Backport of Fix duplicate key in connect-inject ACL policy into relea…

…se/1.5.x (#4436) * backport of commit 8852d07 * backport of commit 10a2592 * backport of commit f420441 * backport of commit 9babfc1 --------- Co-authored-by: Nathan Coleman <[email protected]>
hashicorp · Nov 28, 2024 · f5b0a9f · f5b0a9f
1 parent 4e8cf61
commit f5b0a9f
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 8 deletions.
diff --git a/.changelog/4434.txt b/.changelog/4434.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+connect-inject: fix issue where the ACL policy for the connect-injector included the `acl = "write"` rule twice when namespaces were not enabled.
+```
diff --git a/control-plane/subcommand/server-acl-init/rules.go b/control-plane/subcommand/server-acl-init/rules.go
@@ -310,11 +310,11 @@ partition "{{ .PartitionName }}" {
   }
 {{- if .EnableNamespaces }}
   namespace_prefix "" {
+    acl = "write"
 {{- end }}
 {{- if .EnablePartitions }}
     policy = "write"
 {{- end }}
-    acl = "write"
     service_prefix "" {
       policy = "write"
       intentions = "write"

diff --git a/control-plane/subcommand/server-acl-init/rules_test.go b/control-plane/subcommand/server-acl-init/rules_test.go
@@ -883,7 +883,6 @@ func TestInjectRules(t *testing.T) {
   node_prefix "" {
     policy = "write"
   }
-    acl = "write"
     service_prefix "" {
       policy = "write"
       intentions = "write"
@@ -917,7 +916,30 @@ func TestInjectRules(t *testing.T) {
   }`,
 		},
 		{
-			EnableNamespaces: true,
+			EnableNamespaces: false,
+			EnablePartitions: true,
+			EnablePeering:    false,
+			PartitionName:    "part-1",
+			Expected: `
+partition "part-1" {
+  mesh = "write"
+  acl = "write"
+  node_prefix "" {
+    policy = "write"
+  }
+    policy = "write"
+    service_prefix "" {
+      policy = "write"
+      intentions = "write"
+    }
+    identity_prefix "" {
+      policy = "write"
+      intentions = "write"
+    }
+}`,
+		},
+		{
+			EnableNamespaces: false,
 			EnablePartitions: false,
 			EnablePeering:    true,
 			Expected: `
@@ -928,17 +950,14 @@ func TestInjectRules(t *testing.T) {
   node_prefix "" {
     policy = "write"
   }
-  namespace_prefix "" {
-    acl = "write"
     service_prefix "" {
       policy = "write"
       intentions = "write"
     }
     identity_prefix "" {
       policy = "write"
       intentions = "write"
-    }
-  }`,
+    }`,
 		},
 		{
 			EnableNamespaces: true,
@@ -953,7 +972,32 @@ partition "part-1" {
     policy = "write"
   }
   namespace_prefix "" {
+    acl = "write"
     policy = "write"
+    service_prefix "" {
+      policy = "write"
+      intentions = "write"
+    }
+    identity_prefix "" {
+      policy = "write"
+      intentions = "write"
+    }
+  }
+}`,
+		},
+		{
+			EnableNamespaces: true,
+			EnablePartitions: false,
+			EnablePeering:    true,
+			Expected: `
+  mesh = "write"
+  operator = "write"
+  acl = "write"
+  peering = "write"
+  node_prefix "" {
+    policy = "write"
+  }
+  namespace_prefix "" {
     acl = "write"
     service_prefix "" {
       policy = "write"
@@ -963,7 +1007,30 @@ partition "part-1" {
       policy = "write"
       intentions = "write"
     }
+  }`,
+		},
+		{
+			EnableNamespaces: false,
+			EnablePartitions: true,
+			EnablePeering:    true,
+			PartitionName:    "part-1",
+			Expected: `
+partition "part-1" {
+  mesh = "write"
+  acl = "write"
+  peering = "write"
+  node_prefix "" {
+    policy = "write"
   }
+    policy = "write"
+    service_prefix "" {
+      policy = "write"
+      intentions = "write"
+    }
+    identity_prefix "" {
+      policy = "write"
+      intentions = "write"
+    }
 }`,
 		},
 		{
@@ -980,8 +1047,8 @@ partition "part-1" {
     policy = "write"
   }
   namespace_prefix "" {
-    policy = "write"
     acl = "write"
+    policy = "write"
     service_prefix "" {
       policy = "write"
       intentions = "write"