Deploy Vault and consul agent in same pod with TLS using helm

I'm planning to use Vault Service as HA with a Consul backend with TLS, using Helm deployments for both Consul and Vault.

I have already deployed Consul using a Helm deployment in my EKS cluster. This would deploy the Consul client as a DaemonSet and the Consul server as a pod. When Vault is deployed using Helm, my Vault server has to interact with the Consul client instead of the Consul server. The challenge I face is that I can't provide the Consul storage address in the Vault configuration file below as 127.0.0.1:8501, because Vault is running as a separate pod and the Consul client as a separate pod, so they have different IPs.

storage "consul" {
  address       = "<WHAT_SHOULD_I_PROVIDE?>:8501"
  path          = "vault/"
  scheme        = "https"
  tls_ca_file   = ""
  tls_cert_file = ""
  tls_key_file  = ""
  token         = "<CONSUL_TOKEN>"
}

I have also tweaked it by using HOST_IP:8501, but it throws the error below:

[WARN] storage migration check error: error="Get "https://10.15.0.7:8501/v1/kv/vault/core/migration": x509: certificate signed by unknown authority"

This is because the TLS certificate should include a Subject Alternative Name (SAN) for the IP address, and of course, it should be signed by a trusted CA that you include as part of the ca_file parameter in Consul. But in my Consul Helm chart configuration, I'm using enableAutoEncrypt: true, so I am not able to use custom certs.

This would be resolved if I deploy Vault and Consul in the same pod. In the Vault Helm chart configs, I couldn't find the consulAgent configuration in order to deploy Vault and the Consul agent together. Please help and let me know how to resolve this.

There are 1 answers

Derek Strickland On

Have you tried consul.service.consul?
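
The x509 error quoted in the question is produced by Go's crypto/x509, and it is a different failure from a missing IP SAN. The following added example (not code from the posts or from either Helm chart) separates the two cases with throwaway certificates; `issue`, `Diagnose` and the certificate names are hypothetical, 10.15.0.7 is the address from the error above, and 10.15.0.8 is a constructed address that is absent from the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue builds a constructed, throwaway certificate; a nil parent yields a self-signed CA.
func issue(cn string, ips []net.IP, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = tpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Diagnose verifies leaf for addr against roots (the role tls_ca_file plays) and names the failure.
func Diagnose(leaf *x509.Certificate, addr string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "unknown authority: issuing CA is not in the trust pool"
	case x509.HostnameError:
		return "SAN mismatch: address is not listed in the certificate"
	}
	return err.Error()
}

func main() {
	ca, caKey := issue("constructed-ca", nil, nil, nil)
	leaf, _ := issue("constructed-agent", []net.IP{net.ParseIP("10.15.0.7")}, ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println(Diagnose(leaf, "10.15.0.7", trusted), "|", Diagnose(leaf, "10.15.0.7", x509.NewCertPool()), "|", Diagnose(leaf, "10.15.0.8", trusted))
}
```

An empty trust pool fails with the unknown-authority class even when the IP SAN is present, so the error in the question indicates that the issuing CA is not in the trust set used for the connection.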