From b08edf385ad79c129f2f817fe32afbf7cb7a53e2 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Wed, 5 Apr 2023 14:43:45 -0400
Subject: [PATCH] agent: add top-level warning if mTLS is not configured (#16800)
Nomad's security model requires mTLS in order to secure client-to-server and server-to-server communications. Configuring ACLs alone is not enough. Loudly warn the user if mTLS is not configured in non-dev modes.
---
 command/agent/command.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/command/agent/command.go b/command/agent/command.go
index a8b773871..3b58dc77c 100644
--- a/command/agent/command.go
+++ b/command/agent/command.go
@@ -328,6 +328,10 @@ func (c *Command) IsValidConfig(config, cmdConfig *Config) bool {
 c.Ui.Error(fmt.Sprintf("WARNING: Error when parsing TLS configuration: %v", err))
 }
 }
+ if !config.DevMode && (config.TLSConfig == nil ||
+ !config.TLSConfig.EnableHTTP || !config.TLSConfig.EnableRPC) {
+ c.Ui.Error("WARNING: mTLS is not configured - Nomad is not secure without mTLS!")
+ }
 if config.Server.EncryptKey != "" {
 if _, err := config.Server.EncryptBytes(); err != nil {