cli: Test API access using /status/leader in consul watch (#10795)

Replace call to /agent/self with /status/leader to verify agent reachability before initializing a watch. This endpoint is not guarded by ACLs, and as such can be queried by any API client regardless of their permissions. Fixes #9353
hashicorp · Aug 9, 2021 · 9403e56 · 9403e56
1 parent 37527d9
commit 9403e56
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/.changelog/10795.txt b/.changelog/10795.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+cli: Fix a bug which prevented initializing a watch when using a namespaced
+token.
+```
diff --git a/command/watch/watch.go b/command/watch/watch.go
@@ -158,13 +158,19 @@ func (c *cmd) Run(args []string) int {
 		return 1
 	}
 
-	// Create and test the HTTP client
+	// Create and test that the API is accessible before starting a blocking
+	// loop for the watch.
+	//
+	// Consul does not have a /ping endpoint, so the /status/leader endpoint
+	// will be used as a substitute since it does not require an ACL token to
+	// query, and will always return a response to the client, unless there is a
+	// network communication error.
 	client, err := c.http.APIClient()
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
 		return 1
 	}
-	_, err = client.Agent().NodeName()
+	_, err = client.Status().Leader()
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error querying Consul agent: %s", err))
 		return 1