auto-config: ensure the feature works properly with partitions (#11699)

2021-12-01 13:32:34 -06:00 · 2021-12-01 13:32:34 -06:00 · 70b143ddc5
parent 1e8a83d100
commit 70b143ddc5
18 changed files with 284 additions and 112 deletions
--- a/.changelog/11699.txt
+++ b/.changelog/11699.txt
@ -0,0 +1,3 @@
 ```release-note:improvement
 auto-config: ensure the feature works properly with partitions
 ```
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@ -5117,6 +5117,9 @@ func TestAutoConfig_Integration(t *testing.T) {
 	// verify_incoming config on the server would not let it work.
 	testrpc.WaitForTestAgent(t, client.RPC, "dc1", testrpc.WithToken(TestDefaultMasterToken))
 	// spot check that we now have an ACL token
 	require.NotEmpty(t, client.tokens.AgentToken())
 	// grab the existing cert
 	cert1 := client.Agent.tlsConfigurator.Cert()
 	require.NotNil(t, cert1)
@ -5159,9 +5162,6 @@ func TestAutoConfig_Integration(t *testing.T) {
 		require.NoError(r, err)
 		require.Equal(r, client.Agent.tlsConfigurator.Cert(), &actual)
 	})
 	// spot check that we now have an ACL token
 	require.NotEmpty(t, client.tokens.AgentToken())
 }
 func TestAgent_AutoEncrypt(t *testing.T) {
@ -5351,3 +5351,10 @@ func uniqueAddrs(srvs []apiServer) map[string]struct{} {
 	}
 	return result
 }
 func runStep(t *testing.T, name string, fn func(t *testing.T)) {
 	t.Helper()
 	if !t.Run(name, fn) {
 		t.FailNow()
 	}
 }
--- a/agent/auto-config/auto_config.go
+++ b/agent/auto-config/auto_config.go
@ -279,6 +279,7 @@ func (ac *AutoConfig) getInitialConfigurationOnce(ctx context.Context, csr strin
 		Datacenter: ac.config.Datacenter,
 		Node:       ac.config.NodeName,
 		Segment:    ac.config.SegmentName,
 		Partition:  ac.config.PartitionOrEmpty(),
 		JWT:        token,
 		CSR:        csr,
 	}
--- a/agent/auto-config/config_translate.go
+++ b/agent/auto-config/config_translate.go
@ -26,9 +26,12 @@ func translateConfig(c *pbconfig.Config) config.Config {
 		Datacenter:        stringPtrOrNil(c.Datacenter),
 		PrimaryDatacenter: stringPtrOrNil(c.PrimaryDatacenter),
 		NodeName:          stringPtrOrNil(c.NodeName),
-		// only output the SegmentName in the configuration if its non-empty
+		// only output the SegmentName in the configuration if it's non-empty
 		// this will avoid a warning later when parsing the persisted configuration
 		SegmentName: stringPtrOrNil(c.SegmentName),
 		// only output the Partition in the configuration if it's non-empty
 		// this will avoid a warning later when parsing the persisted configuration
 		Partition: stringPtrOrNil(c.Partition),
 	}
 	if a := c.AutoEncrypt; a != nil {
--- a/agent/auto-config/tls.go
+++ b/agent/auto-config/tls.go
@ -192,11 +192,12 @@ func (ac *AutoConfig) caRootsRequest() structs.DCSpecificRequest {
 func (ac *AutoConfig) leafCertRequest() cachetype.ConnectCALeafRequest {
 	return cachetype.ConnectCALeafRequest{
-		Datacenter: ac.config.Datacenter,
+		Datacenter:     ac.config.Datacenter,
-		Agent:      ac.config.NodeName,
+		Agent:          ac.config.NodeName,
-		DNSSAN:     ac.getDNSSANs(),
+		DNSSAN:         ac.getDNSSANs(),
-		IPSAN:      ac.getIPSANs(),
+		IPSAN:          ac.getIPSANs(),
-		Token:      ac.acConfig.Tokens.AgentToken(),
+		Token:          ac.acConfig.Tokens.AgentToken(),
 		EnterpriseMeta: *structs.NodeEnterpriseMetaInPartition(ac.config.PartitionOrEmpty()),
 	}
 }
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@ -2374,8 +2374,9 @@ func validateAutoConfigAuthorizer(rt RuntimeConfig) error {
 	// create a blank identity for use to validate the claim assertions.
 	blankID := validator.NewIdentity()
 	varMap := map[string]string{
-		"node":    "fake",
+		"node":      "fake",
-		"segment": "fake",
+		"segment":   "fake",
 		"partition": "fake",
 	}
 	// validate all the claim assertions
--- a/agent/connect/uri.go
+++ b/agent/connect/uri.go
@ -76,6 +76,10 @@ func ParseCertURI(input *url.URL) (CertURI, error) {
 			}
 		}
 		if ap == "" {
 			ap = "default"
 		}
 		return &SpiffeIDService{
 			Host:       input.Host,
 			Partition:  ap,
@ -103,6 +107,10 @@ func ParseCertURI(input *url.URL) (CertURI, error) {
 			}
 		}
 		if ap == "" {
 			ap = "default"
 		}
 		return &SpiffeIDAgent{
 			Host:       input.Host,
 			Partition:  ap,
--- a/agent/connect/uri_test.go
+++ b/agent/connect/uri_test.go
@ -5,10 +5,13 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/sdk/testutil"
 )
 func TestParseCertURIFromString(t *testing.T) {
 	defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
 	var cases = []struct {
 		Name       string
 		URI        string
@ -26,6 +29,7 @@ func TestParseCertURIFromString(t *testing.T) {
 			"spiffe://1234.consul/ns/default/dc/dc01/svc/web",
 			&SpiffeIDService{
 				Host:       "1234.consul",
 				Partition:  defaultEntMeta.PartitionOrDefault(),
 				Namespace:  "default",
 				Datacenter: "dc01",
 				Service:    "web",
@ -49,6 +53,7 @@ func TestParseCertURIFromString(t *testing.T) {
 			"spiffe://1234.consul/agent/client/dc/dc1/id/uuid",
 			&SpiffeIDAgent{
 				Host:       "1234.consul",
 				Partition:  defaultEntMeta.PartitionOrDefault(),
 				Datacenter: "dc1",
 				Agent:      "uuid",
 			},
@ -70,6 +75,7 @@ func TestParseCertURIFromString(t *testing.T) {
 			"spiffe://1234.consul/ns/foo%2Fbar/dc/bar%2Fbaz/svc/baz%2Fqux",
 			&SpiffeIDService{
 				Host:       "1234.consul",
 				Partition:  defaultEntMeta.PartitionOrDefault(),
 				Namespace:  "foo/bar",
 				Datacenter: "bar/baz",
 				Service:    "baz/qux",
--- a/agent/consul/auto_config_backend.go
+++ b/agent/consul/auto_config_backend.go
@ -31,13 +31,16 @@ func (b autoConfigBackend) GetCARoots() (*structs.IndexedCARoots, error) {
 // DatacenterJoinAddresses will return all the strings suitable for usage in
 // retry join operations to connect to the the LAN or LAN segment gossip pool.
-func (b autoConfigBackend) DatacenterJoinAddresses(segment string) ([]string, error) {
+func (b autoConfigBackend) DatacenterJoinAddresses(partition, segment string) ([]string, error) {
 	members, err := b.Server.LANMembers(LANMemberFilter{
 		Segment:   segment,
-		Partition: "", // TODO(partitions): figure out what goes here
+		Partition: partition,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("Failed to retrieve members for segment %s - %w", segment, err)
+		if segment != "" {
 			return nil, fmt.Errorf("Failed to retrieve members for segment %s: %w", segment, err)
 		}
 		return nil, fmt.Errorf("Failed to retrieve members for partition %s: %w", structs.PartitionOrDefault(partition), err)
 	}
 	var joinAddrs []string
--- a/agent/consul/auto_config_backend_test.go
+++ b/agent/consul/auto_config_backend_test.go
@ -27,7 +27,7 @@ func TestAutoConfigBackend_DatacenterJoinAddresses(t *testing.T) {
 	}
 	backend := autoConfigBackend{Server: nodes.Servers[0]}
-	actual, err := backend.DatacenterJoinAddresses("")
+	actual, err := backend.DatacenterJoinAddresses("", "")
 	require.NoError(t, err)
 	require.ElementsMatch(t, expected, actual)
 }
--- a/agent/consul/auto_config_endpoint.go
+++ b/agent/consul/auto_config_endpoint.go
@ -25,11 +25,16 @@ import (
 type AutoConfigOptions struct {
 	NodeName    string
 	SegmentName string
 	Partition   string
 	CSR      *x509.CertificateRequest
 	SpiffeID *connect.SpiffeIDAgent
 }
 func (opts AutoConfigOptions) PartitionOrDefault() string {
 	return structs.PartitionOrDefault(opts.Partition)
 }
 type AutoConfigAuthorizer interface {
 	// Authorizes the request and returns a struct containing the various
 	// options for how to generate the configuration.
@ -57,8 +62,9 @@ func (a *jwtAuthorizer) Authorize(req *pbautoconf.AutoConfigRequest) (AutoConfig
 	}
 	varMap := map[string]string{
-		"node":    req.Node,
+		"node":      req.Node,
-		"segment": req.Segment,
+		"segment":   req.Segment,
 		"partition": req.PartitionOrDefault(),
 	}
 	for _, raw := range a.claimAssertions {
@ -86,6 +92,7 @@ func (a *jwtAuthorizer) Authorize(req *pbautoconf.AutoConfigRequest) (AutoConfig
 	opts := AutoConfigOptions{
 		NodeName:    req.Node,
 		SegmentName: req.Segment,
 		Partition:   req.Partition,
 	}
 	if req.CSR != "" {
@ -94,8 +101,12 @@ func (a *jwtAuthorizer) Authorize(req *pbautoconf.AutoConfigRequest) (AutoConfig
 			return AutoConfigOptions{}, err
 		}
-		if id.Agent != req.Node {
+		if id.Agent != req.Node || !structs.EqualPartitions(id.Partition, req.Partition) {
-			return AutoConfigOptions{}, fmt.Errorf("Spiffe ID agent name (%s) of the certificate signing request is not for the correct node (%s)", id.Agent, req.Node)
+			return AutoConfigOptions{},
 				fmt.Errorf("Spiffe ID agent name (%s) of the certificate signing request is not for the correct node (%s)",
 					printNodeName(id.Agent, id.Partition),
 					printNodeName(req.Node, req.Partition),
 				)
 		}
 		opts.CSR = csr
@ -107,7 +118,7 @@ func (a *jwtAuthorizer) Authorize(req *pbautoconf.AutoConfigRequest) (AutoConfig
 type AutoConfigBackend interface {
 	CreateACLToken(template *structs.ACLToken) (*structs.ACLToken, error)
-	DatacenterJoinAddresses(segment string) ([]string, error)
+	DatacenterJoinAddresses(partition, segment string) ([]string, error)
 	ForwardRPC(method string, info structs.RPCInfo, reply interface{}) (bool, error)
 	GetCARoots() (*structs.IndexedCARoots, error)
 	SignCertificate(csr *x509.CertificateRequest, id connect.CertURI) (*structs.IssuedCert, error)
@ -200,7 +211,7 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautocon
 	if ac.config.ACLsEnabled {
 		// set up the token template - the ids and create
 		template := structs.ACLToken{
-			Description: fmt.Sprintf("Auto Config Token for Node %q", opts.NodeName),
+			Description: fmt.Sprintf("Auto Config Token for Node %q", printNodeName(opts.NodeName, opts.Partition)),
 			Local:       true,
 			NodeIdentities: []*structs.ACLNodeIdentity{
 				{
@ -208,13 +219,12 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautocon
 					Datacenter: ac.config.Datacenter,
 				},
 			},
-			// TODO(partitions): support auto-config in different partitions
+			EnterpriseMeta: *structs.DefaultEnterpriseMetaInPartition(opts.PartitionOrDefault()),
 			EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
 		}
 		token, err := ac.backend.CreateACLToken(&template)
 		if err != nil {
-			return fmt.Errorf("Failed to generate an ACL token for node %q - %w", opts.NodeName, err)
+			return fmt.Errorf("Failed to generate an ACL token for node %q: %w", printNodeName(opts.NodeName, opts.Partition), err)
 		}
 		acl.Tokens = &pbconfig.ACLTokens{Agent: token.SecretID}
@ -227,7 +237,7 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautocon
 // updateJoinAddressesInConfig determines the correct gossip endpoints that clients should
 // be connecting to for joining the cluster based on the segment given in the opts parameter.
 func (ac *AutoConfig) updateJoinAddressesInConfig(opts AutoConfigOptions, resp *pbautoconf.AutoConfigResponse) error {
-	joinAddrs, err := ac.backend.DatacenterJoinAddresses(opts.SegmentName)
+	joinAddrs, err := ac.backend.DatacenterJoinAddresses(opts.Partition, opts.SegmentName)
 	if err != nil {
 		return err
 	}
@ -299,6 +309,7 @@ func (ac *AutoConfig) baseConfig(opts AutoConfigOptions, resp *pbautoconf.AutoCo
 	resp.Config.PrimaryDatacenter = ac.config.PrimaryDatacenter
 	resp.Config.NodeName = opts.NodeName
 	resp.Config.SegmentName = opts.SegmentName
 	resp.Config.Partition = opts.Partition
 	return nil
 }
@ -422,3 +433,10 @@ func mapstructureTranslateToProtobuf(in interface{}, out interface{}) error {
 	return decoder.Decode(in)
 }
 func printNodeName(nodeName, partition string) string {
 	if structs.IsDefaultPartition(partition) {
 		return nodeName
 	}
 	return partition + "/" + nodeName
 }
--- a/agent/consul/auto_config_endpoint_test.go
+++ b/agent/consul/auto_config_endpoint_test.go
@ -38,8 +38,8 @@ func (m *mockAutoConfigBackend) CreateACLToken(template *structs.ACLToken) (*str
 	return token, ret.Error(1)
 }
-func (m *mockAutoConfigBackend) DatacenterJoinAddresses(segment string) ([]string, error) {
+func (m *mockAutoConfigBackend) DatacenterJoinAddresses(partition, segment string) ([]string, error) {
-	ret := m.Called(segment)
+	ret := m.Called(partition, segment)
 	// this handles converting an untyped nil to a typed nil
 	addrs, _ := ret.Get(0).([]string)
 	return addrs, ret.Error(1)
@ -215,6 +215,8 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
 		err           string
 	}
 	defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
 	cases := map[string]testCase{
 		"wrong-datacenter": {
 			request: pbautoconf.AutoConfigRequest{
@ -304,6 +306,7 @@ func TestAutoConfigInitialConfiguration(t *testing.T) {
 				expectedID := connect.SpiffeIDAgent{
 					Host:       roots.TrustDomain,
 					Agent:      "test-node",
 					Partition:  defaultEntMeta.PartitionOrDefault(),
 					Datacenter: "dc1",
 				}
@ -836,7 +839,7 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
 func TestAutoConfig_updateJoinAddressesInConfig(t *testing.T) {
 	addrs := []string{"198.18.0.7:8300", "198.18.0.1:8300"}
 	backend := &mockAutoConfigBackend{}
-	backend.On("DatacenterJoinAddresses", "").Return(addrs, nil).Once()
+	backend.On("DatacenterJoinAddresses", "", "").Return(addrs, nil).Once()
 	ac := AutoConfig{backend: backend}
--- a/proto/pbautoconf/auto_config.pb.go
+++ b/proto/pbautoconf/auto_config.pb.go
@ -37,6 +37,8 @@ type AutoConfigRequest struct {
 	Node string `protobuf:"bytes,2,opt,name=Node,proto3" json:"Node,omitempty"`
 	// Segment is the network segment that the requester would like to join
 	Segment string `protobuf:"bytes,4,opt,name=Segment,proto3" json:"Segment,omitempty"`
 	// Partition is the partition that the requester would like to join
 	Partition string `protobuf:"bytes,8,opt,name=Partition,proto3" json:"Partition,omitempty"`
 	// JWT is a signed JSON Web Token used to authorize the request
 	JWT string `protobuf:"bytes,5,opt,name=JWT,proto3" json:"JWT,omitempty"`
 	// ConsulToken is a Consul ACL token that the agent requesting the
@ -104,6 +106,13 @@ func (m *AutoConfigRequest) GetSegment() string {
 	return ""
 }
 func (m *AutoConfigRequest) GetPartition() string {
 	if m != nil {
 		return m.Partition
 	}
 	return ""
 }
 func (m *AutoConfigRequest) GetJWT() string {
 	if m != nil {
 		return m.JWT
@ -212,29 +221,30 @@ func init() {
 }
 var fileDescriptor_ccc5af992e5daf69 = []byte{
-	// 347 bytes of a gzipped FileDescriptorProto
+	// 361 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x92, 0xc1, 0x4a, 0xc3, 0x30,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x92, 0xcf, 0x4a, 0xc3, 0x40,
-	0x18, 0xc7, 0x8d, 0x9b, 0x9b, 0x4b, 0x41, 0x66, 0x76, 0x09, 0x13, 0xcb, 0xd8, 0x41, 0x86, 0x48,
+	0x10, 0xc6, 0x8d, 0xad, 0xfd, 0xb3, 0x01, 0xa9, 0xdb, 0xcb, 0x52, 0x35, 0x94, 0x1e, 0xa4, 0x88,
-	0x2b, 0x13, 0xaf, 0xc2, 0x8c, 0x1e, 0xf4, 0xe0, 0x21, 0x1b, 0x08, 0x5e, 0xa4, 0xeb, 0xb2, 0xad,
+	0x24, 0x52, 0xf1, 0x2a, 0xd4, 0xe8, 0x41, 0x0f, 0x22, 0xdb, 0x82, 0xe0, 0x45, 0xd2, 0x74, 0xdb,
-	0xb8, 0x25, 0xb5, 0xf9, 0x02, 0x3e, 0x8a, 0x6f, 0xe0, 0xab, 0x78, 0xd4, 0x37, 0x90, 0xf9, 0x22,
+	0x06, 0xdb, 0x9d, 0x98, 0x9d, 0x80, 0x8f, 0xe2, 0x0b, 0x09, 0x1e, 0xf5, 0x0d, 0xa4, 0xbe, 0x88,
-	0xd2, 0xb4, 0x95, 0x20, 0x9e, 0xfa, 0xef, 0xff, 0xf7, 0xfb, 0xe0, 0x6b, 0x13, 0xdc, 0x4f, 0x33,
+	0x64, 0x93, 0xe8, 0x22, 0x9e, 0xf2, 0xe5, 0xf7, 0xfb, 0xe6, 0x30, 0x93, 0x90, 0x5e, 0x9c, 0x00,
-	0x05, 0x2a, 0x4c, 0xa7, 0x91, 0x01, 0x15, 0x2b, 0x39, 0x0f, 0xf3, 0xf0, 0x98, 0xa7, 0x64, 0x11,
+	0x82, 0x17, 0x4f, 0x82, 0x14, 0x21, 0x04, 0x39, 0xf3, 0xb2, 0xf0, 0x90, 0xa5, 0x68, 0xee, 0x6a,
-	0x58, 0x48, 0x76, 0x2b, 0xd6, 0x3d, 0xa8, 0xec, 0x82, 0x87, 0xae, 0xd6, 0x3d, 0x74, 0xa0, 0x14,
+	0x49, 0x1b, 0xa5, 0xeb, 0xec, 0x96, 0xed, 0xdc, 0x7b, 0x66, 0xad, 0xb3, 0x6f, 0x48, 0x29, 0x42,
-	0x31, 0x84, 0xe5, 0xb3, 0xc0, 0xfd, 0x37, 0x84, 0xf7, 0x47, 0x06, 0x14, 0xb3, 0x33, 0x5c, 0x3c,
+	0xf4, 0x8a, 0x67, 0xae, 0x7b, 0xaf, 0x16, 0xd9, 0x19, 0xa6, 0x08, 0xbe, 0x9e, 0xe1, 0xe2, 0x29,
-	0x1b, 0xa1, 0x81, 0xf8, 0x18, 0x5f, 0x45, 0x10, 0xc5, 0x42, 0x82, 0xc8, 0x28, 0xea, 0xa1, 0x41,
+	0x15, 0x0a, 0xa9, 0x43, 0xc8, 0x45, 0x80, 0x41, 0x28, 0x24, 0x8a, 0x84, 0x59, 0x5d, 0xab, 0xdf,
-	0x8b, 0x3b, 0x0d, 0x21, 0xb8, 0x7e, 0xa7, 0x66, 0x82, 0x6e, 0x5b, 0x62, 0x33, 0xa1, 0xb8, 0x39,
+	0xe4, 0x06, 0xa1, 0x94, 0x54, 0x6f, 0x60, 0x2a, 0xd8, 0xa6, 0x36, 0x3a, 0x53, 0x46, 0xea, 0x23,
-	0x16, 0x8b, 0xb5, 0x90, 0x40, 0xeb, 0xb6, 0xae, 0x5e, 0x49, 0x1b, 0xd7, 0x6e, 0xef, 0x27, 0x74,
+	0x31, 0x5f, 0x09, 0x89, 0xac, 0xaa, 0x71, 0xf9, 0x4a, 0xf7, 0x48, 0xf3, 0x36, 0x48, 0x30, 0xc2,
-	0xc7, 0xb6, 0x79, 0x24, 0x3d, 0xec, 0x31, 0x25, 0xb5, 0x59, 0x4d, 0xd4, 0x93, 0x90, 0xb4, 0x61,
+	0x08, 0x24, 0x6b, 0x68, 0xf7, 0x0b, 0x68, 0x8b, 0x54, 0xae, 0xef, 0xc6, 0x6c, 0x4b, 0xf3, 0x2c,
-	0x89, 0x5b, 0xe5, 0x33, 0x6c, 0xcc, 0x69, 0xb3, 0x98, 0x61, 0x63, 0xde, 0xff, 0x44, 0x98, 0xb8,
+	0xd2, 0x2e, 0xb1, 0x7d, 0x90, 0x2a, 0x5d, 0x8e, 0xe1, 0x51, 0x48, 0x56, 0xd3, 0xc6, 0x44, 0xd9,
-	0x9b, 0xea, 0x54, 0x49, 0x2d, 0xc8, 0x11, 0x6e, 0x14, 0x8d, 0x5d, 0xd3, 0x1b, 0xee, 0x05, 0xe5,
+	0x8c, 0x3f, 0xe2, 0xac, 0x9e, 0xcf, 0xf8, 0x23, 0xde, 0xfb, 0xb0, 0x08, 0x35, 0xf7, 0x50, 0x31,
-	0xe7, 0x97, 0x5e, 0x49, 0xc9, 0x31, 0x6e, 0xb2, 0x11, 0x57, 0x0a, 0xb4, 0xdd, 0xda, 0x1b, 0xb6,
+	0x48, 0x25, 0xe8, 0x01, 0xa9, 0xe5, 0x44, 0x2f, 0x61, 0x0f, 0xb6, 0xdd, 0xe2, 0x38, 0x45, 0xaf,
-	0x83, 0xea, 0x4f, 0x94, 0x3d, 0xaf, 0x04, 0x72, 0x8e, 0x3d, 0x26, 0x32, 0x48, 0xe6, 0x49, 0x1c,
+	0xb0, 0xf4, 0x90, 0xd4, 0xfd, 0x21, 0x07, 0x40, 0xa5, 0x77, 0xb2, 0x07, 0x2d, 0xb7, 0xbc, 0x53,
-	0x81, 0xa0, 0x35, 0xeb, 0x77, 0x7e, 0xfd, 0x1b, 0xad, 0x8d, 0x98, 0xe5, 0x06, 0x77, 0x3d, 0x72,
+	0xc1, 0x79, 0x59, 0xa0, 0xa7, 0xc4, 0xf6, 0x45, 0x82, 0xd1, 0x2c, 0x0a, 0x03, 0x14, 0xac, 0xa2,
-	0x8a, 0x3b, 0xd7, 0x2f, 0x90, 0x45, 0x6c, 0xe4, 0xb4, 0x9a, 0xd6, 0x7b, 0xb5, 0x41, 0x8b, 0xff,
+	0xfb, 0xed, 0x9f, 0xfe, 0x95, 0x52, 0xa9, 0x98, 0x66, 0x0d, 0x6e, 0xf6, 0xe8, 0x31, 0x69, 0x5f,
-	0x87, 0x2e, 0x2f, 0xde, 0x37, 0x3e, 0xfa, 0xd8, 0xf8, 0xe8, 0x6b, 0xe3, 0xa3, 0xd7, 0x6f, 0x7f,
+	0x3e, 0x63, 0x12, 0xf8, 0x43, 0x83, 0x2a, 0x56, 0xed, 0x56, 0xfa, 0x4d, 0xfe, 0x9f, 0x3a, 0x3f,
-	0xeb, 0xe1, 0x64, 0x91, 0xc0, 0xd2, 0x4c, 0x83, 0x58, 0xad, 0xc3, 0x65, 0xa4, 0x97, 0x49, 0xac,
+	0x7b, 0x5b, 0x3b, 0xd6, 0xfb, 0xda, 0xb1, 0x3e, 0xd7, 0x8e, 0xf5, 0xf2, 0xe5, 0x6c, 0xdc, 0x1f,
-	0xb2, 0x34, 0x3f, 0x33, 0x6d, 0x56, 0xe1, 0xdf, 0x5b, 0x31, 0x6d, 0xd8, 0xe6, 0xec, 0x27, 0x00,
+	0xcd, 0x23, 0x5c, 0xa4, 0x13, 0x37, 0x84, 0x95, 0xb7, 0x08, 0xd4, 0x22, 0x0a, 0x21, 0x89, 0xb3,
-	0x00, 0xff, 0xff, 0xe2, 0x1d, 0x6e, 0x48, 0x30, 0x02, 0x00, 0x00,
+	0x2f, 0xaa, 0xd2, 0xa5, 0xf7, 0xf7, 0x9f, 0x99, 0xd4, 0x34, 0x39, 0xf9, 0x0e, 0x00, 0x00, 0xff,
 	0xff, 0x65, 0x57, 0x2e, 0x30, 0x4e, 0x02, 0x00, 0x00,
 }
 func (m *AutoConfigRequest) Marshal() (dAtA []byte, err error) {
@ -261,6 +271,13 @@ func (m *AutoConfigRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
 	if len(m.Partition) > 0 {
 		i -= len(m.Partition)
 		copy(dAtA[i:], m.Partition)
 		i = encodeVarintAutoConfig(dAtA, i, uint64(len(m.Partition)))
 		i--
 		dAtA[i] = 0x42
 	}
 	if len(m.CSR) > 0 {
 		i -= len(m.CSR)
 		copy(dAtA[i:], m.CSR)
@ -419,6 +436,10 @@ func (m *AutoConfigRequest) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovAutoConfig(uint64(l))
 	}
 	l = len(m.Partition)
 	if l > 0 {
 		n += 1 + l + sovAutoConfig(uint64(l))
 	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@ -682,6 +703,38 @@ func (m *AutoConfigRequest) Unmarshal(dAtA []byte) error {
 			}
 			m.CSR = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 8:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field Partition", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowAutoConfig
 				}
 				if iNdEx >= l {
 					return io.ErrUnexpectedEOF
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
 				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
 			intStringLen := int(stringLen)
 			if intStringLen < 0 {
 				return ErrInvalidLengthAutoConfig
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthAutoConfig
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
 			m.Partition = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipAutoConfig(dAtA[iNdEx:])
--- a/proto/pbautoconf/auto_config.proto
+++ b/proto/pbautoconf/auto_config.proto
@ -7,7 +7,7 @@ option go_package = "github.com/hashicorp/consul/proto/pbautoconf";
 import "proto/pbconfig/config.proto";
 import "proto/pbconnect/connect.proto";
-// AutoConfigRequest is the data structure to be sent along with the 
+// AutoConfigRequest is the data structure to be sent along with the
 // AutoConfig.InitialConfiguration RPC
 message AutoConfigRequest {
   // Datacenter is the local datacenter name. This wont actually be set by clients
@ -15,21 +15,24 @@ message AutoConfigRequest {
   // the leader. If it ever happens to be set and differs from the local datacenters
   // name then an error should be returned.
   string Datacenter = 1;
-   
+
   // Node is the node name that the requester would like to assume
   // the identity of.
   string Node = 2;
-   
+
   // Segment is the network segment that the requester would like to join
   string Segment = 4;
   // Partition is the partition that the requester would like to join
   string Partition = 8;
   // JWT is a signed JSON Web Token used to authorize the request
   string JWT = 5;
-   
+
   // ConsulToken is a Consul ACL token that the agent requesting the
   // configuration already has.
   string ConsulToken = 6;
-   
+
   // CSR is a certificate signing request to be used when generating the
   // agents TLS certificate
   string CSR = 7;
@ -39,13 +42,13 @@ message AutoConfigRequest {
 message AutoConfigResponse {
   // Config is the partial Consul configuration to inject into the agents own configuration
   config.Config Config = 1;
-   
+
   // CARoots is the current list of Connect CA Roots
   connect.CARoots CARoots = 2;
   // Certificate is the TLS certificate issued for the agent
   connect.IssuedCert Certificate = 3;
-   
+
   // ExtraCACertificates holds non-Connect certificates that may be necessary
   // to verify TLS connections with the Consul servers
   repeated string ExtraCACertificates = 4;
-}
+}
--- a/proto/pbautoconf/auto_config_oss.go
+++ b/proto/pbautoconf/auto_config_oss.go
@ -0,0 +1,8 @@
 //go:build !consulent
 // +build !consulent
 package pbautoconf
 func (req *AutoConfigRequest) PartitionOrDefault() string {
 	return ""
 }
--- a/proto/pbconfig/config.pb.go
+++ b/proto/pbconfig/config.pb.go
@ -27,6 +27,7 @@ type Config struct {
 	PrimaryDatacenter    string       `protobuf:"bytes,2,opt,name=PrimaryDatacenter,proto3" json:"PrimaryDatacenter,omitempty"`
 	NodeName             string       `protobuf:"bytes,3,opt,name=NodeName,proto3" json:"NodeName,omitempty"`
 	SegmentName          string       `protobuf:"bytes,4,opt,name=SegmentName,proto3" json:"SegmentName,omitempty"`
 	Partition            string       `protobuf:"bytes,9,opt,name=Partition,proto3" json:"Partition,omitempty"`
 	ACL                  *ACL         `protobuf:"bytes,5,opt,name=ACL,proto3" json:"ACL,omitempty"`
 	AutoEncrypt          *AutoEncrypt `protobuf:"bytes,6,opt,name=AutoEncrypt,proto3" json:"AutoEncrypt,omitempty"`
 	Gossip               *Gossip      `protobuf:"bytes,7,opt,name=Gossip,proto3" json:"Gossip,omitempty"`
@ -97,6 +98,13 @@ func (m *Config) GetSegmentName() string {
 	return ""
 }
 func (m *Config) GetPartition() string {
 	if m != nil {
 		return m.Partition
 	}
 	return ""
 }
 func (m *Config) GetACL() *ACL {
 	if m != nil {
 		return m.ACL
@ -679,58 +687,58 @@ func init() {
 func init() { proto.RegisterFile("proto/pbconfig/config.proto", fileDescriptor_aefa824db7b74d77) }
 var fileDescriptor_aefa824db7b74d77 = []byte{
-	// 802 bytes of a gzipped FileDescriptorProto
+	// 811 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x55, 0xdd, 0x8e, 0x22, 0x45,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x55, 0xdb, 0x8e, 0xe3, 0x44,
-	0x14, 0xb6, 0xa7, 0x77, 0x7a, 0x86, 0x83, 0x6e, 0x76, 0x6b, 0x57, 0xec, 0xf8, 0x83, 0xa4, 0x63,
+	0x10, 0xc5, 0xe3, 0x1d, 0xcf, 0xa4, 0x02, 0xab, 0xdd, 0xde, 0x25, 0x58, 0x5c, 0x42, 0x64, 0xa1,
-	0x36, 0xa3, 0x31, 0x83, 0xc1, 0x68, 0xd4, 0x78, 0xc3, 0xc0, 0x46, 0x71, 0x01, 0x49, 0x37, 0xae,
+	0xd5, 0x80, 0xd0, 0x0c, 0x1a, 0x04, 0x02, 0xc4, 0x4b, 0x26, 0x59, 0x41, 0xd8, 0x24, 0x44, 0x76,
-	0x89, 0x37, 0xa6, 0x69, 0x0e, 0x50, 0xb1, 0xa9, 0xea, 0x54, 0x17, 0x3b, 0xe1, 0x4d, 0x7c, 0x0d,
+	0x58, 0x24, 0x5e, 0x90, 0xe3, 0x54, 0x92, 0x16, 0x4e, 0xb7, 0xd5, 0xee, 0xec, 0x28, 0x7f, 0xc2,
-	0xaf, 0x7d, 0x01, 0x2f, 0x7d, 0x04, 0x1d, 0x5f, 0xc0, 0x47, 0x30, 0xf5, 0xd3, 0x4d, 0xf7, 0x08,
+	0xbf, 0xf0, 0x03, 0xbc, 0xc1, 0x27, 0xc0, 0xf0, 0x03, 0x7c, 0x02, 0xea, 0x8b, 0x6f, 0x43, 0xf2,
-	0x57, 0x70, 0xbe, 0xef, 0xab, 0x53, 0xe7, 0xaf, 0x4e, 0xc3, 0x3b, 0x99, 0xe0, 0x92, 0x77, 0xb3,
+	0x94, 0xd4, 0x39, 0xa7, 0xab, 0xab, 0xba, 0x2e, 0x86, 0x77, 0x32, 0xc1, 0x25, 0xbf, 0xca, 0x16,
-	0x45, 0xc2, 0xd9, 0x8a, 0xae, 0xbb, 0xe6, 0xe7, 0x5a, 0xa3, 0xc4, 0x33, 0x56, 0xf0, 0xdb, 0x19,
+	0x09, 0x67, 0x2b, 0xba, 0xbe, 0x32, 0x3f, 0x97, 0x1a, 0x25, 0x9e, 0xb1, 0x82, 0x3f, 0x4e, 0xc0,
-	0x78, 0x03, 0xfd, 0x97, 0xb4, 0x01, 0x86, 0xb1, 0x8c, 0x13, 0x64, 0x12, 0x85, 0xef, 0x74, 0x9c,
+	0x1b, 0xe8, 0xbf, 0xa4, 0x0b, 0x30, 0x8c, 0x65, 0x9c, 0x20, 0x93, 0x28, 0x7c, 0xa7, 0xe7, 0x5c,
-	0xab, 0x46, 0x58, 0x41, 0xc8, 0xc7, 0xf0, 0x78, 0x26, 0xe8, 0x36, 0x16, 0xfb, 0x8a, 0xec, 0x4c,
+	0xb4, 0xc2, 0x1a, 0x42, 0x3e, 0x86, 0xc7, 0x33, 0x41, 0xb7, 0xb1, 0xd8, 0xd7, 0x64, 0x27, 0x5a,
-	0xcb, 0xfe, 0x4f, 0x90, 0xb7, 0xe1, 0x72, 0xca, 0x97, 0x38, 0x8d, 0xb7, 0xe8, 0xbb, 0x5a, 0x54,
+	0xf6, 0x7f, 0x82, 0xbc, 0x0d, 0xe7, 0x53, 0xbe, 0xc4, 0x69, 0xbc, 0x45, 0xdf, 0xd5, 0xa2, 0xd2,
-	0xda, 0xa4, 0x03, 0xcd, 0x08, 0xd7, 0x5b, 0x64, 0x52, 0xd3, 0x0f, 0x34, 0x5d, 0x85, 0xc8, 0x7b,
+	0x26, 0x3d, 0x68, 0x47, 0xb8, 0xde, 0x22, 0x93, 0x9a, 0x7e, 0xa0, 0xe9, 0x3a, 0x44, 0xde, 0x85,
-	0xe0, 0xf6, 0x07, 0x63, 0xff, 0xbc, 0xe3, 0x5c, 0x35, 0x7b, 0xcd, 0x6b, 0x1b, 0x7a, 0x7f, 0x30,
+	0xd6, 0x2c, 0x16, 0x92, 0x4a, 0xca, 0x99, 0xdf, 0xd2, 0x7c, 0x05, 0x90, 0xf7, 0xc0, 0xed, 0x0f,
-	0x0e, 0x15, 0x4e, 0x3e, 0x83, 0x66, 0x7f, 0x27, 0xf9, 0x73, 0x96, 0x88, 0x7d, 0x26, 0x7d, 0x4f,
+	0xc6, 0xfe, 0x69, 0xcf, 0xb9, 0x68, 0x5f, 0xb7, 0x2f, 0x6d, 0x62, 0xfd, 0xc1, 0x38, 0x54, 0x38,
-	0xcb, 0x9e, 0x94, 0xb2, 0x03, 0x15, 0x56, 0x75, 0xe4, 0x19, 0x78, 0xdf, 0xf0, 0x3c, 0xa7, 0x99,
+	0xf9, 0x0c, 0xda, 0xfd, 0x9d, 0xe4, 0xcf, 0x59, 0x22, 0xf6, 0x99, 0xf4, 0x3d, 0x2d, 0x7b, 0x52,
-	0x7f, 0xa1, 0x4f, 0x3c, 0x2c, 0x4e, 0x18, 0x34, 0xb4, 0xac, 0xba, 0x7d, 0x3e, 0x8e, 0xfc, 0xcb,
+	0xca, 0x2a, 0x2a, 0xac, 0xeb, 0xc8, 0x33, 0xf0, 0xbe, 0xe1, 0x79, 0x4e, 0x33, 0xff, 0x4c, 0x9f,
-	0xfa, 0xed, 0xf3, 0x71, 0x14, 0x2a, 0x3c, 0x58, 0x15, 0x6e, 0xc8, 0x17, 0x00, 0xd6, 0x37, 0xe5,
+	0x78, 0x58, 0x9c, 0x30, 0x68, 0x68, 0x59, 0x75, 0xfb, 0x7c, 0x1c, 0xf9, 0xe7, 0xcd, 0xdb, 0xe7,
-	0x4c, 0x97, 0xac, 0xd9, 0xf3, 0xeb, 0x4e, 0x0f, 0x7c, 0x58, 0xd1, 0x92, 0x00, 0x5e, 0x0f, 0x51,
+	0xe3, 0x28, 0x54, 0x78, 0xb0, 0x2a, 0xdc, 0x90, 0x2f, 0x00, 0xac, 0x6f, 0x95, 0x85, 0xa3, 0xf5,
-	0x8a, 0xfd, 0x77, 0x9c, 0xb2, 0x71, 0x7f, 0xea, 0x9f, 0x75, 0xdc, 0xab, 0x46, 0x58, 0xc3, 0x02,
+	0x7e, 0xd3, 0x69, 0xc5, 0x87, 0x35, 0x2d, 0x09, 0xe0, 0xf5, 0x10, 0xa5, 0xd8, 0x7f, 0xc7, 0x29,
-	0x09, 0x8f, 0xee, 0xfb, 0x20, 0x8f, 0xc0, 0x7d, 0x81, 0x7b, 0xdb, 0x1d, 0xf5, 0x97, 0x3c, 0x83,
+	0x1b, 0xf7, 0xa7, 0xfe, 0x49, 0xcf, 0xbd, 0x68, 0x85, 0x0d, 0x2c, 0x90, 0xf0, 0xe8, 0xbe, 0x0f,
-	0x87, 0x2f, 0x51, 0xd0, 0xd5, 0x7e, 0xc4, 0x12, 0xbe, 0xa5, 0x6c, 0xad, 0x7b, 0x72, 0x19, 0xde,
+	0xf2, 0x08, 0xdc, 0x17, 0xb8, 0xb7, 0xb5, 0x53, 0x7f, 0xc9, 0x33, 0x78, 0xf8, 0x12, 0x05, 0x5d,
-	0x43, 0x0f, 0xba, 0xef, 0x77, 0x72, 0xcd, 0x95, 0xce, 0xad, 0xea, 0x0a, 0x34, 0xf8, 0xdb, 0xd1,
+	0xed, 0x47, 0x2c, 0xe1, 0x5b, 0xca, 0xd6, 0xba, 0x62, 0xe7, 0xe1, 0x3d, 0xb4, 0xd2, 0x7d, 0xbf,
-	0xd9, 0x1f, 0xd1, 0x3b, 0xc7, 0xf4, 0xa4, 0x07, 0x4f, 0x0d, 0x12, 0xa1, 0x78, 0x85, 0xe2, 0x5b,
+	0x93, 0x6b, 0xae, 0x74, 0x6e, 0x5d, 0x57, 0xa0, 0xc1, 0xdf, 0x8e, 0xce, 0xfe, 0x80, 0xde, 0x39,
-	0x9e, 0x4b, 0xa6, 0xba, 0x6a, 0xa2, 0x38, 0xca, 0xa9, 0xec, 0x07, 0x34, 0xdb, 0xa0, 0x88, 0x76,
+	0xa4, 0x27, 0xd7, 0xf0, 0xd4, 0x20, 0x11, 0x8a, 0x57, 0x28, 0xbe, 0xe5, 0xb9, 0x64, 0xaa, 0xe6,
-	0x54, 0x62, 0x6e, 0x07, 0xa4, 0x86, 0xa9, 0x71, 0x9c, 0x50, 0xf6, 0x12, 0x45, 0xae, 0x6a, 0x6b,
+	0x26, 0x8a, 0x83, 0x9c, 0xca, 0x7e, 0x40, 0xb3, 0x0d, 0x8a, 0x68, 0x47, 0x25, 0xe6, 0xb6, 0x7d,
-	0x66, 0xa4, 0x82, 0x90, 0xaf, 0xc0, 0x9f, 0x09, 0x5c, 0xa1, 0x30, 0xbe, 0x6b, 0xfe, 0xce, 0xf5,
+	0x1a, 0x98, 0x6a, 0xd6, 0x09, 0x65, 0x2f, 0x51, 0xe4, 0xea, 0x6d, 0x4d, 0x07, 0xd5, 0x10, 0xf2,
-	0xdd, 0x27, 0xf9, 0xe0, 0x77, 0x57, 0xcf, 0x17, 0xf1, 0xe1, 0xe2, 0x39, 0x8b, 0x17, 0x29, 0x2e,
+	0x15, 0xf8, 0x33, 0x81, 0x2b, 0x14, 0xc6, 0x77, 0xc3, 0xdf, 0xa9, 0xbe, 0xfb, 0x28, 0x1f, 0xfc,
-	0x6d, 0x72, 0x85, 0x49, 0xde, 0x85, 0xc6, 0x8c, 0xa7, 0x34, 0xd9, 0xcf, 0xe7, 0x63, 0x3b, 0xe4,
+	0xe6, 0xea, 0xfe, 0x22, 0x3e, 0x9c, 0x3d, 0x67, 0xf1, 0x22, 0xc5, 0xa5, 0x4d, 0xae, 0x30, 0x75,
-	0x07, 0x40, 0x9d, 0x0b, 0x79, 0x8a, 0x8a, 0x33, 0xa1, 0x17, 0xa6, 0x1a, 0xfb, 0x39, 0xff, 0x05,
+	0x7b, 0xf2, 0x94, 0x26, 0xfb, 0xf9, 0x7c, 0x6c, 0x47, 0xa0, 0x02, 0xd4, 0xb9, 0x90, 0xa7, 0xa8,
-	0x99, 0xa2, 0x4c, 0xcc, 0xa5, 0xad, 0x1f, 0x18, 0xbf, 0x65, 0xc6, 0x8d, 0x8e, 0x51, 0x3d, 0xb0,
+	0x38, 0x13, 0x7a, 0x61, 0xaa, 0xa1, 0x98, 0xf3, 0x5f, 0x90, 0x29, 0xca, 0xc4, 0x5c, 0xda, 0x7a,
-	0x12, 0x21, 0x1f, 0xc0, 0x1b, 0x43, 0x5c, 0xc5, 0xbb, 0x54, 0x5a, 0x89, 0xa7, 0x25, 0x75, 0x90,
+	0xfc, 0xf8, 0x2d, 0x33, 0x6e, 0x74, 0x8c, 0x6a, 0xfc, 0x4a, 0x84, 0x7c, 0x00, 0x6f, 0x0c, 0x71,
-	0x7c, 0x02, 0x4f, 0x4c, 0x90, 0x2f, 0x70, 0x3f, 0xa6, 0x79, 0xa1, 0xbd, 0xd0, 0xf1, 0x1f, 0xa3,
+	0x15, 0xef, 0x52, 0x69, 0x25, 0x9e, 0x96, 0x34, 0x41, 0xf2, 0x09, 0x3c, 0x31, 0x41, 0xbe, 0xc0,
-	0xc8, 0x87, 0xe0, 0xe9, 0x18, 0x72, 0x3b, 0xd1, 0x8f, 0x2b, 0xef, 0xc9, 0x10, 0xa1, 0x15, 0x90,
+	0xfd, 0x98, 0xe6, 0x85, 0xf6, 0x4c, 0xc7, 0x7f, 0x88, 0x22, 0x1f, 0x82, 0xa7, 0x63, 0xc8, 0x6d,
-	0x2f, 0xa1, 0x35, 0xc4, 0x4c, 0x60, 0x12, 0x4b, 0x5c, 0xfe, 0x3c, 0xa4, 0xb9, 0xae, 0x86, 0x4a,
+	0x47, 0x3f, 0xae, 0xcd, 0x93, 0x21, 0x42, 0x2b, 0x20, 0x5f, 0x42, 0x67, 0x88, 0x99, 0xc0, 0x24,
-	0xa6, 0xa1, 0x62, 0xb9, 0x39, 0xf3, 0x9d, 0xf0, 0xcd, 0x83, 0xa2, 0x22, 0x20, 0x9f, 0x43, 0xcb,
+	0x96, 0xb8, 0xfc, 0x79, 0x48, 0x73, 0xfd, 0x1a, 0x2a, 0x19, 0x3d, 0xa2, 0x37, 0x27, 0xbe, 0x13,
-	0x5c, 0xae, 0x5d, 0xcd, 0x54, 0x97, 0x72, 0x89, 0x2c, 0x41, 0x1f, 0x74, 0x68, 0x27, 0x58, 0x95,
+	0xbe, 0x59, 0x29, 0x6a, 0x02, 0xf2, 0x39, 0x74, 0xcc, 0xe5, 0xda, 0xd5, 0x4c, 0x55, 0x29, 0x97,
-	0xcf, 0x24, 0x9a, 0x59, 0x4f, 0x37, 0x9c, 0xcb, 0x5c, 0x8a, 0x38, 0xf3, 0x9b, 0x26, 0x9f, 0x23,
+	0xc8, 0x12, 0xf4, 0x41, 0x87, 0x76, 0x84, 0x55, 0xf9, 0x4c, 0xa2, 0x99, 0xf5, 0x74, 0xc3, 0xb9,
-	0x54, 0xf0, 0xaf, 0x03, 0x8d, 0x32, 0x74, 0xd2, 0x02, 0x6f, 0x12, 0xe7, 0x87, 0x95, 0x65, 0x2d,
+	0xcc, 0xa5, 0x88, 0x33, 0xbf, 0x6d, 0xf2, 0x39, 0x40, 0x05, 0xff, 0x3a, 0xd0, 0x2a, 0x43, 0x27,
-	0xb5, 0x64, 0x42, 0xcc, 0x52, 0x9a, 0xc4, 0xfa, 0x71, 0x9a, 0x1e, 0x56, 0x21, 0xa5, 0xe8, 0xaf,
+	0x1d, 0xf0, 0x26, 0x71, 0x5e, 0x2d, 0x34, 0x6b, 0xa9, 0x15, 0x14, 0x62, 0x96, 0xd2, 0x24, 0xd6,
-	0x91, 0x49, 0x7b, 0xdc, 0x74, 0xb2, 0x0a, 0xa9, 0x3e, 0xdb, 0xe2, 0xdb, 0x66, 0x16, 0x26, 0x79,
+	0xc3, 0x69, 0x6a, 0x58, 0x87, 0x94, 0xa2, 0xbf, 0x46, 0x26, 0xed, 0x71, 0x53, 0xc9, 0x3a, 0xa4,
-	0x0a, 0xe7, 0x5a, 0x68, 0xdb, 0x68, 0x0c, 0xf2, 0x23, 0xb4, 0x26, 0x31, 0x8b, 0xd7, 0xb8, 0x54,
+	0xea, 0x6c, 0x1f, 0xdf, 0x16, 0xb3, 0x30, 0xc9, 0x53, 0x38, 0xd5, 0x42, 0x5b, 0x46, 0x63, 0x90,
-	0x43, 0x47, 0x13, 0x9c, 0x09, 0xfe, 0x8a, 0x2e, 0x51, 0xf8, 0x5e, 0xc7, 0xbd, 0x6a, 0xf6, 0xde,
+	0x1f, 0xa1, 0x33, 0x89, 0x59, 0xbc, 0xc6, 0xa5, 0x6a, 0x3a, 0x9a, 0xe0, 0x4c, 0xf0, 0x57, 0x74,
-	0xaf, 0x54, 0xfe, 0x9e, 0x42, 0x67, 0x13, 0x9e, 0x38, 0x1e, 0xfc, 0x00, 0x6f, 0x9d, 0x38, 0xa2,
+	0x89, 0xc2, 0xf7, 0x7a, 0xee, 0x45, 0xfb, 0xfa, 0xfd, 0xda, 0xcb, 0xdf, 0x53, 0xe8, 0x6c, 0xc2,
-	0xa6, 0xaa, 0x9f, 0x24, 0x98, 0xe7, 0x5c, 0x8c, 0x86, 0xc5, 0xda, 0x3e, 0x20, 0x6a, 0x22, 0x23,
+	0x23, 0xc7, 0x83, 0x1f, 0xe0, 0xad, 0x23, 0x47, 0x54, 0x57, 0xf5, 0x93, 0x04, 0xf3, 0x9c, 0x8b,
-	0x4c, 0x04, 0xca, 0xd1, 0xd0, 0x16, 0xa1, 0xb4, 0x03, 0x5a, 0xdb, 0xa3, 0x6a, 0xb9, 0xa8, 0xbd,
+	0xd1, 0xb0, 0x58, 0xea, 0x15, 0xa2, 0x3a, 0x32, 0xc2, 0x44, 0xa0, 0x1c, 0x0d, 0xed, 0x23, 0x94,
-	0x67, 0x9e, 0x82, 0x5e, 0x02, 0x2d, 0xf0, 0x86, 0xd3, 0x28, 0x2a, 0x17, 0x94, 0xb5, 0x54, 0xfa,
+	0x76, 0x40, 0x1b, 0x7b, 0x54, 0x2d, 0x17, 0xb5, 0xf7, 0xcc, 0x28, 0xe8, 0x25, 0xd0, 0x01, 0x6f,
-	0xa3, 0x99, 0x82, 0x5d, 0x0d, 0x1b, 0x43, 0x5d, 0xd5, 0x4f, 0x53, 0x7e, 0xab, 0x9c, 0x3c, 0xd0,
+	0x38, 0x8d, 0xa2, 0x72, 0x41, 0x59, 0x4b, 0xa5, 0x3f, 0x9a, 0x29, 0xd8, 0xd5, 0xb0, 0x31, 0xd4,
-	0x4e, 0x4a, 0xfb, 0xe6, 0xeb, 0x3f, 0xee, 0xda, 0xce, 0x9f, 0x77, 0x6d, 0xe7, 0xaf, 0xbb, 0xb6,
+	0x55, 0xfd, 0x34, 0xe5, 0xb7, 0xca, 0xc9, 0x03, 0xed, 0xa4, 0xb4, 0x6f, 0xbe, 0xfe, 0xfd, 0xae,
-	0xf3, 0xeb, 0x3f, 0xed, 0xd7, 0x7e, 0xfa, 0x68, 0x4d, 0xe5, 0x66, 0xb7, 0xb8, 0x4e, 0xf8, 0xb6,
+	0xeb, 0xfc, 0x79, 0xd7, 0x75, 0xfe, 0xba, 0xeb, 0x3a, 0xbf, 0xfe, 0xd3, 0x7d, 0xed, 0xa7, 0x8f,
-	0xbb, 0x89, 0xf3, 0x0d, 0x4d, 0xb8, 0xc8, 0xd4, 0x57, 0x2a, 0xdf, 0xa5, 0xdd, 0xfa, 0xb7, 0x6b,
+	0xd6, 0x54, 0x6e, 0x76, 0x8b, 0xcb, 0x84, 0x6f, 0xaf, 0x36, 0x71, 0xbe, 0xa1, 0x09, 0x17, 0x99,
-	0xe1, 0x69, 0xfb, 0xd3, 0xff, 0x02, 0x00, 0x00, 0xff, 0xff, 0x54, 0x4a, 0x4e, 0xf1, 0xd4, 0x06,
+	0xfa, 0x86, 0xe5, 0xbb, 0xf4, 0xaa, 0xf9, 0x65, 0x5b, 0x78, 0xda, 0xfe, 0xf4, 0xbf, 0x00, 0x00,
-	0x00, 0x00,
+	0x00, 0xff, 0xff, 0x2f, 0xdd, 0x30, 0x50, 0xf2, 0x06, 0x00, 0x00,
 }
 func (m *Config) Marshal() (dAtA []byte, err error) {
@ -757,6 +765,13 @@ func (m *Config) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
 	if len(m.Partition) > 0 {
 		i -= len(m.Partition)
 		copy(dAtA[i:], m.Partition)
 		i = encodeVarintConfig(dAtA, i, uint64(len(m.Partition)))
 		i--
 		dAtA[i] = 0x4a
 	}
 	if m.TLS != nil {
 		{
 			size, err := m.TLS.MarshalToSizedBuffer(dAtA[:i])
@ -1361,6 +1376,10 @@ func (m *Config) Size() (n int) {
 		l = m.TLS.Size()
 		n += 1 + l + sovConfig(uint64(l))
 	}
 	l = len(m.Partition)
 	if l > 0 {
 		n += 1 + l + sovConfig(uint64(l))
 	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@ -1887,6 +1906,38 @@ func (m *Config) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
 		case 9:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field Partition", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowConfig
 				}
 				if iNdEx >= l {
 					return io.ErrUnexpectedEOF
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
 				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
 			intStringLen := int(stringLen)
 			if intStringLen < 0 {
 				return ErrInvalidLengthConfig
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthConfig
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
 			m.Partition = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipConfig(dAtA[iNdEx:])
--- a/proto/pbconfig/config.proto
+++ b/proto/pbconfig/config.proto
@ -9,6 +9,7 @@ message Config {
   string      PrimaryDatacenter = 2;
   string      NodeName = 3;
   string      SegmentName = 4;
   string      Partition = 9;
   ACL         ACL = 5;
   AutoEncrypt AutoEncrypt = 6;
   Gossip      Gossip = 7;
@ -69,4 +70,4 @@ message AutoEncrypt {
   repeated string DNSSAN = 2;
   repeated string IPSAN = 3;
   bool            AllowTLS = 4;
-}
+}
--- a/website/content/docs/agent/options.mdx
+++ b/website/content/docs/agent/options.mdx
@ -1065,6 +1065,8 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
        - `segment` <EnterpriseAlert inline /> - The network segment name the client is requesting.
        - `partition` <EnterpriseAlert inline /> - The admin partition name the client is requesting.
 - `auto_encrypt` This object allows setting options for the `auto_encrypt` feature.
  The following sub-keys are available: