Annotations for Vault on Kubernetes with Consul transparent proxy

For those deploying Vault on Kubernetes with the Helm chart and adding it to a Consul service mesh with transparent proxy enabled, I did get it working but it needed some annotations.

In vault-helm values

I updated some annotations on the Vault server.

I added outbound and inbound port exclusions because of the Vault server StatefulSet configuration.

consul.hashicorp.com/transparent-proxy-exclude-outbound-ports: "8200,8201"
consul.hashicorp.com/transparent-proxy-exclude-inbound-ports: "8200,8201"

Since I was using GCP KMS to auto-unseal my cluster, I included an outbound CIDR exclusion for the GCP private services endpoint.

consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs: "199.36.153.4/30"

In Deployments, StatefulSets, or DaemonSets that use Vault agent injection

For each service that used Vault agent injection, I had to add a pod annotation to allow the Vault agent to initialize first before Consul sidecars and Envoy.

vault.hashicorp.com/agent-init-first: "true"
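As an added illustration (not the original poster's files), here is where those annotations sit: a vault-helm values fragment for the server pods, and a Deployment that is both Connect-injected and Vault-agent-injected. The release name, app name, Vault role, secret path and image are placeholders; the CIDR is the one quoted above.

```yaml
# Added example, not from the original post. Placeholders are marked.

# --- values.yaml passed to the vault-helm chart ---
server:
  # server.annotations are applied to the Vault server pod template
  # (the StatefulSet), which is where the transparent-proxy exclusions belong.
  annotations:
    # Keep Vault's API port (8200) and cluster port (8201) out of the
    # transparent-proxy redirect so clients and peer nodes reach Vault directly.
    consul.hashicorp.com/transparent-proxy-exclude-outbound-ports: "8200,8201"
    consul.hashicorp.com/transparent-proxy-exclude-inbound-ports: "8200,8201"
    # Let the auto-unseal call reach the GCP private services endpoint
    # without being redirected through Envoy.
    consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs: "199.36.153.4/30"
---
# --- a workload in the mesh that also uses Vault agent injection ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                      # placeholder
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
      annotations:
        consul.hashicorp.com/connect-inject: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "web"                                         # placeholder k8s auth role
        vault.hashicorp.com/agent-inject-secret-config: "secret/data/web/config" # placeholder path
        # Run the Vault agent init container ahead of the Consul/Envoy init
        # containers so secrets are fetched before traffic is redirected.
        vault.hashicorp.com/agent-init-first: "true"
    spec:
      containers:
        - name: web
          image: nginx:1.25        # placeholder
```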

Hi, is there any chance that you were able to onboard also Vault in HA mode?

Thanks for your time.