docs: update documentation with connect acls changes

This PR updates the changelog, adds notes the 1.3 upgrade guide, and
updates the connect integration docs with documentation about the new
requirement on Consul ACL policies of Consul agent default anonymous ACL
tokens.

Author: shoenig

.changelog/8068.txt

@@ -0,0 +1,6 @@
+```release-note:breaking-change
+connect: Consul Service Identity ACL tokens automatically generated for Connect services are now
+created as Local rather than Global tokens. Nomad clusters with Connect services making cross-Consul
+datacenter requests will need to ensure their Consul agents are configured with anonymous ACL tokens
+of sufficient permissions.
+```

website/content/docs/integrations/consul-connect.mdx

@@ -8,9 +8,6 @@ description: >-
 
 # Consul Service Mesh
 
-~> **Note:** This guide requires Nomad 0.10.0 or later and Consul 1.6.0 or
-later.
-
 ~> **Note:** Nomad's service mesh integration requires Linux network namespaces.
 Consul service mesh will not run on Windows or macOS.
 
@@ -58,7 +55,7 @@ The Consul service mesh integration with Nomad requires [Consul 1.6 or
 later.](https://releases.hashicorp.com/consul/1.6.0/) The Consul agent can be
 run in dev mode with the following command:
 
-**Note**: Nomad's Consul service mesh integration requires Consul in your `$PATH`
+~> **Note:** Nomad's Consul service mesh integration requires Consul in your `$PATH`
 
 ```shell-session
 $ consul agent -dev
@@ -96,6 +93,23 @@ For JSON configurations:
 }
 ```
 
+#### Consul ACLs
+
+~> **Note:** Starting in Nomad v1.3.0, Consul Service Identity ACL tokens automatically
+generated by Nomad on behalf of Connect enabled services are now created in [`Local`]
+rather than Global scope, and are no longer replicated globally.
+
+To facilitate cross-Consul datacenter requests of Connect services registered by
+Nomad, Consul agents will need to be configured with [default anonymous][anon_token]
+ACL tokens with ACL policies of sufficient permissions to read service and node
+metadata pertaining to those requests. This mechanism is described in Consul [#7414][consul_acl].
+A typical Consul agent anonymous token may contain an ACL policy such as:
+
+```hcl
+service_prefix "" { policy = "read" }
+node_prefix    "" { policy = "read" }
+```
+
 ### Nomad
 
 Nomad must schedule onto a routable interface in order for the proxies to
@@ -333,4 +347,7 @@ dashes (`-`) are converted to underscores (`_`) in environment variables so
   connections while the Nomad agent is restarting.
 
 [count-dashboard]: /img/count-dashboard.png
+[consul_acl]: https://github.com/hashicorp/consul/issues/7414
 [gh-9907]: https://github.com/hashicorp/nomad/issues/9907
+[`Local`]: https://www.consul.io/docs/security/acl/acl-tokens#token-attributes
+[anon_token]: https://www.consul.io/docs/security/acl/acl-tokens#special-purpose-tokens

website/content/docs/upgrade/upgrade-specific.mdx

@@ -126,6 +126,21 @@ connect {
 }
 ```
 
+#### Changes to Consul Connect Service Identity Tokens
+
+Starting with Nomad 1.3.0, Consul Service Identity Tokens created automatically
+by Nomad on behalf of Connect services will now be created as [`Local`] tokens. These
+tokens will no longer be replicated globally. To ensure Connect services making
+cross Consul datacenter requests continue to work, Consul agents of the destination
+services must be configured with a [default anonymous][anon_token] ACL token with `read` policy
+privileges on the necessary services and nodes. A typical ACL policy for such a
+token may contain these attributes:
+
+```hcl
+service_prefix "" { policy = "read" }
+node_prefix    "" { policy = "read" }
+```
+
 #### Linux Control Groups Version 2
 
 Starting with Nomad 1.3.0, Linux systems configured to use [cgroups v2][cgroups2]
@@ -1376,3 +1391,5 @@ deleted and then Nomad 0.3.0 can be launched.
 [cap_drop_exec]: /docs/drivers/exec#cap_drop
 [`log_file`]: /docs/configuration#log_file
 [Upgrading to Raft Protocol 3]: /docs/upgrade#upgrading-to-raft-protocol-3
+[`Local`]: https://www.consul.io/docs/security/acl/acl-tokens#token-attributes
+[anon_token]: https://www.consul.io/docs/security/acl/acl-tokens#special-purpose-tokens