Remote error: tls: bad certificate for K8S consul clients

Hi,
Thanks for the reply. Yes, my Consul server is configured with verify_incoming = true. And normally it should work with such a config, or at least I think so :) . After setting manageSystemACLs: false my K8S clients joined the cluster; however, I still can’t enable connectInject for the same reason. The init container named get-auto-encrypt-client-ca of the consul-connect-injector-webhook pod is not able to get the client CA and is failing with the same error:

[ERROR] Error retrieving CA roots from Consul: err="Get "https://consul server:8501/v1/agent/connect/ca/roots": remote error: tls: bad certificate"

Inspecting the init container shows that the following command is running and produces the mentioned error message:

consul-k8s get-consul-client-ca -output-file=/consul/tls/client/ca/tls.crt -server-addr=consulserver -server-port=8501 -ca-file=/consul/tls/ca/tls.crt

I'm pretty much sure that if I set verify_incoming = false on my Consul server this will solve the issue; however, according to the documentation it’s recommended to keep it enabled.

Currently my config YAML looks like this:

global:
  enabled: false
  name: consul
  image: "consul:1.8.1"
  datacenter: consul-azure-dc
  acls:
    manageSystemACLs: false
    bootstrapToken:
      secretName: consul-acl-token  
      secretKey: bootstrap-token  
  gossipEncryption:
    secretName: consul-gossip-encryption
    secretKey: gossip
  tls:
    enabled: true
    enableAutoEncrypt: true
    caCert:
      secretName: consul-ca-cert
      secretKey: tls.crt

externalServers:
  enabled: true
  hosts: ["redacted"]
  k8sAuthMethodHost: redacted:443
  useSystemRoots: false

client:
  enabled: true
  join: ["redacted"]
  resources:
    requests:
      memory: "100Mi"
      cpu: "100m"
    limits:
      memory: "100Mi"
      cpu: "100m" 

connectInject:
  enabled: true
  default: false
  resources:
    requests:
      memory: "50Mi"
      cpu: "50m"
    limits:
      memory: "50Mi"
      cpu: "50m"
  centralConfig:
    enabled: false

Thanks
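A minimal model of the handshake failure described in the post above, as an added example (not code from the post, Consul or consul-k8s). It assumes that a server with verify_incoming = true behaves like a Go TLS server set to tls.RequireAndVerifyClientCert, and that the client is given only a CA file; the hostname, throwaway certificate and function name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// clientHandshakeErr runs a TLS 1.2 handshake over an in-memory pipe and returns what
// the client sees. The client trusts the CA but has no certificate of its own to present.
func clientHandshakeErr(auth tls.ClientAuthType) error {
	const host = "server.example.consul" // constructed name, not taken from the post
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{ // throwaway self-signed cert: CA and server leaf in one
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, DNSNames: []string{host},
		KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool() // plays the role of the file passed as -ca-file
	pool.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		ClientAuth: auth, ClientCAs: pool, MaxVersion: tls.VersionTLS12}
	cli := &tls.Config{RootCAs: pool, ServerName: host, MaxVersion: tls.VersionTLS12}
	c, s := net.Pipe()
	defer c.Close()
	go func() { tls.Server(s, srv).Handshake(); s.Close() }()
	return tls.Client(c, cli).Handshake()
}

func main() {
	fmt.Println(clientHandshakeErr(tls.RequireAndVerifyClientCert), "|", clientHandshakeErr(tls.NoClientCert))
}
```

The first call fails with the same "remote error: tls: bad certificate" text even though the client validated the server's certificate, which shows the alert comes from the server rejecting the client, not from a problem with the CA file.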