For those deploying Vault on Kubernetes with the Helm chart and adding it to a Consul service mesh with transparent proxy enabled, I did get it working, but it needed some annotations.
In vault-helm values
I updated some annotations on the Vault server.
I added outbound and inbound port exclusions because of the Vault server StatefulSet configuration.
consul.hashicorp.com/transparent-proxy-exclude-outbound-ports: "8200,8201"
consul.hashicorp.com/transparent-proxy-exclude-inbound-ports: "8200,8201"
Since I was using GCP KMS to auto-unseal my cluster, I included an outbound CIDR exclusion for the GCP private services endpoint.
consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs: "199.36.153.4/30"
In Deployments, StatefulSets, or DaemonSets that use Vault agent injection
For each service that used Vault agent injection, I had to add a pod annotation to allow the Vault agent to initialize first before Consul sidecars and Envoy.
vault.hashicorp.com/agent-init-first: "true"
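An added example, not part of the original post: a check that reads `kubectl get deploy,sts,ds -A -o json` output and lists workloads whose pod template enables both Vault agent injection and Consul Connect injection but lacks `vault.hashicorp.com/agent-init-first: "true"`. It assumes both injectors are requested through explicit pod annotations (`vault.hashicorp.com/agent-inject` and `consul.hashicorp.com/connect-inject`), so pods meshed through a cluster-wide or namespace default are not detected; the sample input is constructed.

```python
import json

# agent-init-first is the annotation from the post; the two inject keys are
# assumed to be set explicitly on each pod template that uses the injectors.
VAULT_INJECT = "vault.hashicorp.com/agent-inject"
VAULT_INIT_FIRST = "vault.hashicorp.com/agent-init-first"
CONSUL_INJECT = "consul.hashicorp.com/connect-inject"
KINDS = {"Deployment", "StatefulSet", "DaemonSet"}

def _on(annotations, key):
    """Annotation values are strings; treat only "true" as enabled."""
    return str(annotations.get(key, "")).strip().lower() == "true"

def missing_init_first(kubectl_json):
    """Return kind/namespace/name of workloads with both injectors but no init-first."""
    doc = json.loads(kubectl_json)
    findings = []
    for obj in doc.get("items", [doc]):  # accept a List or a single object
        if obj.get("kind") not in KINDS:
            continue
        template = (obj.get("spec") or {}).get("template") or {}
        ann = (template.get("metadata") or {}).get("annotations") or {}
        if _on(ann, VAULT_INJECT) and _on(ann, CONSUL_INJECT) and not _on(ann, VAULT_INIT_FIRST):
            meta = obj.get("metadata") or {}
            findings.append(f"{obj['kind']}/{meta.get('namespace', 'default')}/{meta.get('name')}")
    return findings

def _workload(kind, name, annotations):
    """Build a minimal constructed workload object for the sample below."""
    return {"kind": kind, "metadata": {"namespace": "apps", "name": name},
            "spec": {"template": {"metadata": {"annotations": annotations}}}}

# Constructed sample, shaped like `kubectl get deploy,sts,ds -A -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    _workload("Deployment", "api", {VAULT_INJECT: "true", CONSUL_INJECT: "true", VAULT_INIT_FIRST: "true"}),
    _workload("StatefulSet", "queue", {VAULT_INJECT: "true", CONSUL_INJECT: "true"}),
    _workload("DaemonSet", "logger", {VAULT_INJECT: "true"}),
    _workload("Deployment", "web", {VAULT_INJECT: "true", CONSUL_INJECT: "true", VAULT_INIT_FIRST: "false"}),
]})

if __name__ == "__main__":
    for name in missing_init_first(SAMPLE):
        print("missing agent-init-first:", name)
```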