Using consul connect certs to auth with vault

I have about 200 services registered in consul, and I’ve just set up a vault instance from which I want those services to retrieve secrets. I’m not actively using the service mesh/intentions but I have enabled connect and set up the CA to provision the agents for tls.

To reduce the amount of tokens/creds/config needed to retrieve secrets from vault, I was thinking that a service could retrieve a leaf certificate and use that to authenticate with vault via client certs. Is there any downside to this setup? I can’t see any but am worrying I might have missed something.