intro: Add node introduction flow for Nomad client registration. (#26405)

This change implements the client -> server workflow for Nomad node introduction. A Nomad node can optionally be started with an introduction token, which is a signed JWT containing claims for the node registration. The server handles this according to the enforcement configuration. The introduction token can be provided by env var, cli flag, or by placing it within a default filesystem location. The latter option does not override the CLI or env var. The region claims has been removed from the initial claims set of the intro identity. This boundary is guarded by mTLS and aligns with the node identity.
2026-01-06 18:35:44 +03:00 · 2025-08-05 09:23:44 +02:00
parent 20251b675d
commit 80a26306bf
17 changed files with 1063 additions and 22 deletions
--- a/command/agent/command_test.go
+++ b/command/agent/command_test.go
@@ -618,6 +618,34 @@ vault {
 	}
 }

+func TestCommand_readConfig_clientIntroToken(t *testing.T) {
+
+	t.Run("env var", func(t *testing.T) {
+		t.Setenv("NOMAD_CLIENT_INTRO_TOKEN", "test-intro-token")
+
+		cmd := &Command{Ui: cli.NewMockUi(), args: []string{"-dev"}}
+		outputConfig := cmd.readConfig()
+		must.Eq(t, "test-intro-token", outputConfig.Client.IntroToken)
+	})
+
+	t.Run("cli flag", func(t *testing.T) {
+		cmd := &Command{Ui: cli.NewMockUi(), args: []string{
+			"-dev",
+			"-client-intro-token=test-intro-token",
+		}}
+		outputConfig := cmd.readConfig()
+		must.Eq(t, "test-intro-token", outputConfig.Client.IntroToken)
+	})
+
+	t.Run("none", func(t *testing.T) {
+		cmd := &Command{Ui: cli.NewMockUi(), args: []string{
+			"-dev",
+		}}
+		outputConfig := cmd.readConfig()
+		must.Eq(t, "", outputConfig.Client.IntroToken)
+	})
+}
+
 func Test_setupLoggers_logFile(t *testing.T) {

 	// Generate a mock UI and temporary log file location to write to.