That’s awesome thanks for the write-up! I’ve created https://github.com/hashicorp/consul-helm/issues/474 to track documenting this.
One thing I’d add is that you could also use an init container that uses the consul-k8s Docker image to run the get-client-ca command and write it to a shared volume. Then you don’t need to download consul-k8s in your image.