Thanks :). I'm waiting on Terraform support for Secret Manager[0], then I'll update the configurations to use that for storing the initial root token and certificates.
Vault works great on GCP, and it's used by hundreds of enterprises who want brokered identity management across clouds, dynamic secrets, and an open core model that fits their business.
However, we kept hearing that sometimes Vault was complex for some small problems. If you're not using its advanced functionality, Vault is incredibly cost prohibitive. It doesn't run well in a serverless environment, so you have to pay for VMs 24/7 even when secrets aren't being accessed.
We continue to contribute to Vault and build deeper Vault integrations into GCP - that's not changing. Secret Manager provides choice. Just like there are certain scenarios where you'd prefer a NoSQL database over a relational one, there are scenarios where you'd prefer Secret Manager over Vault and vice versa.
Since this question and "Secret Manager vs Cloud KMS" keep coming up as questions, I'm going to work with our team to put together something in the documentation.
0: https://github.com/sethvargo/vault-on-gke