commit 3274467e431d424b50e70f81ea4c27a13abd296b
author Richard Downer <richard@apache.org> Wed Jan 13 22:50:50 2021 +0000
committer Richard Downer <richard@apache.org> Wed Jan 13 22:51:51 2021 +0000
tree ea2c15053cd1ad47f4986d1fce74430c727ea68b
parent f34d2b54deb1714c6f54c2794cdf0e832169614a

Update documentation for Hashicorp Vault

Updates the documentation to correspond with the brooklyn-server commit
7d15614 https://github.com/apache/brooklyn-server/pull/1136

guide/ops/externalized-configuration.md

diff --git a/guide/ops/externalized-configuration.md b/guide/ops/externalized-configuration.md
index b19b6a3..ebddcad 100644
--- a/guide/ops/externalized-configuration.md
+++ b/guide/ops/externalized-configuration.md
@@ -197,11 +197,16 @@
 able to query the Vault REST API for configuration values. The different suppliers implement alternative authentication
 options that Vault provides.
 
-For *all* of the authentication methods, you must always set these properties in `brooklyn.cfg`:
+Brooklyn supports the "Key/Value" Secrets Engine, with API version 1 or version 2. See
+[KV Secrets Engine](https://www.vaultproject.io/docs/secrets/kv) in the Vault documentation to help you decide which
+one to use.
+
+If you are using version 1, here are the properties you can set:
 
 ```properties
 brooklyn.external.supplierName.endpoint=<Vault HTTP/HTTPs endpoint>
 brooklyn.external.supplierName.path=<path to a Vault object>
+brooklyn.external.supplierName.kv-api-version=1  # can be omitted - 1 is the default
 ```
 
 For example, if the path is set to `secret/brooklyn`, then attempting to retrieve the key `foo` would cause Brooklyn
@@ -212,6 +217,24 @@
 vault write secret/brooklyn foo=bar
 ```
 
+If you are using version 2, here are the properties you can set:
+
+```properties
+brooklyn.external.supplierName.endpoint=<Vault HTTP/HTTPs endpoint>
+brooklyn.external.supplierName.mountPoint=<path to the secrets engine>
+brooklyn.external.supplierName.path=<path to the key>
+brooklyn.external.supplierName.kv-api-version=2
+```
+
+For example, if the k/v secrets engine is mounted at `secret/` and secrets are stored in the object `brooklyn`, then
+set `mountPoint` to `secret` (no trailing slash) and `path` to `brooklyn`. Values can be set on this object using the
+Vault CLI like this:
+
+```bash
+vault kv put secret/brooklyn foo=bar
+```
+
+
 #### Authentication by username and password
 
 The `userpass` plugin for Vault allows authentication with username and password.
@@ -224,8 +247,12 @@
 
 #### Authentication using App ID
 
-The `app_id` plugin for Vault allows you to specify an "app ID", and then designate particular "user IDs" to be part
-of the app. Typically the app ID would be known and shared, but user ID would be autogenerated on the client in some
+The `app-id` plugin for Vault allows you to specify an "app ID", and then designate particular "user IDs" to be part
+of the app.
+
+**Note**: this auth method has been deprecated by Vault, and is therefore also deprecated in Apache Brooklyn.
+
+Typically the app ID would be known and shared, but user ID would be autogenerated on the client in some
 way. Brooklyn implements this by determining the MAC address of the server running Brooklyn (expressed as 12 lower
 case hexadecimal digits without separators) and passing this as the user ID.