Avoid returning empty roots with uninitialized CA

Currently getCARoots could return an empty object with an empty trust
domain before the CA is initialized. This commit returns an error while
there is no CA config or no trust domain.

There could be a CA config and no trust domain because the CA config can
be created in InitializeCA before initialization succeeds.
This commit is contained in:
freddygv 2021-11-08 16:51:49 -07:00
parent d9110136f2
commit cc5a7ed36c
1 changed files with 13 additions and 9 deletions

View File

@ -16,10 +16,12 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
if err != nil {
return nil, err
}
if config == nil {
return nil, fmt.Errorf("CA has not finished initializing")
}
indexedRoots := &structs.IndexedCARoots{}
if config != nil {
// Build TrustDomain based on the ClusterID stored.
signingID := connect.SpiffeIDSigningForCluster(config)
if signingID == nil {
@ -29,6 +31,8 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
}
indexedRoots.TrustDomain = signingID.Host()
if indexedRoots.TrustDomain == "" {
return nil, fmt.Errorf("CA has not finished initializing")
}
indexedRoots.Index, indexedRoots.Roots = index, roots