Nomad Docs: Enhance client intro release note & add usage guide

[aimeeu]

Description

Enhance the client node intro and identity release note with content from Benjamin Lykins' blog. This builds on the previous PR that added the bit about not replacing mTLS.

Links

Jira: CE-1084 CE-1088

• https://unified-docs-frontend-preview-8ih1vuw5e-hashicorp.vercel.app/nomad/docs/release-notes/nomad/v1-11-x#client-node-introduction-and-identity
• https://unified-docs-frontend-preview-8ih1vuw5e-hashicorp.vercel.app/nomad/docs/deploy/clusters/connect-nodes#use-client-node-introduction-tokens

Contributor checklists

Review urgency:

• ASAP: Bug fixes, broken content, imminent releases
• 3 days: Small changes, easy reviews
• 1 week: Default expectation
• Best effort: No urgency

Pull request:

• Verify that the PR is set to merge into the correct base branch
• Verify that all status checks passed
• Verify that the preview environment deployed successfully
• Add additional reviewers if they are not part of assigned groups

Content:

• I added redirects for any moved or removed pages
• I followed the Education style guide
• I looked at the local or Vercel build to make sure the content rendered correctly

Reviewer checklist

• This PR is set to merge into the correct base branch.
• The content does not contain technical inaccuracies.
• The content follows the Education content and style guides.
• I have verified and tested changes to instructions for end users.

[github-actions]

Vercel Previews Deployed

Name	Status	Preview	Updated (UTC)
Dev Portal	✅ Ready (Inspect)	Visit Preview	Thu Dec 4 18:20:07 UTC 2025
Unified Docs API	✅ Ready (Inspect)	Visit Preview	Thu Dec 4 18:15:15 UTC 2025

[github-actions]

Broken Link Checker

No broken links found! 🎉

[boruszak]

I left suggestions and my reasoning. Otherwise LGTM!

[jrasell]

Do we want to call out that this is node introduction rather than identity? I see two different features and node identity does not act like MFA, it's node introduction that does.

If we wanted to expand the context, mTLS guards at the region level and stops misconfigured clients joining the wrong region or agents running in the wrong mode.

[aimeeu]

@jrasell I created a new section in the connect nodes into a cluster page. "Use client node introduction tokens" based 100% on Benjamin Lynkins blog but cut down to bare bones. Anthony is planning a longer tutorial on how to use client introduction.

[boruszak]

See my comments about the overall workflow. I started just leaving suggestions, but after reading through the steps several times I'm not quite able to parse what is actually happening and why the ACL token is required.

[boruszak]

Suggested change

	1. [Create an ACL policy in which the node has write permissions](#create-an-acl-policy).
	1. [Create an ACL policy for a node with write permissions](#create-an-acl-policy).

Simplifying this

[boruszak]

Suggested change

	1. Create the policy.
	1. Add the policy to the Nomad cluster.

To avoid repetition with the step before this one and clarify what is happening.

[boruszak]

Suggested change

	This example creates an ACL role called `client-introduction`.
	Create an ACL role, and attach the policy you created to the role.
	This example creates an ACL role with the name `client-introduction` that uses the policy `client-introduction`.

1. Instructions to begin the section, then the example.
2. Trying to point out both CLI flags because the example uses the same name but that isn't a requirement.

[boruszak]

Suggested change

	Output is similar to the this:
	The output describes the ACL role, including its attached policies and the Raft index at its creation.

[boruszak]

Missing and/or extra bracket?

[boruszak]

Highlighting the value of the client-intro-token-1 ACL token, which all instructions up to this point have led to creating.

[boruszak]

Here's the client-intro-token-1 ACL token value. So now I have a few questions.

1. Should the CLI instructions have included a step to use the ACL token as well?
2. Are you supposed to create a separate ACL token for each node, and that's why it's token-1?
3. Or should you be creating a separate intro token for each client, using the one shared ACL token?

But now I'm confused about the workflow. You create an ACL token so that a client node has permission to contact a server and change policies (which covers creating client introduction tokens). Then the node uses the client introduction token it creates to join the cluster it already has a valid ACL token from? Why the dedicated client token, then, when there's already an ACL token being used?

[jrasell]

Is it worth stating our stance being that we should specify node names and node pool when creating an identity token to tightly scope and provide more security?

[boruszak]

Much more clear to me this time, with the existing ACL token issue taken care of.

My big suggestion is to be more explicit about the change from working on the server node to working on the client node, which gets buried in the term "Nomad agent."

[boruszak]

Suggested change

	You may restrict which clients join your cluster with a client
	introduction token. The client node introduction feature is like multi-factor
	authentication for your Nomad clusters. It does not replace mTLS but adds an
	additional layer of security to prevent an unauthorized or misconfigured client
	from joining a Nomad cluster. Although you do not need to configure mTLS to use
	client node introduction tokens, we do recommend securing your cluster with mTLS.
	Use client introduction tokens to restrict which clients join your cluster.
	The client node introduction feature is like multi-factor authentication
	for your Nomad clusters. **It does not replace mTLS**, but instead adds an
	additional layer of security that prevents an unauthorized or misconfigured client
	from joining a Nomad cluster.

Moving the last sentence to the next line. Changes to the first sentence simplify the sentence and main idea. Bold is optional. I believe it fits the style guidelines about emphasis for differentiation but not semantic emphasis.

[boruszak]

Suggested change

	Each security layer answers a distinct question:
	You do not need to configure mTLS before you use client node introduction tokens. However, we do recommend securing your cluster with mTLS, even if you use a client introduction because each security layer answers a distinct question:

I'm not a fan of the rhetorical questions, but if you keep them flesh out the setup to provide context.

[boruszak]

Suggested change

	When you generate a client introduction token, you may specify the following
	optional parameters:
	Optionally, you can specify additional parameters for your client introduction token to further secure their cluster access:

[boruszak]

Suggested change

	- You have configured the CLI to use the management token.
	- You set the value of the management to `$NOMAD_TOKEN` to use the CLI.

More actionable/direct by stating the env. variable.

[boruszak]

Suggested change

	1. [Configure the Nomad agent to use client introduction](#configure-the-nomad-agent).
	1. [Start the Nomad agent](#start-the-nomad-agent).
	1. [Update the Nomad server's configuration to use client introduction tokens](#update-the-nomad-server).
	1. [Start the Nomad agent on the client node](#start-the-nomad-agent).

You've mentioned previously the terminology blur around "Nomad server" and "Nomad agent." I suggest differentiating with the phrasing here because it's the only part of these instructions where there's lingering ambiguity around a sudden change. All of the previous steps interact with the Nomad server, and then you start the agent on the client node with the token attached.

[aimeeu]

You aren't starting the agent on the client node. The agent in question is the server.

[boruszak]

Suggested change

	### Configure the Nomad agent
	### Update the Nomad server's configuration

[boruszak]

Suggested change

	There is no additional client configuration.
	This example also sets default and max TTLs for the client introduction token.
	No additional configuration is required on the client node.

To be more explicit about the other parameters in the example.