Persist and encrypt the Vault client cache
By default, the Vault client cache does not persist. You can use the transit secrets engine with Vault Secrets Operator (VSO) to store and encrypt the client cache in your Vault server.
Dynamic secrets best practice
We strongly recommend persisting and encrypting the client cache if you use Vault dynamic secrets, so that dynamic secret leases are maintained through restarts and upgrades.
Before you start
- You must have Vault Secrets Operator installed.
- You must have the
transit
secrets engine enabled. - You must have the
kubernetes
authentication engine enabled.
Step 1: Configure a key and policy for VSO
Use the Vault CLI or Terraform to add a key to transit
and define policies
for encrypting and decrypting cache information:
Step 2: Create a kubernetes authentication role
Use the Vault CLI or Terraform to create a Kubernetes authentication role for Vault Secrets Operator.
Step 3: Configure a Vault connection for VSO
Use the Vault Secrets Operator API to add a VaultConnection between VSO and your Vault server.
Note
If you already have a connection for VSO, continue to the next step
Step 4: Enable encrypted client cache storage
For Helm installs,
install (or upgrade) your server.clientCache
configuration:
Optional: Verify client cache storage and encryption
Confirm the Vault Secrets Operator logs the following information on startup:
Confirm the Vault Secrets Operator logs a "Setting up Vault Client for storage encryption" message when authenticating to Vault on behalf of a user:
Verify the encrypted cache is stored as Kubernetes secrets under the correct namespace with the prefix
vso-cc-<auth method>
. For example: