diff --git a/website/content/docs/k8s/installation/vault/server-tls.mdx b/website/content/docs/k8s/installation/vault/server-tls.mdx index 612d9997e9..4669556bb3 100644 --- a/website/content/docs/k8s/installation/vault/server-tls.mdx +++ b/website/content/docs/k8s/installation/vault/server-tls.mdx @@ -102,10 +102,11 @@ echo allowed_domains=\"$DATACENTER.consul, $NAME-server, $NAME-server.$NAMESPACE Prior to creating Vault auth roles for the Consul server and the Consul components, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method). -Finally, two Kubernetes auth roles need to be created, one for the Consul servers and one for the Consul components: +Finally, three Kubernetes auth roles need to be created, one for the Consul servers, one for the Consul clients, and one for the Consul components. +Role for Consul servers: ```shell-session -vault write auth/kubernetes/role/consul-server \ +$ vault write auth/kubernetes/role/consul-server \ bound_service_account_names= \ bound_service_account_namespaces= \ policies=consul-server \ 
@@ -121,11 +122,29 @@ you can run: -> **Note:** Should you enable other supported features such as gossip-encryption be sure to append additional policies to the Kube auth role in a comma separated value e.g. `policies=consul-server,consul-gossip` +Role for Consul clients: ```shell-session -vault write auth/kubernetes/role/consul-ca \ +$ vault write auth/kubernetes/role/consul-client \ + bound_service_account_names= \ + bound_service_account_namespaces=default \ + policies=ca-policy \ + ttl=1h +``` + +To find out the service account name of the Consul client, use the command below. +```shell-session + $ helm template --release-name -s templates/client-serviceaccount.yaml hashicorp/consul +``` + +-> **Note:** Should you enable other supported features such as gossip-encryption, ensure you append additional policies to +the Kube auth role in a comma separated value e.g. `policies=ca-policy,consul-gossip` + +Role for CA components: +```shell-session +$ vault write auth/kubernetes/role/consul-ca \ bound_service_account_names="*" \ bound_service_account_namespaces= \ - policies=consul-ca \ + policies=ca-policy \ ttl=1h ``` @@ -147,6 +166,7 @@ global: consulClientRole: consul-client consulCARole: consul-ca tls: + enableAutoEncrypt: true enabled: true caCert: secretName: "pki/cert/ca"
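Review bot: in the first hunk (`@@ -102,10 +102,11 @@`), the values for `bound_service_account_names=` and `bound_service_account_namespaces=` in the server role are blank, and nothing in the surrounding prose says what to fill in; if these are meant to be placeholders, show them explicitly (for example `bound_service_account_names=<consul-server-service-account>`) so the reader does not copy a role with empty bindings. The new intro sentence "Finally, three Kubernetes auth roles need to be created ... and one for the Consul components." is also immediately followed by "Role for Consul servers:" with no blank line, which MDX will merge into one paragraph; add a blank line between them.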
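Review bot: in the second hunk (`@@ -121,11 +122,29 @@`), the new `consul-client` role hard-codes `bound_service_account_namespaces=default`, while the server and CA roles in the same page use a placeholder for the namespace; binding to `default` will silently fail for anyone installing Consul into another namespace, so use the same placeholder here. The `consul-ca` role keeps `bound_service_account_names="*"` and now grants `ca-policy`, the same policy the client role gets; a sentence stating what `ca-policy` permits (and that the wildcard lets every service account in that namespace obtain it) would help readers judge whether that scope is acceptable. Minor: the `helm template` line inside the fence has a leading space before `$`, and `--release-name` is shown with no value, so the command is not copy-pasteable as written; "comma separated value" would read better as "comma-separated list".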
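Review bot: in the third hunk (`@@ -147,6 +166,7 @@`), `enableAutoEncrypt: true` is added to the Helm values with no accompanying explanation, even though the rest of this change introduces a `consul-client` role that carries only `ca-policy` and the values already reference it via `consulClientRole: consul-client`; the reader is left to infer how auto-encrypt and the new client role relate. Add a sentence above the values block saying whether this setting is required for the Vault-backed TLS setup described here or merely recommended, so it is not dropped as optional.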