Merge "[doc] Add documentation for Vault plugin"

doc/source/configuration/plugin_backends.rst

@@ -39,7 +39,7 @@ Multiple plugin configuration can be defined as follows.
     [secretstore]
     # Set to True when multiple plugin backends support is needed
     enable_multiple_secret_stores = True
-    stores_lookup_suffix = software, kmip, pkcs11, dogtag
+    stores_lookup_suffix = software, kmip, pkcs11, dogtag, vault
 
     [secretstore:software]
     secret_store_plugin = store_crypto
@@ -56,6 +56,9 @@ Multiple plugin configuration can be defined as follows.
     secret_store_plugin = store_crypto
     crypto_plugin = p11_crypto
 
+    [secretstore:vault]
+    secret_store_plugin = vault_plugin
+
 When `enable_multiple_secret_stores` is enabled (True), then list property
 `stores_lookup_suffix` is used for looking up supported plugin names in
 configuration section. This section name is constructed using pattern

doc/source/install/barbican-backend.rst

@@ -471,3 +471,31 @@ The configuration for this plugin in ``/etc/barbican/barbican.conf`` is as follo
        dogtag_port = 8443
        nss_db_path = '/etc/barbican/alias'
        nss_password = 'password123'
+
+Vault Plugin
+^^^^^^^^^^^^
+
+Vault is a Hashicorp tool for securely accessing secrets and other objects,
+such as API keys, passwords, or certificates. Vault provides a unified
+interface to any secret, while providing tight access control and recording
+a detailed audit log.
+
+The plugin communicates with the Vault using a Vault token.
+
+The configuration for this plugin in ``/etc/barbican/barbican.conf`` is as
+follows:
+
+    .. code-block:: ini
+
+       [secretstore]
+       ..
+       enabled_secretstore_plugins = vault_plugin
+
+       [vault_plugin]
+       root_token_id =
+       approle_role_id =
+       approle_secret_id =
+       kv_mountpoint = secret
+       vault_url = https://127.0.0.1:8200
+       use_ssl = True
+       ssl_ca_crt_file = /opt/vault/tls/tls-ca.crt