Stop JWT provider from being written in non default namespace (#18325)

hashicorp · Jul 31, 2023 · 356b29b · 356b29b
1 parent 6ada2e0
commit 356b29b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/.changelog/18325.txt b/.changelog/18325.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+mesh: **(Enterprise Only)** Require that `jwt-provider` config entries are created in the `default` namespace.
+```
diff --git a/agent/structs/config_entry_jwt_provider.go b/agent/structs/config_entry_jwt_provider.go
@@ -509,7 +509,7 @@ func (e *JWTProviderConfigEntry) Validate() error {
 		return err
 	}
 
-	if err := e.validatePartition(); err != nil {
+	if err := e.validatePartitionAndNamespace(); err != nil {
 		return err
 	}
 

diff --git a/agent/structs/config_entry_jwt_provider_oss.go b/agent/structs/config_entry_jwt_provider_oss.go
@@ -12,9 +12,14 @@ import (
 	"github.com/hashicorp/consul/acl"
 )
 
-func (e *JWTProviderConfigEntry) validatePartition() error {
+func (e *JWTProviderConfigEntry) validatePartitionAndNamespace() error {
 	if !acl.IsDefaultPartition(e.PartitionOrDefault()) {
 		return fmt.Errorf("Partitions are an enterprise only feature")
 	}
+
+	if acl.DefaultNamespaceName != e.NamespaceOrDefault() {
+		return fmt.Errorf("Namespaces are an enterprise only feature")
+	}
+
 	return nil
 }