cli: setup consul proper ns handling (#19237)

In order to correctly handle Consul namespaces, auth methods and binding rules must always be created in the default namespace only. --------- Co-authored-by: Luiz Aoqui <luiz@hashicorp.com>
2026-01-01 16:05:42 +03:00 · 2023-11-30 20:09:19 +01:00
parent e57dcdf106
commit 67bbcc4a4f
2 changed files with 50 additions and 11 deletions
--- a/command/asset/consul-wi-default-auth-method-config.json
+++ b/command/asset/consul-wi-default-auth-method-config.json
@@ -1,8 +1,13 @@
 {
  "JWKSURL": "http://localhost:4646/.well-known/jwks.json",
-  "JWTSupportedAlgs": ["ES256"],
-  "BoundAudiences": ["consul.io"],
+  "JWTSupportedAlgs": [
+    "ES256"
+  ],
+  "BoundAudiences": [
+    "consul.io"
+  ],
  "ClaimMappings": {
+    "consul_namespace": "consul_namespace",
    "nomad_namespace": "nomad_namespace",
    "nomad_job_id": "nomad_job_id",
    "nomad_task": "nomad_task",
--- a/command/setup_consul.go
+++ b/command/setup_consul.go
@@ -407,7 +407,13 @@ consul {
 }

 func (s *SetupConsulCommand) authMethodExists(authMethodName string) bool {
-	existingMethods, _, _ := s.client.ACL().AuthMethodList(nil)
+	qo := &api.QueryOptions{}
+	if s.consulEnt {
+		// auth methods are created in the default ns
+		qo.Namespace = "default"
+	}
+
+	existingMethods, _, _ := s.client.ACL().AuthMethodList(qo)
 	return slices.ContainsFunc(
 		existingMethods,
 		func(m *api.ACLAuthMethodListEntry) bool { return m.Name == authMethodName })
@@ -432,10 +438,10 @@ func (s *SetupConsulCommand) renderAuthMethod(name string, desc string) (*api.AC
 		TokenLocality: "local",
 		Config:        authConfig,
 	}
-	if s.consulEnt && (s.clientCfg.Namespace == "" || s.clientCfg.Namespace == "default") {
+	if s.consulEnt {
 		method.NamespaceRules = []*api.ACLAuthMethodNamespaceRule{{
 			Selector:      "",
-			BindNamespace: "${value.nomad_namespace}",
+			BindNamespace: "${value.consul_namespace}",
 		}}
 	}

@@ -443,7 +449,13 @@ func (s *SetupConsulCommand) renderAuthMethod(name string, desc string) (*api.AC
 }

 func (s *SetupConsulCommand) createAuthMethod(authMethod *api.ACLAuthMethod) error {
-	_, _, err := s.client.ACL().AuthMethodCreate(authMethod, nil)
+	wo := &api.WriteOptions{}
+	if s.consulEnt {
+		// auth methods are created in the default ns
+		wo.Namespace = "default"
+	}
+
+	_, _, err := s.client.ACL().AuthMethodCreate(authMethod, wo)
 	if err != nil {
 		if strings.Contains(err.Error(), "error checking JWKSURL") {
 			s.Ui.Error(fmt.Sprintf(
@@ -485,7 +497,12 @@ func (s *SetupConsulCommand) createNamespace(ns string) error {
 }

 func (s *SetupConsulCommand) bindingRuleExists(rule *api.ACLBindingRule) bool {
-	existingRules, _, _ := s.client.ACL().BindingRuleList("", nil)
+	qo := &api.QueryOptions{}
+	if s.consulEnt {
+		// binding rules are created in the default ns
+		qo.Namespace = "default"
+	}
+	existingRules, _, _ := s.client.ACL().BindingRuleList("", qo)
 	return slices.ContainsFunc(
 		existingRules,
 		func(r *api.ACLBindingRule) bool {
@@ -497,7 +514,12 @@ func (s *SetupConsulCommand) bindingRuleExists(rule *api.ACLBindingRule) bool {
 }

 func (s *SetupConsulCommand) createBindingRules(rule *api.ACLBindingRule) error {
-	_, _, err := s.client.ACL().BindingRuleCreate(rule, nil)
+	wo := &api.WriteOptions{}
+	if s.consulEnt {
+		// binding rules are created in the default ns
+		wo.Namespace = "default"
+	}
+	_, _, err := s.client.ACL().BindingRuleCreate(rule, wo)
 	if err != nil {
 		return fmt.Errorf("[✘] Could not create Consul binding rule: %w", err)
 	}
@@ -601,7 +623,11 @@ func (s *SetupConsulCommand) removeConfiguredComponents() int {
 		componentsToRemove["Auth method"] = []string{consulAuthMethodName}
 	}

-	authMethodRules, _, err := s.client.ACL().BindingRuleList(consulAuthMethodName, nil)
+	qo := &api.QueryOptions{}
+	if s.consulEnt {
+		qo.Namespace = "default"
+	}
+	authMethodRules, _, err := s.client.ACL().BindingRuleList(consulAuthMethodName, qo)
 	if err != nil {
 		s.Ui.Error(fmt.Sprintf("[✘] Failed to fetch binding rules for method: %q", consulAuthMethodName))
 		exitCode = 1
@@ -682,7 +708,11 @@ func (s *SetupConsulCommand) removeConfiguredComponents() int {
 		}

 		for _, b := range authMethodRules {
-			_, err := s.client.ACL().BindingRuleDelete(b.ID, nil)
+			wo := &api.WriteOptions{}
+			if s.consulEnt {
+				wo.Namespace = "default"
+			}
+			_, err := s.client.ACL().BindingRuleDelete(b.ID, wo)
 			if err != nil {
 				s.Ui.Error(fmt.Sprintf("[✘] Failed to delete binding rule %q: %v", b.ID, err.Error()))
 				exitCode = 1
@@ -692,7 +722,11 @@ func (s *SetupConsulCommand) removeConfiguredComponents() int {
 		}

 		for _, authMethod := range componentsToRemove["Auth method"] {
-			_, err := s.client.ACL().AuthMethodDelete(authMethod, nil)
+			wo := &api.WriteOptions{}
+			if s.consulEnt {
+				wo.Namespace = "default"
+			}
+			_, err := s.client.ACL().AuthMethodDelete(authMethod, wo)
 			if err != nil {
 				s.Ui.Error(fmt.Sprintf("[✘] Failed to delete auth method %q: %v", authMethod, err.Error()))
 				exitCode = 1