From b1bca7bfc9a595df8437434f3083a6248f97973b Mon Sep 17 00:00:00 2001
From: Jorge Marey
Date: Thu, 28 May 2020 15:20:15 +0200
Subject: [PATCH 1/2] Change consul SI tokens to be local

---
 nomad/consul.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nomad/consul.go b/nomad/consul.go
index 95b0e3ff9949..61a04816f3e2 100644
--- a/nomad/consul.go
+++ b/nomad/consul.go
@@ -290,6 +290,7 @@ func (c *consulACLsAPI) CreateToken(ctx context.Context, sir ServiceIdentityRequ
 Description: sir.Description(),
 ServiceIdentities: []*api.ACLServiceIdentity{{ServiceName: service}},
 Namespace: sir.ConsulNamespace,
+ Local: true,
 }
 
 // Ensure we are under our rate limit.

From ef95e7d5b5a0860ccd140296ce4cb4e1ebe55544 Mon Sep 17 00:00:00 2001
From: Seth Hoenig
Date: Fri, 15 Apr 2022 15:10:06 -0500
Subject: [PATCH 2/2] docs: update documentation with connect acls changes

This PR updates the changelog, adds notes the 1.3 upgrade guide, and updates the connect integration docs with documentation about the new requirement on Consul ACL policies of Consul agent default anonymous ACL tokens.
---
 .changelog/8068.txt | 10 +++++++
 nomad/job_endpoint_hook_connect.go | 4 +--
 .../docs/integrations/consul-connect.mdx | 26 ++++++++++++++++---
 .../content/docs/upgrade/upgrade-specific.mdx | 21 +++++++++++++++
 4 files changed, 55 insertions(+), 6 deletions(-)
 create mode 100644 .changelog/8068.txt

diff --git a/.changelog/8068.txt b/.changelog/8068.txt
new file mode 100644
index 000000000000..112b797db2a2
--- /dev/null
+++ b/.changelog/8068.txt
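Review bot: `Local: true` is added to the token request without a comment, so the reason for the change and its operational effect live only in the second patch's documentation rather than next to the code. A why-comment on that line would keep them together: `// Local: SI tokens are not replicated to other Consul datacenters; cross-DC` / `// service/node reads then rely on each agent's anonymous token policy.` As a defensive side effect, a datacenter-local token also limits where a leaked SI token can be used, which is worth stating in the same comment. CreateToken's body starts before and continues past this hunk, so whether the Consul server version is validated before the create call cannot be seen here.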
@@ -0,0 +1,10 @@
+```release-note:breaking-change
+connect: Consul Service Identity ACL tokens automatically generated for Connect services are now
+created as Local rather than Global tokens. Nomad clusters with Connect services making cross-Consul
+datacenter requests will need to ensure their Consul agents are configured with anonymous ACL tokens
+of sufficient node and service read permissions.
+```
+
+```release-note:breaking-change
+The minimum Consul version supported by Nomad's Connect integration is now Consul v1.8.0.
+```
diff --git a/nomad/job_endpoint_hook_connect.go b/nomad/job_endpoint_hook_connect.go
index f0286ac9cc77..b2dc23a5c140 100644
--- a/nomad/job_endpoint_hook_connect.go
+++ b/nomad/job_endpoint_hook_connect.go
@@ -68,11 +68,11 @@ func connectGatewayDriverConfig(hostNetwork bool) map[string]interface{} {
 // connectSidecarVersionConstraint is used when building the sidecar task to ensure
 // the proper Consul version is used that supports the necessary Connect
 // features. This includes bootstrapping envoy with a unix socket for Consul's
-// gRPC xDS API.
+// gRPC xDS API, and support for generating local service identity tokens.
 func connectSidecarVersionConstraint() *structs.Constraint {
 return &structs.Constraint{
 LTarget: "${attr.consul.version}",
- RTarget: ">= 1.6.0-beta1",
+ RTarget: ">= 1.8.0",
 Operand: structs.ConstraintSemver,
 }
 }
diff --git a/website/content/docs/integrations/consul-connect.mdx b/website/content/docs/integrations/consul-connect.mdx
index 645715fd01d1..171bbd72f119 100644
--- a/website/content/docs/integrations/consul-connect.mdx
+++ b/website/content/docs/integrations/consul-connect.mdx
@@ -8,9 +8,6 @@ description: >-
 # Consul Service Mesh
-~> **Note:** This guide requires Nomad 0.10.0 or later and Consul 1.6.0 or
-later.
-
 ~> **Note:** Nomad's service mesh integration requires Linux network namespaces. Consul service mesh will not run on Windows or macOS.
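Review bot: The raised `RTarget: ">= 1.8.0"` in connectSidecarVersionConstraint constrains `${attr.consul.version}`, the Consul agent on the scheduled client, while the `Local: true` token request from the first patch is issued server-side to the Consul servers; nothing in this hunk checks that the servers meet the new minimum. If no equivalent server-side check exists elsewhere, an older Consul server would presumably surface the mismatch as a runtime error from the token create rather than a scheduling-time constraint failure — worth confirming. The updated doc comment could make the scope explicit: `// This constraint is evaluated against the client's Consul agent; the Consul` / `// servers that issue SI tokens must also be >= 1.8.0.` The same minimum is stated in the changelog and both doc hunks, so the comment should match that wording.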
@@ -58,7 +55,7 @@ The Consul service mesh integration with Nomad requires
 [Consul 1.6 or later.](https://releases.hashicorp.com/consul/1.6.0/) The Consul agent can be run in dev mode with the following command:
-**Note**: Nomad's Consul service mesh integration requires Consul in your `$PATH`
+~> **Note:** Nomad's Consul service mesh integration requires Consul in your `$PATH`
 ```shell-session
 $ consul agent -dev
@@ -96,6 +93,23 @@ For JSON configurations:
 }
 ```
+#### Consul ACLs
+
+~> **Note:** Starting in Nomad v1.3.0, Consul Service Identity ACL tokens automatically
+generated by Nomad on behalf of Connect enabled services are now created in [`Local`]
+rather than Global scope, and are no longer replicated globally.
+
+To facilitate cross-Consul datacenter requests of Connect services registered by
+Nomad, Consul agents will need to be configured with [default anonymous][anon_token]
+ACL tokens with ACL policies of sufficient permissions to read service and node
+metadata pertaining to those requests. This mechanism is described in Consul [#7414][consul_acl].
+A typical Consul agent anonymous token may contain an ACL policy such as:
+
+```hcl
+service_prefix "" { policy = "read" }
+node_prefix "" { policy = "read" }
+```
+
 ### Nomad
 Nomad must schedule onto a routable interface in order for the proxies to
@@ -326,6 +340,7 @@ dashes (`-`) are converted to underscores (`_`) in environment variables so
 ## Limitations
+- The minimum Consul version to use Connect with Nomad is Consul v1.8.0.
 - The `consul` binary must be present in Nomad's `$PATH` to run the Envoy proxy sidecar on client nodes.
 - Consul service mesh using network namespaces is only supported on Linux.
@@ -333,4 +348,7 @@ dashes (`-`) are converted to underscores (`_`) in environment variables so
 connections while the Nomad agent is restarting.
 
 [count-dashboard]: /img/count-dashboard.png
+[consul_acl]: https://github.com/hashicorp/consul/issues/7414
 [gh-9907]: https://github.com/hashicorp/nomad/issues/9907
+[`Local`]: https://www.consul.io/docs/security/acl/acl-tokens#token-attributes
+[anon_token]: https://www.consul.io/docs/security/acl/acl-tokens#special-purpose-tokens
diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
index d9f3ec527aba..c6c95d2fb7a7 100644
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -126,6 +126,24 @@ connect {
 }
 ```
+#### Changes to Consul Connect Service Identity Tokens
+
+Starting with Nomad 1.3.0, Consul Service Identity Tokens created automatically
+by Nomad on behalf of Connect services will now be created as [`Local`] tokens. These
+tokens will no longer be replicated globally. To facilitate cross-Consul datacenter
+requests of Connect services registered by Nomad, Consul agents will need to be
+configured with [default anonymous][anon_token] ACL tokens with ACL policies of
+sufficient permissions to read service and node metadata pertaining to those
+requests. This mechanism is described in Consul [#7414][consul_acl].
+A typical Consul agent anonymous token may contain an ACL policy such as:
+
+```hcl
+service_prefix "" { policy = "read" }
+node_prefix "" { policy = "read" }
+```
+
+The minimum version of Consul supported by Nomad's Connect integration is now Consul v1.8.0.
+
 #### Linux Control Groups Version 2
 Starting with Nomad 1.3.0, Linux systems configured to use [cgroups v2][cgroups2]
@@ -1376,3 +1394,6 @@ deleted and then Nomad 0.3.0 can be launched.
 [cap_drop_exec]: /docs/drivers/exec#cap_drop
 [`log_file`]: /docs/configuration#log_file
 [Upgrading to Raft Protocol 3]: /docs/upgrade#upgrading-to-raft-protocol-3
+[`Local`]: https://www.consul.io/docs/security/acl/acl-tokens#token-attributes
+[anon_token]: https://www.consul.io/docs/security/acl/acl-tokens#special-purpose-tokens
+[consul_acl]: https://github.com/hashicorp/consul/issues/7414
\ No newline at end of file