ACLs: allow/deny/default config for Consul/Vault clusters by namespace (#18425)

In Nomad Enterprise when multiple Vault/Consul clusters are configured, cluster admins can control access to clusters for jobs via namespace ACLs, similar to how we've done so for node pools. This changeset updates the ACL configuration structs, but doesn't wire them up.
2026-01-06 18:35:44 +03:00 · 2023-09-08 11:37:20 -04:00
parent b022346575
commit 3ee6c31241
12 changed files with 348 additions and 0 deletions
--- a/command/namespace_apply.go
+++ b/command/namespace_apply.go
@@ -227,6 +227,8 @@ func parseNamespaceSpecImpl(result *api.Namespace, list *ast.ObjectList) error {
 	delete(m, "capabilities")
 	delete(m, "meta")
 	delete(m, "node_pool_config")
+	delete(m, "vault")
+	delete(m, "consul")

 	// Decode the rest
 	if err := mapstructure.WeakDecode(m, result); err != nil {
@@ -265,6 +267,38 @@ func parseNamespaceSpecImpl(result *api.Namespace, list *ast.ObjectList) error {
 		}
 	}

+	vObj := list.Filter("vault")
+	if len(vObj.Items) > 0 {
+		for _, o := range vObj.Elem().Items {
+			ot, ok := o.Val.(*ast.ObjectType)
+			if !ok {
+				break
+			}
+			var vConfig *api.NamespaceVaultConfiguration
+			if err := hcl.DecodeObject(&vConfig, ot.List); err != nil {
+				return err
+			}
+			result.VaultConfiguration = vConfig
+			break
+		}
+	}
+
+	conObj := list.Filter("consul")
+	if len(conObj.Items) > 0 {
+		for _, o := range conObj.Elem().Items {
+			ot, ok := o.Val.(*ast.ObjectType)
+			if !ok {
+				break
+			}
+			var cConfig *api.NamespaceConsulConfiguration
+			if err := hcl.DecodeObject(&cConfig, ot.List); err != nil {
+				return err
+			}
+			result.ConsulConfiguration = cConfig
+			break
+		}
+	}
+
 	if metaO := list.Filter("meta"); len(metaO.Items) > 0 {
 		for _, o := range metaO.Elem().Items {
 			var m map[string]interface{}