Ability to provide self-signed public CA cert for Vault?

[patoarvizu]

I opened pretty much this same ticket on consul-k8s, but I thought it was worth a shot to open one here too, so please forgive the copy/paste.

I'm trying to use Vault as CA. I'm running Vault with a self-signed cert. I can add the public CA cert for it to the trusted store on my containers, including the Consul server stateful set pods (modifying the stateful set template a little bit), so I'm able to configure Vault as the CA. However, when the Envoy sidecar injected by consul-k8s is spinning up the proxy, I get this:

[2018-12-18 23:29:52.516][1][info][upstream] source/common/upstream/cluster_manager_impl.cc:494] add/update cluster local_app during init
[2018-12-18 23:29:52.516][1][warning][upstream] source/common/config/grpc_mux_impl.cc:226] gRPC config for type.googleapis.com/envoy.api.v2.Cluster update rejected: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.516][1][warning][config] bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:70] gRPC config for type.googleapis.com/envoy.api.v2.Cluster rejected: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.516][1][info][upstream] source/common/upstream/cluster_manager_impl.cc:135] cm init: all clusters initialized
[2018-12-18 23:29:52.516][1][info][main] source/server/server.cc:421] all clusters initialized. initializing init manager
[2018-12-18 23:29:52.518][1][warning][upstream] source/common/config/grpc_mux_impl.cc:226] gRPC config for type.googleapis.com/envoy.api.v2.Listener update rejected: Error adding/updating listener public_listener:100.126.123.255:20000: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.518][1][warning][config] bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:70] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener public_listener:100.126.123.255:20000: Failed to load trusted CA certificates from <inline>

The line Failed to load trusted CA certificates from <inline> makes me think that it's not able to talk to Vault because of the lack of trust. Indeed if I exec into the sidecar and curl my Vault endpoint, I get the standard "Can't verify server identity" error that goes away with -k.

Is there a way to either pass/inject the public CA cert for the Envoy sidecar to use, or at least set some environment variable to ignore cert verification?

For what it's worth, I'm not entirely sure if this is an issue with Envoy, Consul, this chart, or consul-k8s, but I thought this was a good starting point. Also, it seems to me like something similar is being addressed on the Consul side, but I was wondering if something can be done in the meantime.

[banks]

Hey @patoarvizu as you spotted this is a Consul core issue hashicorp/consul#4800 so the helm chart can't really work around it!

Good news is that is due to be fixed in our current release sprint early in the new year. I'll close this as it's not really relevant to the helm chart but hopefully news soon on the issue above!

Thanks.