Net 12039 terminating gateway acl policy fix #4468

Open
wants to merge 4 commits into
base: main

natemollica-nm
Contributor

@natemollica-nm natemollica-nm commented Jan 24, 2025

Changes proposed in this PR

  • Introduce handling of Consul AdminPartition ACL policy rules when global.adminPartitions.enabled: true

Current workflow requires end users to manually update the Terminating Gateway policies applied by the TerminatingGateway resource controller when AdminPartitions are enabled from:

namespace "default" {
  service_prefix "" {
    policy = "write"
  }
}

to

partition "default" {
  namespace "default" {
    service_prefix "" {
      policy    = "write"
      intention = "read"
    }
  }
}

How I've tested this PR

Test Matrix for ACL Policies and Admin Partitions with Terminating Gateway

| Test Case | Admin Partitions Enabled | Partition Name | Service Type | Expected ACL Policy |
|---|---|---|---|---|
| Default Partition, Wildcard | Yes | default | Wildcard (*) | partition "default" { namespace "default" { service_prefix "" { policy = "write"; intention = "read"; } } } |
| Default Partition, Specific | Yes | default | Specific (static-server) | partition "default" { namespace "default" { service "static-server" { policy = "write"; intention = "read"; } } } |
| Non-Default Partition, Wildcard | Yes | dev | Wildcard (*) | partition "dev" { namespace "default" { service_prefix "" { policy = "write"; intention = "read"; } } } |
| Non-Default Partition, Specific | Yes | dev | Specific (static-server) | partition "dev" { namespace "default" { service "static-server" { policy = "write"; intention = "read"; } } } |
| No Partition, Wildcard | No | N/A | Wildcard (*) | namespace "default" { service_prefix "" { policy = "write"; intention = "read"; } } |
| No Partition, Specific | No | N/A | Specific (static-server) | namespace "default" { service "static-server" { policy = "write"; intention = "read"; } } |

How I expect reviewers to test this PR

👀

Checklist

@natemollica-nm natemollica-nm added area/acls Related to ACLs theme/terminating-gateway Related to Consul Terminating Gateway Development labels Jan 24, 2025
@natemollica-nm natemollica-nm requested a review from a team as a code owner January 24, 2025 23:33
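The rule shapes in the test matrix above, rendered by a small Go function. This is an added example, not code from this PR or from consul-k8s. The function name `RenderGatewayRules` and the name-validation pattern are assumptions made for illustration; the validation keeps a partition, namespace or service name from breaking out of its quoted HCL label and widening the policy.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// validName is a conservative check assumed for this example (not Consul's
// exact naming rule): it rejects quotes, braces and whitespace.
var validName = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// RenderGatewayRules (hypothetical name) builds the ACL rules from the test
// matrix: a namespace block, wrapped in a partition block when enabled.
func RenderGatewayRules(partitionsEnabled bool, partition, namespace, service string) (string, error) {
	if !validName.MatchString(namespace) {
		return "", fmt.Errorf("invalid namespace %q", namespace)
	}
	// Wildcard (*) maps to an empty service_prefix; otherwise an exact service rule.
	target := `service_prefix ""`
	if service != "*" {
		if !validName.MatchString(service) {
			return "", fmt.Errorf("invalid service %q", service)
		}
		target = fmt.Sprintf("service %q", service)
	}
	rules := fmt.Sprintf("namespace %q {\n  %s {\n    policy    = \"write\"\n    intention = \"read\"\n  }\n}", namespace, target)
	if !partitionsEnabled {
		return rules, nil
	}
	if !validName.MatchString(partition) {
		return "", fmt.Errorf("invalid partition %q", partition)
	}
	// Indent the namespace block one level and wrap it in the partition scope.
	indented := "  " + strings.ReplaceAll(rules, "\n", "\n  ")
	return fmt.Sprintf("partition %q {\n%s\n}", partition, indented), nil
}

func main() {
	// Constructed inputs mirroring the "Non-Default Partition" rows of the matrix.
	for _, svc := range []string{"*", "static-server"} {
		out, err := RenderGatewayRules(true, "dev", "default", svc)
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```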
Labels
area/acls Related to ACLs backport/1.4.x backport/1.5.x backport/1.6.x Changes are backported to 1.6 theme/terminating-gateway Related to Consul Terminating Gateway Development
1 participant