secrets: Add secrets block to job spec (#26076)

api/tasks.go

@@ -786,6 +786,7 @@ type Task struct {
 	KillSignal      string                 `mapstructure:"kill_signal" hcl:"kill_signal,optional"`
 	Kind            string                 `hcl:"kind,optional"`
 	ScalingPolicies []*ScalingPolicy       `hcl:"scaling,block"`
+	Secrets         []*Secret              `hcl:"secret,block"`
 
 	// Identity is the default Nomad Workload Identity and will be added to
 	// Identities with the name "default"
@@ -825,6 +826,9 @@ func (t *Task) Canonicalize(tg *TaskGroup, job *Job) {
 	for _, tmpl := range t.Templates {
 		tmpl.Canonicalize()
 	}
+	for _, s := range t.Secrets {
+		s.Canonicalize()
+	}
 	for _, s := range t.Services {
 		s.Canonicalize(t, tg, job)
 	}
@@ -1042,6 +1046,19 @@ func (v *Vault) Canonicalize() {
 	}
 }
 
+type Secret struct {
+	Name     string         `hcl:"name,label"`
+	Provider string         `hcl:"provider,optional"`
+	Path     string         `hcl:"path,optional"`
+	Config   map[string]any `hcl:"config,block"`
+}
+
+func (s *Secret) Canonicalize() {
+	if len(s.Config) == 0 {
+		s.Config = nil
+	}
+}
+
 // NewTask creates and initializes a new Task.
 func NewTask(name, driver string) *Task {
 	return &Task{

api/tasks_test.go

@@ -506,6 +506,27 @@ func TestTask_Canonicalize_Vault(t *testing.T) {
 	}
 }
 
+func TestTask_Canonicalize_Secret(t *testing.T) {
+	testutil.Parallel(t)
+
+	testSecret := &Secret{
+		Name:     "test-secret",
+		Provider: "test-provider",
+		Path:     "/test/path",
+		Config:   make(map[string]any),
+	}
+
+	expected := &Secret{
+		Name:     "test-secret",
+		Provider: "test-provider",
+		Path:     "/test/path",
+		Config:   nil,
+	}
+
+	testSecret.Canonicalize()
+	must.Eq(t, expected, testSecret)
+}
+
 // Ensures no regression on https://github.com/hashicorp/nomad/issues/3132
 func TestTaskGroup_Canonicalize_Update(t *testing.T) {
 	testutil.Parallel(t)