diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71d5d4a22e..d2af43cc8e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,7 @@ IMPROVEMENTS:
 BUG FIXES:
 * Connect: use the first secret of type `kubernetes.io/service-account-token` when creating/updating auth method. [[GH-350](https://github.com/hashicorp/consul-k8s/pull/321)]
+* Federation: ensure replication ACL token can replicate policies and tokens in Consul namespaces other than `default` (Consul-enterprise only). [[GH-364](https://github.com/hashicorp/consul-k8s/issues/364)]
 ## 0.18.1 (August 10, 2020)
diff --git a/subcommand/server-acl-init/rules.go b/subcommand/server-acl-init/rules.go
index 89501f2e0b..15cf7917df 100644
--- a/subcommand/server-acl-init/rules.go
+++ b/subcommand/server-acl-init/rules.go
@@ -222,7 +222,6 @@ func (c *Command) aclReplicationRules() (string, error) {
 // datacenters during federation since in order to start ACL replication,
 // we need a token with both replication and agent permissions.
 aclReplicationRulesTpl := `
-acl = "write"
 operator = "write"
 agent_prefix "" {
 policy = "read"
@@ -233,6 +232,7 @@ node_prefix "" {
 {{- if .EnableNamespaces }}
 namespace_prefix "" {
 {{- end }}
+ acl = "write"
 service_prefix "" {
 policy = "read"
 intentions = "read"
diff --git a/subcommand/server-acl-init/rules_test.go b/subcommand/server-acl-init/rules_test.go
index 4155f9c5df..20ccda60b7 100644
--- a/subcommand/server-acl-init/rules_test.go
+++ b/subcommand/server-acl-init/rules_test.go
@@ -537,14 +537,14 @@ func TestReplicationTokenRules(t *testing.T) {
 {
 "Namespaces are disabled",
 false,
- `acl = "write"
-operator = "write"
+ `operator = "write"
 agent_prefix "" {
 policy = "read"
 }
 node_prefix "" {
 policy = "write"
 }
+ acl = "write"
 service_prefix "" {
 policy = "read"
 intentions = "read"
@@ -553,8 +553,7 @@ node_prefix "" {
 {
 "Namespaces are enabled",
 true,
- `acl = "write"
-operator = "write"
+ `operator = "write"
 agent_prefix "" {
 policy = "read"
 }
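Review bot: The whole fix is the position of `acl = "write"` after `{{- end }}` in the second rules.go hunk — inside `namespace_prefix ""` when `.EnableNamespaces` is set, at top level otherwise — yet nothing in the template says so, and a later tidy-up that moves the line back above `operator = "write"` (where the first rules.go hunk removed it) would silently re-break policy/token replication in non-default enterprise namespaces, per the changelog entry for GH-364. A Go comment above `aclReplicationRulesTpl` in the first hunk's context should record the constraint, e.g. `// acl = "write" is emitted inside namespace_prefix "" when namespaces are enabled: a top-level acl rule appears to apply only to the default namespace, which is not enough for cross-namespace replication (GH-364).` Reviewers should also be aware that under `namespace_prefix ""` this rule grants ACL management in every namespace, which is what replication needs but is a broad grant, so the template should not be reused for tokens scoped to a single namespace; the rules_test.go hunks only mirror the new line placement. aclReplicationRules begins and ends outside these hunks.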
@@ -562,6 +561,7 @@ node_prefix "" {
 policy = "write"
 }
 namespace_prefix "" {
+ acl = "write"
 service_prefix "" {
 policy = "read"
 intentions = "read"