Nomad Workload Identity: How to avoid adding consul {} to hundreds of existing Nomad jobs?

Hi everyone,

I have an existing Nomad + Consul + Vault cluster running in production, and I’m currently working on enabling Consul ACLs (they were disabled until now). For reference, these are the versions I’m running:

  • Nomad: v1.10.5
  • Consul: v1.21.4
  • Vault: v1.20.3

I followed this guide to enable Consul ACLs:

After that, I followed this tutorial to configure Nomad → Consul integration with ACLs:

So far, everything is working as expected. However, I noticed that jobs which access Consul via template blocks only work if I explicitly add a consul {} stanza to the job specification.
This is a big problem for me, because I already have hundreds of jobs running in this cluster, and all of them interact with Consul. It would be very painful (and risky) to “lock down” Consul and then redeploy every single job just to add an empty consul {} block.

My question is:
Is there a way to configure a default Consul audience / Workload Identity at the Nomad level (agent, namespace, or global configuration), so that jobs automatically get Consul credentials without requiring an explicit consul {} stanza in each job?

Any guidance or best practices for migrating an existing cluster to Consul ACLs without redeploying all jobs would be greatly appreciated.

Thanks!
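One practical step for the migration problem described in the question is an inventory: before locking Consul down, find out which of the running jobs actually read from Consul through a template block and have no consul block at the task or group level. The following Python script is an added example and is not part of the original post or of Nomad itself. It takes the JSON that `nomad job inspect -json <job>` prints (the `{"Job": {...}}` document) and assumes the API field names `TaskGroups`, `Tasks`, `Templates`, `EmbeddedTmpl`, `SourcePath` and `Consul`; the set of consul-template functions it looks for (`key`, `keyOrDefault`, `keyExists`, `ls`, `tree`, `service`, `services`) is a heuristic, and a template whose body lives in a file on the client (`SourcePath` only) is flagged conservatively because its content cannot be checked here. The sample documents at the bottom are constructed for the example.

```python
"""Inventory Nomad jobs whose template blocks read from Consul but carry no
consul {} block, from `nomad job inspect -json` output (added example)."""
import json
import re

# Go-template actions look like {{ ... }}; only the text inside them is inspected.
ACTION = re.compile(r"\{\{(.*?)\}\}", re.S)
# consul-template functions that talk to Consul (heuristic list). Functions such
# as env, file, nomadVar or nomadService do not need a Consul token.
CONSUL_FUNC = re.compile(
    r"(?<![\w.$])(?:key|keyOrDefault|keyExists|ls|tree|service|services)"
    r"(?=$|[\s}|)])"
)


def template_reads_consul(template):
    """True if a template block appears to need Consul.

    Assumes the API field names EmbeddedTmpl (inline template data) and
    SourcePath (template file read on the client).
    """
    body = template.get("EmbeddedTmpl") or ""
    if not body:
        # Content lives in a file on the client and cannot be inspected here,
        # so a file-backed template is flagged conservatively.
        return bool(template.get("SourcePath"))
    return any(CONSUL_FUNC.search(action) for action in ACTION.findall(body))


def tasks_missing_consul_block(job):
    """Return "group/task" names that read Consul via templates but have no
    Consul block at task or group level (assumed API field name: Consul)."""
    missing = []
    for group in job.get("TaskGroups") or []:
        group_has_consul = group.get("Consul") is not None
        for task in group.get("Tasks") or []:
            needs_consul = any(
                template_reads_consul(t) for t in task.get("Templates") or []
            )
            has_consul = group_has_consul or task.get("Consul") is not None
            if needs_consul and not has_consul:
                missing.append(f'{group["Name"]}/{task["Name"]}')
    return missing


def scan_inspect_outputs(inspect_json_docs):
    """Map job ID -> tasks to fix, for a list of `nomad job inspect -json` docs."""
    report = {}
    for doc in inspect_json_docs:
        job = json.loads(doc)["Job"]
        missing = tasks_missing_consul_block(job)
        if missing:
            report[job["ID"]] = missing
    return report


def _job(job_id, group, task, templates, group_consul=None, task_consul=None):
    """Build one constructed document in the shape of `nomad job inspect -json`."""
    return json.dumps({"Job": {"ID": job_id, "TaskGroups": [{
        "Name": group, "Consul": group_consul, "Tasks": [{
            "Name": task, "Consul": task_consul, "Templates": templates}]}]}})


# Constructed sample documents (not captured from a real cluster).
SAMPLE_DOCS = [
    # Reads a Consul service catalog entry and has no consul block: needs fixing.
    _job("web", "web", "app", [{"DestPath": "local/db.txt",
         "EmbeddedTmpl": '{{ range service "db" }}{{ .Address }}{{ end }}'}]),
    # Only uses env: no Consul token required.
    _job("worker", "worker", "run", [{"DestPath": "local/env.txt",
         "EmbeddedTmpl": '{{ env "NOMAD_ALLOC_ID" }}'}]),
    # Reads the KV store but the group already carries a consul block.
    _job("api", "api", "srv", [{"DestPath": "local/cfg.txt",
         "EmbeddedTmpl": '{{ key "api/config" }}'}],
         group_consul={"Cluster": "default"}),
    # File-backed template: content unknown, flagged conservatively.
    _job("batch", "batch", "run", [{"DestPath": "local/cfg.txt",
         "SourcePath": "local/cfg.tpl", "EmbeddedTmpl": ""}]),
]

if __name__ == "__main__":
    for job_id, tasks in scan_inspect_outputs(SAMPLE_DOCS).items():
        print(f"{job_id}: add consul {{}} to {', '.join(tasks)}")
```

Against a live cluster the documents would come from `nomad job inspect -json` for each job ID listed by `nomad job status`; the script only decides which job specs need attention and deliberately does not try to edit them, so the result is a list to review by hand rather than an automatic redeploy.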