Consul verified TLS from Pods in Kubernetes cluster

thecosmicfrog · May 28, 2020, 5:44pm

Thanks @lkysow. Something I got working was the following:

Create a test Pod YAML file which mounts the Consul server CA cert, as below:

apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: test-pod
spec:
  volumes:
  - name: consul-consul-ca-cert
    secret:
      secretName: consul-consul-ca-cert
  containers:
  - name: consul-test-pod
    [...]
    volumeMounts:
    - name: consul-consul-ca-cert
      mountPath: /consul/tls/ca

When the container comes up, copy the resulting /consul/tls/ca/tls.crt file into /usr/local/share/ca-certificates/consul-server-ca.crt
- Then execute update-ca-certificates to add the Consul server CA cert as a trusted CA.
Test connecting to the Consul server(s) over HTTPS:

#> curl https://consul.service.consul:8501/v1/status/leader
"10.110.2.24:8300"

As you can see, this works! Which is great news. But, this begs the question: If I’m able to connect to the server agent (where KV resides) now without issue, how do I connect to the Consul client to forward my queries?

Happy to provide other examples or further clarification if required.

Thanks - Aaron

Topic		Replies	Views
Consul TLS verification from k8s cluster to Consul Server Consul k8s	9	3175	September 1, 2020
Enable TLS on kubernetes Consul k8s	3	746	February 4, 2021
Consul TLS cert rotation for Consul Client and Server on Kubernetes Consul k8s , helm	4	1078	March 8, 2024
External Consul Clients - Kubernetes Servers - TLS and ACL Enabled Consul	1	278	September 1, 2020
Consul backend tls connection problem Vault k8s , consul-vault	7	2069	December 23, 2021

Consul verified TLS from Pods in Kubernetes cluster

Related topics