Use Vault CA instead of Consul CA in Consul OSS Helm chart

I have Consul OSS deployed as a Helm chart in k8s and Vault running in a VM as the intermediate CA for our infra.
Initially we deployed Consul OSS with mTLS managed by the Consul CA.
Actually we want to switch to the Vault CA (the Vault CA will manage mTLS for Consul, so it will generate the server and client certificates).
I'm confused about which values I should update in the values.yaml. I have read some HA docs but am still confused about where and what to change :slight_smile:

Hi @abdel19792. I would start here: "Vault as the Service Mesh Certificate Provider on Kubernetes | Consul | HashiCorp Developer", to see if this can be enabled through our native Vault integration for Consul-K8s.

Thanks David, is it mandatory to have Vault acting as root CA?
My case is somehow similar to this

Rosemary did a talk and created this demo app that incorporates Vault, Consul, Boundary, etc., but part of it is generating offline roots and configuring Vault as an intermediate PKI engine.

I’m not overly familiar with the contents, but the readme calls this out. I’ll see if I can find the talk.

This talk, I think, is based on the original version of this demo app that did not include Boundary. I believe it covers the offline root and configuring Vault as an intermediate PKI engine: "Secure Together: Consul + Vault" (YouTube).