From bbebfeb5a4b2956ee1cff0d815fabda068ec1733 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dennis=20Sch=C3=B6n?= <mail@dennis-schoen.de>
Date: Wed, 20 Jan 2021 20:34:23 +0100
Subject: [PATCH] validate connect block allowed only within group.service

---
 command/agent/job_endpoint.go | 6 ++++++
 nomad/structs/structs.go      | 5 +++++
 nomad/structs/structs_test.go | 7 +++++++
 3 files changed, 18 insertions(+)

diff --git a/command/agent/job_endpoint.go b/command/agent/job_endpoint.go
index 396916627dd0..a1015b058c6d 100644
--- a/command/agent/job_endpoint.go
+++ b/command/agent/job_endpoint.go
@@ -1088,6 +1088,12 @@ func ApiTaskToStructsTask(job *structs.Job, group *structs.TaskGroup,
 					}
 				}
 			}
+
+			// Task services can't have a connect block. We still convert it so that
+			// we can later return a validation error.
+			if service.Connect != nil {
+				structsTask.Services[i].Connect = ApiConsulConnectToStructs(service.Connect)
+			}
 		}
 	}
 
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index ec905c06e230..e8824371dc53 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -6954,6 +6954,11 @@ func validateServices(t *Task, tgNetworks Networks) error {
 			}
 		}
 
+		// connect block is only allowed on group level
+		if service.Connect != nil {
+			mErr.Errors = append(mErr.Errors, fmt.Errorf("service %q cannot have \"connect\" block, only services defined in a \"group\" block can", service.Name))
+		}
+
 		// Ensure that check names are unique and have valid ports
 		knownChecks := make(map[string]struct{})
 		for _, check := range service.Checks {
diff --git a/nomad/structs/structs_test.go b/nomad/structs/structs_test.go
index a313a73b3ff0..0ed2bf5c101a 100644
--- a/nomad/structs/structs_test.go
+++ b/nomad/structs/structs_test.go
@@ -1933,6 +1933,13 @@ func TestTask_Validate_Service_Check_AddressMode(t *testing.T) {
 			},
 			ErrContains: `invalid: check requires a port but neither check nor service`,
 		},
+		{
+			Service: &Service{
+				Name:    "conect-block-on-task-level",
+				Connect: &ConsulConnect{SidecarService: &ConsulSidecarService{}},
+			},
+			ErrContains: `cannot have "connect" block`,
+		},
 	}
 
 	for _, tc := range cases {