Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement. Learn more about why HashiCorp requires a CLA and what the CLA includes. 1 out of 3 committers have signed the CLA.
Have you signed the CLA already but the status is still pending? Recheck it.
Testing with commit 7e21ab5 the "Integrate service discovery" page no longer works due to adding the service_identity and task_identity to the Nomad config file's consul block in cluster setup. Now with just plain service discovery, Nomad-Consul integration is looking for the "nomad-workloads" auth method in order to deploy the HashiCups services that use Consul service discovery (but not service mesh). The fix I'm testing is moving the "nomad-workloads" auth method and related ACL policy/role creation to setup. So the 04.api-gateway.config.sh script only adds the builtin/api-gateway binding rule to an existing "nomad-workloads" auth method.
Update Nomad to 1.11.3, Consul to 1.22.5. The original tutorial uses Nomad 1.8 and does not work with the latest Nomad version. Nomad removed Consul token auth in 1.10, so we need to update for using workload identity.
setup.sh: Update Consul, Vault, Nomad, Consul template versions. Remove ENVOYVERSION because it's not used anywhere in the script. Remove TODO comments at end of script. service_identity and task_identity blocks to consul block of Nomad server and client configs
04.api-gateway.config.sh: Create workload identity artifacts in Consul: binding rules, ACL policy, ACL role
04.api-gateway.nomad.hcl: Update Consul and Envoy versions. The log indicated that Consul no longer supports Envoy version 1.29.7 so I updated to 1.35.3.
Binding Rules
04.api-gateway.config.sh script creates the JWT and adds a binding rule for the api-gateway service running in the 'ingress' namespace. I added a binding rule for Nomad services not running in the 'ingress' namespace and a second rule for Nomad tasks not running in the 'ingress' namespace. HashiCups job spec does not declare a namespace and is therefore deployed to the default namespace.
Policy and Role
Service mesh integration requires Consul ACL policy and role for Nomad tasks.
References
Testing
I modified my running infrastructure with these changes, but I have not yet done an end-to-end test to create the infrastructure.
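
The three binding rules described under "Binding Rules", with the ordering check raised in the review comment (the "nomad-workloads" auth method must exist before a rule is attached), sketched as an added example that is not the PR's script. The selectors, bind names, the `nomad-tasks-<namespace>` role pattern and the file name `rules.sh` are assumptions; only the auth method name, the `ingress` namespace and `builtin/api-gateway` come from the discussion.

```shell
#!/bin/sh
# Added example, not the PR's script. Selectors, bind names and the role name
# pattern are assumptions modelled on the three rules the description lists.
AUTH_METHOD="nomad-workloads"   # auth method name from the discussion above
CONSUL="${CONSUL:-consul}"      # overridable so the logic runs without a cluster

# Print the selector for one rule kind. Assumes the auth method maps the
# workload identity claims nomad_namespace and nomad_service into value.*.
rule_selector() {
  case "$1" in
    gateway) echo 'value.nomad_namespace=="ingress"' ;;
    service) echo '"nomad_service" in value and value.nomad_namespace!="ingress"' ;;
    task)    echo '"nomad_service" not in value and value.nomad_namespace!="ingress"' ;;
    *)       return 1 ;;
  esac
}

# Create one binding rule. Returns 2 without changing anything when the auth
# method is absent, which is the ordering problem raised in the review comment.
create_rule() {
  if ! "$CONSUL" acl auth-method read -name "$AUTH_METHOD" >/dev/null 2>&1; then
    echo "auth method $AUTH_METHOD not found; create it in cluster setup first" >&2
    return 2
  fi
  sel=$(rule_selector "$1") || { echo "unknown rule kind: $1" >&2; return 1; }
  case "$1" in
    gateway) set -- -bind-type templated-policy -bind-name builtin/api-gateway \
                    -bind-vars 'Name=${value.nomad_job_id}' ;;
    service) set -- -bind-type service -bind-name '${value.nomad_service}' ;;
    task)    set -- -bind-type role -bind-name 'nomad-tasks-${value.nomad_namespace}' ;;
  esac
  "$CONSUL" acl binding-rule create -method "$AUTH_METHOD" -selector "$sel" "$@"
}

# Usage (hypothetical file name): sh rules.sh gateway service task
for kind in "$@"; do
  create_rule "$kind" || exit $?
done
```

Because the service and task selectors exclude `ingress`, a workload in the default namespace such as HashiCups never matches the gateway rule and cannot pick up the API gateway policy.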