Modify the values file for the cluster Key Manager
Open the chart values file in your preferred text editor and add the keymanager.configuration.hsm.hashicorp.vault section:
```yaml
# keymanager-values.yaml
# Other configuration settings above this line
keymanager:
  configuration:
    hsm:
      vault:
        server: https://vault.example.net:8200
        approle:
          id: UUID         # App Role ID
          secret: UUID     # App Role Secret
          namespace: ns-1  # Optional namespace for the approle
          path: approle    # Optional mount point for the approle
        transit:
          key: aistor-key-manager-hsm
          namespace: ns-1  # Optional namespace for the transit engine
          path: transit    # Optional mount point for the transit engine
```
The same section with the Kubernetes authentication settings:

```yaml
# keymanager-values.yaml
# Other configuration settings above this line
keymanager:
  configuration:
    hsm:
      vault:
        server: https://vault.example.net:8200
        approle:
          id: UUID          # App Role ID
          secret: UUID      # App Role Secret
          namespace: ns-1   # Optional namespace for the approle
          path: approle     # Optional mount point for the approle
        kubernetes:
          role: aistor-key-manager-role
          jwt: /tmp/kubernetes/jwt
          namespace: ns-3   # Optional namespace for the kubernetes auth
          path: kubernetes  # Optional mount point for the kubernetes auth
```
(Optional) Disable the local HSM
You can disable the local HSM used to initialize the cluster Key Manager after configuring the external HSM.
This prevents using that HSM or its associated Root Encryption Key (REK) for accessing the encryption key database.
To disable the local HSM, comment out or remove the keymanager.configuration.hsm.key value from the values.yaml file.
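Before running the upgrade, it is worth linting the values so that a leftover local HSM key, a placeholder credential or a missing transit key does not ship to the cluster. The checker below is an added example, not part of the chart or its documentation; it assumes the values file has already been loaded into a dict (for instance with PyYAML's safe_load), and the embedded sample is constructed for the demo.

```python
"""Pre-upgrade lint for keymanager.configuration.hsm (added example).

Assumption: `values` is the chart values file parsed into a dict, e.g.
`yaml.safe_load(open("keymanager-values.yaml"))`. The sample below is
constructed to mirror the values file shown above, with the local HSM
key deliberately left in place so the lint has something to report.
"""

SAMPLE_VALUES = {  # constructed sample, not a real deployment
    "keymanager": {"configuration": {"hsm": {
        "key": "local-rek",  # local HSM still enabled on purpose
        "vault": {
            "server": "https://vault.example.net:8200",
            "approle": {"id": "UUID", "secret": "UUID", "namespace": "ns-1", "path": "approle"},
            "transit": {"key": "aistor-key-manager-hsm", "namespace": "ns-1", "path": "transit"},
        }}}}}


def lint_vault_hsm(values: dict) -> list[str]:
    """Return a list of findings for the hsm.vault section; an empty list means OK."""
    findings = []
    hsm = values.get("keymanager", {}).get("configuration", {}).get("hsm", {})
    vault = hsm.get("vault")
    if not vault:
        return ["no hsm.vault section: external HSM is not configured"]
    server = vault.get("server", "")
    if not server.startswith("https://"):
        findings.append(f"vault.server should use https, got {server!r}")
    # Exactly one auth method should be active so it is clear how the Key Manager logs in.
    auths = [m for m in ("approle", "kubernetes") if vault.get(m)]
    if len(auths) != 1:
        findings.append(f"expected exactly one auth method, found {auths or 'none'}")
    approle = vault.get("approle") or {}
    if "approle" in auths and (approle.get("id") in (None, "UUID")
                               or approle.get("secret") in (None, "UUID")):
        findings.append("approle.id/secret still hold the placeholder 'UUID'")
    k8s = vault.get("kubernetes") or {}
    if "kubernetes" in auths and not (k8s.get("role") and k8s.get("jwt")):
        findings.append("kubernetes auth needs both role and jwt")
    if not (vault.get("transit") or {}).get("key"):
        findings.append("vault.transit.key is missing: no transit key named for the HSM")
    # The local HSM / REK stays usable until hsm.key is removed from the values file.
    if "key" in hsm:
        findings.append("hsm.key (local HSM / REK) is still set; remove it to disable the local HSM")
    return findings


if __name__ == "__main__":
    for finding in lint_vault_hsm(SAMPLE_VALUES):
        print("WARN:", finding)
```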
Update the chart with the new values.yaml by running the helm upgrade command: