[doc] Add documentation for Vault plugin

The Vault plugin was added a while ago; however, it is still undocumented.

Change-Id: I354a406799344a1577ba1a2d6a88df2a129bef1b
Dmitriy Rabotyagov 2020-10-09 16:01:03 +03:00
parent 6be43dffe3
commit 4d017c4cc2
2 changed files with 32 additions and 1 deletions

@ -39,7 +39,7 @@ Multiple plugin configuration can be defined as follows.
[secretstore]
# Set to True when multiple plugin backends support is needed
enable_multiple_secret_stores = True
stores_lookup_suffix = software, kmip, pkcs11, dogtag
stores_lookup_suffix = software, kmip, pkcs11, dogtag, vault
[secretstore:software]
secret_store_plugin = store_crypto
@ -56,6 +56,9 @@ Multiple plugin configuration can be defined as follows.
secret_store_plugin = store_crypto
crypto_plugin = p11_crypto
[secretstore:vault]
secret_store_plugin = vault_plugin
When `enable_multiple_secret_stores` is enabled (True), then list property
`stores_lookup_suffix` is used for looking up supported plugin names in
configuration section. This section name is constructed using pattern
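Review bot: The new `[secretstore:vault]` section carries only `secret_store_plugin = vault_plugin`, so a reader copying this multi-backend example is not told that the connection and credential options live in a separate `[vault_plugin]` section. Add a sentence or a cross-reference to the Vault Plugin section of the plugin documentation so the example is not taken as a complete configuration.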

@ -430,3 +430,31 @@ The configuration for this plugin in ``/etc/barbican/barbican.conf`` is as follo
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_password = 'password123'
Vault Plugin
^^^^^^^^^^^^
Vault is a Hashicorp tool for securely accessing secrets and other objects,
such as API keys, passwords, or certificates. Vault provides a unified
interface to any secret, while providing tight access control and recording
a detailed audit log.
The plugin communicates with the Vault using a Vault token.
The configuration for this plugin in ``/etc/barbican/barbican.conf`` is as
follows:
.. code-block:: ini
[secretstore]
..
enabled_secretstore_plugins = vault_plugin
[vault_plugin]
root_token_id =
approle_role_id =
approle_secret_id =
kv_mountpoint = secret
vault_url = https://127.0.0.1:8200
use_ssl = True
ssl_ca_crt_file = /opt/vault/tls/tls-ca.crt
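Review bot: The `[vault_plugin]` example lists `root_token_id`, `approle_role_id` and `approle_secret_id` all empty, with no statement of which are required, whether they are alternatives, or which wins if several are set, while the prose above only says the plugin uses "a Vault token". Please document the two authentication options explicitly and recommend the AppRole pair over placing a root token in `/etc/barbican/barbican.conf`, since a Vault root token is an unrestricted credential and this file would then need correspondingly tight permissions. It would also help to describe `kv_mountpoint`, `use_ssl` and `ssl_ca_crt_file` in a sentence each, including how `use_ssl` relates to the `https://` scheme in `vault_url`. Minor: the vendor name is spelled "HashiCorp", and "communicates with the Vault" reads better as "communicates with Vault".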