From 356b29bf358eb77db934d8ad7ec3ad3bf1d8b581 Mon Sep 17 00:00:00 2001
From: Ronald
Date: Mon, 31 Jul 2023 09:13:16 -0400
Subject: [PATCH] Stop JWT provider from being written in non default namespace (#18325)
---
 .changelog/18325.txt | 3 +++
 agent/structs/config_entry_jwt_provider.go | 2 +-
 agent/structs/config_entry_jwt_provider_oss.go | 7 ++++++-
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/18325.txt
diff --git a/.changelog/18325.txt b/.changelog/18325.txt
new file mode 100644
index 0000000000..b2870352b6
--- /dev/null
+++ b/.changelog/18325.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+mesh: **(Enterprise Only)** Require that `jwt-provider` config entries are created in the `default` namespace.
+```
\ No newline at end of file
diff --git a/agent/structs/config_entry_jwt_provider.go b/agent/structs/config_entry_jwt_provider.go
index cc9a37be0c..7336027d70 100644
--- a/agent/structs/config_entry_jwt_provider.go
+++ b/agent/structs/config_entry_jwt_provider.go
@@ -509,7 +509,7 @@ func (e *JWTProviderConfigEntry) Validate() error {
 return err
 }

- if err := e.validatePartition(); err != nil {
+ if err := e.validatePartitionAndNamespace(); err != nil {
 return err
 }

diff --git a/agent/structs/config_entry_jwt_provider_oss.go b/agent/structs/config_entry_jwt_provider_oss.go
index 2152f139f0..533f349c01 100644
--- a/agent/structs/config_entry_jwt_provider_oss.go
+++ b/agent/structs/config_entry_jwt_provider_oss.go
@@ -12,9 +12,14 @@ import (
 "github.com/hashicorp/consul/acl"
 )

-func (e *JWTProviderConfigEntry) validatePartition() error {
+func (e *JWTProviderConfigEntry) validatePartitionAndNamespace() error {
 if !acl.IsDefaultPartition(e.PartitionOrDefault()) {
 return fmt.Errorf("Partitions are an enterprise only feature")
 }
+
+ if acl.DefaultNamespaceName != e.NamespaceOrDefault() {
+ return fmt.Errorf("Namespaces are an enterprise only feature")
+ }
+
 return nil
 }
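Review bot: The new namespace guard in `validatePartitionAndNamespace` compares `e.NamespaceOrDefault()` to `acl.DefaultNamespaceName` with an exact `!=`, while the partition guard directly above it goes through the `acl.IsDefaultPartition` helper. If that helper normalises case or empty values (its body is not visible here), the two checks accept different spellings of the default name. The mismatch fails closed, so this is a consistency point rather than a bypass, but the intent deserves a comment on the function, for example `// jwt-provider entries are only valid in the default partition and namespace; the namespace is compared exactly.` The diffstat lists three files and none is a test, so nothing pins that `Validate()` rejects a jwt-provider entry outside the default namespace. A case in the existing `Validate` tests would stop a later refactor from silently dropping this check.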