Client certificate distribution in k8s

Hi guys,

We are using the consul helm chart to deploy consul on k8s and we have tls.enabled and enableAutoEncrypt set to true. This means consul clients automatically get a certificate from the server, but what does this process actually look like in terms of security? Does the consul client create a certificate signing request (CSR) and does the server send back a signed certificate? Also, how is it ensured that only consul clients can get a certificate from the server?

I am sure this is somewhere mentioned in the documentation but I was not able to find details on the certificate distribution process.

Best regards,
Nico

Hi Nico,
It requires ACLs to be secure. The consul client needs an ACL token that lets it request the cert. This is talked about a bit here: Configuration | Consul by HashiCorp

Hi @lkysow,

Thanks for the answer and the link. Do you also know how the private key and certificate on the consul client are managed? My guess would be that the client generates a certificate signing request and sends it to the server to receive a signed certificate.

Yes I think that’s how it works: consul/auto_encrypt.go at master · hashicorp/consul · GitHub
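The flow discussed in this thread (client generates its own key and a CSR, server only signs it for a caller holding a valid ACL token, client checks the result against its trust root) as an added, self-contained example in Go. This is not Consul's code and does not reproduce the auto_encrypt wire protocol; the CA, the client name, and the ACL check (modelled as a comparison against a constructed shared token) are all assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical ACL token the issuing side requires; constructed for this example only.
const clientToken = "example-client-acl-token"

// newCA builds a self-signed CA that acts as the trust root for the demo.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientCSR is the client side: the private key is generated locally and never
// leaves the client; only a CSR (public key + self-signature) is sent out.
func clientCSR(name string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// issueCert is the server side: refuse without a valid token, check the CSR's
// self-signature (proof of key possession), then sign a short-lived non-CA leaf.
func issueCert(token string, csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	if token != clientToken {
		return nil, errors.New("ACL token rejected")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               csr.Subject,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(72 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// verifyLeaf is the client again: the returned cert must carry the client's own
// public key and chain to the CA it trusts, otherwise it is discarded.
func verifyLeaf(leafDER []byte, ca *x509.Certificate, key *ecdsa.PrivateKey) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("certificate does not match local key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// runAutoEncryptDemo runs the whole exchange and returns nil only if an
// unauthenticated request is refused and the authenticated one yields a valid cert.
func runAutoEncryptDemo() error {
	ca, caKey, err := newCA()
	if err != nil {
		return err
	}
	key, csr, err := clientCSR("consul-client.dc1") // constructed client name
	if err != nil {
		return err
	}
	if _, err := issueCert("wrong-token", csr, ca, caKey); err == nil {
		return errors.New("server issued a certificate without a valid token")
	}
	leaf, err := issueCert(clientToken, csr, ca, caKey)
	if err != nil {
		return err
	}
	return verifyLeaf(leaf, ca, key)
}

func main() {
	if err := runAutoEncryptDemo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("client certificate issued and verified")
}
```

The two properties worth keeping in mind from the thread are visible in the code: the key never crosses the wire (only the CSR does), and the signing step is gated on the token, so without ACLs anyone who can reach the server endpoint could obtain a client certificate.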
