Sidecar TLS configuration

Hello,

I have a GKE-based Vault cluster installed with the Helm chart. I’m trying to get the sidecar to work. TLS is configured, and the sidecar causes vault-0 to log "remote error: tls: bad certificate", so my config is close to working but wrong.

My TLS cert is created with openssl, and it consists of

  • intermediate-ca-cert.pem - the CA cert
  • vault-cert.pem - Vault server cert, signed by the intermediate ca
  • vault-tls-key.pem - private key for Vault server cert

A Kubernetes secret vault-tls provides these three files, mounted under /etc/tls, and the server config has:

        tls_cert_file = "/etc/tls/vault-tls/vault-cert.pem"
        tls_key_file = "/etc/tls/vault-tls/vault-tls-key.pem"
        tls_client_ca_file = "/etc/tls/vault-tls/intermediate-ca-cert.pem"

Next, my point of confusion - how do I configure the sidecar injector?

What I’ve done is to bring over the intermediate-ca-cert.pem into the sidecar pod and point the injector at the cert, with these annotations:

        vault.hashicorp.com/agent-copy-volume-mounts: "my-service"
        vault.hashicorp.com/ca-cert: "/var/certs/intermediate-ca-cert.pem"

(my-service mounts a configmap volume containing intermediate-ca-cert.pem.)

I’m confused about the difference between

	// AnnotationVaultCACert is the path of the CA certificate used to verify Vault's
	// CA certificate.
	AnnotationVaultCACert = "vault.hashicorp.com/ca-cert"

	// AnnotationVaultCAKey is the path of the CA key used to verify Vault's CA.
	AnnotationVaultCAKey = "vault.hashicorp.com/ca-key"

What exactly is the difference and purpose of each?

And any suggestions on how I configure the injector?