Configuring HashiCorp Vault
Introduction
HashiCorp Vault is a secrets management tool that provides a single source of truth for secrets and credentials and attaches access policies to them.
After Vault has been installed, it must be configured so that it can serve OpenShift secrets.
Steps to configure the vault
- Open a terminal with access to the vault CLI and run the commands below in the order listed.
- Establish communication between OpenShift and the vault by enabling the Kubernetes authentication method:

    vault auth enable kubernetes

  The Kubernetes auth method authenticates clients with a Kubernetes service account token. The vault accepts such a token from any client inside the cluster and checks with the Kubernetes API that the token is valid before issuing a vault token for the configured path.
- Configure the Kubernetes path. This writes the Kubernetes configuration to the vault so that the vault can validate OpenShift tokens:

    vault write auth/kubernetes/config \
        token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
        kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
        kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

- Create policies. A policy defines which paths a client may access and with which capabilities:

    vault policy write external-secrets-policy - <<EOF
    path "secret/data/external-secrets/*" {
      capabilities = ["read", "create", "update", "delete"]
    }
    EOF

- Create roles. A role ties a policy to a service account in the listed namespaces; tokens obtained by that service account through the role receive the policy:

    vault write auth/kubernetes/role/external-secrets-role \
        bound_service_account_names=cpd-admin-sa \
        bound_service_account_namespaces='*' \
        policies=external-secrets-policy

- Enable a KV secrets engine. This enables the path where the secrets are stored in key-value format:

    vault secrets enable -path=/v1/secret/data/external-secrets/ kv
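The following verification script is an added example, not part of the original page or of Vault itself. It checks the outcome of the steps above: it derives the mount point that the policy path refers to (a KV v2 path such as secret/data/... lives on the engine mounted at secret/, so the value given to -path must match), reports when the role is bound to every namespace as '*' does, and logs in through the role to confirm the issued token actually carries the policy. It assumes the vault CLI and jq are installed, VAULT_ADDR and VAULT_TOKEN are set, and that it runs inside a pod with the bound service account's projected token; the RUN_VAULT_CHECKS variable is an assumed switch for the live checks.

```shell
#!/bin/sh
# Added verification helpers (not from the original page). Assumes the vault
# CLI and jq are on PATH and VAULT_ADDR/VAULT_TOKEN point at the configured
# vault. The live checks run only when RUN_VAULT_CHECKS=1 (assumed switch).
set -eu

# Pure helper: derive the mount point a policy path refers to.
# A KV v2 policy path like "secret/data/external-secrets/*" addresses the
# engine mounted at "secret/", which is the value -path has to match.
kv_mount_from_policy_path() {
  p="$1"
  case "$p" in
    */data/*) printf '%s/' "${p%%/data/*}" ;;
    *)        printf '%s/' "${p%%/*}" ;;
  esac
}

# Pure helper: namespaces one per line; succeed when the wildcard is present.
role_binds_all_namespaces() {
  printf '%s\n' "$1" | grep -qxF '*'
}

# Read the role back and report whether it accepts tokens from any namespace.
vault_check_role_scope() {
  ns="$(vault read -format=json "auth/kubernetes/role/$1" \
        | jq -r '.data.bound_service_account_namespaces[]')"
  if role_binds_all_namespaces "$ns"; then
    echo "note: role $1 is bound to every namespace" >&2
  fi
}

# Log in exactly as the workload would and confirm the issued token
# carries the expected policy.
vault_check_login() {
  jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
  vault write -format=json auth/kubernetes/login role="$1" jwt="$jwt" \
    | jq -e --arg p "$2" '.auth.policies | index($p) != null' >/dev/null
}

# Example run against the names used on this page.
if [ "${RUN_VAULT_CHECKS:-0}" = 1 ]; then
  kv_mount_from_policy_path 'secret/data/external-secrets/*'; echo
  vault_check_role_scope external-secrets-role
  vault_check_login external-secrets-role external-secrets-policy
fi
```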