Consul services and auto-encrypt : unknown authority

Hi,

I am currently trying to set up the auto_encrypt feature on my client agents.

Setup is working fine as expected in the documentation:

But I’m facing a challenge when it comes to my sidecars registering their services and connecting their Envoy to the agent.

I’m facing a “x509 : signed by unknown authority” error. I understand that when using auto_encrypt, Consul manages another CA, which is obviously not the same as the one I bootstrap and sign my certificates with.

Related GitHub issue: https://github.com/hashicorp/consul/issues/8636

How do I bootstrap those dynamic certs onto my sidecars? As I understand it, it's signed with specific SPIFFE which are dependent on the cluster-id, which is non-deterministic.

Thanks for your help.
Marius