From 8852d073be11586f3825c741e8818285b44f631f Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 27 Nov 2024 17:14:38 -0500 Subject: [PATCH 1/4] Expand connect-inject policy tests to include the entire matrix of flag values --- .../subcommand/server-acl-init/rules_test.go | 79 ++++++++++++++++++- 1 file changed, 75 insertions(+), 4 deletions(-) diff --git a/control-plane/subcommand/server-acl-init/rules_test.go b/control-plane/subcommand/server-acl-init/rules_test.go index a31ca5dcd5..fedc014f63 100644 --- a/control-plane/subcommand/server-acl-init/rules_test.go +++ b/control-plane/subcommand/server-acl-init/rules_test.go @@ -917,7 +917,31 @@ func TestInjectRules(t *testing.T) { }`, }, { - EnableNamespaces: true, + EnableNamespaces: false, + EnablePartitions: true, + EnablePeering: false, + PartitionName: "part-1", + Expected: ` +partition "part-1" { + mesh = "write" + acl = "write" + node_prefix "" { + policy = "write" + } + policy = "write" + acl = "write" + service_prefix "" { + policy = "write" + intentions = "write" + } + identity_prefix "" { + policy = "write" + intentions = "write" + } +}`, + }, + { + EnableNamespaces: false, EnablePartitions: false, EnablePeering: true, Expected: ` @@ -928,7 +952,6 @@ func TestInjectRules(t *testing.T) { node_prefix "" { policy = "write" } - namespace_prefix "" { acl = "write" service_prefix "" { policy = "write" @@ -937,8 +960,7 @@ func TestInjectRules(t *testing.T) { identity_prefix "" { policy = "write" intentions = "write" - } - }`, + }`, }, { EnableNamespaces: true, 
@@ -964,6 +986,55 @@ partition "part-1" { intentions = "write" } } +}`, + }, + { + EnableNamespaces: true, + EnablePartitions: false, + EnablePeering: true, + Expected: ` + mesh = "write" + operator = "write" + acl = "write" + peering = "write" + node_prefix "" { + policy = "write" + } + namespace_prefix "" { + acl = "write" + service_prefix "" { + policy = "write" + intentions = "write" + } + identity_prefix "" { + policy = "write" + intentions = "write" + } + }`, + }, + { + EnableNamespaces: false, + EnablePartitions: true, + EnablePeering: true, + PartitionName: "part-1", + Expected: ` +partition "part-1" { + mesh = "write" + acl = "write" + peering = "write" + node_prefix "" { + policy = "write" + } + policy = "write" + acl = "write" + service_prefix "" { + policy = "write" + intentions = "write" + } + identity_prefix "" { + policy = "write" + intentions = "write" + } }`, }, { From 10a2592175ef9bd61a51757f93d901bfc3fb237a Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 27 Nov 2024 17:17:50 -0500 Subject: [PATCH 2/4] Only include scoped acl="write" rule when namespaces are enabled --- control-plane/subcommand/server-acl-init/rules.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/control-plane/subcommand/server-acl-init/rules.go b/control-plane/subcommand/server-acl-init/rules.go index ae145fae43..3cbac881f5 100644 --- a/control-plane/subcommand/server-acl-init/rules.go +++ b/control-plane/subcommand/server-acl-init/rules.go @@ -310,11 +310,11 @@ partition "{{ .PartitionName }}" { } {{- if .EnableNamespaces }} namespace_prefix "" { + acl = "write" {{- end }} {{- if .EnablePartitions }} policy = "write" {{- end }} - acl = "write" service_prefix "" { policy = "write" intentions = "write" From f420441c1034bc304dd0d2ef8a9d33a1360f96bf Mon Sep 17 00:00:00 2001 
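Review bot: With `acl = "write"` moved inside the `{{- if .EnableNamespaces }}` guard, the non-namespaced renderings are left with the single top-level `acl = "write"` that the test expectations show at global or `partition` scope, and nothing in the template says that this is deliberate; since `acl = "write"` at that scope lets the injector token mint and modify tokens and policies, it is the most powerful grant in this policy and deserves a template comment such as `{{/* acl = "write" in namespace scope lets the injector manage tokens for namespaced services; without namespaces the top-level acl rule covers it */}}`. The `{{- if .EnablePartitions }} policy = "write"` line that follows is now emitted directly at partition scope when namespaces are off (see the updated `part-1` expectation with namespaces disabled in the third patch); that placement appears to predate this change, but it is worth confirming that a `partition` block accepts a bare `policy` key. The template definition starts and ends outside the hunk.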
From: Nathan Coleman Date: Wed, 27 Nov 2024 17:19:21 -0500 Subject: [PATCH 3/4] Update test assertions to account for bug fix --- control-plane/subcommand/server-acl-init/rules_test.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/control-plane/subcommand/server-acl-init/rules_test.go b/control-plane/subcommand/server-acl-init/rules_test.go index fedc014f63..b57b511a2f 100644 --- a/control-plane/subcommand/server-acl-init/rules_test.go +++ b/control-plane/subcommand/server-acl-init/rules_test.go @@ -883,7 +883,6 @@ func TestInjectRules(t *testing.T) { node_prefix "" { policy = "write" } - acl = "write" service_prefix "" { policy = "write" intentions = "write" @@ -929,7 +928,6 @@ partition "part-1" { policy = "write" } policy = "write" - acl = "write" service_prefix "" { policy = "write" intentions = "write" @@ -952,7 +950,6 @@ partition "part-1" { node_prefix "" { policy = "write" } - acl = "write" service_prefix "" { policy = "write" intentions = "write" @@ -975,8 +972,8 @@ partition "part-1" { policy = "write" } namespace_prefix "" { - policy = "write" acl = "write" + policy = "write" service_prefix "" { policy = "write" intentions = "write" @@ -1026,7 +1023,6 @@ partition "part-1" { policy = "write" } policy = "write" - acl = "write" service_prefix "" { policy = "write" intentions = "write" @@ -1051,8 +1047,8 @@ partition "part-1" { policy = "write" } namespace_prefix "" { - policy = "write" acl = "write" + policy = "write" service_prefix "" { policy = "write" intentions = "write" From 9babfc109b7b2877da72c180c97f2203bccb2205 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Wed, 27 Nov 2024 17:26:57 -0500 Subject: [PATCH 4/4] Add changelog entry --- .changelog/4434.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/4434.txt diff --git a/.changelog/4434.txt b/.changelog/4434.txt new file mode 100644 index 0000000000..e87e04cc21 --- /dev/null +++ b/.changelog/4434.txt 
@@ -0,0 +1,3 @@
+```release-note:bug
+connect-inject: fix issue where the ACL policy for the connect-injector included the `acl = "write"` rule twice when namespaces were not enabled.
+```