[doc] Add documentation for Vault plugin

Vault plugin has been added for a while, however it is still undocumented Change-Id: I354a406799344a1577ba1a2d6a88df2a129bef1b
2020-10-09 16:01:03 +03:00 · 2020-10-09 16:01:03 +03:00 · 4d017c4cc2
commit 4d017c4cc2
parent 6be43dffe3
2 changed files with 32 additions and 1 deletions
--- a/doc/source/configuration/plugin_backends.rst
+++ b/doc/source/configuration/plugin_backends.rst
@ -39,7 +39,7 @@ Multiple plugin configuration can be defined as follows.
    [secretstore]
    # Set to True when multiple plugin backends support is needed
    enable_multiple_secret_stores = True
-    stores_lookup_suffix = software, kmip, pkcs11, dogtag
+    stores_lookup_suffix = software, kmip, pkcs11, dogtag, vault

    [secretstore:software]
    secret_store_plugin = store_crypto
@ -56,6 +56,9 @@ Multiple plugin configuration can be defined as follows.
    secret_store_plugin = store_crypto
    crypto_plugin = p11_crypto

+    [secretstore:vault]
+    secret_store_plugin = vault_plugin
+
 When `enable_multiple_secret_stores` is enabled (True), then list property
 `stores_lookup_suffix` is used for looking up supported plugin names in
 configuration section. This section name is constructed using pattern
--- a/doc/source/install/barbican-backend.rst
+++ b/doc/source/install/barbican-backend.rst
@ -430,3 +430,31 @@ The configuration for this plugin in ``/etc/barbican/barbican.conf`` is as follo
       dogtag_port = 8443
       nss_db_path = '/etc/barbican/alias'
       nss_password = 'password123'
+
+Vault Plugin
+^^^^^^^^^^^^
+
+Vault is a Hashicorp tool for securely accessing secrets and other objects,
+such as API keys, passwords, or certificates. Vault provides a unified
+interface to any secret, while providing tight access control and recording
+a detailed audit log.
+
+The plugin communicates with the Vault using a Vault token.
+
+The configuration for this plugin in ``/etc/barbican/barbican.conf`` is as
+follows:
+
+    .. code-block:: ini
+
+       [secretstore]
+       ..
+       enabled_secretstore_plugins = vault_plugin
+
+       [vault_plugin]
+       root_token_id =
+       approle_role_id =
+       approle_secret_id =
+       kv_mountpoint = secret
+       vault_url = https://127.0.0.1:8200
+       use_ssl = True
+       ssl_ca_crt_file = /opt/vault/tls/tls-ca.crt