From d12dc36c3ba707cfb1ecc2bb3d1202a94f383289 Mon Sep 17 00:00:00 2001
From: Luiz Aoqui <luiz@hashicorp.com>
Date: Fri, 1 Dec 2023 09:29:08 -0500
Subject: [PATCH] cli: add Consul namespace selector (#19251)

Update the `nomad setup consul` command to include a `Selector` for the
`NamespaceRule` so the logic is only applied when the token has a claim
for `consul_namespace`.

Jobs without an explicit `consul.namespace` value receive a JWT without
the `consul_namespace` claim because Nomad is unable to determine which
Consul namespace should be used.

By using `NamespaceRules`, cluster operators are able to set a default
value for these jobs.
---
 command/setup_consul.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/command/setup_consul.go b/command/setup_consul.go
index b703d092c..087f26337 100644
--- a/command/setup_consul.go
+++ b/command/setup_consul.go
@@ -440,7 +440,7 @@ func (s *SetupConsulCommand) renderAuthMethod(name string, desc string) (*api.AC
 	}
 	if s.consulEnt {
 		method.NamespaceRules = []*api.ACLAuthMethodNamespaceRule{{
-			Selector:      "",
+			Selector:      `"consul_namespace" in value`,
 			BindNamespace: "${value.consul_namespace}",
 		}}
 	}