mirror of https://github.com/status-im/consul.git
Secondary CA `establishLeadership` fix (#6383)
This prevents ACL issues (or other issues) during intermediate CA cert signing from failing leader establishment.
This commit is contained in:
parent
90d122055b
commit
cbd1857186
|
@ -382,11 +382,13 @@ func (s *Server) initializeSecondaryCA(provider ca.Provider, roots structs.Index
|
|||
|
||||
var intermediatePEM string
|
||||
if err := s.forwardDC("ConnectCA.SignIntermediate", s.config.PrimaryDatacenter, s.generateCASignRequest(csr), &intermediatePEM); err != nil {
|
||||
return err
|
||||
// this is a failure in the primary and shouldn't be capable of erroring out our establishing leadership
|
||||
s.logger.Printf("[WARN] connect: Primary datacenter refused to sign our intermediate CA certificate: %v", err)
|
||||
return nil
|
||||
}
|
||||
|
||||
if err := provider.SetIntermediate(intermediatePEM, newActiveRoot.RootCert); err != nil {
|
||||
return err
|
||||
return fmt.Errorf("Failed to set the intermediate certificate with the CA provider: %v", err)
|
||||
}
|
||||
|
||||
// Append the new intermediate to our local active root entry.
|
||||
|
|
|
@ -471,6 +471,8 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
|
|||
c.ACLsEnabled = true
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
// set the build to ensure all the version checks pass and enable all the connect features that operate cross-dc
|
||||
c.Build = "1.6.0"
|
||||
})
|
||||
defer os.RemoveAll(dir1)
|
||||
defer s1.Shutdown()
|
||||
|
@ -482,10 +484,10 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
|
|||
s1.tokens.UpdateAgentToken("root", tokenStore.TokenSourceConfig)
|
||||
|
||||
// create some tokens
|
||||
replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`)
|
||||
replToken1, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
|
||||
require.NoError(err)
|
||||
|
||||
replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read"`)
|
||||
replToken2, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `acl = "read" operator = "write"`)
|
||||
require.NoError(err)
|
||||
|
||||
// dc2 as a secondary DC
|
||||
|
@ -496,6 +498,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) {
|
|||
c.ACLsEnabled = true
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
c.ACLTokenReplication = false
|
||||
c.Build = "1.6.0"
|
||||
})
|
||||
defer os.RemoveAll(dir2)
|
||||
defer s2.Shutdown()
|
||||
|
|
Loading…
Reference in New Issue