Setup intermediate_pki_path on secondary #8001
Conversation
Make sure to mount vault backend for intermediate_pki_path on secondary dc.
hanshasselberg
changed the title
| @@ -231,7 +244,22 @@ func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM string) error { | |||
|
|
|||
| // ActiveIntermediate returns the current intermediate certificate. | |||
| func (v *VaultProvider) ActiveIntermediate() (string, error) { | |||
| return v.getCA(v.config.IntermediatePKIPath) | |||
| if err := v.setupIntermediatePKIPath(); err != nil { | |||
There was a problem hiding this comment.
Not sure it is the best way to make sure everything is setup in here, but I didn't find a better place. Using setupIntermediatePKIPathDone as a guard to make sure the setup is only done once.
| } | ||
| } | ||
| v.setupIntermediatePKIPathDone = true |
There was a problem hiding this comment.
Does this need a mutex or is it only accessed by a single goroutine?
There was a problem hiding this comment.
There are two different flows.
The leader in the primary dc calls this the first time in initializeRootCA while holding caProviderReconfigurationLock:
consul/agent/consul/leader_connect.go
Lines 262 to 266 in ad7fb3a
The leader in a secondary dc calls this the first time in initializeSecondaryCA while holding caProviderReconfigurationLock:
consul/agent/consul/leader_connect.go
Lines 346 to 349 in ad7fb3a
An error will prevent the initialization to move on and and it will be retried later. I think this is safe to do. However I considered using atomic just to make sure we don't shoot our foot in case the other code changes.
Make sure to mount vault backend for intermediate_pki_path on secondary dc.
Make sure to mount vault backend for intermediate_pki_path on secondary dc.
|
Hi @i0rek Would it be possible to bring this in for beta3? cc @mikemorris |
Make sure to mount vault backend for intermediate_pki_path on secondary
dc.