Validate that Connect ingress gateway ports are configured properly

[schmichael]

Nomad version

Nomad v1.1.3 (8c0c814)
Consul v1.10.1

Problem

ingress.listener.port accepts an integer port instead of a named port. When using bridge networking (network.mode = "bridge") this is fine as the port is within the network namespace and therefore cannot collide with other tasks.

However, when using host network (network.mode = "host") to avoid the overhead of forwarding ports from the host to the ingress gateway's network namespace, the scheduler does not track the ingress gateway's port usage which can trivially cause port collisions at runtime. See job files below for an example.

Solution: Validate ingress listener ports

Nomad could validate that when using host networking the ingress listener's ports are defined in the network stanza.

Stretch goal: Accept named ingress listener ports

Similar to service.port, ingress listener ports could optionally accept a string with the name of a port defined in the group's network stanza. This would remove the need for users to define the same port number twice and reduce the chance of forgetting to define the network.port stanza for an ingress listener.

Job Files

Using sudo nomad agent -dev-connect and a Consul dev agent, running the following jobs will cause the second to fail at runtime instead of causing a port collision in the scheduler:

https://gist.github.com/schmichael/e80be2426ca04859e9b34d6fe251f01f