check: Add support for Consul field tls_server_name (#17334)

.changelog/17334.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+checks: Added support for Consul check field tls_server_name
+```

api/services.go

@@ -212,6 +212,7 @@ type ServiceCheck struct {
 	Interval               time.Duration       `hcl:"interval,optional"`
 	Timeout                time.Duration       `hcl:"timeout,optional"`
 	InitialStatus          string              `mapstructure:"initial_status" hcl:"initial_status,optional"`
+	TLSServerName          string              `mapstructure:"tls_server_name" hcl:"tls_server_name,optional"`
 	TLSSkipVerify          bool                `mapstructure:"tls_skip_verify" hcl:"tls_skip_verify,optional"`
 	Header                 map[string][]string `hcl:"header,block"`
 	Method                 string              `hcl:"method,optional"`

command/agent/consul/service_client.go

@@ -1164,6 +1164,7 @@ func apiCheckRegistrationToCheck(r *api.AgentCheckRegistration) *api.AgentServic
 		Body:                   r.Body,
 		TCP:                    r.TCP,
 		Status:                 r.Status,
+		TLSServerName:          r.TLSServerName,
 		TLSSkipVerify:          r.TLSSkipVerify,
 		GRPC:                   r.GRPC,
 		GRPCUseTLS:             r.GRPCUseTLS,
@@ -1653,6 +1654,7 @@ func createCheckReg(serviceID, checkID string, check *structs.ServiceCheck, host
 		if check.TLSSkipVerify {
 			chkReg.TLSSkipVerify = true
 		}
+		chkReg.TLSServerName = check.TLSServerName
 		base := url.URL{
 			Scheme: proto,
 			Host:   net.JoinHostPort(host, strconv.Itoa(port)),
@@ -1681,6 +1683,7 @@ func createCheckReg(serviceID, checkID string, check *structs.ServiceCheck, host
 		if check.TLSSkipVerify {
 			chkReg.TLSSkipVerify = true
 		}
+		chkReg.TLSServerName = check.TLSServerName
 
 	default:
 		return nil, fmt.Errorf("check type %+q not valid", check.Type)

command/agent/consul/unit_test.go

@@ -972,6 +972,7 @@ func TestCreateCheckReg_GRPC(t *testing.T) {
 		PortLabel:     "label",
 		GRPCService:   "foo.Bar",
 		GRPCUseTLS:    true,
+		TLSServerName: "localhost",
 		TLSSkipVerify: true,
 		Timeout:       time.Second,
 		Interval:      time.Minute,
@@ -988,13 +989,14 @@ func TestCreateCheckReg_GRPC(t *testing.T) {
 		AgentServiceCheck: api.AgentServiceCheck{
 			Timeout:       "1s",
 			Interval:      "1m0s",
-			GRPC:          "localhost:8080/foo.Bar",
+			GRPC:          "127.0.0.1:8080/foo.Bar",
 			GRPCUseTLS:    true,
+			TLSServerName: "localhost",
 			TLSSkipVerify: true,
 		},
 	}
 
-	actual, err := createCheckReg(serviceID, checkID, check, "localhost", 8080, "default")
+	actual, err := createCheckReg(serviceID, checkID, check, "127.0.0.1", 8080, "default")
 	must.NoError(t, err)
 	must.Eq(t, expected, actual)
 }

command/agent/job_endpoint.go

@@ -1484,6 +1484,7 @@ func ApiServicesToStructs(in []*api.Service, group bool) []*structs.Service {
 					Interval:               check.Interval,
 					Timeout:                check.Timeout,
 					InitialStatus:          check.InitialStatus,
+					TLSServerName:          check.TLSServerName,
 					TLSSkipVerify:          check.TLSSkipVerify,
 					Header:                 check.Header,
 					Method:                 check.Method,

nomad/structs/diff_test.go

@@ -3085,6 +3085,12 @@ func TestTaskGroupDiff(t *testing.T) {
 										Old:  "3",
 										New:  "5",
 									},
+									{
+										Type: DiffTypeNone,
+										Name: "TLSServerName",
+										Old:  "",
+										New:  "",
+									},
 									{
 										Type: DiffTypeNone,
 										Name: "TLSSkipVerify",
@@ -6625,6 +6631,12 @@ func TestTaskDiff(t *testing.T) {
 										Old:  "4",
 										New:  "4",
 									},
+									{
+										Type: DiffTypeNone,
+										Name: "TLSServerName",
+										Old:  "",
+										New:  "",
+									},
 									{
 										Type: DiffTypeNone,
 										Name: "TLSSkipVerify",

nomad/structs/services.go

@@ -68,7 +68,8 @@ type ServiceCheck struct {
 	Interval               time.Duration       // Interval of the check
 	Timeout                time.Duration       // Timeout of the response from the check before consul fails the check
 	InitialStatus          string              // Initial status of the check
-	TLSSkipVerify          bool                // Skip TLS verification when Protocol=https
+	TLSServerName          string              // ServerName to use for SNI and TLS verification when (Type=https and Protocol=https) or (Type=grpc and GRPCUseTLS=true)
+	TLSSkipVerify          bool                // Skip TLS verification when (type=https and Protocol=https) or (type=grpc and grpc_use_tls=true)
 	Method                 string              // HTTP Method to use (GET by default)
 	Header                 map[string][]string // HTTP Headers for Consul to set when making HTTP checks
 	CheckRestart           *CheckRestart       // If and when a task should be restarted based on checks
@@ -183,6 +184,10 @@ func (sc *ServiceCheck) Equal(o *ServiceCheck) bool {
 		return false
 	}
 
+	if sc.TLSServerName != o.TLSServerName {
+		return false
+	}
+
 	if sc.Timeout != o.Timeout {
 		return false
 	}
@@ -378,6 +383,11 @@ func (sc *ServiceCheck) validateNomad() error {
 		return fmt.Errorf("failures_before_critical may only be set for Consul service checks")
 	}
 
+	// tls_server_name is consul only
+	if sc.TLSServerName != "" {
+		return fmt.Errorf("tls_server_name may only be set for Consul service checks")
+	}
+
 	return nil
 }
 
@@ -465,6 +475,9 @@ func (sc *ServiceCheck) Hash(serviceID string) string {
 	// use name "true" to maintain ID stability
 	hashBool(h, sc.TLSSkipVerify, "true")
 
+	// Only include TLSServerName if set to maintain ID stability with Nomad <1.6.0
+	hashStringIfNonEmpty(h, sc.TLSServerName)
+
 	// maintain artisanal map hashing to maintain ID stability
 	hashHeader(h, sc.Header)
 

nomad/structs/services_test.go

@@ -353,6 +353,17 @@ func TestServiceCheck_validateNomad(t *testing.T) {
 				Body:     "this is a request payload!",
 			},
 		},
+		{
+			name: "http with tls_server_name",
+			sc: &ServiceCheck{
+				Type:          ServiceCheckHTTP,
+				Interval:      3 * time.Second,
+				Timeout:       1 * time.Second,
+				Path:          "/health",
+				TLSServerName: "foo",
+			},
+			exp: `tls_server_name may only be set for Consul service checks`,
+		},
 	}
 
 	for _, testCase := range testCases {

ui/stories/components/diff-viewer.stories.js

@@ -434,6 +434,13 @@ export let DiffViewerWithManyChanges = () => {
                             Old: '',
                             Type: 'None',
                           },
+                          {
+                            Annotations: null,
+                            Name: 'TLSServerName',
+                            New: '',
+                            Old: '',
+                            Type: 'None',
+                          },
                           {
                             Annotations: null,
                             Name: 'TLSSkipVerify',

website/content/docs/job-specification/check.mdx

@@ -81,6 +81,8 @@ job "example" {
 
 - `grpc_use_tls` `(bool: false)` - Use TLS to perform a gRPC health check. May
   be used with `tls_skip_verify` to use TLS but skip certificate verification.
+  May be used with `tls_server_name` to specify the ServerName to use for SNI
+  and validation of the certificate presented by the server being checked.
 
 - `initial_status` `(string: <enum>)` - Specifies the starting status of the
   service. Valid options are `passing`, `warning`, and `critical`. Omitting
@@ -157,8 +159,27 @@ job "example" {
   Nomad. For Consul service checks, valid options are `grpc`, `http`, `script`,
   and `tcp`. For Nomad service checks, valid options are `http` and `tcp`.
 
-- `tls_skip_verify` `(bool: false)` - Skip verifying TLS certificates for HTTPS
+- `tls_server_name` `(string: "")` - Indicates the ServerName to use for SNI and
-  checks. Only supported in the Consul service provider.
+  validation of the certificate presented by the server being checked, when
+  performing TLS enabled checks (`https` and `grpc` with `grpc_use_tls`). If left
+  unspecified, the ServerName will be inferred from the address of the server
+  being checked unless the address is an IP address. There are two common cases
+  where this is beneficial:
+
+    - When the check address contains an IP, `tls_server_name` can be specified
+      for SNI. Note: setting `tls_server_name` will also override the hostname
+      used to verify the certificate presented by the server being checked.
+
+    - When the check address contains a hostname which isn't be present in the
+      SAN (Subject Alternative Name) field of the certificate presented by the
+      server being checked. Note: setting `tls_server_name` will also override
+      the hostname used for SNI.
+
+  This field is only supported in the Consul service provider. 
+
+- `tls_skip_verify` `(bool: false)` - Skip verification of certificates for
+  `https` and `grpc` with `grpc_use_tls` checks . Only supported in the Consul
+  service provider.
 
 - `on_update` `(string: "require_healthy")` - Specifies how checks should be
   evaluated when determining deployment health (including a job's initial