Vault HA with Istio "remote error: tls: unknown certificate authority"

Hello!

I’m trying to set up Vault with HA Consul, but I’m having trouble getting it working.

The vault-sidecar-injector had issues receiving requests when the webhook was trying to call the /mutate endpoint.

I added a ServiceEntry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: vault-injector-service-entry
spec:
  hosts:
    # the injector webhook service, as addressed from inside the cluster
    - vault-agent-injector-svc.vault.svc.cluster.local
  ports:
    - number: 443
      name: tcp
      protocol: TCP   # plain TCP: the sidecar does not inspect or terminate the TLS
  location: MESH_EXTERNAL


That allows communicating with the Vault injector. But now the output from the injector shows the following error:

2020/10/13 09:46:21 http: TLS handshake error from 10.8.5.10:42776: remote error: tls: unknown certificate authority

So it’s getting requests from the webhook, but with a certificate issue.

The replica shows this error:

Error creating: Internal error occurred: failed calling webhook "vault.hashicorp.com": Post https://vault-agent-injector-svc.vault.svc:443/mutate?timeout=30s: context deadline exceeded

I had to change the failurePolicy to Fail.

These are the values from the Vault config:

injector:
  logLevel: "trace"

server:
  extraEnvironmentVars:
    GOOGLE_REGION: xxxx
    GOOGLE_PROJECT: xxxx
    GOOGLE_APPLICATION_CREDENTIALS: xxxx

  extraVolumes:
    - type: 'secret'
      name: 'kms-creds'

  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  ha:
    enabled: true
    replicas: 1

    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      seal "gcpckms" {
        project     = "xxxx"
        region      = "xxxx"
        key_ring    = "xxxx"
        crypto_key  = "xxxx"
      }

      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }

      service_registration "kubernetes" {}

Can anyone help?

Thanks
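Added example (editor's note, not part of the original post and not Vault project code), reproducing both halves of the error above in Go so the direction of the failure is clear. "remote error: tls: ..." in the injector's log is the alert its peer sent after rejecting the certificate the injector presented; the peer is satisfied only when the CA that issued the injector's serving certificate is in the bundle it trusts, which for an admission webhook is clientConfig.caBundle in the MutatingWebhookConfiguration. The code builds two throwaway CAs, issues a serving certificate for the hostname taken from the post's error message, and runs a loopback handshake once with a bundle from the other CA and once with the matching one. The CA names and the "stale bundle" scenario are constructed for the example; the exact alert name the server logs depends on the client implementation (Go, Envoy and OpenSSL differ), so only the outcome is relied on, not the string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Host from the post's error message; the dialing side checks it against the SAN of whatever answers on 443.
const injectorHost = "vault-agent-injector-svc.vault.svc"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert makes a throwaway certificate (constructed for this example only): a
// self-signed CA when parent is nil, otherwise a serving cert for name signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	signer, signKey := parent, parentKey
	if parent == nil { // CA: may sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		signer, signKey = tmpl, key
	} else { // leaf: needs the DNS SAN the client dials plus the serverAuth EKU
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// handshake runs one TLS handshake over loopback: the "injector" side presents serving,
// the "API server" side trusts only bundle. It returns the error each side observed.
func handshake(serving tls.Certificate, bundle *x509.CertPool) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		must(err)
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serving}, MinVersion: tls.VersionTLS12})
		// A peer that rejects our certificate shows up here as "remote error: tls: <alert>".
		err = srv.Handshake()
		srv.Close()
		srvDone <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: bundle, ServerName: injectorHost, MinVersion: tls.VersionTLS12})
	serverErr = <-srvDone // let the server side finish before closing our end
	if err == nil {
		cli.Close()
	}
	return err, serverErr
}

// tryBundle pairs a serving certificate issued by servingCA with a caBundle that
// holds only bundleCA: the situation behind the error in the post when they differ.
func tryBundle(servingCA *x509.Certificate, servingKey *ecdsa.PrivateKey, bundleCA *x509.Certificate) (clientErr, serverErr error) {
	leaf, leafKey := newCert(injectorHost, servingCA, servingKey)
	pool := x509.NewCertPool()
	pool.AddCert(bundleCA)
	return handshake(tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}, pool)
}

func main() {
	injectorCA, injectorKey := newCert("vault-injector-ca", nil, nil) // CA behind the injector's serving cert
	staleCA, _ := newCert("stale-ca", nil, nil)                       // e.g. a bundle left over from an earlier install
	for _, c := range []struct {
		label string
		ca    *x509.Certificate
	}{{"caBundle from a different CA", staleCA}, {"caBundle matching the serving cert", injectorCA}} {
		cErr, sErr := tryBundle(injectorCA, injectorKey, c.ca)
		fmt.Printf("%s:\n  API server side: %v\n  injector side:   %v\n", c.label, cErr, sErr)
	}
}
```

The corresponding check in a cluster is to compare the same two artefacts. The bundle is base64 inside the injector's MutatingWebhookConfiguration (find its name with `kubectl get mutatingwebhookconfiguration`), so `kubectl get mutatingwebhookconfiguration <name> -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d | openssl x509 -noout -subject -issuer` prints what the API server trusts. The certificate actually presented on the service port can be read after `kubectl -n vault port-forward svc/vault-agent-injector-svc 8443:443` with `openssl s_client -connect 127.0.0.1:8443 -servername vault-agent-injector-svc.vault.svc </dev/null | openssl x509 -noout -subject -issuer`. If the issuer of the second is not the CA in the first, the API server keeps rejecting the handshake no matter what ServiceEntry or failurePolicy is set; whatever component answered on that port (the injector container or something in front of it) is the one whose certificate has to be covered by the bundle.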