From 3cc8222ee028420c3c395f80bdc9cacf201830ea Mon Sep 17 00:00:00 2001 From: Ying Li Date: Wed, 7 Jun 2017 17:56:03 -0700 Subject: [PATCH] If a node has no registered TLS info, or has TLS info indicating that it was signed by a different CA cert, and the cluster is in the middle of a root rotation, then the root reconciler updates the node info to mark it as needing a rotation. However, when a node requests a new cert, it will only download the new cert if the issuance status is ISSUED. If the root reconciler happens to get to the node immediately after the CA signs it but before the node downloads it, then the node will never download it and will poll until timeout, and then request a new certificate instead. Since a node only gets marked as ROTATE if it's not already in PENDING, just download the cert even if the cluster says that the issuance state is ROTATE. This will cut short a lot of extra polling before the node gets a new certificate as per the ROTATE directive. Signed-off-by: Ying Li --- ca/certificates.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ca/certificates.go b/ca/certificates.go index 37c8a172de..642c07772b 100644 --- a/ca/certificates.go +++ b/ca/certificates.go @@ -871,7 +871,7 @@ func GetRemoteSignedCertificate(ctx context.Context, csr []byte, rootCAPool *x50 caClient = api.NewNodeCAClient(conn.ClientConn) // If there was no deadline exceeded error, and the certificate was issued, return - case err == nil && statusResponse.Status.State == api.IssuanceStateIssued: + case err == nil && (statusResponse.Status.State == api.IssuanceStateIssued || statusResponse.Status.State == api.IssuanceStateRotate): if statusResponse.Certificate == nil { conn.Close(false) return nil, errors.New("no certificate in CertificateStatus response")
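Review bot: the comment directly above the changed `case` ("If there was no deadline exceeded error, and the certificate was issued, return") is now stale, since the branch also returns when the issuance state is `api.IssuanceStateRotate`; please update it and record the invariant the commit message relies on (a node is only marked ROTATE when it is not already PENDING, so a ROTATE status here means the CA already signed this CSR) next to the condition, because without that a later reader will see a node accepting a certificate whose status says "rotate" and reasonably assume it is a bug. Splitting the `||` across two lines would also keep the condition readable. The existing `statusResponse.Certificate == nil` guard still covers the case where a ROTATE status arrives with no certificate attached, so the error path is unchanged.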