Ability to provide self-signed public CA cert for Vault?

[patoarvizu]

I'm not sure if this would be the right repo to ask this question, but I'm sure at least I can be pointed in the right direction.

I'm trying to use Vault as CA. I'm running Vault with a self-signed cert. I can add the public CA cert for it to the trusted store on my containers, including the Consul server stateful set pods (modifying the consul-helm chart a little bit), so I'm able to configure Vault as the CA. However, when the Envoy sidecar injected by consul-k8s is spinning up the proxy, I get this:

[2018-12-18 23:29:52.516][1][info][upstream] source/common/upstream/cluster_manager_impl.cc:494] add/update cluster local_app during init
[2018-12-18 23:29:52.516][1][warning][upstream] source/common/config/grpc_mux_impl.cc:226] gRPC config for type.googleapis.com/envoy.api.v2.Cluster update rejected: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.516][1][warning][config] bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:70] gRPC config for type.googleapis.com/envoy.api.v2.Cluster rejected: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.516][1][info][upstream] source/common/upstream/cluster_manager_impl.cc:135] cm init: all clusters initialized
[2018-12-18 23:29:52.516][1][info][main] source/server/server.cc:421] all clusters initialized. initializing init manager
[2018-12-18 23:29:52.518][1][warning][upstream] source/common/config/grpc_mux_impl.cc:226] gRPC config for type.googleapis.com/envoy.api.v2.Listener update rejected: Error adding/updating listener public_listener:100.126.123.255:20000: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.518][1][warning][config] bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:70] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener public_listener:100.126.123.255:20000: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.518][1][info][config] source/server/listener_manager_impl.cc:908] all dependencies initialized. starting workers

The line Failed to load trusted CA certificates from <inline> makes me think that it's not able to talk to Vault because of the lack of trust. Indeed if I exec into the sidecar and curl my Vault endpoint, I get the standard "Can't verify server identity" error that goes away with -k.

Is there a way to either pass/inject the public CA cert for the Envoy sidecar to use, or at least set some environment variable to ignore server verification?

For what it's worth, I'm not entirely sure if this is an issue with Envoy, Consul or consul-k8s, but I thought this was a good starting point. Also, it seems to me like something similar is being addressed on the Consul side, but I was wondering if something can be done in the meantime.

[banks]

Hey @patoarvizu as you spotted this is a Consul core issue hashicorp/consul#4800 so the kubernetes integration can't really work around it!

Good news is that is due to be fixed in our current release sprint early in the new year. I'll close this as it's not really relevant to the kube integration here but hopefully news soon on the issue above!

Thanks.

[patoarvizu]

Gotcha, thanks!