client: Add client identity API, CLI, and RPC workflow. (#26543)

The Nomad clients store their Nomad identity in memory and within their state store. While active, it is not possible to dump the state to view the stored identity token, so having a way to view the current claims while running aids debugging and operations. This change adds a client identity workflow, allowing operators to view the current claims of the nodes identity. It does not return any of the signing key material.
2026-01-01 16:05:42 +03:00 · 2025-08-19 08:25:51 +01:00
parent f3e08d8aa9
commit 3b0b7db1a1
14 changed files with 722 additions and 3 deletions
--- a/api/node_identity.go
+++ b/api/node_identity.go
@@ -3,6 +3,18 @@

 package api

+// NodeIdentityGetRequest represents the request to retrieve the node identity
+// claims for a specific node.
+type NodeIdentityGetRequest struct {
+	NodeID string
+}
+
+// NodeIdentityGetResponse represents the response containing the node identity
+// claims.
+type NodeIdentityGetResponse struct {
+	Claims map[string]any
+}
+
 type NodeIdentityRenewRequest struct {
 	NodeID string
 }
@@ -17,6 +29,34 @@ func (n *Nodes) Identity() *NodeIdentity {
 	return &NodeIdentity{client: n.client}
 }

+// Get retrieves the node identity claims for the node specified within the
+// request object.
+//
+// The request uses query options to control the forwarding behavior of the
+// request only. Parameters such as Filter, WaitTime, and WaitIndex are not used
+// and ignored.
+func (n *NodeIdentity) Get(req *NodeIdentityGetRequest, qo *QueryOptions) (*NodeIdentityGetResponse, error) {
+
+	if qo == nil {
+		qo = &QueryOptions{}
+	}
+
+	if qo.Params == nil {
+		qo.Params = make(map[string]string)
+	}
+
+	if req.NodeID != "" {
+		qo.Params["node_id"] = req.NodeID
+	}
+
+	var out NodeIdentityGetResponse
+
+	if _, err := n.client.query("/v1/client/identity", &out, qo); err != nil {
+		return nil, err
+	}
+	return &out, nil
+}
+
 // Renew instructs the node to request a new identity from the server at its
 // next heartbeat.
 //
--- a/api/node_identity_test.go
+++ b/api/node_identity_test.go
@@ -10,6 +10,25 @@ import (
 	"github.com/shoenig/test/must"
 )

+func TestNodeIdentity_Get(t *testing.T) {
+	testutil.Parallel(t)
+
+	configCallback := func(c *testutil.TestServerConfig) { c.DevMode = true }
+	testClient, testServer := makeClient(t, nil, configCallback)
+	defer testServer.Stop()
+
+	nodeID := oneNodeFromNodeList(t, testClient.Nodes()).ID
+
+	req := NodeIdentityGetRequest{
+		NodeID: nodeID,
+	}
+
+	resp, err := testClient.Nodes().Identity().Get(&req, nil)
+	must.NoError(t, err)
+	must.NotNil(t, resp)
+	must.MapLen(t, 9, resp.Claims)
+}
+
 func TestNodeIdentity_Renew(t *testing.T) {
 	testutil.Parallel(t)