docs: Add node identity concepts page and other missing items. (#26830)

Co-authored-by: Aimee Ukasick <aimee.ukasick@hashicorp.com>
2026-01-06 18:35:44 +03:00 · 2025-09-26 07:44:58 +01:00
parent bdf08e1461
commit 61a4a02166
7 changed files with 122 additions and 2 deletions
--- a/website/content/commands/node-pool/apply.mdx
+++ b/website/content/commands/node-pool/apply.mdx
@@ -40,6 +40,8 @@ node_pool "prod" {
    env = "prod"
  }

+  node_pool_identity = "720h"
+
  # Available only in Nomad Enterprise.
  scheduler_config {
    scheduler_algorithm = "spread"
--- a/website/content/commands/node-pool/info.mdx
+++ b/website/content/commands/node-pool/info.mdx
@@ -31,8 +31,9 @@ Retrieve information on a node pool:

 ```shell-session
 $ nomad node pool info prod
-Name        = prod
-Description = Node pool for production workloads.
+Name              = prod
+Description       = Node pool for production workloads.
+Node Identity TTL = "24h0m0s"

 Metadata
 env = production
@@ -53,6 +54,7 @@ $ nomad node pool info -json prod
    },
    "ModifyIndex": 39,
    "Name": "prod",
+    "NodeIdentityTTL": "24h0m0s",
    "SchedulerConfiguration": {
        "SchedulerAlgorithm": "spread"
    }
--- a/website/content/commands/node/identity/get.mdx
+++ b/website/content/commands/node/identity/get.mdx
@@ -0,0 +1,40 @@
+---
+layout: docs
+page_title: 'nomad node identity get command reference'
+description: |
+  The `nomad node identity get` command returns the identity claims for a specific node.
+---
+
+# `nomad node identity get` command reference
+
+Get the identity claims for a node. This command only applies to client agents.
+
+If ACLs are enabled, this command requires a token with the `node:read` capability.
+
+## Usage
+
+```plaintext
+nomad node identity get [options] <node_id>
+```
+
+## Examples
+
+Get the identity claims of a specific node.
+
+```shell-session
+$ nomad node identity renew da86421c-7de9-85e4-2f50-3b2bf95102c1
+Claim Key              Claim Value
+aud                    nomadproject.io
+exp                    2025-09-23T10:37:39+01:00
+iat                    2025-09-22T10:37:39+01:00
+jti                    6b3ccaac-9e23-088f-405b-23797ca64c1a
+nbf                    2025-09-22T10:37:39+01:00
+sub                    node:global:default:da86421c-7de9-85e4-2f50-3b2bf95102c1:default
+nomad_node_datacenter  dc1
+nomad_node_id          da86421c-7de9-85e4-2f50-3b2bf95102c1
+nomad_node_pool        default
+```
+
+## General options
+
+@include 'general_options.mdx'
--- a/website/content/docs/architecture/cluster/node-identity.mdx
+++ b/website/content/docs/architecture/cluster/node-identity.mdx
@@ -0,0 +1,58 @@
+---
+layout: docs
+page_title: Node identity
+description: Nomad's node identity feature uniquely identities each Nomad client node and provides an authentication mechanism for nodes to make RPC calls to the Nomad servers.
+---
+
+# Node identity
+
+This page provides conceptual information about Nomad's node identity feature,
+which uniquely identities each Nomad client node and provides an authentication
+mechanism for nodes to make RPC calls to the Nomad servers.
+
+The Nomad cluster gives every node a default identity once the cluster is able
+to fully support the feature with a defined lifetime. This node identity is a
+[JSON Web Token (JWT)][] that has been signed by the leader's keyring and is
+generated as part of the node's registration and heartbeat process.
+
+## Node identity claims
+
+Alongside the standard JWT claims such as `exp` (expiration time), `iat` (issued
+at time), and `aud` (audience), Nomad node identity includes the
+`nomad_node_id`, `nomad_node_pool`, and `nomad_node_datacenter` identity claims.
+
+```json
+{
+  "nomad_node_id": "f6e8c9d4-5b6a-4c3d-8e2f-1a2b3c4d5e6f",
+  "nomad_node_pool": "default",
+  "nomad_node_datacenter": "dc1"
+}
+```
+
+To review all identity claims for a specific node, run the
+[`node identity get` command][cli_node_identity_get].
+
+## Node identity renewal
+
+The node pool specification's [`node_identity_ttl`][config_node_identity_ttl]
+parameter dictates the identity's expiration, which defaults to 24 hours. When a
+node's identity exceeds 67% of its lifetime, the Nomad server issues a new
+identity to the node at its next heartbeat.
+
+You may force a node to renew its identity at its next heartbeat by running the
+[`node identity renew` command][cli_node_identity_renew], which ensure the 67%
+lifetime check is bypassed.
+
+## Node identity persistence
+
+A node's identity is stored within its local database, which is persisted within the
+configured [`data_dir`][client_cfg_state_dir]. To view the stored identity,
+along with other state resouces, run the
+[`operator client-state` command][cli_operattor_client_state].
+
+[JSON Web Token (JWT)]: https://datatracker.ietf.org/doc/html/rfc7519
+[config_node_identity_ttl]: /nomad/docs/other-specifications/node-pool#node_identity_ttl
+[cli_node_identity_get]: /nomad/commands/node/identity/get
+[cli_node_identity_renew]: /nomad/commands/node/identity/renew
+[client_cfg_state_dir]: /nomad/docs/configuration/client#state_dir
+[cli_operattor_client_state]: /nomad/commands/operator/client-state
--- a/website/content/docs/other-specifications/node-pool.mdx
+++ b/website/content/docs/other-specifications/node-pool.mdx
@@ -28,6 +28,12 @@ node_pool "example" {
    owner       = "sre"
  }

+  # node_identity_ttl is an optional parameter that sets the TTL for all node
+  # identities issued to nodes in this node pool. The value must be a valid
+  # duration string (e.g. "30m", "1h", "24h"). If not set, the default value is
+  # "24h".
+  # node_identity_ttl = "24h"
+
  # The scheduler configuration options specific to this node pool. This block
  # supports a subset of the fields supported in the global scheduler
  # configuration as described at:
@@ -60,6 +66,10 @@ Successfully applied node pool "example"!
  pool, defined as key-value pairs. The scheduler does not use node pool
  metadata as part of scheduling.

+- `node_identity_ttl` `(string: <optional>)` - Sets the TTL for node identities
+  issued to nodes in this node pool. The value must be a valid duration string
+  (e.g. "30m", "1h", "24h"). If not set, the default value is "24h".
+
 - `scheduler_config` <code>([SchedulerConfig][sched-config]: nil)</code> <EnterpriseAlert inline /> -
  Sets scheduler configuration options specific to the node pool. If not
  defined, the global scheduler configurations are used.
--- a/website/data/commands-nav-data.json
+++ b/website/data/commands-nav-data.json
@@ -475,6 +475,10 @@
            "title": "Overview",
            "path": "node/identity"
          },
+          {
+            "title": "get",
+            "path": "node/identity/get"
+          },
          {
            "title": "renew",
            "path": "node/identity/renew"
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@@ -32,6 +32,10 @@
            "title": "Multi-cluster federation",
            "path": "architecture/cluster/federation"
          },
+          {
+            "title": "Node identity",
+            "path": "architecture/cluster/node-identity"
+          },
          {
            "title": "Node pools",
            "path": "architecture/cluster/node-pools"