From 5429e56d1d5c6f2fad86eb924239377a07dbe668 Mon Sep 17 00:00:00 2001
From: hc-github-team-consul-core
Date: Mon, 31 Jul 2023 09:31:52 -0400
Subject: [PATCH] Backport of Stop JWT provider from being written in non default namespace into release/1.16.x (#18331)
backport of commit f15be60e488a77cf80f78a84c35a4a1154637d03
Co-authored-by: Ronald Ekambi
---
 .changelog/18325.txt | 3 +++
 agent/structs/config_entry_jwt_provider.go | 2 +-
 agent/structs/config_entry_jwt_provider_oss.go | 7 ++++++-
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/18325.txt
diff --git a/.changelog/18325.txt b/.changelog/18325.txt
new file mode 100644
index 000000000..b2870352b
--- /dev/null
+++ b/.changelog/18325.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+mesh: **(Enterprise Only)** Require that `jwt-provider` config entries are created in the `default` namespace.
+```
\ No newline at end of file
diff --git a/agent/structs/config_entry_jwt_provider.go b/agent/structs/config_entry_jwt_provider.go
index cc9a37be0..7336027d7 100644
--- a/agent/structs/config_entry_jwt_provider.go
+++ b/agent/structs/config_entry_jwt_provider.go
@@ -509,7 +509,7 @@ func (e *JWTProviderConfigEntry) Validate() error {
 return err
 }
- if err := e.validatePartition(); err != nil {
+ if err := e.validatePartitionAndNamespace(); err != nil {
 return err
 }
diff --git a/agent/structs/config_entry_jwt_provider_oss.go b/agent/structs/config_entry_jwt_provider_oss.go
index 2152f139f..533f349c0 100644
--- a/agent/structs/config_entry_jwt_provider_oss.go
+++ b/agent/structs/config_entry_jwt_provider_oss.go
@@ -12,9 +12,14 @@ import (
 "github.com/hashicorp/consul/acl"
 )
-func (e *JWTProviderConfigEntry) validatePartition() error {
+func (e *JWTProviderConfigEntry) validatePartitionAndNamespace() error {
 if !acl.IsDefaultPartition(e.PartitionOrDefault()) {
 return fmt.Errorf("Partitions are an enterprise only feature")
 }
+
+ if acl.DefaultNamespaceName != e.NamespaceOrDefault() {
+ return fmt.Errorf("Namespaces are an enterprise only feature")
+ }
+
 return nil
 }
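Review bot: The new namespace rejection in `validatePartitionAndNamespace` arrives without a test: the diffstat lists only the changelog and two non-test Go files, so nothing pins that `Validate()` refuses a `jwt-provider` entry outside the `default` namespace, and a later refactor could drop the check unnoticed. A test case for `Validate()` with a non-default namespace, expecting an error, would cover it. The changelog describes an Enterprise-only rule, but only the `_oss` variant is in this patch, so whether `NamespaceOrDefault()` can return anything other than the default in this build, and whether the enterprise counterpart enforces the rule, cannot be confirmed from the hunk. A doc comment such as `// validatePartitionAndNamespace rejects any partition or namespace other than the default in this build.` would record the intent next to the check.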