From 4d017c4cc2b68a98833c98aba537b87b4a16c3c0 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Fri, 9 Oct 2020 16:01:03 +0300
Subject: [PATCH] [doc] Add documentation for Vault plugin
Vault plugin has been added for a while, however it is still undocumented
Change-Id: I354a406799344a1577ba1a2d6a88df2a129bef1b
---
 doc/source/configuration/plugin_backends.rst | 5 +++-
 doc/source/install/barbican-backend.rst | 28 ++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/doc/source/configuration/plugin_backends.rst b/doc/source/configuration/plugin_backends.rst
index ef38c22f9..a466cc133 100644
--- a/doc/source/configuration/plugin_backends.rst
+++ b/doc/source/configuration/plugin_backends.rst
@@ -39,7 +39,7 @@ Multiple plugin configuration can be defined as follows.
 [secretstore]
 # Set to True when multiple plugin backends support is needed
 enable_multiple_secret_stores = True
- stores_lookup_suffix = software, kmip, pkcs11, dogtag
+ stores_lookup_suffix = software, kmip, pkcs11, dogtag, vault
 [secretstore:software]
 secret_store_plugin = store_crypto
@@ -56,6 +56,9 @@ Multiple plugin configuration can be defined as follows.
 secret_store_plugin = store_crypto
 crypto_plugin = p11_crypto
+ [secretstore:vault]
+ secret_store_plugin = vault_plugin
+
 When `enable_multiple_secret_stores` is enabled (True), then list property `stores_lookup_suffix` is used for looking up supported plugin names in configuration section. This section name is constructed using pattern
diff --git a/doc/source/install/barbican-backend.rst b/doc/source/install/barbican-backend.rst
index f67df033c..68b35d0e8 100644
--- a/doc/source/install/barbican-backend.rst
+++ b/doc/source/install/barbican-backend.rst
@@ -430,3 +430,31 @@ The configuration for this plugin in ``/etc/barbican/barbican.conf`` is as follo
 dogtag_port = 8443
 nss_db_path = '/etc/barbican/alias'
 nss_password = 'password123'
+
+Vault Plugin
+^^^^^^^^^^^^
+
+Vault is a Hashicorp tool for securely accessing secrets and other objects,
+such as API keys, passwords, or certificates. Vault provides a unified
+interface to any secret, while providing tight access control and recording
+a detailed audit log.
+
+The plugin communicates with the Vault using a Vault token.
+
+The configuration for this plugin in ``/etc/barbican/barbican.conf`` is as
+follows:
+
+ .. code-block:: ini
+
+ [secretstore]
+ ..
+ enabled_secretstore_plugins = vault_plugin
+
+ [vault_plugin]
+ root_token_id =
+ approle_role_id =
+ approle_secret_id =
+ kv_mountpoint = secret
+ vault_url = https://127.0.0.1:8200
+ use_ssl = True
+ ssl_ca_crt_file = /opt/vault/tls/tls-ca.crt