dc1",
|
||||||
|
Config: vaultCAConf,
|
||||||
|
}
|
||||||
|
var reply interface{}
|
||||||
|
|
||||||
|
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply))
|
||||||
|
|
||||||
|
// Should have 2 roots now.
|
||||||
|
_, roots, err := s1pre.fsm.State().CARoots(nil)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Len(t, roots, 2)
|
||||||
|
|
||||||
|
// Shutdown s1pre and restart it to trigger the primary CA init.
|
||||||
|
s1pre.Shutdown()
|
||||||
|
|
||||||
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.DataDir = s1pre.config.DataDir
|
||||||
|
c.NodeName = s1pre.config.NodeName
|
||||||
|
c.NodeID = s1pre.config.NodeID
|
||||||
|
})
|
||||||
|
defer os.RemoveAll(dir1)
|
||||||
|
defer s1.Shutdown()
|
||||||
|
|
||||||
|
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
||||||
|
|
||||||
|
// Roots should be unchanged
|
||||||
|
_, rootsAfterRestart, err := s1.fsm.State().CARoots(nil)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Len(t, rootsAfterRestart, 2)
|
||||||
|
require.Equal(t, roots[0].ID, rootsAfterRestart[0].ID)
|
||||||
|
require.Equal(t, roots[1].ID, rootsAfterRestart[1].ID)
|
||||||
|
}
|
||||||
|
|
||||||
func TestCAManager_Initialize_Vault_FixesSigningKeyID_Primary(t *testing.T) {
|
func TestCAManager_Initialize_Vault_FixesSigningKeyID_Primary(t *testing.T) {
|
||||||
ca.SkipIfVaultNotPresent(t)
|
ca.SkipIfVaultNotPresent(t)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue