diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71d5d4a22e..9f99bf92a5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## UNRELEASED
+BUG FIXES:
+* Federation: ensure replication ACL token can replicate policies and tokens in Consul namespaces other than `default` (Consul-enterprise only). [[GH-364](https://github.com/hashicorp/consul-k8s/issues/364)]
+
 ## 0.19.0 (October 12, 2020)
 FEATURES:
diff --git a/subcommand/server-acl-init/rules.go b/subcommand/server-acl-init/rules.go
index 89501f2e0b..15cf7917df 100644
--- a/subcommand/server-acl-init/rules.go
+++ b/subcommand/server-acl-init/rules.go
@@ -222,7 +222,6 @@ func (c *Command) aclReplicationRules() (string, error) {
 // datacenters during federation since in order to start ACL replication,
 // we need a token with both replication and agent permissions.
 aclReplicationRulesTpl := `
-acl = "write"
 operator = "write"
 agent_prefix "" {
 policy = "read"
@@ -233,6 +232,7 @@ node_prefix "" {
 {{- if .EnableNamespaces }}
 namespace_prefix "" {
 {{- end }}
+ acl = "write"
 service_prefix "" {
 policy = "read"
 intentions = "read"
diff --git a/subcommand/server-acl-init/rules_test.go b/subcommand/server-acl-init/rules_test.go
index 4155f9c5df..20ccda60b7 100644
--- a/subcommand/server-acl-init/rules_test.go
+++ b/subcommand/server-acl-init/rules_test.go
@@ -537,14 +537,14 @@ func TestReplicationTokenRules(t *testing.T) {
 {
 "Namespaces are disabled",
 false,
- `acl = "write"
-operator = "write"
+ `operator = "write"
 agent_prefix "" {
 policy = "read"
 }
 node_prefix "" {
 policy = "write"
 }
+ acl = "write"
 service_prefix "" {
 policy = "read"
 intentions = "read"
@@ -553,8 +553,7 @@ node_prefix "" {
 {
 "Namespaces are enabled",
 true,
- `acl = "write"
-operator = "write"
+ `operator = "write"
 agent_prefix "" {
 policy = "read"
 }
@@ -562,6 +561,7 @@ node_prefix "" {
 policy = "write"
 }
 namespace_prefix "" {
+ acl = "write"
 service_prefix "" {
 policy = "read"
 intentions = "read"
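Review bot: The Go comment above `aclReplicationRulesTpl` does not say why `acl = "write"` now comes after the optional `namespace_prefix "" {` opener rather than at the top of the policy, so a later tidy-up could move it back and undo the fix the changelog describes. I would add a line there such as `// acl = "write" must follow the optional namespace_prefix "" opener so that, with namespaces enabled, it applies in every namespace.` With namespaces enabled the token then carries ACL write across all namespaces alongside `operator = "write"`, which is a very broad grant, so the same comment should say the token needs to be handled like a high-privilege secret. The template's remaining rules and its closing brace lie outside both rules.go hunks, so the full rendered policy can only be checked against the test strings.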
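Review bot: In the "Namespaces are disabled" case of `TestReplicationTokenRules` the expected policy now has `acl = "write"` sitting after the closing brace of `node_prefix ""` and, as far as the added line shows, indented as if it belonged to a block, although it is a top-level rule there. That should be harmless to the policy parser (worth confirming), but it makes the rendered policy harder to audit by eye. Consider emitting the rule from both branches of the `{{ if .EnableNamespaces }}` so the disabled rendering keeps it at column 0, and updating this expected string to match. Both cases compare rendered text only, and the table's remaining fields and the assertion are outside these hunks.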