Mesh Gateways on Kubernetes x509 - cannot register service

nikfot · June 25, 2021, 4:16pm

Hello,

I am trying to set up consul mesh on Kubernetes. I followed this guide:
https://www.consul.io/docs/k8s/installation/multi-cluster/kubernetes

My tls configuration looks like this:

  tls:
    enabled: true
    verify: true
    httpsOnly: true
    enableAutoEncrypt: true
    serverAdditionalDNSSANs: ["myserver.test"]
    serverAdditionalIPSANs: ["10.xxx.xxx.xxx"]
    caCert:
      secretName: consul-ca-cert
      secretKey: tls.crt
    caKey:
      secretName: consul-ca-key
      secretKey: tls.key

I created the secrets creating a CA crt on using consul CLI on my workstation.

When I install using helm the Mesh Gateways return this error in logs:

Error registering service “mesh-gateway”: Put “https://10.xxx.xxx.xxx:8501/v1/agent/service/register”: x509: certificate signed by unknown authority

What did I get wrong in this procedure?
Thanks!

nikfot · July 1, 2021, 1:34pm

To provide more details on this one, when I exec into the server pods, I can see tha /consu/tls/ca/tls.crt and /consul/tls/server/tls.crt certificates are valid, but they are not the ones being returned when I make a request to the https://10.xxx.xxx.xxx:8501/v1/agent/service/register.
Any help?

lkysow · July 6, 2021, 5:31pm

Because enableAutoEncrypt is set, the Consul clients actually use a different CA than the Consul servers. There should be an init container that runs in the mesh gateway pods that adds the correct Consul client CA cert into a shared volume (consul-helm/mesh-gateway-deployment.yaml at master · hashicorp/consul-helm · GitHub).

Can you share your other Helm config?