(DOCSP-37583) Fix the vault settings (#1701)

* (DOCSP-37583) Fix the vault settings
* (DOCSP-37583) Update Vault settings and add them to Helm reference

Author: JuliaMongo

source/includes/steps-use-vault.yaml

@@ -115,9 +115,9 @@ content: |
 
   .. note::
     
-     If you installed the |k8s-op-short| using Helm, the |k8s-op-short| already
-     added these annotations. You can proceed to the next step.
-     
+     If you installed the |k8s-op-short| using Helm and set :ref:`operator.vaultSecretBackend.enabled <helm-vault-secret-enabled>`
+     to ``true``, the |k8s-op-short| adds the following annotations. You can proceed to the next step.
+
   .. code-block:: sh
      :emphasize-lines: 11-12
 
@@ -134,8 +134,10 @@ content: |
                vault.hashicorp.com/agent-inject: "true"
                vault.hashicorp.com/role: "mongodbenterprise"
 
-  If you're running |vault-short| in |tls| mode, you must also add the following
-  highlighted line to the file, replacing {TLSSecret} with the name of the secret
+  If you're running |vault-short| in |tls| mode, and specified the
+  :ref:`operator.vaultSecretBackend.tlsSecretRef <helm-vault-secret-ref>` value,
+  the |k8s-op-short| adds the following annotations. Otherwise, add the following
+  highlighted line to the file, replacing ``{TLSSecret}`` with the name of the secret
   containing a ``ca.crt`` entry. The content of the ``ca.crt`` entry must match
   the certificate of the |certauth| used to generate the |vault-short| TLS certificates.
 

source/reference/helm-operator-settings.txt

@@ -290,10 +290,9 @@ namespace
 needsCAInfrastructure
 ---------------------
 
-Flag that determines whether |k8s| creates a |k8s-cr| that allows the
-|k8s-op-short| to sign |tls| certificates using the
-:k8sdocs:`certificates.k8s.io </tasks/tls/managing-tls-in-a-cluster/>` 
-API.
+Determines whether |k8s| creates a |k8s-cr| that allows the |k8s-op-short|
+to sign |tls| certificates using
+the :k8sdocs:`certificates.k8s.io </tasks/tls/managing-tls-in-a-cluster/>` API.
 
 .. example::
 
@@ -376,6 +375,48 @@ The default value is **mongodb-enterprise-operator**.
       operator:
         name: mongodb-enterprise-operator
 
+.. _helm-vault-secret-enabled:
+
+operator.vaultSecretBackend.enabled
+------------------------------------
+
+Determines whether the |k8s-op-short| stores secrets in |hashicorp-vault|.
+To learn more, see :ref:`k8s-set-secret-storage-tool`.
+If you are using |tls| with |vault-short|, you must also specify
+:ref:`operator.vaultSecretBackend.tlsSecretRef <helm-vault-secret-ref>`.
+
+The default value is **false**.
+
+.. example::
+
+   .. code-block:: yaml
+
+      operator:
+        # Set the following setting to "true" so that the MongoDB Kubernetes Operator stores secrets in Vault.
+        vaultSecretBackend: false
+
+.. _helm-vault-secret-ref:
+
+operator.vaultSecretBackend.tlsSecretRef
+----------------------------------------
+
+Required if you are using |tls| with |vault-short|. The TLS secret used in
+your |vault-short| configuration that contains a ``ca.crt`` entry.
+The content of the ``ca.crt`` entry must match the certificate of
+the |certauth| used to generate the |vault-short| TLS certificates.
+The |k8s-op-short| stores this TLS secret in its |secret-store|.
+To learn more, see :ref:`Configure Secret Storage <k8s-set-secret-storage-tool>`.
+Requires that :ref:`operator.vaultSecretBackend.enabled <helm-vault-secret-enabled>`
+is set to ``true``.
+
+.. example::
+
+   .. code-block:: yaml
+
+      operator:
+        vaultSecretBackend: true
+          tlsSecretRef: "vault-tls-secret"
+
 operator.version
 ----------------
 
@@ -640,4 +681,4 @@ The default value is **true**.
 
     .. code-block:: yaml
 
-      subresourceEnabled: true
+       subresourceEnabled: true

source/tutorial/create-vault-secret.txt

@@ -1,7 +1,7 @@
 .. _create-vault-secret:
 
 =========================================
-Create Secrets in |hashicorp-vault|
+Create Secrets in |vault-short|
 =========================================
 
 .. default-domain:: mongodb