From b6dd1e6fea94b43f08c611ef7b864d8437827513 Mon Sep 17 00:00:00 2001
From: hc-github-team-nomad-core <82989552+hc-github-team-nomad-core@users.noreply.github.com>
Date: Fri, 25 Aug 2023 21:05:49 -0500
Subject: [PATCH] nds: add validation for `tls_skip_verify` (#18333) (#18336)
Co-authored-by: Luiz Aoqui
---
 .changelog/18333.txt | 3 +++
 nomad/structs/services.go | 17 +++++++++++------
 nomad/structs/services_test.go | 15 +++++++++++++++
 3 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 .changelog/18333.txt
diff --git a/.changelog/18333.txt b/.changelog/18333.txt
new file mode 100644
index 000000000000..8b8effb71ec5
--- /dev/null
+++ b/.changelog/18333.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+services: Add validation message when `tls_skip_verify` is set to `true` on a Nomad service
+```
diff --git a/nomad/structs/services.go b/nomad/structs/services.go
index 2c6e1ac32186..2c9088e27f2f 100644
--- a/nomad/structs/services.go
+++ b/nomad/structs/services.go
@@ -336,12 +336,12 @@ func (sc *ServiceCheck) validateNomad() error {

 // expose is connect (consul) specific
 if sc.Expose {
- return fmt.Errorf("expose may only be set for Consul service checks")
+ return errors.New("expose may only be set for Consul service checks")
 }

 // nomad checks do not have warnings
 if sc.OnUpdate == OnUpdateIgnoreWarn {
- return fmt.Errorf("on_update may only be set to ignore_warnings for Consul service checks")
+ return errors.New("on_update may only be set to ignore_warnings for Consul service checks")
 }

 // below are temporary limitations on checks in nomad
@@ -350,13 +350,13 @@ func (sc *ServiceCheck) validateNomad() error {
 // check_restart.ignore_warnings is not a thing in Nomad (which has no warnings in checks)
 if sc.CheckRestart != nil {
 if sc.CheckRestart.IgnoreWarnings {
- return fmt.Errorf("ignore_warnings on check_restart only supported for Consul service checks")
+ return errors.New("ignore_warnings on check_restart only supported for Consul service checks")
 }
 }

 // address_mode="driver" not yet supported on nomad
 if sc.AddressMode == "driver" {
- return fmt.Errorf("address_mode = driver may only be set for Consul service checks")
+ return errors.New("address_mode = driver may only be set for Consul service checks")
 }

 if sc.Type == "http" {
@@ -367,12 +367,17 @@ func (sc *ServiceCheck) validateNomad() error {

 // success_before_passing is consul only
 if sc.SuccessBeforePassing != 0 {
- return fmt.Errorf("success_before_passing may only be set for Consul service checks")
+ return errors.New("success_before_passing may only be set for Consul service checks")
 }

 // failures_before_critical is consul only
 if sc.FailuresBeforeCritical != 0 {
- return fmt.Errorf("failures_before_critical may only be set for Consul service checks")
+ return errors.New("failures_before_critical may only be set for Consul service checks")
+ }
+
+ // tls_skip_verify is consul only
+ if sc.TLSSkipVerify {
+ return errors.New("tls_skip_verify may only be set for Consul service checks")
 }

 return nil
diff --git a/nomad/structs/services_test.go b/nomad/structs/services_test.go
index b0e3d1d66059..c788e0834613 100644
--- a/nomad/structs/services_test.go
+++ b/nomad/structs/services_test.go
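Review bot: The comment `// tls_skip_verify is consul only` on the block added at the end of the third services.go hunk does not say why the value is rejected, which is what a reader checking TLS behaviour needs to know. If Nomad-provider checks never read `TLSSkipVerify` (the check runner is not in this diff), say so: `// tls_skip_verify is consul only: Nomad checks do not read it, so reject it instead of accepting a setting that has no effect`. Because the new branch returns an error, a job that already carries `tls_skip_verify = true` on a Nomad service would presumably fail validation the next time it is submitted, and the changelog entry could mention that. validateNomad starts and ends outside the hunk.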
@@ -1797,6 +1797,21 @@ func TestService_Validate(t *testing.T) {
 },
 expErr: true,
 },
+ {
+ name: "provider nomad with tls skip verify",
+ input: &Service{
+ Name: "testservice",
+ Provider: "nomad",
+ Checks: []*ServiceCheck{
+ {
+ Name: "servicecheck",
+ Type: "http",
+ TLSSkipVerify: true,
+ },
+ },
+ },
+ expErr: true,
+ },
 {
 name: "provider nomad with connect",
 input: &Service{
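Review bot: The new case `provider nomad with tls skip verify` asserts only `expErr: true`, and its check sets nothing but Name, Type and TLSSkipVerify, so it can pass for a reason unrelated to the new validation. If an http check is also rejected for a missing path, interval or timeout (those rules are outside this diff), the case would stay green even with the `sc.TLSSkipVerify` branch removed. Make the check otherwise valid, for example by adding `Path: "/",` together with an interval and a timeout, or assert on the error text `tls_skip_verify may only be set for Consul service checks` if the table supports matching a message. TestService_Validate begins and ends outside the hunk.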