This is an automated email from the ASF dual-hosted git repository.

duncangrant pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-docs.git


The following commit(s) were added to refs/heads/master by this push:
     new 3274467  Update documentation for Hashicorp Vault
     new 84156e3  Merge pull request #313 from rdowner/hashicorp-vault-updates
3274467 is described below

commit 3274467e431d424b50e70f81ea4c27a13abd296b
Author: Richard Downer <rich...@apache.org>
AuthorDate: Wed Jan 13 22:50:50 2021 +0000

    Update documentation for Hashicorp Vault
    
    Updates the documentation to correspond with the brooklyn-server commit
    7d15614 https://github.com/apache/brooklyn-server/pull/1136
---
 guide/ops/externalized-configuration.md | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/guide/ops/externalized-configuration.md 
b/guide/ops/externalized-configuration.md
index b19b6a3..ebddcad 100644
--- a/guide/ops/externalized-configuration.md
+++ b/guide/ops/externalized-configuration.md
@@ -197,11 +197,16 @@ Then, a blueprint which referred to 
`$brooklyn:external("servers", "postgresql")
 able to query the Vault REST API for configuration values. The different 
suppliers implement alternative authentication
 options that Vault provides.
 
-For *all* of the authentication methods, you must always set these properties 
in `brooklyn.cfg`:
+Brooklyn supports the "Key/Value" Secrets Engine, with API version 1 or 
version 2. See
+[KV Secrets Engine](https://www.vaultproject.io/docs/secrets/kv) in the Vault 
documentation to help you decide which
+one to use.
+
+If you are using version 1, here are the properties you can set:
 
 ```properties
 brooklyn.external.supplierName.endpoint=<Vault HTTP/HTTPs endpoint>
 brooklyn.external.supplierName.path=<path to a Vault object>
+brooklyn.external.supplierName.kv-api-version=1  # can be omitted - 1 is the 
default
 ```
 
 For example, if the path is set to `secret/brooklyn`, then attempting to 
retrieve the key `foo` would cause Brooklyn
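Review bot: the trailing `# can be omitted - 1 is the default` on the `kv-api-version=1` line will become part of the value if a reader pastes the block into `brooklyn.cfg`, since in Java properties syntax `#` starts a comment only at the beginning of a line; move the remark to its own `#` line above the property, or into the prose. The hunk also drops the original sentence that these properties are required for *all* authentication methods, so the revised text no longer says that `endpoint` and `path` must be set in addition to the per-method credentials described below; keep a sentence to that effect ahead of the version-specific lists. Minor: `HTTP/HTTPs` should read `HTTP/HTTPS`, and the keys mix `kv-api-version` with camel-case `mountPoint`; if both spellings are exactly what brooklyn-server #1136 reads, fine, but the page must match the code character for character because readers will copy these keys verbatim.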
@@ -212,6 +217,24 @@ like this:
 vault write secret/brooklyn foo=bar
 ```
 
+If you are using version 2, here are the properties you can set:
+
+```properties
+brooklyn.external.supplierName.endpoint=<Vault HTTP/HTTPs endpoint>
+brooklyn.external.supplierName.mountPoint=<path to the secrets engine>
+brooklyn.external.supplierName.path=<path to the key>
+brooklyn.external.supplierName.kv-api-version=2
+```
+
+For example, if the k/v secrets engine is mounted at `secret/` and secrets are 
stored in the object `brooklyn`, then
+set `mountPoint` to `secret` (no trailing slash) and `path` to `brooklyn`. 
Values can be set on this object using the
+Vault CLI like this:
+
+```bash
+vault kv put secret/brooklyn foo=bar
+```
+
+
 #### Authentication by username and password
 
 The `userpass` plugin for Vault allows authentication with username and 
password.
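Review bot: the v2 paragraph should state explicitly that `path` is now relative to `mountPoint`, whereas in the v1 section above `path` is the full path (`secret/brooklyn`); a reader who switches `kv-api-version` from 1 to 2 and leaves `path=secret/brooklyn` in place would otherwise expect it to keep working. It should also say which version of the secret Brooklyn reads, since KV v2 is versioned and the example `vault kv put secret/brooklyn foo=bar` creates a new version on every write (presumably the latest is returned, but the text does not say). Style: the two blank lines after the `vault kv put` fence can be collapsed to one.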
@@ -224,8 +247,12 @@ brooklyn.external.supplierName.password=s3kr1t
 
 #### Authentication using App ID
 
-The `app_id` plugin for Vault allows you to specify an "app ID", and then 
designate particular "user IDs" to be part
-of the app. Typically the app ID would be known and shared, but user ID would 
be autogenerated on the client in some
+The `app-id` plugin for Vault allows you to specify an "app ID", and then 
designate particular "user IDs" to be part
+of the app.
+
+**Note**: this auth method has been deprecated by Vault, and is therefore also 
deprecated in Apache Brooklyn.
+
+Typically the app ID would be known and shared, but user ID would be 
autogenerated on the client in some
 way. Brooklyn implements this by determining the MAC address of the server 
running Brooklyn (expressed as 12 lower
 case hexadecimal digits without separators) and passing this as the user ID.
 
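Review bot: the deprecation note tells readers not to use `app-id` but not what to use instead; Vault deprecated App ID in favour of AppRole, so either link Vault's deprecation notice and name AppRole, or point to an auth method Brooklyn does support (the `userpass` section above), and say whether the supplier will be removed in a future Brooklyn release. It is also worth saying in the same note that the "user ID" is derived from the Brooklyn server's MAC address, which is neither secret nor hard to spoof, so given the "known and shared" app ID anyone on the same network segment can present the same credential; the method should not be relied on as authentication even while it remains available.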
