test: add task validation when using vault secret provider (#26517)

client/allocrunner/taskrunner/secrets/nomad_provider.go

@@ -13,6 +13,8 @@ import (
 	"github.com/mitchellh/mapstructure"
 )
 
+const SecretProviderNomad = "nomad"
+
 type nomadProviderConfig struct {
 	Namespace string `mapstructure:"namespace"`
 }

client/allocrunner/taskrunner/secrets/vault_provider.go

@@ -14,6 +14,8 @@ import (
 )
 
 const (
+	SecretProviderVault = "vault"
+
 	VAULT_KV    = "kv"
 	VAULT_KV_V2 = "kv_v2"
 )

client/allocrunner/taskrunner/secrets_hook.go

@@ -185,13 +185,13 @@ func (h *secretsHook) buildSecretProviders(secretDir string) ([]TemplateProvider
 
 		tmplFile := fmt.Sprintf("temp-%d", idx)
 		switch s.Provider {
-		case "nomad":
+		case secrets.SecretProviderNomad:
 			if p, err := secrets.NewNomadProvider(s, secretDir, tmplFile, h.nomadNamespace); err != nil {
 				multierror.Append(mErr, err)
 			} else {
 				tmplProvider = append(tmplProvider, p)
 			}
-		case "vault":
+		case secrets.SecretProviderVault:
 			if p, err := secrets.NewVaultProvider(s, secretDir, tmplFile); err != nil {
 				multierror.Append(mErr, err)
 			} else {

nomad/structs/structs.go

@@ -219,6 +219,9 @@ const (
 	RateMetricRead  = "read"
 	RateMetricList  = "list"
 	RateMetricWrite = "write"
+
+	// Vault secret provider used in task validation
+	SecretProviderVault = "vault"
 )
 
 var (
@@ -8329,6 +8332,10 @@ func (t *Task) Validate(jobType string, tg *TaskGroup) error {
 			secrets[s.Name] = true
 		}
 
+		if s.Provider == SecretProviderVault && t.Vault == nil {
+			mErr.Errors = append(mErr.Errors, fmt.Errorf("Secret %q has provider \"vault\" but no vault block", s.Name))
+		}
+
 		if err := s.Validate(); err != nil {
 			mErr.Errors = append(mErr.Errors, fmt.Errorf("Secret %q is invalid: %w", s.Name, err))
 		}

nomad/structs/structs_test.go

@@ -6459,6 +6459,56 @@ func TestVault_Canonicalize(t *testing.T) {
 	require.Equal(t, VaultChangeModeRestart, v.ChangeMode)
 }
 
+func TestTask_Validate_Secret(t *testing.T) {
+	cases := []struct {
+		name   string
+		task   *Task
+		expErr bool
+	}{
+		{
+			name: "errors with vault provider and no vault block",
+			task: &Task{
+				Secrets: []*Secret{
+					{
+						Name:     "test",
+						Provider: "vault",
+					},
+				},
+			},
+			expErr: true,
+		},
+		{
+			name: "succeeds with vault provider and vault block",
+			task: &Task{
+				Vault: &Vault{},
+				Secrets: []*Secret{
+					{
+						Name:     "test",
+						Provider: "vault",
+					},
+				},
+			},
+			expErr: false,
+		},
+	}
+
+	vaultProviderErr := "has provider \"vault\" but no vault block"
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.task.Validate(JobTypeService, &TaskGroup{})
+
+			// Validate will return errors here, we just want to validate
+			// it contains the above vaultProviderErr or not
+			if tc.expErr {
+				must.ErrorContains(t, err, vaultProviderErr)
+			} else {
+				// no ErrorNotContains so use string matching
+				must.StrNotContains(t, err.Error(), vaultProviderErr)
+			}
+		})
+	}
+}
+
 func TestSecrets_Copy(t *testing.T) {
 	ci.Parallel(t)
 	s := &Secret{