From f5b0a9f0f8c231d70289040eba3a54a9db7221a5 Mon Sep 17 00:00:00 2001
From: hc-github-team-consul-core
Date: Wed, 27 Nov 2024 21:47:09 -0500
Subject: [PATCH] Backport of Fix duplicate key in connect-inject ACL policy into release/1.5.x (#4436)

* backport of commit 8852d073be11586f3825c741e8818285b44f631f
* backport of commit 10a2592175ef9bd61a51757f93d901bfc3fb237a
* backport of commit f420441c1034bc304dd0d2ef8a9d33a1360f96bf
* backport of commit 9babfc109b7b2877da72c180c97f2203bccb2205

---------

Co-authored-by: Nathan Coleman
---
 .changelog/4434.txt | 3 +
 .../subcommand/server-acl-init/rules.go | 2 +-
 .../subcommand/server-acl-init/rules_test.go | 81 +++++++++++++++++--
 3 files changed, 78 insertions(+), 8 deletions(-)
 create mode 100644 .changelog/4434.txt

diff --git a/.changelog/4434.txt b/.changelog/4434.txt
new file mode 100644
index 0000000000..e87e04cc21
--- /dev/null
+++ b/.changelog/4434.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+connect-inject: fix issue where the ACL policy for the connect-injector included the `acl = "write"` rule twice when namespaces were not enabled.
+```
diff --git a/control-plane/subcommand/server-acl-init/rules.go b/control-plane/subcommand/server-acl-init/rules.go
index 1f00e1019c..99581e3b5f 100644
--- a/control-plane/subcommand/server-acl-init/rules.go
+++ b/control-plane/subcommand/server-acl-init/rules.go
@@ -310,11 +310,11 @@ partition "{{ .PartitionName }}" {
   }
 {{- if .EnableNamespaces }}
   namespace_prefix "" {
+    acl = "write"
 {{- end }}
 {{- if .EnablePartitions }}
     policy = "write"
 {{- end }}
-    acl = "write"
     service_prefix "" {
       policy = "write"
       intentions = "write"
diff --git a/control-plane/subcommand/server-acl-init/rules_test.go b/control-plane/subcommand/server-acl-init/rules_test.go
index bb727968f3..ea61d885db 100644
--- a/control-plane/subcommand/server-acl-init/rules_test.go
+++ b/control-plane/subcommand/server-acl-init/rules_test.go
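Review bot: The moved `acl = "write"` line in the rules.go hunk now sits inside `{{- if .EnableNamespaces }}`, and because `namespace_prefix "" {` is opened inside that conditional while its closing brace is outside the hunk, the shape of the block is only apparent from the rules_test.go expectations; a template comment would stop the next edit from re-introducing the duplicate. I would put `{{- /* acl write scoped to every namespace; the top-level acl rule is emitted earlier in this template */ -}}` directly above the `namespace_prefix` line — the "emitted earlier" part is inferred from the test expectations, where a top-level `acl = "write"` appears in each case, not from this hunk. The comment is also the right place to state that `namespace_prefix ""` with `acl = "write"` is the injector's broadest grant here. The enclosing template literal starts and ends outside the hunk.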
@@ -883,7 +883,6 @@ func TestInjectRules(t *testing.T) {
   node_prefix "" {
     policy = "write"
   }
-  acl = "write"
   service_prefix "" {
     policy = "write"
     intentions = "write"
@@ -917,7 +916,30 @@ func TestInjectRules(t *testing.T) {
 			}`,
 		},
 		{
-			EnableNamespaces: true,
+			EnableNamespaces: false,
+			EnablePartitions: true,
+			EnablePeering: false,
+			PartitionName: "part-1",
+			Expected: `
+partition "part-1" {
+  mesh = "write"
+  acl = "write"
+  node_prefix "" {
+    policy = "write"
+  }
+  policy = "write"
+  service_prefix "" {
+    policy = "write"
+    intentions = "write"
+  }
+  identity_prefix "" {
+    policy = "write"
+    intentions = "write"
+  }
+}`,
+		},
+		{
+			EnableNamespaces: false,
 			EnablePartitions: false,
 			EnablePeering: true,
 			Expected: `
@@ -928,8 +950,6 @@ func TestInjectRules(t *testing.T) {
   node_prefix "" {
     policy = "write"
   }
-  namespace_prefix "" {
-    acl = "write"
   service_prefix "" {
     policy = "write"
     intentions = "write"
@@ -937,8 +957,7 @@ func TestInjectRules(t *testing.T) {
   identity_prefix "" {
     policy = "write"
     intentions = "write"
-  }
-  }`,
+  }`,
 		},
 		{
 			EnableNamespaces: true,
@@ -953,7 +972,32 @@ partition "part-1" {
     policy = "write"
   }
   namespace_prefix "" {
+    acl = "write"
     policy = "write"
+    service_prefix "" {
+      policy = "write"
+      intentions = "write"
+    }
+    identity_prefix "" {
+      policy = "write"
+      intentions = "write"
+    }
+  }
+}`,
+		},
+		{
+			EnableNamespaces: true,
+			EnablePartitions: false,
+			EnablePeering: true,
+			Expected: `
+  mesh = "write"
+  operator = "write"
+  acl = "write"
+  peering = "write"
+  node_prefix "" {
+    policy = "write"
+  }
+  namespace_prefix "" {
     acl = "write"
     service_prefix "" {
       policy = "write"
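Review bot: The table entries added in the `@@ -917` hunk (and likewise in `@@ -953` and `@@ -963`) differ only in three booleans plus a near-identical twenty-line `Expected` string, so when one fails the report names no case unless the loop, which lies outside these hunks, derives a subtest name from those fields. If the case struct has no name field, I would add one such as `Name: "partitions only, no namespaces",` to each new entry and run the cases under `t.Run(tt.Name, ...)`, so a regression points at the exact flag combination instead of a diff of two similar policies. `TestInjectRules` begins and ends outside these hunks, so whether that seam already exists cannot be confirmed here.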
@@ -963,7 +1007,30 @@ partition "part-1" {
       policy = "write"
       intentions = "write"
     }
+  }`,
+		},
+		{
+			EnableNamespaces: false,
+			EnablePartitions: true,
+			EnablePeering: true,
+			PartitionName: "part-1",
+			Expected: `
+partition "part-1" {
+  mesh = "write"
+  acl = "write"
+  peering = "write"
+  node_prefix "" {
+    policy = "write"
   }
+  policy = "write"
+  service_prefix "" {
+    policy = "write"
+    intentions = "write"
+  }
+  identity_prefix "" {
+    policy = "write"
+    intentions = "write"
+  }
 }`,
 		},
 		{
@@ -980,8 +1047,8 @@ partition "part-1" {
     policy = "write"
   }
   namespace_prefix "" {
-    policy = "write"
     acl = "write"
+    policy = "write"
     service_prefix "" {
       policy = "write"
       intentions = "write"