I’m having some difficulty understanding Consul end-to-end TLS. For reference, I’m using Consul in Kubernetes (via the hashicorp/consul Helm chart). Only one datacenter and Kubernetes cluster - no external parties or concerns.
I have configured my override values.yaml file like so:
global: datacenter: sandbox gossipEncryption: secretName: "consul" secretKey: "CONSUL_GOSSIP_ENCRYPTION_KEY" tls: enabled: true httpsOnly: true enableAutoEncrypt: true serverAdditionalDNSSANs: ["'consul.service.consul'"] server: replicas: 3 bootstrapExpect: 3 storage: 20Gi dns: clusterIP: 172.20.53.53 ui: service: type: 'LoadBalancer' syncCatalog: enabled: true
All other values are as default from the shipped values.yaml file.
This works, and Consul client logs suggest that all agents area connecting nicely using TLS, with relevant certs and keys being created by (as I understand) the Auto-encryption feature of Consul.
What I don’t understand is how to initiate a HTTPS connection from an application on Kubernetes, running in a Pod, to a Consul server. Since the Pod’s container does not (presumably) have the Consul root CA cert in its trust store, all HTTPS calls fail, as per wget example below:
# Connect to Pod: laptop$> kubectl exec -it my-pod sh # Attempt valid HTTPS connection: my-pod$> wget -q -O - https://consul.service.consul:8501 Connecting to consul.service.consul:8501 (10.110.1.131:8501) ssl_client: consul.service.consul: certificate verification failed: unable to get local issuer certificate wget: error getting response: Connection reset by peer # Retry, but ignore certificate validity issues: my-pod$> wget --no-check-certificate -q -O - https://consul.service.consul:8501/v1/status/leader "10.110.1.131:8300"
How am I supposed to enforce end-to-end (verified) HTTPS connections from my apps on Kubernetes to Consul if the container does not recognize the certificate as valid?
Am I misunderstanding something about certificate propagation?