validate connect block allowed only within group.service

command/agent/job_endpoint.go

@@ -1088,6 +1088,12 @@ func ApiTaskToStructsTask(job *structs.Job, group *structs.TaskGroup,
 					}
 				}
 			}
+
+			// Task services can't have a connect block. We still convert it so that
+			// we can later return a validation error.
+			if service.Connect != nil {
+				structsTask.Services[i].Connect = ApiConsulConnectToStructs(service.Connect)
+			}
 		}
 	}
 

nomad/structs/structs.go

@@ -6954,6 +6954,11 @@ func validateServices(t *Task, tgNetworks Networks) error {
 			}
 		}
 
+		// connect block is only allowed on group level
+		if service.Connect != nil {
+			mErr.Errors = append(mErr.Errors, fmt.Errorf("service %q cannot have \"connect\" block, only services defined in a \"group\" block can", service.Name))
+		}
+
 		// Ensure that check names are unique and have valid ports
 		knownChecks := make(map[string]struct{})
 		for _, check := range service.Checks {

nomad/structs/structs_test.go

@@ -1933,6 +1933,13 @@ func TestTask_Validate_Service_Check_AddressMode(t *testing.T) {
 			},
 			ErrContains: `invalid: check requires a port but neither check nor service`,
 		},
+		{
+			Service: &Service{
+				Name:    "conect-block-on-task-level",
+				Connect: &ConsulConnect{SidecarService: &ConsulSidecarService{}},
+			},
+			ErrContains: `cannot have "connect" block`,
+		},
 	}
 
 	for _, tc := range cases {