structs: prohibit config entries from referencing more than one partition at a time (#10478)

affected kinds: service-defaults, ingress-gateway, terminating-gateway, service-intentions

.changelog/10478.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+structs: prohibit config entries from referencing more than one partition at a time
+```

agent/structs/config_entry.go

@@ -169,6 +169,10 @@ func (e *ServiceConfigEntry) Validate() error {
 			if err != nil {
 				validationErr = multierror.Append(validationErr, fmt.Errorf("error in upstream override for %s: %v", override.ServiceName(), err))
 			}
+
+			if err := validateInnerEnterpriseMeta(&override.EnterpriseMeta, &e.EnterpriseMeta); err != nil {
+				validationErr = multierror.Append(validationErr, fmt.Errorf("error in upstream override for %s: %v", override.ServiceName(), err))
+			}
 		}
 
 		if e.UpstreamConfig.Defaults != nil {
@@ -802,6 +806,9 @@ func (cfg UpstreamConfig) validate(named bool) error {
 		if cfg.EnterpriseMeta.NamespaceOrEmpty() != "" {
 			return fmt.Errorf("Namespace must be empty")
 		}
+		if cfg.EnterpriseMeta.PartitionOrEmpty() != "" {
+			return fmt.Errorf("Partition must be empty")
+		}
 	}
 
 	var validationErr error

agent/structs/config_entry_discoverychain.go

@@ -379,6 +379,8 @@ type ServiceRouteDestination struct {
 	// splitting.
 	Namespace string `json:",omitempty"`
 
+	// NOTE: Partition is not represented here by design. Do not add it.
+
 	// PrefixRewrite allows for the proxied request to have its matching path
 	// prefix modified before being sent to the destination. Described more
 	// below in the envoy implementation section.
@@ -658,6 +660,8 @@ type ServiceSplit struct {
 	// If this field is specified then this route is ineligible for further
 	// splitting.
 	Namespace string `json:",omitempty"`
+
+	// NOTE: Partition is not represented here by design. Do not add it.
 }
 
 // ServiceResolverConfigEntry defines which instances of a service should
@@ -1048,6 +1052,8 @@ type ServiceResolverRedirect struct {
 	// Datacenter is the datacenter to resolve the service from instead of the
 	// current one (optional).
 	Datacenter string `json:",omitempty"`
+
+	// NOTE: Partition is not represented here by design. Do not add it.
 }
 
 // There are some restrictions on what is allowed in here:
@@ -1082,6 +1088,8 @@ type ServiceResolverFailover struct {
 	//
 	// This is a DESTINATION during failover.
 	Datacenters []string `json:",omitempty"`
+
+	// NOTE: Partition is not represented here by design. Do not add it.
 }
 
 // LoadBalancer determines the load balancing policy and configuration for services
@@ -1336,6 +1344,8 @@ type DiscoveryChainRequest struct {
 	EvaluateInDatacenter string
 	EvaluateInNamespace  string
 
+	// NOTE: Partition is not represented here by design. Do not add it.
+
 	// OverrideMeshGateway allows for the mesh gateway setting to be overridden
 	// for any resolver in the compiled chain.
 	OverrideMeshGateway MeshGatewayConfig

agent/structs/config_entry_gateways.go

@@ -164,7 +164,11 @@ func (e *IngressGatewayConfigEntry) Validate() error {
 		}
 
 		declaredHosts := make(map[string]bool)
-		for _, s := range listener.Services {
+		for i, s := range listener.Services {
+			if err := validateInnerEnterpriseMeta(&s.EnterpriseMeta, &e.EnterpriseMeta); err != nil {
+				return fmt.Errorf("Services[%d].%v", i, err)
+			}
+
 			if listener.Protocol == "tcp" {
 				if s.Name == WildcardSpecifier {
 					return fmt.Errorf("Wildcard service name is only valid for protocol = 'http' (listener on port %d)", listener.Port)
@@ -377,8 +381,13 @@ func (e *TerminatingGatewayConfigEntry) Validate() error {
 			return fmt.Errorf("Wildcard namespace is not supported for terminating gateway services")
 		}
 
-		// Check for duplicates within the entry
 		cid := NewServiceID(svc.Name, &svc.EnterpriseMeta)
+
+		if err := validateInnerEnterpriseMeta(&svc.EnterpriseMeta, &e.EnterpriseMeta); err != nil {
+			return fmt.Errorf("Service %q: %v", cid.String(), err)
+		}
+
+		// Check for duplicates within the entry
 		if ok := seen[cid]; ok {
 			return fmt.Errorf("Service %q was specified more than once within a namespace", cid.String())
 		}

agent/structs/config_entry_intentions.go

@@ -567,7 +567,7 @@ func (e *ServiceIntentionsConfigEntry) validate(legacyWrite bool) error {
 			return fmt.Errorf("Sources[%d].%v", i, err)
 		}
 
-		if err := validateSourceIntentionEnterpriseMeta(&src.EnterpriseMeta); err != nil {
+		if err := validateSourceIntentionEnterpriseMeta(&src.EnterpriseMeta, &e.EnterpriseMeta); err != nil {
 			return fmt.Errorf("Sources[%d].%v", i, err)
 		}
 

agent/structs/config_entry_intentions_oss.go

@@ -2,6 +2,6 @@
 
 package structs
 
-func validateSourceIntentionEnterpriseMeta(_ *EnterpriseMeta) error {
+func validateSourceIntentionEnterpriseMeta(_, _ *EnterpriseMeta) error {
 	return nil
 }

agent/structs/config_entry_intentions_test.go

@@ -6,10 +6,11 @@ import (
 	"testing"
 	"time"
 
-	"github.com/hashicorp/consul/sdk/testutil"
 	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"github.com/hashicorp/consul/sdk/testutil"
 )
 
 func generateUUID() (ret string) {

agent/structs/config_entry_oss.go

@@ -30,3 +30,7 @@ func validateUnusedKeys(unused []string) error {
 	}
 	return err
 }
+
+func validateInnerEnterpriseMeta(_, _ *EnterpriseMeta) error {
+	return nil
+}