fix(kuma-cp) ensure all backends that are added one by one (#2991)

Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>

pkg/plugins/ca/builtin/manager.go

@@ -35,6 +35,10 @@ var _ core_ca.Manager = &builtinCaManager{}
 func (b *builtinCaManager) EnsureBackends(ctx context.Context, mesh string, backends []*mesh_proto.CertificateAuthorityBackend) error {
 	for _, backend := range backends {
 		_, err := b.getCa(ctx, mesh, backend.Name)
+		if err == nil { // CA is there, nothing to ensure
+			continue
+		}
+
 		if !core_store.IsResourceNotFound(err) {
 			return err
 		}

pkg/plugins/ca/builtin/manager_test.go

@@ -111,6 +111,40 @@ var _ = Describe("Builtin CA Manager", func() {
 			Expect(err).ToNot(HaveOccurred())
 			Expect(cert.NotAfter).To(Equal(core.Now().UTC().Add(time.Minute).Truncate(time.Second)))
 		})
+
+		It("should ensure first backend and then second", func() {
+			// given
+			mesh := "default"
+			backends := []*mesh_proto.CertificateAuthorityBackend{{
+				Name: "builtin-1",
+				Type: "builtin",
+			}}
+
+			// when
+			err := caManager.EnsureBackends(context.Background(), mesh, backends)
+
+			// then
+			Expect(err).ToNot(HaveOccurred())
+
+			// when second one is added AFTER the CA for the first one was created
+			backends = append(backends, &mesh_proto.CertificateAuthorityBackend{
+				Name: "builtin-2",
+				Type: "builtin",
+			})
+			err = caManager.EnsureBackends(context.Background(), mesh, backends)
+
+			// then
+			Expect(err).ToNot(HaveOccurred())
+
+			// and both CAs have their keys
+			secretRes := system.NewSecretResource()
+			err = secretManager.Get(context.Background(), secretRes, core_store.GetByKey("default.ca-builtin-cert-builtin-1", "default"))
+			Expect(err).ToNot(HaveOccurred())
+
+			secretRes = system.NewSecretResource()
+			err = secretManager.Get(context.Background(), secretRes, core_store.GetByKey("default.ca-builtin-cert-builtin-2", "default"))
+			Expect(err).ToNot(HaveOccurred())
+		})
 	})
 
 	Context("GetRootCert", func() {