Description
Version
v0.4.0
Which installation method(s) does this occur on?
No response
Describe the bug.
Issue:
PREREQUISITES.md contains two statements that appear to contradict each other:
- Section "HashiCorp Vault" (line 26): "Required for PKI (certificate signing) and secret storage."
- Section "ClusterIssuer" (line 208): "If you are using a different issuer (for example, self-signed or Let's Encrypt), update the issuer reference in your values file"
Reading these together, a user reasonably asks: "If I can use self-signed certs instead of Vault for PKI, why is Vault listed as required?"
In reality, Vault serves two separate purposes in BMM, and the docs never distinguish them:
- cert-manager ClusterIssuer -- Issues TLS certificates for service-to-service mTLS. This is the part that CAN be replaced with self-signed or Let's Encrypt. The line 208 guidance applies here.
- carbide-api credential and identity store -- carbide-api connects directly to Vault at runtime for:
  - Storing and retrieving BMC/DPU/firmware credentials (Vault KV v2) -- see crates/api/src/api.rs:820, crates/api/src/handlers/rack_firmware.rs:307-321
  - Issuing machine identity certificates with SPIFFE URI SANs (Vault PKI) -- see crates/secrets/src/forge_vault.rs

  This part CANNOT be replaced. Vault is required for carbide-api to function.
The docs also never state which edition of Vault is needed. The codebase uses standard Vault PKI roles with allowed_uri_sans: ["spiffe://*"] (book/src/development/issuer_ca_recreate.md:66, dev/mac-local-dev/README.md:195), which is a standard Vault OSS feature. One customer mistook this for the Vault Enterprise "SPIFFE secrets engine," which is a different feature entirely.
Proposed Fix:
Update helm/PREREQUISITES.md to:
- Explain the two distinct roles Vault plays (cert-manager issuer vs. carbide-api runtime dependency)
- State explicitly that swapping the cert-manager ClusterIssuer to self-signed does NOT remove the need for Vault
- State that Vault OSS is sufficient -- Enterprise is not required
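To make the second Vault role concrete, here is an added example (not BMM code, and not taken from the issue above) of what "issuing machine identity certificates with SPIFFE URI SANs" through a PKI role with `allowed_uri_sans: ["spiffe://*"]` actually involves. It replaces Vault with an in-memory CA built from the Go standard library and re-implements the role's URI SAN gate as a simplified prefix glob; the type and function names (`localCA`, `issueIdentity`, `issueAndVerify`, `uriAllowed`) and the SPIFFE ID `spiffe://example.org/host/node-1` are assumptions made for the example. Everything it does is plain X.509 URI SAN handling, which is why the OSS PKI engine is enough: a SPIFFE ID in a certificate is an ordinary URI SAN that the role has to be configured to permit.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// uriAllowed approximates a Vault PKI role's allowed_uri_sans check: a pattern
// matches exactly or, when it ends in '*', as a prefix. This is a simplified
// stand-in written for this example, not Vault's own glob matcher.
func uriAllowed(patterns []string, uri string) bool {
	for _, p := range patterns {
		if p == uri || (strings.HasSuffix(p, "*") && strings.HasPrefix(uri, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// localCA stands in for the Vault PKI mount carbide-api calls at runtime;
// allowed plays the part of the role's allowed_uri_sans list.
type localCA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	allowed []string
}

func newLocalCA(allowedURISANs []string) (*localCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example issuing CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &localCA{cert: cert, key: key, allowed: allowedURISANs}, nil
}

// issueIdentity mirrors the shape of a pki/issue/<role> call: generate a key
// for the machine, put its SPIFFE ID in the URI SAN, and refuse any URI the
// role does not permit. Without a spiffe://* pattern the call fails.
func (ca *localCA) issueIdentity(spiffeID string) (*x509.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	if !uriAllowed(ca.allowed, id.String()) {
		return nil, fmt.Errorf("URI SAN %q not permitted by allowed_uri_sans %v", id, ca.allowed)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: id.Host},
		URIs:         []*url.URL{id}, // the SPIFFE ID lives here, as a plain URI SAN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueAndVerify asks the CA for an identity, checks the chain the way an mTLS
// peer would, and returns the SPIFFE ID found on the leaf.
func issueAndVerify(ca *localCA, spiffeID string) (string, error) {
	leaf, err := ca.issueIdentity(spiffeID)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err
	}
	return leaf.URIs[0].String(), nil
}

func main() {
	ca, err := newLocalCA([]string{"spiffe://*"}) // the same pattern the BMM docs configure
	if err != nil {
		panic(err)
	}
	fmt.Println(issueAndVerify(ca, "spiffe://example.org/host/node-1"))
	fmt.Println(issueAndVerify(ca, "https://example.org/not-spiffe"))
}
```

The second call fails at the role check, which is the behaviour an operator sees from Vault when the PKI role lacks the `spiffe://*` entry: the request never reaches signing. Swapping the cert-manager ClusterIssuer to self-signed changes nothing here, because this code path is the runtime dependency carbide-api has on Vault, not the mTLS issuer.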
Other/Misc.
No response
Code of Conduct
- I agree to follow NVIDIA Bare Metal Manager's Code of Conduct
- I have searched the open bugs and have found no duplicates for this bug report