Configure the Vault backend

  1. Connecting the Vault backend

    If you are using the development Vault setup as suggested earlier, the VAULT_ADDR and VAULT_TOKEN variables are set automatically.

    Otherwise, VAULT_ADDR should be set in your cluster repository’s .envrc and VAULT_TOKEN set manually. For configuring the Vault backend, VAULT_TOKEN needs to hold a root token; the root token is only required for this configuration step. See also Secret Management, https://developer.hashicorp.com/vault/docs/concepts/tokens and https://developer.hashicorp.com/vault/docs/commands/login.

  2. Run the init command for Vault

    This creates the necessary policies and approles in the Vault backend.

    ./managed-k8s/tools/vault/init.sh
    
  3. Setup secret engines for the cluster

    This sets up key-value and PKI secret engines in a Vault API namespace dedicated to the cluster.

    ./managed-k8s/tools/vault/mkcluster-root.sh
    

More details about Vault as a backend are provided at Using Hashicorp Vault.

All following actions expect VAULT_TOKEN to contain a Vault token with the policy yaook/orchestrator (recommended) or root. You can check which policies are attached to the current token with:

vault token lookup -format=json | jq .data.policies
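
The procedure above (steps 1 to 3) and the policy check, as one added example that is not part of managed-k8s or its tools/vault scripts: a POSIX sh pre-flight script that refuses to run init.sh and mkcluster-root.sh unless VAULT_ADDR and VAULT_TOKEN are set and the token actually carries the policy the step needs (root for the two setup scripts, yaook/orchestrator afterwards). It parses the output of `vault token lookup -format=json` with sed and grep instead of jq so it also works on a host without jq. The function names and the two sample lookup documents are this example's own assumptions, not output captured from a real Vault.

```shell
#!/bin/sh
# Added example, not part of managed-k8s or its tools/vault scripts:
# pre-flight checks for the Vault backend configuration steps. Verifies
# VAULT_ADDR and VAULT_TOKEN are set and that the token carries the policy
# a step needs ("root" for init.sh/mkcluster-root.sh, "yaook/orchestrator"
# for everything after that) before anything is run against Vault.
# Needs only POSIX sh, tr, sed and grep (no jq). Function names are this
# example's own.

# token_has_policy LOOKUP_JSON POLICY
# Exit status says whether POLICY is listed in .data.policies of the JSON
# printed by `vault token lookup -format=json`. The key is matched together
# with its surrounding quotes so "identity_policies" is not mistaken for it.
token_has_policy() {
    json=$1
    policy=$2
    printf '%s' "$json" | tr -d '\n' \
        | sed -n 's/.*"policies"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
        | grep -q -F -- "\"$policy\""
}

# vault_preflight REQUIRED_POLICY
# Fail with a message if the environment is incomplete or the live token
# lacks REQUIRED_POLICY. Vault is only contacted once both variables are set.
vault_preflight() {
    required=$1
    [ -n "${VAULT_ADDR:-}" ] \
        || { echo "VAULT_ADDR is not set; check your cluster repository's .envrc" >&2; return 1; }
    [ -n "${VAULT_TOKEN:-}" ] \
        || { echo "VAULT_TOKEN is not set; run 'vault login' first" >&2; return 1; }
    lookup=$(vault token lookup -format=json) \
        || { echo "token lookup against $VAULT_ADDR failed" >&2; return 1; }
    token_has_policy "$lookup" "$required" \
        || { echo "token does not carry policy '$required'" >&2; return 1; }
}

# configure_vault_backend
# Steps 2 and 3 of the procedure, gated on a root token, followed by a
# reminder to stop using the root token once policies and approles exist.
configure_vault_backend() {
    vault_preflight root || return 1
    ./managed-k8s/tools/vault/init.sh || return 1
    ./managed-k8s/tools/vault/mkcluster-root.sh || return 1
    echo "Vault backend configured; switch VAULT_TOKEN to a yaook/orchestrator token before continuing" >&2
}

# Constructed sample lookup documents (not captured from a real Vault) so
# token_has_policy can be exercised offline; real output has more fields.
SAMPLE_ROOT_LOOKUP='{
  "request_id": "0000",
  "data": {
    "display_name": "root",
    "identity_policies": [],
    "policies": ["root"],
    "ttl": 0
  }
}'
SAMPLE_ORCH_LOOKUP='{
  "request_id": "0001",
  "data": {
    "display_name": "token",
    "identity_policies": [],
    "policies": ["default", "yaook/orchestrator"],
    "ttl": 3600
  }
}'

# Only touch the real Vault when asked explicitly, e.g. `sh preflight.sh run`.
if [ "${1:-}" = "run" ]; then
    configure_vault_backend
fi
```

Source the file and call `vault_preflight yaook/orchestrator` at the start of any later step to make sure the root token was really swapped out after the setup; the setup itself is the only place that needs `vault_preflight root`.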