Backport of Stop JWT provider from being written in non default namespace into release/1.16.x (#18331)

backport of commit f15be60e488a77cf80f78a84c35a4a1154637d03 Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
2023-07-31 09:31:52 -04:00 · 2023-07-31 09:31:52 -04:00 · 5429e56d1d
parent 5114b031a7
commit 5429e56d1d
3 changed files with 10 additions and 2 deletions
--- a/.changelog/18325.txt
+++ b/.changelog/18325.txt
@ -0,0 +1,3 @@
+```release-note:bug
+mesh: **(Enterprise Only)** Require that `jwt-provider` config entries are created in the `default` namespace.
+```
--- a/agent/structs/config_entry_jwt_provider.go
+++ b/agent/structs/config_entry_jwt_provider.go
@ -509,7 +509,7 @@ func (e *JWTProviderConfigEntry) Validate() error {
 		return err
 	}

-	if err := e.validatePartition(); err != nil {
+	if err := e.validatePartitionAndNamespace(); err != nil {
 		return err
 	}

--- a/agent/structs/config_entry_jwt_provider_oss.go
+++ b/agent/structs/config_entry_jwt_provider_oss.go
@ -12,9 +12,14 @@ import (
 	"github.com/hashicorp/consul/acl"
 )

-func (e *JWTProviderConfigEntry) validatePartition() error {
+func (e *JWTProviderConfigEntry) validatePartitionAndNamespace() error {
 	if !acl.IsDefaultPartition(e.PartitionOrDefault()) {
 		return fmt.Errorf("Partitions are an enterprise only feature")
 	}
+
+	if acl.DefaultNamespaceName != e.NamespaceOrDefault() {
+		return fmt.Errorf("Namespaces are an enterprise only feature")
+	}
+
 	return nil
 }