connect/ca: Don't discard old roots on primaryInitialize #14598

kyhavlov · 2022-09-13T22:51:32Z

There are a couple cases in primaryInitialize in the CAManager that can cause the root to need updating when the leader is starting up. Currently when this happens, the old roots are discarded and only the new root is preserved, which could cause problems if the root was just rotated out and we still need to keep the old root around for interoperability during the switch to the new root.

This PR changes that behavior to keep the old roots around in this case in primaryInitialize - they'll still be pruned through the normal leader routine once enough time has passed after they've been rotated out.

dhiaayachi

LGTM!
Is this fix meant to be backported?

kyhavlov requested review from a team and dhiaayachi and removed request for a team September 13, 2022 22:51

dhiaayachi approved these changes Sep 15, 2022

View reviewed changes

kyhavlov added backport/1.11 labels Sep 15, 2022

kyhavlov added 2 commits September 15, 2022 12:59

connect/ca: don't discard old roots on primaryInitialize

6105a7f

Add changelog note

573701f

kyhavlov force-pushed the root-removal-fix branch from c8d364b to 573701f Compare September 15, 2022 19:59

kyhavlov merged commit 0d9ae52 into main Sep 15, 2022

kyhavlov deleted the root-removal-fix branch September 15, 2022 21:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

connect/ca: Don't discard old roots on primaryInitialize #14598

connect/ca: Don't discard old roots on primaryInitialize #14598

kyhavlov commented Sep 13, 2022

dhiaayachi left a comment

connect/ca: Don't discard old roots on primaryInitialize #14598

connect/ca: Don't discard old roots on primaryInitialize #14598

Conversation

kyhavlov commented Sep 13, 2022

dhiaayachi left a comment

Choose a reason for hiding this comment