Do not rotate JWT keys if X509 preparation failed during initializati…

…on (#5064) * Do not rotate JWT keys if X509 preparation failed Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com> * Address PR comment Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com> --------- Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
spiffe · Apr 17, 2024 · 8e8f747 · 8e8f747
1 parent 9ec534a
commit 8e8f747
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/pkg/server/ca/manager/journal.go b/pkg/server/ca/manager/journal.go
@@ -231,6 +231,10 @@ func (j *Journal) saveInDatastore(ctx context.Context, entriesBytes []byte) (caJ
 	// Check if we already identified what's the CA journal for this server in
 	// the datastore. If not, log that we are creating a new CA journal entry.
 	if j.caJournalID == 0 {
+		if j.activeX509AuthorityID == "" {
+			j.config.log.Debug("There is no active X.509 authority yet. Can't save CA journal in the datastore")
+			return 0, nil
+		}
 		j.config.log.Info("Creating a new CA journal entry")
 	}
 

diff --git a/pkg/server/ca/rotator/rotator.go b/pkg/server/ca/rotator/rotator.go
@@ -124,6 +124,12 @@ func (r *Rotator) rotate(ctx context.Context) error {
 	if x509CAErr != nil {
 		atomic.AddUint64(&r.failedRotationNum, 1)
 		r.c.Log.WithError(x509CAErr).Error("Unable to rotate X509 CA")
+		if r.c.Manager.GetCurrentX509CASlot().IsEmpty() {
+			// Preparation of the X509 CA failed, and there is no active X509
+			// authority. We will be unable to store the JWT authority, so we
+			// don't try to rotate the JWT key in this case.
+			return x509CAErr
+		}
 	}
 
 	jwtKeyErr := r.rotateJWTKey(ctx)