docs: warn about Consul auth method locality (#24275)
* docs: warn about Consul auth method locality

The locality of Consul tokens we mint via Workload Identity is governed by the
Consul auth method configuration. By default tokens are local to the Consul
datacenter, which typically maps 1:1 with a Nomad region. Cluster administrators
who need cross-datacenter tokens can get them by setting the locality to global,
at the risk of placement problems if the primary DC isn't available.

Ref: hashicorp/consul#21863
Fixes: #23505
tgross authored Oct 23, 2024
1 parent 6a2e1e4 commit 10358cc
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion website/content/docs/integrations/consul/acl.mdx
@@ -109,7 +109,10 @@ Nomad uses to sign workload identities. With these keys, Consul is able to
validate their origin and confirm that they were actually created by Nomad.

Nomad cannot recreate Consul tokens that have been deleted. The auth method
configuration should never set the `MaxTokenTTL` field.
configuration should never set the `MaxTokenTTL` field. Consul tokens are
local to the Consul datacenter unless you set `TokenLocality: "global"` in the
auth method. We recommend using local tokens, which is the default. Global tokens
require that the primary Consul datacenter is available when allocations start.

<CodeBlockConfig highlight="2" filename="auth-method.json">

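Review bot: the added sentences (`Consul tokens are local to the Consul datacenter unless you set `TokenLocality: "global"` in the auth method. We recommend using local tokens, which is the default.`) tell the reader not to use global tokens but never say when they would need them; the commit message gives the reason (workloads that need cross-datacenter tokens), so consider adding a clause such as "unless your workloads need a token that is valid in other Consul datacenters" so operators with that requirement know the setting applies to them. The failure mode on the last added line is also stated only indirectly ("require that the primary Consul datacenter is available when allocations start"); spell out the consequence from the commit message, that allocations requesting a global token cannot be placed while the primary datacenter is unreachable. Finally, the `MaxTokenTTL` guidance and the locality guidance are separate concerns now sharing one paragraph; a paragraph break after the `MaxTokenTTL` sentence would help readers scanning for either setting, and since the `auth-method.json` example below highlights only line 2, consider showing where `TokenLocality` would go in that example.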