Provide the Vault Host (FQDN or IP address of the Vault Server)
Users can choose whether to skip certificate verification from the drop-down. Set it to true to skip Vault CA certificate verification, or to false to provide the CA certificate for verification; providing the certificate is needed only if the Vault certificate is self-signed
Provide the CA Cert (base64) when skip verification is set to false, and only if the certificate is self-signed
(Optional) Click on Add Clusters to add additional managed Kubernetes clusters that will use this secret store
Click Save Changes to save the secret store settings
Important
It will take ~30 seconds for the Vault integration configuration to be deployed to the managed Kubernetes clusters
Once the Vault integration configuration is deployed to the clusters, copy the related Vault settings for each of the clusters and complete the configuration in Vault (See Step 3)
To upgrade the secret store to the latest version, click the upgrade button available in the Edit page. This upgrades the secretstore-admission-webhook image to the latest version on all the clusters under that secret store.
In order for Vault to grant the clusters access to retrieve secrets, a Kubernetes Auth Method for each cluster must be created in Vault from the information retrieved in Step 2 above.
This step completes the establishment of "Trust" between the clusters and the central Vault Server. The settings in Vault can be updated using the Vault CLI, UI or API.
Important
The steps described below are typically performed by a Vault Admin.
Follow these steps to perform the update using the Vault CLI.
% vault write auth/stage-gke-cluster/config \
token_reviewer_jwt=@token_reviewer_jwt \
kubernetes_host=https://35.227.173.45:443 \
kubernetes_ca_cert=@ca.crt
Success! Data written to: auth/stage-gke-cluster/config
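The three values written above (the token reviewer JWT, the API server address and the cluster CA) are pasted by hand from the cluster settings, and a malformed copy only surfaces later as a failed login from the webhook. The following pre-flight check is an added example written for this page; it is not part of the product or of Vault. It does not contact Vault: it decodes the JWT payload without verifying the signature (Vault verifies the token itself through the cluster's TokenReview API), confirms the host is an https URL and the CA is PEM-armoured, and renders the same vault write command shown on this page. The mount name, the sample JWT, the sample CA and the file names are constructed for illustration.

```python
"""Pre-flight checks on the inputs to `vault write auth/<mount>/config`.

Added example for this page, not part of the product or of Vault itself.
It does NOT talk to Vault: it validates the three values a Vault admin
copies from the cluster settings (token_reviewer_jwt, kubernetes_host,
kubernetes_ca_cert) and renders the CLI command. Mount path and sample
values are constructed for illustration.
"""
import base64
import json
import shlex
from urllib.parse import urlparse


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, unsigned JWT shaped like a legacy service-account token.
# Vault verifies the real token via the cluster's TokenReview API; this
# sample only exercises the claim checks below.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "example-ns",
        "kubernetes.io/serviceaccount/service-account.name": "vault-reviewer",
    }).encode()),
    "",  # empty signature part
])

# Constructed placeholder; a real ca.crt carries the cluster CA in PEM form.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature (Vault does that)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token_reviewer_jwt is not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_reviewer_jwt(token: str) -> dict:
    """Confirm the token belongs to a Kubernetes service account and report which."""
    claims = decode_jwt_claims(token)
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    if name is None:  # bound/projected tokens nest the same facts under "kubernetes.io"
        k8s = claims.get("kubernetes.io", {})
        name = k8s.get("serviceaccount", {}).get("name")
        ns = k8s.get("namespace")
    if not name:
        raise ValueError("JWT carries no Kubernetes service-account claim")
    return {"namespace": ns, "service_account": name, "issuer": claims.get("iss")}


def check_kubernetes_host(host: str) -> str:
    """Vault must reach the API server over TLS; reject anything but https://host[:port]."""
    u = urlparse(host)
    if u.scheme != "https" or not u.hostname or u.path not in ("", "/"):
        raise ValueError(f"kubernetes_host must look like https://<host>:<port>, got {host!r}")
    return host


def check_ca_cert(pem: str) -> str:
    """The CA must be PEM; a bare base64 blob copied without the PEM armour will not work."""
    body = pem.strip()
    if not (body.startswith("-----BEGIN CERTIFICATE-----")
            and body.endswith("-----END CERTIFICATE-----")):
        raise ValueError("kubernetes_ca_cert is not a PEM-encoded certificate")
    return body


def build_vault_write(mount: str, jwt: str, host: str, ca_pem: str,
                      jwt_file: str = "token_reviewer_jwt", ca_file: str = "ca.crt") -> str:
    """Validate all three inputs, then render the command shown on this page."""
    check_reviewer_jwt(jwt)
    check_kubernetes_host(host)
    check_ca_cert(ca_pem)
    return " ".join([
        "vault", "write", shlex.quote(f"auth/{mount}/config"),
        f"token_reviewer_jwt=@{shlex.quote(jwt_file)}",
        f"kubernetes_host={shlex.quote(host)}",
        f"kubernetes_ca_cert=@{shlex.quote(ca_file)}",
    ])


if __name__ == "__main__":
    print(build_vault_write("stage-gke-cluster", SAMPLE_JWT,
                            "https://35.227.173.45:443", SAMPLE_CA))
```

Run it against the real files before the vault write and the script fails loudly on the usual copy-and-paste mistakes (an http:// host, a JWT truncated in the clipboard, a CA pasted without its PEM header) instead of Vault accepting the config and every later login failing.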
Create a KV secret engine if the Vault admin has not already created one. Both KV v1 and v2 are supported. Customers are strongly encouraged to use v2, since it adds functionality such as secret versioning.
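The version of the KV engine changes three things anyone wiring a policy or reading a secret has to get right: the API path (v2 inserts data/ between the mount and the secret), the policy path that must grant access (it has to use the same data/ form, or reads are denied), and where the key/value pairs sit in the response (v2 nests them under data.data beside version metadata). The helper below is an added example written for this page, not product or Vault code; the mount name, secret path and the two sample responses are constructed to match the shapes Vault returns for each version.

```python
"""KV v1 vs KV v2 path and response differences (added example, not product code).

Sample responses below are constructed to match the JSON shape Vault
returns for each engine version; mount and secret path are placeholders.
"""


def kv_api_path(mount: str, secret_path: str, version: int) -> str:
    """Read/write path: v2 inserts 'data/' between the mount and the secret."""
    secret_path = secret_path.strip("/")
    if version == 1:
        return f"{mount}/{secret_path}"
    if version == 2:
        return f"{mount}/data/{secret_path}"
    raise ValueError("KV version must be 1 or 2")


def kv_policy_rule(mount: str, secret_path: str, version: int) -> str:
    """Read policy for the secret; the v2 rule must use the 'data/' path too."""
    path = kv_api_path(mount, secret_path, version)
    return 'path "%s" {\n  capabilities = ["read"]\n}' % path


def kv_write_body(payload: dict, version: int) -> dict:
    """v2 wraps the key/value pairs under 'data' in the request body."""
    return dict(payload) if version == 1 else {"data": dict(payload)}


def kv_extract(response: dict, version: int) -> dict:
    """Return the key/value pairs and, for v2, which secret version was served."""
    if version == 1:
        return {"secret": response["data"], "version": None}
    if version == 2:
        return {"secret": response["data"]["data"],
                "version": response["data"]["metadata"]["version"]}
    raise ValueError("KV version must be 1 or 2")


# Constructed sample responses shaped like Vault's JSON for each engine version.
SAMPLE_V1_RESPONSE = {"data": {"username": "app", "password": "s3cret"}}
SAMPLE_V2_RESPONSE = {"data": {"data": {"username": "app", "password": "s3cret"},
                               "metadata": {"version": 3, "destroyed": False}}}


if __name__ == "__main__":
    for v in (1, 2):
        print(kv_api_path("secret", "app/db", v))
        print(kv_policy_rule("secret", "app/db", v))
    print(kv_extract(SAMPLE_V2_RESPONSE, 2))
```

The most common symptom of mixing these up is a policy written in the v1 form against a v2 mount: the policy looks correct, the CLI hides the difference behind vault kv get, and the webhook's raw API read is denied.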