docs: Consul Workload Identity integration

website/content/docs/configuration/consul.mdx

@@ -131,6 +131,15 @@ value for the [`name`](#name) field.
   Consul service name defined in the `server_service_name` option. This search
   only happens if the server does not have a leader.
 
+- `service_auth_method` `(string: "nomad-workloads")` - Specifies the name of the
+  Consul [authentication method][auth-method] that will be used to login with a
+  Nomad JWT for services.
+
+- `service_identity` <code>([Identity][identity_block]: nil)</code> - Specifies
+  a default Workload Identity to use when obtaining Service Identity tokens from
+  Consul to register services. Refer to [Workload Identity](#workload-identity)
+  for a recommended configuration.
+
 - `share_ssl` `(bool: true)` - Specifies whether the Nomad client should share
   its Consul SSL configuration with Connect Native applications. Includes values
   of `ca_file`, `cert_file`, `key_file`, `ssl`, and `verify_ssl`. Does not include
@@ -144,6 +153,15 @@ value for the [`name`](#name) field.
 - `tags` `(array<string>: [])` - Specifies optional Consul tags to be
   registered with the Nomad server and agent services.
 
+- `task_auth_method` `(string: "nomad-tasks")` - Specifies the name of the
+  Consul [authentication method][auth-method] that will be used to login with a
+  Nomad JWT for tasks.
+
+- `task_identity` <code>([Identity][identity_block]: nil)</code> - Specifies a
+  default Workload Identity to use when obtaining Consul tokens from Consul to
+  support [`template`][] blocks. Refer to [Workload
+  Identity](#workload-identity) for a recommended configuration.
+
 - `timeout` `(string: "5s")` - Specifies a time limit for requests made against
   Consul. This is specified using a label suffix like "10s".
 
@@ -179,6 +197,33 @@ consul {
 }
 ```
 
+### Workload Identity
+
+The `service_identity` and `task_identity` blocks accept all the same values as
+the job specification's [`identity`][identity_block]. By ensuring these blocks
+are set on the Nomad servers, you can automatically migrate your existing jobs
+to use Workload Identity without modifying the job specification and
+resubmitting them.
+
+The recommended configuration for `service_identity` and `task_identity` is as
+follows. See [Migrating to Using Workload Identity with Consul][] for details on
+how to configure Consul to accept these identities. Note that the `ttl` field
+here refers to the TTL of the Nomad identity and not the Consul token.
+
+```hcl
+consul {
+  service_identity {
+    aud = ["consul.io"]
+    ttl = "1h"
+  }
+
+  task_identity {
+    aud = ["consul.io"]
+    ttl = "1h"
+  }
+}
+```
+
 ### Custom Address and Port
 
 This example shows pointing the Nomad agent at a different Consul address. Note
@@ -217,7 +262,7 @@ as a `namespace` block with the other relevant permissions for running Nomad
 in the intended namespace. The Consul policy below shows an example policy
 configuration for a Nomad server:
 
-```
+```hcl
 agent_prefix "" {
   policy = "read"
 }
@@ -239,10 +284,15 @@ namespace "nomad-ns" {
 }
 ```
 
+
 [consul]: https://www.consul.io/ 'Consul by HashiCorp'
 [bootstrap]: /nomad/tutorials/manage-clusters/clustering 'Automatic Bootstrapping'
 [go-sockaddr/template]: https://pkg.go.dev/github.com/hashicorp/go-sockaddr/template
 [grpc_port]: /consul/docs/agent/config/config-files#grpc_port
 [grpctls_port]: /consul/docs/agent/config/config-files#grpc_tls_port
 [`consul.cluster`]: /nomad/docs/job-specification/group#cluster
 [`service.cluster`]: /nomad/docs/job-specification/service#cluster
+[identity_block]: /nomad/docs/job-specification/identity
+[`template`]: /nomad/docs/job-specification/template
+[Migrating to Using Workload Identity with Consul]: /nomad/docs/integrations/consul-integration#migrating-to-using-workload-identity-with-consul
+[auth-method]: /consul/docs/security/acl/auth-methods/jwt