From e51bd34952e0d3a32fed106d3627746bbe200170 Mon Sep 17 00:00:00 2001 From: Kyle Havlovitz Date: Wed, 2 Dec 2020 12:17:50 -0800 Subject: [PATCH] Merge pull request #9318 from hashicorp/ca-update-followup connect: Fix issue with updating config in secondary --- agent/consul/connect_ca_endpoint_test.go | 21 +++++++++++++++++++++ agent/consul/leader_connect_ca.go | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/agent/consul/connect_ca_endpoint_test.go b/agent/consul/connect_ca_endpoint_test.go index 00cfbfa3e4..4cfe22ce45 100644 --- a/agent/consul/connect_ca_endpoint_test.go +++ b/agent/consul/connect_ca_endpoint_test.go @@ -624,6 +624,27 @@ func TestConnectCAConfig_UpdateSecondary(t *testing.T) { assert.Equal("web", reply.Service) assert.Equal(spiffeId.URI().String(), reply.ServiceURI) } + + // Update a minor field in the config that doesn't trigger an intermediate refresh. + { + newConfig := &structs.CAConfiguration{ + Provider: "consul", + Config: map[string]interface{}{ + "PrivateKey": newKey, + "RootCert": "", + "RotationPeriod": 180 * 24 * time.Hour, + }, + } + { + args := &structs.CARequest{ + Datacenter: "secondary", + Config: newConfig, + } + var reply interface{} + + require.NoError(msgpackrpc.CallWithCodec(codec, "ConnectCA.ConfigurationSet", args, &reply)) + } + } } // Test CA signing diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go index a00ffe2b5e..69a3424c1a 100644 --- a/agent/consul/leader_connect_ca.go +++ b/agent/consul/leader_connect_ca.go @@ -579,7 +579,7 @@ func (c *CAManager) persistNewRootAndConfig(provider ca.Provider, newActiveRoot var newRoots structs.CARoots for _, r := range oldRoots { newRoot := *r - if newRoot.Active { + if newRoot.Active && newActiveRoot != nil { newRoot.Active = false newRoot.RotatedOutAt = time.Now() }