Ensure partition is handled by auto-encrypt

agent/auto-config/tls.go

@@ -216,7 +216,7 @@ func (ac *AutoConfig) generateCSR() (csr string, key string, err error) {
 		Host:       unknownTrustDomain,
 		Datacenter: ac.config.Datacenter,
 		Agent:      ac.config.NodeName,
-		// TODO(rb)(partitions): populate the partition field from the agent config
+		Partition:  ac.config.PartitionOrDefault(),
 	}
 
 	caConfig, err := ac.config.ConnectCAConfiguration()

agent/connect/uri_agent_oss.go

@@ -2,7 +2,17 @@
 
 package connect
 
-import "fmt"
+import (
+	"fmt"
+
+	"github.com/hashicorp/consul/agent/structs"
+)
+
+// GetEnterpriseMeta will synthesize an EnterpriseMeta struct from the SpiffeIDAgent.
+// in OSS this just returns an empty (but never nil) struct pointer
+func (id SpiffeIDAgent) GetEnterpriseMeta() *structs.EnterpriseMeta {
+	return &structs.EnterpriseMeta{}
+}
 
 func (id SpiffeIDAgent) uriPath() string {
 	return fmt.Sprintf("/agent/client/dc/%s/id/%s", id.Datacenter, id.Agent)

agent/consul/connect_ca_endpoint.go

@@ -186,8 +186,8 @@ func (s *ConnectCA) Sign(
 				"we are %s", serviceID.Datacenter, s.srv.config.Datacenter)
 		}
 	} else if isAgent {
-		// TODO(partitions): support auto-config in different partitions
-		structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
+		entMeta := structs.DefaultEnterpriseMetaInPartition(agentID.PartitionOrDefault())
+		entMeta.FillAuthzContext(&authzContext)
 		if authz.NodeWrite(agentID.Agent, &authzContext) != acl.Allow {
 			return acl.ErrPermissionDenied
 		}

agent/consul/leader_connect_ca.go

@@ -1438,8 +1438,7 @@ func (c *CAManager) SignCertificate(csr *x509.CertificateRequest, spiffeID conne
 
 			csr.URIs = uris
 		}
-		// TODO(partitions): support auto-config in different partitions
-		entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
+		entMeta.Merge(agentID.GetEnterpriseMeta())
 	}
 
 	commonCfg, err := config.GetCommonConfig()