From a5a9560bbd67073f30f7d5d1c73716714f77bcb8 Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Mon, 29 Jun 2020 15:46:34 -0400
Subject: [PATCH] Initialize the agent leaf cert cache result with a state to prevent unnecessary second certificate signing
---
 agent/agent.go | 12 +++++++++++-
 agent/cache-types/connect_ca_leaf.go | 9 +++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/agent/agent.go b/agent/agent.go
index a797ca5294..9e5666a0f7 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -877,7 +877,17 @@ func (a *Agent) setupClientAutoEncryptCache(reply *structs.SignedResponse) (*str
 }
 
 // prepolutate leaf cache
- certRes := cache.FetchResult{Value: &reply.IssuedCert, Index: reply.ConnectCARoots.QueryMeta.Index}
+ certRes := cache.FetchResult{
+ Value: &reply.IssuedCert,
+ Index: reply.ConnectCARoots.QueryMeta.Index,
+ }
+
+ for _, ca := range reply.ConnectCARoots.Roots {
+ if ca.ID == reply.ConnectCARoots.ActiveRootID {
+ certRes.State = cachetype.ConnectCALeafSuccess(ca.SigningKeyID)
+ break
+ }
+ }
 if err := a.cache.Prepopulate(cachetype.ConnectCALeafName, certRes, a.config.Datacenter, a.tokens.AgentToken(), leafReq.Key()); err != nil {
 return nil, nil, err
 }
diff --git a/agent/cache-types/connect_ca_leaf.go b/agent/cache-types/connect_ca_leaf.go
index 51ce12a0c6..c177804893 100644
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@@ -121,6 +121,15 @@ type fetchState struct {
 consecutiveRateLimitErrs int
 }
 
+func ConnectCALeafSuccess(authorityKeyID string) interface{} {
+ return fetchState{
+ authorityKeyID: authorityKeyID,
+ forceExpireAfter: time.Time{},
+ consecutiveRateLimitErrs: 0,
+ activeRootRotationStart: time.Time{},
+ }
+}
+
 // fetchStart is called on each fetch that is about to block and wait for
 // changes to the leaf. It subscribes a chan to receive updates from the shared
 // root watcher and triggers root watcher if it's not already running.
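Review bot: In the loop added after the certRes literal, certRes.State stays nil when no entry in reply.ConnectCARoots.Roots has ID equal to ActiveRootID, and the entry is still prepopulated with that nil state; given the commit's stated purpose, that silent fall-through presumably means the leaf type will treat the first fetch as needing a fresh signing, which deserves a comment at the loop, e.g. `// If the active root is missing from the reply, State stays nil and the leaf type will have to sign again on its first fetch.` (confirm against the nil-state handling in connect_ca_leaf.go). ConnectCALeafSuccess returns a fetchState by value inside an interface{}, so whatever type assertion the leaf fetch performs on FetchResult.State must expect a value rather than a pointer; that assertion is outside this diff and should be checked before relying on the prepopulated state. setupClientAutoEncryptCache starts and ends outside the hunk.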
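Review bot: ConnectCALeafSuccess is exported but has no doc comment, and its interface{} return type tells a caller nothing; add a comment starting with the name that says it builds the fetchState for a leaf certificate signed under the root whose signing key ID is authorityKeyID, returned as interface{} so it can be stored in cache.FetchResult.State when the agent prepopulates the leaf cache. The three explicit zero-value fields (forceExpireAfter, consecutiveRateLimitErrs, activeRootRotationStart) add nothing over the struct's zero value and will go stale if fetchState gains fields; `return fetchState{authorityKeyID: authorityKeyID}` expresses the same state. The fetchState declaration begins outside the hunk.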