consul/connect: avoid NPE from unset connect gateway proxy

Submitting a job with an ingress gateway in host networking mode with an absent gateway.proxy block would cause the Nomad client to panic on NPE. The consul registration bits would assume the proxy stanza was not nil, but it could be if the user does not supply any manually configured envoy proxy settings. Check the proxy field is not nil before using it. Fixes #9669
2026-01-06 02:15:43 +03:00 · 2021-01-05 09:27:01 -06:00
parent ae618ed689
commit 80d07f6e6c
3 changed files with 33 additions and 17 deletions
--- a/command/agent/consul/connect.go
+++ b/command/agent/consul/connect.go
@@ -45,29 +45,33 @@ func newConnectGateway(serviceName string, connect *structs.ConsulConnect) *api.
 		return nil
 	}

-	proxy := connect.Gateway.Proxy
+	var envoyConfig map[string]interface{}

-	envoyConfig := make(map[string]interface{})
+	// Populate the envoy configuration from the gateway.proxy stanza, if
+	// such configuration is provided.
+	if proxy := connect.Gateway.Proxy; proxy != nil {
+		envoyConfig = make(map[string]interface{})

-	if len(proxy.EnvoyGatewayBindAddresses) > 0 {
-		envoyConfig["envoy_gateway_bind_addresses"] = proxy.EnvoyGatewayBindAddresses
-	}
+		if len(proxy.EnvoyGatewayBindAddresses) > 0 {
+			envoyConfig["envoy_gateway_bind_addresses"] = proxy.EnvoyGatewayBindAddresses
+		}

-	if proxy.EnvoyGatewayNoDefaultBind {
-		envoyConfig["envoy_gateway_no_default_bind"] = true
-	}
+		if proxy.EnvoyGatewayNoDefaultBind {
+			envoyConfig["envoy_gateway_no_default_bind"] = true
+		}

-	if proxy.EnvoyGatewayBindTaggedAddresses {
-		envoyConfig["envoy_gateway_bind_tagged_addresses"] = true
-	}
+		if proxy.EnvoyGatewayBindTaggedAddresses {
+			envoyConfig["envoy_gateway_bind_tagged_addresses"] = true
+		}

-	if proxy.ConnectTimeout != nil {
-		envoyConfig["connect_timeout_ms"] = proxy.ConnectTimeout.Milliseconds()
-	}
+		if proxy.ConnectTimeout != nil {
+			envoyConfig["connect_timeout_ms"] = proxy.ConnectTimeout.Milliseconds()
+		}

-	if len(proxy.Config) > 0 {
-		for k, v := range proxy.Config {
-			envoyConfig[k] = v
+		if len(proxy.Config) > 0 {
+			for k, v := range proxy.Config {
+				envoyConfig[k] = v
+			}
 		}
 	}

--- a/command/agent/consul/connect_test.go
+++ b/command/agent/consul/connect_test.go
@@ -429,6 +429,17 @@ func TestConnect_newConnectGateway(t *testing.T) {
 		}, result)
 	})

+	t.Run("proxy undefined", func(t *testing.T) {
+		result := newConnectGateway("s1", &structs.ConsulConnect{
+			Gateway: &structs.ConsulGateway{
+				Proxy: nil,
+			},
+		})
+		require.Equal(t, &api.AgentServiceConnectProxyConfig{
+			Config: nil,
+		}, result)
+	})
+
 	t.Run("full", func(t *testing.T) {
 		result := newConnectGateway("s1", &structs.ConsulConnect{
 			Gateway: &structs.ConsulGateway{
--- a/nomad/structs/services.go
+++ b/nomad/structs/services.go
@@ -733,6 +733,7 @@ func (c *ConsulConnect) IsNative() bool {
 	return c != nil && c.Native
 }

+// IsGateway checks if the service is a Connect gateway.
 func (c *ConsulConnect) IsGateway() bool {
 	return c != nil && c.Gateway != nil
 }