Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix duplicate key in connect-inject ACL policy #4434

Merged
merged 4 commits into from
Nov 27, 2024
Merged

Fix duplicate key in connect-inject ACL policy #4434

merged 4 commits into from
Nov 27, 2024

Conversation

nathancoleman
Copy link
Member

@nathancoleman nathancoleman commented Nov 27, 2024
edited
Loading

Changes proposed in this PR

Stop including a duplicate acl = "write" rule at the root level of the connect-inject ACL policy when namespaces are not enabled. The security patch in hashicorp/consul#21908 led to the connect-injector being unable to start up as its ACL policy is rejected by Consul.

How I've tested this PR

  1. Expanded the test matrix to cover all possible flag combinations w/ current policy output
  2. Fixed policy generation
  3. Updated the test assertions to account for the bug fix, verifying that acl = "write" never appears twice at the root level of the policy with any combination of flags

How I expect reviewers to test this PR

Review commit-by-commit observing the above

Checklist

@nathancoleman nathancoleman requested a review from a team as a code owner November 27, 2024 22:21
This was referenced Nov 27, 2024
Merged
Merged
@nathancoleman nathancoleman added pr/no-changelog PR does not need a corresponding .changelog entry and removed pr/no-changelog PR does not need a corresponding .changelog entry labels Nov 27, 2024
nathancoleman
nathancoleman commented Nov 27, 2024
View reviewed changes
control-plane/subcommand/server-acl-init/rules_test.go Outdated
Comment on lines 925 to 940
partition "part-1" {
mesh = "write"
acl = "write"
node_prefix "" {
policy = "write"
}
policy = "write"
acl = "write"
service_prefix "" {
policy = "write"
intentions = "write"
}
identity_prefix "" {
policy = "write"
intentions = "write"
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can see the bug here where acl = "write" winds up being included twice in the root of the policy whenever namespaces are disabled.

The later commit in this PR that adjusts the test assertions after the fix should indicate no scenario in which acl or any other type of rule is included twice at the same level.

@sarahalsmiller sarahalsmiller added backport/1.1.x Backport to release/1.1.x branch backport/1.4.x backport/1.5.x backport/1.6.x Changes are backported to 1.6 labels Nov 27, 2024
@sarahalsmiller sarahalsmiller enabled auto-merge (squash) November 27, 2024 22:59
@sarahalsmiller sarahalsmiller added backport/1.4.x and removed backport/1.1.x Backport to release/1.1.x branch backport/1.4.x labels Nov 27, 2024
@sarahalsmiller sarahalsmiller merged commit 3a0b862 into main Nov 27, 2024
64 of 66 checks passed
@sarahalsmiller sarahalsmiller deleted the fix-duplicate-key-in-acl-policy branch November 27, 2024 23:52
This was referenced Nov 27, 2024
Merged
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sarahalsmiller sarahalsmiller sarahalsmiller approved these changes

Assignees
No one assigned
Labels
backport/1.4.x backport/1.5.x backport/1.6.x Changes are backported to 1.6
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nathancoleman @sarahalsmiller