Auto fetch agent consul token

Open jorgemarey opened this issue 1 year ago • 2 comments

Proposal

With the addition of workload identities, nomad would automatically fetch consul tokens for services and tasks, but we still need to provide a consul token for nomad to be able to perform other operations in consul.

Maybe nomad servers could also issue a jwt for clients that these use for login and retrieval of the consul token used by the agent.

A configuration option could be provided as agent_auth_method, similar to the ones present currently for tasks and services.

The issued jwt could have the node_class, node_pool and name.

This would avoid needing to set a consul token on configuration.

I don't know if this is possible by how nomad currently starts and connects with the servers. But if it's possible I think it would be an improvement.

jorgemarey, Jun 30 '24 12:06

Hi @jorgemarey, thanks for the suggestion. Indeed we do have future plans of improving Consul integration based on WI tokens, but it's not currently on our next release roadmap and it's hard for us to commit to a timeline here. It's definitely something we will be revisiting in the future though.

pkazmierczak, Jul 01 '24 12:07

I also wanted to leave a note here that this rolls up into a concept we've been talking about internally as Node Identity. See also https://github.com/hashicorp/nomad/issues/16574 for related ideas.

tgross, Jul 09 '24 12:07