Fix v9 trusted cluster DB CA sync

gravitational · Jun 30, 2022 · be72e33 · be72e33
1 parent 9def3b5
commit be72e33
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/lib/cache/collections.go b/lib/cache/collections.go
@@ -805,8 +805,14 @@ func (c *certAuthority) fetch(ctx context.Context) (apply func(ctx context.Conte
 		return nil, trace.Wrap(err)
 	}
 
+	// DELETE IN 11.0.
+	// missingDatabaseCA is needed only when leaf cluster v9 is connected
+	// to root cluster v10.
+	missingDatabaseCA := false
 	applyDatabaseCAs, err := c.fetchCertAuthorities(ctx, types.DatabaseCA)
-	if err != nil {
+	if trace.IsBadParameter(err) {
+		missingDatabaseCA = true
+	} else if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
@@ -822,8 +828,10 @@ func (c *certAuthority) fetch(ctx context.Context) (apply func(ctx context.Conte
 		if err := applyUserCAs(ctx); err != nil {
 			return trace.Wrap(err)
 		}
-		if err := applyDatabaseCAs(ctx); err != nil {
-			return trace.Wrap(err)
+		if !missingDatabaseCA {
+			if err := applyDatabaseCAs(ctx); err != nil {
+				return trace.Wrap(err)
+			}
 		}
 		return trace.Wrap(applyJWTSigners(ctx))
 	}, nil