When Consul has TLS enabled, Auto Encrypt, and Consul Client enabled so that all K8s nodes have a client via DaemonSet, Helm-installed Vault can't use the Consul Client as a proxy to Consul as a Vault backend. Even with the CA included via tls_ca_file, I always get the following message:
[WARN] storage migration check error: error="Get "https://10.145.0.7:8501/v1/kv/vault/core/migration": x509: certificate signed by unknown authority"
I have remoted into the vault pods and they can see the cert file. So, the CA cert file is there and I can’t see any other way to match the recommended configs, but I also can’t seem to riddle why this won’t work. The Consul Client for that node has no meaningful errors or issues in its logs. Everything looks good except that when Vault tries to access Consul via Consul Client (downward API, etc.) it can’t match up the certs.
For the record, if I add tls_skip_verify to the storage config, it works. So, there’s something going on where the client of the Consul Client (Vault in this case) doesn’t like the Consul Client cert. Seems like I must be doing something wrong though because it can’t be this hard… what does Vault need to have that it doesn’t have?
I am experiencing this issue and can confirm that the two are the same.
I can also confirm that the following is present in Vault’s storage stanza: tls_ca_file = "/vault/tls/ca/tls.crt"
Given the error present and the fact that I have confirmed that the file at that path and the CA file in use by Consul match, it would appear that Vault 1.10.0 is ignoring the ca file parameter.