Vault TLS and Consul backend via ACL and TLS


I have deployed Consul in HA mode to an on-prem K8s cluster using helm (chart version 0.22.0) and Vault using the consul storage stanza (chart version v0.6.0).

Consul comes up fine. Vault crash loops with the following log on vault-0:
Error initializing listener of type tcp: 'tls_cert_file' must be set

I then add in a cert lying around my cluster and Vault comes up, initializes, and unseals. Access to the UI then stops presenting.

The HA config looks like:

ui = true
api_addr = "https://POD_IP:8201"

listener "tcp" {
  tls_disable   = 0
  address       = ""
  tls_key_file  = "/etc/pem/af-consul-server-cert/tls.key"
  tls_cert_file = "/etc/pem/af-consul-server-cert/tls.crt"
  # cluster_address = "[::]:8201"
}

storage "consul" {
  path            = "vault"
  address         = "HOST_IP:8501"
  token           = "tokenxxxxx"
  tls_skip_verify = "true"
  scheme          = "https"
  # tls_ca_file     = "/etc/pem/"
}

seal "transit" {
  address         = "ip address to master vault"
  disable_renewal = "false"
  key_name        = "xxxxkeyname"
  mount_path      = "transit/"
  tls_skip_verify = "true"
}

service_registration "kubernetes" {}

Is anyone able to provide some guidance?


Regarding this:

# tls_ca_file = "/etc/pem/"

If Consul accepts only TLS-protected connections, Vault also needs to initiate HTTPS to Consul. I think this line should be uncommented and the parameter tls_ca_file should point to the correct CA that Consul is using.
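The storage and seal stanzas rewritten along the lines the reply suggests, as an added example (not the poster's config and not HashiCorp's); the CA file paths, the listener address and the MASTER_VAULT host are assumed placeholders, and the weak setting from the original post is left in as a comment next to its replacement:

```hcl
ui       = true
api_addr = "https://POD_IP:8200"   # API port; 8201 is Vault's cluster (request forwarding) port

listener "tcp" {
  address       = "[::]:8200"       # assumed; listen on all interfaces inside the pod
  tls_disable   = 0
  tls_cert_file = "/etc/pem/af-consul-server-cert/tls.crt"
  tls_key_file  = "/etc/pem/af-consul-server-cert/tls.key"
}

storage "consul" {
  path    = "vault"
  address = "HOST_IP:8501"
  scheme  = "https"
  token   = "tokenxxxxx"

  # Weak setting from the original post: Vault accepts whatever certificate
  # the Consul endpoint presents, so a spoofed Consul would not be noticed.
  # tls_skip_verify = "true"

  # Corrected: pin the CA that signed the Consul server certificate and leave
  # tls_skip_verify at its default (false). The path is an assumed placeholder.
  tls_ca_file = "/etc/pem/consul-ca/ca.crt"
}

seal "transit" {
  address         = "https://MASTER_VAULT:8200"   # assumed placeholder for the unsealing Vault
  key_name        = "xxxxkeyname"
  mount_path      = "transit/"
  disable_renewal = "false"

  # Same fix for the auto-unseal connection. The transit seal names the
  # parameter tls_ca_cert (not tls_ca_file); path is an assumed placeholder.
  tls_ca_cert = "/etc/pem/master-vault-ca/ca.crt"
}

service_registration "kubernetes" {}
```

With verification enabled, a CA mismatch shows up in the Vault log as a certificate verification error at startup instead of being silently accepted, which is the behaviour you want when diagnosing the Consul TLS setup.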