Consul Connect CA integration with Google Certificate Authority Service

Hello,

According to Configuration | Consul by HashiCorp, there are 3 ways to define a Consul Connect CA:

  • aws-pca
  • consul
  • vault

We deployed Consul Service Mesh on a GCP GKE cluster and configured Google CAS. Now we would like to configure the Consul Connect CA so that it integrates with Google CAS. When a service instance (running in Consul Service Mesh) needs its certificate for mTLS inside Consul Service Mesh, the certificate should be requested from Google CAS (where our private CA is created).

I checked the following Vault plugin, GitHub - GoogleCloudPlatform/vault-plugin-secrets-gcppca: Vault Plugin: Google Cloud Platform CA Service, and I am wondering if I could do the following:

  1. Deploy Vault on the GCP GKE cluster
  2. Deploy/enable the Vault plugin
  3. Configure Vault/Vault plugin to use Google CAS
  4. Use the “vault” ca_provider Consul agent configuration and point it to the Vault instance.
  5. When a service instance needs a certificate for mTLS inside Consul Service Mesh it gets the cert from Google CAS.
  6. Later we would like to use the same procedure to dynamically create TLS certificates for Consul clients/servers.

In the above scenario Vault is a proxy for the GCP CAS Service.

Did anyone try the above? Does anyone know of, or have any suggestions on, how to integrate the Consul Connect CA with the GCP CAS Service?

I am also wondering whether the Vault plugin at GitHub - GoogleCloudPlatform/vault-plugin-secrets-gcppca: Vault Plugin: Google Cloud Platform CA Service is under active development (the last update was in July 2021).

Thank you very much for any suggestions, clues, etc.

Dominik
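Consul's `vault` CA provider manages Vault PKI secrets engine mounts at the `root_pki_path` and `intermediate_pki_path` it is given in `ca_config`, so before wiring up step 4 of the plan above it is worth checking what engine type actually sits at those paths. The following is an added example (editor's code, not from the post or from either project) that runs that check over the JSON output of `vault secrets list -format=json`; the mount names, the sample output and the plugin's mount type string are constructed placeholders.

```python
"""Check that the Vault mounts a Consul `vault` CA provider would use are PKI mounts."""
import json

# Constructed sample of `vault secrets list -format=json` output (not captured
# from a real cluster). "gcppca-plugin-type" is a placeholder: the plugin's
# registered mount type is not stated on the page.
SAMPLE_MOUNTS_JSON = json.dumps({
    "secret/": {"type": "kv", "description": "key/value secret storage"},
    "connect-root/": {"type": "pki", "description": "Consul Connect root"},
    "connect-intermediate/": {"type": "pki", "description": "Consul Connect intermediate"},
    "gcp-cas/": {"type": "gcppca-plugin-type", "description": "Google CAS plugin mount"},
})

# Constructed Consul ca_config values for ca_provider = "vault" (the two keys
# are Consul's own; the paths are placeholders).
CA_CONFIG_PKI = {"root_pki_path": "connect-root/", "intermediate_pki_path": "connect-intermediate/"}
CA_CONFIG_PLUGIN = {"root_pki_path": "gcp-cas/", "intermediate_pki_path": "gcp-cas/"}


def _norm(path: str) -> str:
    """Vault lists mounts with a trailing slash; Consul config may omit it."""
    return path.strip("/") + "/"


def check_ca_mounts(ca_config: dict, mounts_json: str) -> dict:
    """Return {config_key: status}; status is 'pki', 'missing' or 'wrong-type:<type>'.

    'missing' is not necessarily fatal: Consul's provider mounts a PKI engine
    itself when its Vault token is allowed to write sys/mounts for that path.
    'wrong-type' means Consul's PKI API calls will not be understood there.
    """
    mounts = {_norm(p): m for p, m in json.loads(mounts_json).items()}
    result = {}
    for key in ("root_pki_path", "intermediate_pki_path"):
        mount = mounts.get(_norm(ca_config[key]))
        if mount is None:
            result[key] = "missing"
        elif mount.get("type") == "pki":
            result[key] = "pki"
        else:
            result[key] = f"wrong-type:{mount.get('type')}"
    return result


def vault_provider_paths_ready(ca_config: dict, mounts_json: str) -> bool:
    """True only when both configured paths are backed by a PKI secrets engine."""
    return all(v == "pki" for v in check_ca_mounts(ca_config, mounts_json).values())
```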