local: default to the agent token instead of the user token

When de-registering in anti-entropy sync, when there is no service or check token. The agent token will fall back to the default (aka user) token if no agent token is set, so the existing behaviour still works, but it will prefer the agent token over the user token if both are set. ref: https://www.consul.io/docs/agent/options#acl_tokens The agent token seems more approrpiate in this case, since this is an "internal operation", not something initiated by the user.
2021-02-01 17:40:21 -05:00 · 2021-02-01 17:40:21 -05:00 · 76a365d410
parent 74c3b69632
commit 76a365d410
2 changed files with 5 additions and 2 deletions
--- a/.changelog/9683.txt
+++ b/.changelog/9683.txt
@ -0,0 +1,3 @@
+```release-notes:improvement
+client: when a client agent is attempting to dereigster a service, anddoes not have access to the ACL token used to register a service, attempt to use the agent token instead of the default user token. If no agent token is set, fall back to the default user token.
+```
--- a/agent/local/state.go
+++ b/agent/local/state.go
@ -243,7 +243,7 @@ func (l *State) serviceToken(id structs.ServiceID) string {
 		token = s.Token
 	}
 	if token == "" {
-		token = l.tokens.UserToken()
+		token = l.tokens.AgentToken()
 	}
 	return token
 }
@ -457,7 +457,7 @@ func (l *State) checkToken(id structs.CheckID) string {
 		token = c.Token
 	}
 	if token == "" {
-		token = l.tokens.UserToken()
+		token = l.tokens.AgentToken()
 	}
 	return token
 }