From 53ea1f634ac8c6e8e4c3cf36e96c5f1d04a44ee6 Mon Sep 17 00:00:00 2001
From: freddygv
Date: Thu, 14 Oct 2021 08:32:45 -0600
Subject: [PATCH 1/2] Ensure partition is handled by auto-encrypt
---
 agent/auto-config/tls.go | 2 +-
 agent/connect/uri_agent_oss.go | 12 +++++++++++-
 agent/consul/connect_ca_endpoint.go | 4 ++--
 agent/consul/leader_connect_ca.go | 3 +--
 4 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/agent/auto-config/tls.go b/agent/auto-config/tls.go
index c152203082..ab647b515b 100644
--- a/agent/auto-config/tls.go
+++ b/agent/auto-config/tls.go
@@ -216,7 +216,7 @@ func (ac *AutoConfig) generateCSR() (csr string, key string, err error) {
 Host: unknownTrustDomain,
 Datacenter: ac.config.Datacenter,
 Agent: ac.config.NodeName,
- // TODO(rb)(partitions): populate the partition field from the agent config
+ Partition: ac.config.PartitionOrDefault(),
 }
 caConfig, err := ac.config.ConnectCAConfiguration()
diff --git a/agent/connect/uri_agent_oss.go b/agent/connect/uri_agent_oss.go
index bf13697ee3..0936d680a2 100644
--- a/agent/connect/uri_agent_oss.go
+++ b/agent/connect/uri_agent_oss.go
@@ -2,7 +2,17 @@
 package connect
-import "fmt"
+import (
+ "fmt"
+
+ "github.com/hashicorp/consul/agent/structs"
+)
+
+// GetEnterpriseMeta will synthesize an EnterpriseMeta struct from the SpiffeIDAgent.
+// in OSS this just returns an empty (but never nil) struct pointer
+func (id SpiffeIDAgent) GetEnterpriseMeta() *structs.EnterpriseMeta {
+ return &structs.EnterpriseMeta{}
+}
 func (id SpiffeIDAgent) uriPath() string {
 return fmt.Sprintf("/agent/client/dc/%s/id/%s", id.Datacenter, id.Agent)
diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go
index c1f6a19be9..3df8068809 100644
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
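Review bot: The new `Partition:` initializer drops the TODO without saying what the value means, and the partition written into the CSR here is only a claim made by the agent; nothing in generateCSR checks it, which is acceptable only because the server-side ACL check in ConnectCA.Sign (patched in this same series) is what enforces it. A one-line comment would keep that contract visible: `// Partition is asserted by the agent; the server authorizes it against the token's NodeWrite permission when it signs the CSR.` Note also that the OSS agent URI path (uri_agent_oss.go in this series) does not encode the partition, so a non-default value set here would not survive into the SPIFFE ID in that build — presumably config validation already rules that out in OSS, but it is worth confirming. generateCSR continues outside the hunk.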
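Review bot: The doc comment on the added `GetEnterpriseMeta` is incomplete — the second line starts lowercase, has no period, and omits the one thing a reader needs: that the OSS build discards `id.Partition` entirely, just as `uriPath` below omits it from the URI. Suggest replacing the second line with `// In OSS this returns an empty (never nil) struct; id.Partition is intentionally ignored here.` so the two call sites added in this series (ConnectCA.Sign and CAManager.SignCertificate) are read with that in mind. The pointer is freshly allocated on every call, so a caller that mutates the result cannot affect shared state; if an enterprise variant of this method exists and behaves differently, that would be worth stating as well.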
@@ -186,8 +186,8 @@ func (s *ConnectCA) Sign(
 "we are %s", serviceID.Datacenter, s.srv.config.Datacenter)
 }
 } else if isAgent {
- // TODO(partitions): support auto-config in different partitions
- structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
+ entMeta := structs.DefaultEnterpriseMetaInPartition(agentID.PartitionOrDefault())
+ entMeta.FillAuthzContext(&authzContext)
 if authz.NodeWrite(agentID.Agent, &authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go
index ed4f30c6cc..78753b1541 100644
--- a/agent/consul/leader_connect_ca.go
+++ b/agent/consul/leader_connect_ca.go
@@ -1438,8 +1438,7 @@ func (c *CAManager) SignCertificate(csr *x509.CertificateRequest, spiffeID conne
 csr.URIs = uris
 }
- // TODO(partitions): support auto-config in different partitions
- entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
+ entMeta.Merge(agentID.GetEnterpriseMeta())
 }
 commonCfg, err := config.GetCommonConfig()
From e22f0cc033e85f92d1eccc0d89a9decf4bf9fbc4 Mon Sep 17 00:00:00 2001
From: freddygv
Date: Thu, 14 Oct 2021 08:57:40 -0600
Subject: [PATCH 2/2] Use stored entmeta to fill authzContext
---
 agent/consul/connect_ca_endpoint.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go
index 3df8068809..a08cf27cc5 100644
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@@ -186,8 +186,7 @@ func (s *ConnectCA) Sign(
 "we are %s", serviceID.Datacenter, s.srv.config.Datacenter)
 }
 } else if isAgent {
- entMeta := structs.DefaultEnterpriseMetaInPartition(agentID.PartitionOrDefault())
- entMeta.FillAuthzContext(&authzContext)
+ agentID.GetEnterpriseMeta().FillAuthzContext(&authzContext)
 if authz.NodeWrite(agentID.Agent, &authzContext) != acl.Allow {
 return acl.ErrPermissionDenied
 }
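Review bot: `entMeta.Merge(agentID.GetEnterpriseMeta())` lets the partition asserted in the agent's CSR determine the enterprise meta attached to the signed certificate, and what makes that safe is that ConnectCA.Sign (patched in this same series) authorizes NodeWrite using the very same `agentID.GetEnterpriseMeta()` before the request reaches here; if the two call sites ever derive the partition differently, a token could be checked in one partition and issued a certificate attributed to another. Suggest pinning that invariant in a comment above the call: `// Must match the enterprise meta ConnectCA.Sign used for its NodeWrite check; both derive it from agentID.` Whether Merge leaves entMeta untouched for the empty value the OSS method returns depends on Merge's semantics, which are outside this hunk. `entMeta` and `agentID` are declared outside the hunk, and SignCertificate continues on both sides of it.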
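Review bot: The authorization context in the `isAgent` branch is now filled from `agentID.GetEnterpriseMeta()`, i.e. from the partition the client placed in its own CSR, so `authz.NodeWrite` is evaluated in a client-chosen partition; that is sound only if the token's permissions are themselves scoped by partition, which this hunk cannot show and which deserves to be stated. A comment above the call would record the reliance: `// agentID's partition comes from the client's CSR; NodeWrite is checked in that partition, so the token must already hold rights there.` The branch and ConnectCA.Sign both extend beyond the hunk, and this one-liner supersedes the two-line form the first patch added at the same location.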