status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-02-19 17:14:37 +00:00
Code Issues Projects Releases Wiki Activity

Note leadership issues in comments

Browse Source
This commit is contained in:
Paul Banks 2018-06-20 13:12:03 +01:00 committed by Jack Pearkes
parent b5f24a21cb
commit e33bfe249e
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
agent/consul/leader.go
View File

@ -433,6 +433,12 @@ func (s *Server) initializeCA() error {
return err return err
} }
// TODO(banks): in the case that we've just gained leadership in an already
// configured cluster. We really need to fetch RootCA from state to provide it
// in setCAProvider. This matters because if the current active root has
// intermediates, parsing the rootCA from only the root cert PEM above will
// not include them and so leafs we sign will not bundle the intermediates.
s.setCAProvider(provider, rootCA) s.setCAProvider(provider, rootCA)
// Check if the CA root is already initialized and exit if it is. // Check if the CA root is already initialized and exit if it is.
@ -445,6 +451,9 @@ func (s *Server) initializeCA() error {
} }
if activeRoot != nil { if activeRoot != nil {
if activeRoot.ID != rootCA.ID { if activeRoot.ID != rootCA.ID {
// TODO(banks): this seems like a pretty catastrophic state to get into.
// Shouldn't we do something stronger than warn and continue signing with
// a key that's not the active CA according to the state?
s.logger.Printf("[WARN] connect: CA root %q is not the active root (%q)", rootCA.ID, activeRoot.ID) s.logger.Printf("[WARN] connect: CA root %q is not the active root (%q)", rootCA.ID, activeRoot.ID)
} }
return nil return nil