From 42e996d327700c18d0a4247c0ee2a6dc90a96e99 Mon Sep 17 00:00:00 2001
From: Luiz Aoqui
Date: Fri, 25 Aug 2023 10:24:27 -0400
Subject: [PATCH 1/3] nds: add validation to tls_skip_verify
---
 nomad/structs/services.go | 5 +++++
 nomad/structs/services_test.go | 15 +++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/nomad/structs/services.go b/nomad/structs/services.go
index 90fae9921b98..f8c6d8f79c66 100644
--- a/nomad/structs/services.go
+++ b/nomad/structs/services.go
@@ -388,6 +388,11 @@ func (sc *ServiceCheck) validateNomad() error {
 return fmt.Errorf("tls_server_name may only be set for Consul service checks")
 }
 
+ // tls_skip_verify is consul only
+ if sc.TLSSkipVerify {
+ return fmt.Errorf("tls_skip_verify may only be set for Consul service checks")
+ }
+
 return nil
 }
 
diff --git a/nomad/structs/services_test.go b/nomad/structs/services_test.go
index 85f25e613388..440553d037c7 100644
--- a/nomad/structs/services_test.go
+++ b/nomad/structs/services_test.go
@@ -1811,6 +1811,21 @@ func TestService_Validate(t *testing.T) {
 },
 expErr: true,
 },
+ {
+ name: "provider nomad with tls skip verify",
+ input: &Service{
+ Name: "testservice",
+ Provider: "nomad",
+ Checks: []*ServiceCheck{
+ {
+ Name: "servicecheck",
+ Type: "http",
+ TLSSkipVerify: true,
+ },
+ },
+ },
+ expErr: true,
+ },
 {
 name: "provider nomad with connect",
 input: &Service{
From e0d0e7d94b52600c8dca34256b75ac9bbb9537fa Mon Sep 17 00:00:00 2001
From: Luiz Aoqui
Date: Fri, 25 Aug 2023 10:27:00 -0400
Subject: [PATCH 2/3] changelog: add entry for #18333
---
 .changelog/18333.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/18333.txt
diff --git a/.changelog/18333.txt b/.changelog/18333.txt
new file mode 100644
index 000000000000..8b8effb71ec5
--- /dev/null
+++ b/.changelog/18333.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+services: Add validation message when `tls_skip_verify` is set to `true` on a Nomad service
+```
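Review bot: The comment `// tls_skip_verify is consul only` on the new check in validateNomad (nomad/structs/services.go) does not record why the field is rejected instead of ignored. Because the flag governs certificate verification, I would spell that out, for example `// tls_skip_verify is consul only; reject it so a TLS verification setting is never silently dropped`. `TLSSkipVerify` appears to be a plain bool, so an explicit `false` still passes, which matches the changelog wording. validateNomad begins above this hunk.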
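Review bot: The added case "provider nomad with tls skip verify" in TestService_Validate only sets `expErr: true`, so it cannot tell the new tls_skip_verify rejection apart from any other validation failure. The check it builds carries just Name, Type and TLSSkipVerify; if Service.Validate also rejects it for an unrelated reason (not visible here), the case keeps passing even after the new check is removed. I would pin the message in the assertion loop, which lies outside this hunk, with something like `if !strings.Contains(err.Error(), "tls_skip_verify") { t.Fatalf("unexpected error: %v", err) }` for this case.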
From 37b9a2d4614b69bc0b58d4ac930201db782ebe98 Mon Sep 17 00:00:00 2001
From: Luiz Aoqui
Date: Fri, 25 Aug 2023 10:51:49 -0400
Subject: [PATCH 3/3] nsd: use errors.New when possible
---
 nomad/structs/services.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/nomad/structs/services.go b/nomad/structs/services.go
index f8c6d8f79c66..5cbe4c83dcfc 100644
--- a/nomad/structs/services.go
+++ b/nomad/structs/services.go
@@ -344,12 +344,12 @@ func (sc *ServiceCheck) validateNomad() error {
 
 // expose is connect (consul) specific
 if sc.Expose {
- return fmt.Errorf("expose may only be set for Consul service checks")
+ return errors.New("expose may only be set for Consul service checks")
 }
 
 // nomad checks do not have warnings
 if sc.OnUpdate == OnUpdateIgnoreWarn {
- return fmt.Errorf("on_update may only be set to ignore_warnings for Consul service checks")
+ return errors.New("on_update may only be set to ignore_warnings for Consul service checks")
 }
 
 // below are temporary limitations on checks in nomad
@@ -358,13 +358,13 @@ func (sc *ServiceCheck) validateNomad() error {
 // check_restart.ignore_warnings is not a thing in Nomad (which has no warnings in checks)
 if sc.CheckRestart != nil {
 if sc.CheckRestart.IgnoreWarnings {
- return fmt.Errorf("ignore_warnings on check_restart only supported for Consul service checks")
+ return errors.New("ignore_warnings on check_restart only supported for Consul service checks")
 }
 }
 
 // address_mode="driver" not yet supported on nomad
 if sc.AddressMode == "driver" {
- return fmt.Errorf("address_mode = driver may only be set for Consul service checks")
+ return errors.New("address_mode = driver may only be set for Consul service checks")
 }
 
 if sc.Type == "http" {
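Review bot: No hunk in this patch touches the import block of nomad/structs/services.go — the diffstat's 8 insertions and 8 deletions are all accounted for by the `return` lines in the three validateNomad hunks (-344, -358 and -375) — so the switch to `errors.New` compiles only if the file already imports `errors`, which is not visible here. With the messages now constant, they could also be declared once at package level, e.g. `var errNomadTLSSkipVerify = errors.New("tls_skip_verify may only be set for Consul service checks")` (the name is illustrative), so callers and tests can match them with `errors.Is`. validateNomad starts and ends outside the first two hunks.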
@@ -375,22 +375,22 @@ func (sc *ServiceCheck) validateNomad() error {
 
 // success_before_passing is consul only
 if sc.SuccessBeforePassing != 0 {
- return fmt.Errorf("success_before_passing may only be set for Consul service checks")
+ return errors.New("success_before_passing may only be set for Consul service checks")
 }
 
 // failures_before_critical is consul only
 if sc.FailuresBeforeCritical != 0 {
- return fmt.Errorf("failures_before_critical may only be set for Consul service checks")
+ return errors.New("failures_before_critical may only be set for Consul service checks")
 }
 
 // tls_server_name is consul only
 if sc.TLSServerName != "" {
- return fmt.Errorf("tls_server_name may only be set for Consul service checks")
+ return errors.New("tls_server_name may only be set for Consul service checks")
 }
 
 // tls_skip_verify is consul only
 if sc.TLSSkipVerify {
- return fmt.Errorf("tls_skip_verify may only be set for Consul service checks")
+ return errors.New("tls_skip_verify may only be set for Consul service checks")
 }
 
 return nil