I have Workload Identity configured with a JWT auth method (`nomad-workloads`) for Consul Connect. Everything works perfectly during normal operation - allocations get SI tokens, Envoy proxies authenticate fine.
The problem: after a Nomad server restart (or full reboot), all allocations that get scheduled come up with an empty `x-consul-token` in `envoy_bootstrap.json`. Nomad never calls `consul login` for them. Envoy falls back to the anonymous token and fails with `Permission denied: anonymous token lacks permission 'service:write'`.
I’ve verified the auth method, binding rules, and JWKS endpoint are all working - running `nomad job restart -reschedule` after the server has been up for a couple of minutes creates new allocations that get proper tokens immediately. So WI works, it’s just not triggered for allocations scheduled right after a restart.
I also tried draining the node before shutdown so allocations are brand new (not restored) after boot - same result, no tokens.
Is there a known fix or configuration I’m missing? Or is this the expected behavior?
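A small check for the symptom described above, added here as an example and not part of the original question or of Nomad/Consul: it parses an `envoy_bootstrap.json`, pulls the `x-consul-token` header Envoy sends on its ADS gRPC connection, and classifies it as present, empty (the failure state in the question, where Envoy ends up on the anonymous token) or missing. The JSON path used (`dynamic_resources.ads_config.grpc_services[].initial_metadata[]`) is an assumption about the shape of the bootstrap that `consul connect envoy -bootstrap` emits, and the sample documents are constructed. The directory walk at the bottom assumes the bootstrap lives somewhere under the allocation directory; adjust `ALLOC_ROOT` to your client's `data_dir`.

```python
"""Detect Envoy bootstraps whose x-consul-token ADS header is empty or absent.

Added example, not code from the question or from Nomad/Consul. The JSON layout
and the file location are assumptions, labelled below.
"""
import json
import os
from typing import Optional

# Constructed sample bootstraps. The nesting mirrors what the Consul-generated
# bootstrap is ASSUMED to look like; only the parts relevant to the check are kept.
def _bootstrap(initial_metadata: list) -> str:
    return json.dumps({
        "dynamic_resources": {
            "ads_config": {
                "grpc_services": [{"initial_metadata": initial_metadata}]
            }
        }
    })

GOOD_BOOTSTRAP = _bootstrap(
    [{"key": "x-consul-token", "value": "00000000-1111-2222-3333-444444444444"}]  # placeholder SI token
)
EMPTY_TOKEN_BOOTSTRAP = _bootstrap([{"key": "x-consul-token", "value": ""}])
MISSING_HEADER_BOOTSTRAP = _bootstrap([])

# Assumed location of the Nomad client's allocation directory (edit for your host).
ALLOC_ROOT = "/opt/nomad/data/alloc"


def extract_consul_token(bootstrap_json: str) -> Optional[str]:
    """Return the x-consul-token header value, "" if it is empty, None if absent.

    Walks every configured ADS gRPC service so a bootstrap with more than one
    entry is still handled.
    """
    doc = json.loads(bootstrap_json)
    services = (doc.get("dynamic_resources", {})
                   .get("ads_config", {})
                   .get("grpc_services", []))
    for svc in services:
        for header in svc.get("initial_metadata", []):
            if str(header.get("key", "")).lower() == "x-consul-token":
                return str(header.get("value", ""))
    return None


def classify(bootstrap_json: str) -> str:
    """Map a bootstrap to 'present', 'empty' or 'missing'.

    'empty' is the state reported in the question: the header exists but carries
    no token, so Envoy authenticates to Consul as the anonymous token and the
    service:write check fails.
    """
    token = extract_consul_token(bootstrap_json)
    if token is None:
        return "missing"
    if token == "":
        return "empty"
    return "present"


def scan_alloc_dir(root: str = ALLOC_ROOT) -> dict:
    """Find every envoy_bootstrap.json under root and classify it.

    Returns {path: classification}; unreadable or malformed files are reported
    as 'unreadable' rather than aborting the scan.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != "envoy_bootstrap.json":
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    results[path] = classify(fh.read())
            except (OSError, ValueError):
                results[path] = "unreadable"
    return results


if __name__ == "__main__":
    for sample_name, sample in (("good", GOOD_BOOTSTRAP),
                                ("empty", EMPTY_TOKEN_BOOTSTRAP),
                                ("missing", MISSING_HEADER_BOOTSTRAP)):
        print(f"{sample_name:8s} -> {classify(sample)}")
    # Run against a real client after a server restart to see which allocations
    # came up without a token.
    for path, state in sorted(scan_alloc_dir().items()):
        if state != "present":
            print(f"{state:10s} {path}")
```

Running the script right after the server restart described in the question, and again a few minutes later after `nomad job restart -reschedule`, gives a before/after list of which allocations were scheduled without an SI token, which is the evidence to attach to a bug report or to drive an alert.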