intro: Add node introduction flow for Nomad client registration. (#26405)

This change implements the client -> server workflow for Nomad
node introduction. A Nomad node can optionally be started with an
introduction token, which is a signed JWT containing claims for
the node registration. The server handles this according to the
enforcement configuration.

The introduction token can be provided by env var, cli flag, or
by placing it within a default filesystem location. The latter
option does not override the CLI or env var.

The region claims has been removed from the initial claims set of
the intro identity. This boundary is guarded by mTLS and aligns
with the node identity.

command/agent/command.go

@@ -118,6 +118,7 @@ func (c *Command) readConfig() *Config {
 	flags.StringVar(&cmdConfig.Client.NetworkInterface, "network-interface", "", "")
 	flags.StringVar((*string)(&cmdConfig.Client.PreferredAddressFamily), "preferred-address-family", "", "ipv4 or ipv6")
 	flags.IntVar(&cmdConfig.Client.NetworkSpeed, "network-speed", 0, "")
+	flags.StringVar(&cmdConfig.Client.IntroToken, "client-intro-token", "", "")
 
 	// General options
 	flags.Var((*flaghelper.StringFlag)(&configPath), "config", "config")
@@ -220,6 +221,12 @@ func (c *Command) readConfig() *Config {
 		}
 	}
 
+	// Perform an environment look for the client bootstrap token. If this is
+	// present, it will override the CLI flag.
+	if envToken, found := os.LookupEnv("NOMAD_CLIENT_INTRO_TOKEN"); found {
+		cmdConfig.Client.IntroToken = envToken
+	}
+
 	// Load the configuration
 	var config *Config