From 10358cc911ee35eeebc412fa25271def71de5af0 Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Wed, 23 Oct 2024 11:44:03 -0400 Subject: [PATCH] docs: warn about Consul auth method locality (#24275) * docs: warn about Consul auth method locality The locality of Consul tokens we mint via Workload Identity is governed by the Consul auth method configuration. By default tokens are local to the Consul datacenter, which typically maps 1:1 with a Nomad region. Cluster administrators who need cross-datacenter tokens can get them by setting the locality to global, at the risk of placement problems if the primary DC isn't available. Ref: https://github.com/hashicorp/consul/issues/21863 Fixes: https://github.com/hashicorp/nomad/issues/23505 --- website/content/docs/integrations/consul/acl.mdx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/website/content/docs/integrations/consul/acl.mdx b/website/content/docs/integrations/consul/acl.mdx index 5b474134b49..7db0abac221 100644 --- a/website/content/docs/integrations/consul/acl.mdx +++ b/website/content/docs/integrations/consul/acl.mdx @@ -109,7 +109,10 @@ Nomad uses to sign workload identities. With these keys, Consul is able to validate their origin and confirm that they were actually created by Nomad. Nomad cannot recreate Consul tokens that have been deleted. The auth method -configuration should never set the `MaxTokenTTL` field. +configuration should never set the `MaxTokenTTL` field. Consul tokens are +local to the Consul datacenter unless you set `TokenLocality: "global"` in the +auth method. We recommend using local tokens, which is the default. Global tokens +require that the primary Consul datacenter is available when allocations start.