Bump github.com/hashicorp/nomad from 1.10.4 to 1.11.1

[dependabot]

Bumps github.com/hashicorp/nomad from 1.10.4 to 1.11.1.

Release notes

Sourced from github.com/hashicorp/nomad's releases.

v1.11.1

1.11.1 (December 09, 2025)

BREAKING CHANGES:

• docker: removed deprecated email auth config parameter [GH-27156]

SECURITY:

• build: Updated toolchain to Go 1.25.5 [GH-27186]

IMPROVEMENTS:

• connect: allow configuring identities for sidecar_task [GH-25877]
• landlock: check paths exist on setup [GH-27149]
• oidc: add support for array-based OIDC claims [GH-26958]
• qemu: Adds config parameters to modify qemu emulator binary and machine types and removes some hardcoded KVM accelerator settings. Defaults to previously used values of qemu-system-x86_64 and pc. The driver no longer forces machine type "host", or the -smp flag when using resources.cores with the KVM accelerator. [GH-27128]
• secrets: Adds nomad job ID and namespace to plugin environment [GH-27207]

BUG FIXES:

• acl: Made /agent and /recommendations endpoints workload-identity-aware [GH-27099]
• acl: include additional necessary permissions in the course-grained "scale" policy for nomad-autoscaler [GH-27061]
• api: Fixed a bug in the Go API where an event stream request without a topic filter would require a management token [GH-27065]
• cli: Fixed the var get command which was incorrectly displaying the variable modify time as the create time [GH-27208]
• client: return 403 when the caller doesn't have log streaming capabilities [GH-27098]
• csi: Fixed a bug where reading a volume from the API or event stream could erase its secrets [GH-27176]
• drain: Fixed a bug where clients configured with leave_on_terminate or leave_on_interrupt and drain_on_shutdown would receive a permission denied error when attempting to leave the cluster and drain themselves [GH-27115]
• dynamic host volumes: Ensure requested directory permission is correctly applied [GH-27068]
• dynamic host volumes: fix Windows compatibility [GH-27147]
• fingerprint: simplify storage fingerprint calculation to just (total disk space - reserved disk) [GH-27019]
• keyring: Do not mark the key as inactive until all follow-up rekey evals have completed. [GH-27193]
• keyring: Ensure follow-up rekey evals can be successfully created. [GH-27193]
• oidc: Add support for RFC9207, requiring an issuer param in authorization response if the provider requires it [GH-27168]
• reconciler: fixes a bug where stopping a job does not stop all allocations [GH-27175]
• scheduler (Enterprise): Fixed a bug where tasks were not placed on same numa node as reserved device [GH-27177]
• scheduler: Fixed a bug that was previously patched incorrectly where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-27129]
• server: Fixed a bug where a large backlog of unblocking evals could cause backpressure on Raft writes [GH-27184]
• ui: Fixed the error message presented for invalid Variables definitions [GH-26235]

v1.11.0

1.11.0 (November 11, 2025)

FEATURES:

• Client Identity: Nomad clients use identities for authenticating and authorizing itself when performing RPC calls. The identities are generated and rotated automatically by Nomad servers with configurable TTLs. [GH-26291]
• Client Introduction: Nomad clients can now be introduced to the cluster using a token-based approach. Nomad servers can be configured with introduction enforcement levels which dictate how clients can join the cluster resulting in logs and metrics to detail introduction violations. [GH-26430]
• scheduler: Enable deployments for system jobs [GH-26708]
• secrets: Adds secret block for fetching and interpolating secrets in job spec [GH-26681]

... (truncated)

Changelog

Sourced from github.com/hashicorp/nomad's changelog.

1.11.1 (December 09, 2025)

BREAKING CHANGES:

• docker: removed deprecated email auth config parameter [GH-27156]

SECURITY:

• build: Updated toolchain to Go 1.25.5 [GH-27186]

IMPROVEMENTS:

• connect: allow configuring identities for sidecar_task [GH-25877]
• landlock: check paths exist on setup [GH-27149]
• oidc: add support for array-based OIDC claims [GH-26958]
• qemu: Adds config parameters to modify qemu emulator binary and machine types and removes some hardcoded KVM accelerator settings. Defaults to previously used values of qemu-system-x86_64 and pc. The driver no longer forces machine type "host", or the -smp flag when using resources.cores with the KVM accelerator. [GH-27128]
• secrets: Adds nomad job ID and namespace to plugin environment [GH-27207]

BUG FIXES:

• acl: Made /agent and /recommendations endpoints workload-identity-aware [GH-27099]
• acl: include additional necessary permissions in the course-grained "scale" policy for nomad-autoscaler [GH-27061]
• api: Fixed a bug in the Go API where an event stream request without a topic filter would require a management token [GH-27065]
• cli: Fixed the var get command which was incorrectly displaying the variable modify time as the create time [GH-27208]
• client: return 403 when the caller doesn't have log streaming capabilities [GH-27098]
• csi: Fixed a bug where reading a volume from the API or event stream could erase its secrets [GH-27176]
• drain: Fixed a bug where clients configured with leave_on_terminate or leave_on_interrupt and drain_on_shutdown would receive a permission denied error when attempting to leave the cluster and drain themselves [GH-27115]
• dynamic host volumes: Ensure requested directory permission is correctly applied [GH-27068]
• dynamic host volumes: fix Windows compatibility [GH-27147]
• fingerprint: simplify storage fingerprint calculation to just (total disk space - reserved disk) [GH-27019]
• keyring: Do not mark the key as inactive until all follow-up rekey evals have completed. [GH-27193]
• keyring: Ensure follow-up rekey evals can be successfully created. [GH-27193]
• oidc: Add support for RFC9207, requiring an issuer param in authorization response if the provider requires it [GH-27168]
• reconciler: fixes a bug where stopping a job does not stop all allocations [GH-27175]
• scheduler (Enterprise): Fixed a bug where tasks were not placed on same numa node as reserved device [GH-27177]
• scheduler: Fixed a bug that was previously patched incorrectly where rescheduled allocations that could not be placed would later ignore their reschedule policy limits [GH-27129]
• server: Fixed a bug where a large backlog of unblocking evals could cause backpressure on Raft writes [GH-27184]
• ui: Fixed the error message presented for invalid Variables definitions [GH-26235]

1.11.0 (November 11, 2025)

FEATURES:

• Client Identity: Nomad clients use identities for authenticating and authorizing itself when performing RPC calls. The identities are generated and rotated automatically by Nomad servers with configurable TTLs. [GH-26291]
• Client Introduction: Nomad clients can now be introduced to the cluster using a token-based approach. Nomad servers can be configured with introduction enforcement levels which dictate how clients can join the cluster resulting in logs and metrics to detail introduction violations. [GH-26430]
• scheduler: Enable deployments for system jobs [GH-26708]
• secrets: Adds secret block for fetching and interpolating secrets in job spec [GH-26681]

BREAKING CHANGES:

... (truncated)

Commits

• 5b76eb0 Generate files for 1.11.1 release
• cf7db08 Backport of Revert "Fix qemu driver filesystem variable interpolation (#27179...
• 76b9ac1 backport of commit 22eace6081d527ae98f7424debdc555ef61693f7 (#27217)
• 63ab3c7 backport of commit 241f85c11783b6a603a508a7a67cb1b513768c9b (#27211)
• 62d4b81 backport of commit cfb2bbc56a5276667ff4fea155c7b866212d7f9f (#27213)
• 5942e68 Backport of scheduler: reschedule tracker dropped if follow-up fails placemen...
• 7eb6fe6 Backport of reduce FSM backpressure from blocked evals queue into release/1.1...
• df81a87 cli: Fix var get command incorrectly using modify time as create
• afb860c chore(deps): bump github.com/hashicorp/cap from 0.11.0 to 0.12.0
• 1a94398 chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.2 to 1.32.3
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.