Helm Installed Vault with Consul Backend with Auto Encrypt and TLS Enabled using Consul Client

When Consul has TLS enabled, Auto Encrypt, and Consul Client enabled so that all K8s nodes have a client via DaemonSet, Helm Installed Vault can’t use Consul Client as a proxy to Consul as a Vault backend. Even with the CA included via tls_ca_file, I always get the following message:

[WARN] storage migration check error: error="Get "https://10.145.0.7:8501/v1/kv/vault/core/migration": x509: certificate signed by unknown authority"

Sample of config (from Vault Helm values file):

storage "consul" {
  path        = "vault/"
  address     = "HOST_IP:8501"
  token       = "XYZ"
  scheme      = "https"
  tls_ca_file = "/vault/consul/tls/consul-ca-certs/ca.pem"
}

I have remoted into the vault pods and they can see the cert file. So, the CA cert file is there and I can’t see any other way to match the recommended configs, but I also can’t seem to riddle why this won’t work. The Consul Client for that node has no meaningful errors or issues in its logs. Everything looks good except that when Vault tries to access Consul via Consul Client (downward API, etc.) it can’t match up the certs.

For the record, if I add tls_skip_verify to the storage config, it works. So, there’s something going on where the client of the Consul Client (Vault in this case) doesn’t like the Consul Client cert. Seems like I must be doing something wrong though because it can’t be this hard… what does Vault need to have that it doesn’t have?
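A way to check the two things this question turns on, whether the CA in tls_ca_file actually verifies the certificate the Consul client presents on port 8501, and whether that ca.pem is the same CA as the one in the Kubernetes secret, as an added example that is not part of the original post. It assumes the openssl CLI (and kubectl for the last helper); the host:port, file paths, namespace, secret name and secret key are placeholders taken from or modelled on the thread.

```shell
#!/usr/bin/env sh
# Added diagnostic, not code from the thread. Assumes the openssl CLI (and kubectl
# for secret_matches_file). Host:port, paths and secret names are placeholders.

# Print the leaf certificate a TLS server presents on host:port, as PEM.
fetch_served_cert() {
  openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/{p=1} p{print} /END CERTIFICATE/{exit}'
}

# Return 0 if the CA bundle in $1 verifies the certificate in $2, non-zero otherwise.
# This is the check Vault's TLS client performs with tls_ca_file; a failure here is
# the "x509: certificate signed by unknown authority" case from the log line above.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Show which CA issued a certificate, to see where the agent's serving cert comes from.
cert_issuer() {
  openssl x509 -noout -issuer -in "$1"
}

# SHA-256 fingerprint of a PEM certificate file.
pem_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Compare the CA file mounted in the Vault pod with a key of a Kubernetes secret.
# Usage: secret_matches_file <namespace> <secret> <jsonpath-key> <ca.pem>
# Escape dots in the key name for jsonpath, e.g. 'tls\.crt'.
secret_matches_file() {
  secret_fp=$(kubectl -n "$1" get secret "$2" -o "jsonpath={.data.$3}" | base64 -d \
    | openssl x509 -noout -fingerprint -sha256)
  file_fp=$(pem_fingerprint "$4")
  [ "$secret_fp" = "$file_fp" ]
}

# Run the live check with: sh check_consul_ca.sh run (placeholders; set CONSUL_ADDR
# and CA_FILE for your cluster).
if [ "${1:-}" = "run" ]; then
  CONSUL_ADDR="${CONSUL_ADDR:-10.145.0.7:8501}"                    # address from the log line
  CA_FILE="${CA_FILE:-/vault/consul/tls/consul-ca-certs/ca.pem}"    # path from the config
  fetch_served_cert "$CONSUL_ADDR" > /tmp/consul-agent.pem
  echo "Consul agent cert issuer:"; cert_issuer /tmp/consul-agent.pem
  echo "CA file subject:"; openssl x509 -noout -subject -in "$CA_FILE"
  if verify_against_ca "$CA_FILE" /tmp/consul-agent.pem; then
    echo "OK: $CA_FILE verifies the certificate served on $CONSUL_ADDR"
  else
    echo "MISMATCH: $CA_FILE does not verify the certificate served on $CONSUL_ADDR"
  fi
fi
```

If the issuer printed for the agent's certificate is not the subject of ca.pem, the file Vault was given is not the CA that signed the agent's HTTPS listener, which is exactly what tls_skip_verify hides; the secret comparison tells you whether the mounted file diverged from the secret it was supposed to come from.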

Hi, sorry to hear this isn’t working. Can you share your values.yaml file for Consul and Vault?

Also can you verify that the ca.pem is the same as the contents of consul-ca-cert secret?