Add Hashicorp Vault docs

Signed-off-by: Dan Middleton <dmiddleton@nvidia.com>

Author: dcmiddle

content/en/docs/attestation/resources/_index.md

@@ -72,4 +72,4 @@ kubectl create secret generic kbsres1 --from-literal key1=res1val1 --from-litera
 ## Advanced configurations
 
 There are additional plugins and additional backends for the resource plugin.
-For example, Trustee can integrate with Azure Key Vault or PKCS11 HSMs.
+For example, Trustee can integrate with [Azure Key Vault](kbs-backed-by-akv), [HashiCorp Vault KV](kbs-backed-by-vault-kv), or PKCS11 HSMs.

content/en/docs/attestation/resources/resource-backends.md

@@ -68,4 +68,17 @@ The Pkcs11 backend is configured with the following values.
 	       No `slot_index` is set, the first slot will be used.
 * `pin` The user password for authenticating a session with the above slot.
 
+### HashiCorp Vault KV
+
+The KBS can use [HashiCorp Vault](https://developer.hashicorp.com/vault) KV v1 as a resource backend,
+storing and retrieving secrets from a central Vault instance.
+Build the KBS with the `vault` feature (e.g. `cargo build --features vault`).
+In the KBS config, add a resource plugin of type `Vault` with `vault_url`, `token`, and optionally
+`mount_path`, `verify_ssl`, and `ca_certs`.
+Resource URIs map to Vault paths as `{repository_name}/{resource_type}/{resource_tag}`; the secret
+value is stored under the key `data`.
+Only token authentication and KV v1 are supported.
+For setup, policy examples, and TLS options, see the
+[Vault KV backend documentation](https://github.com/confidential-containers/trustee/blob/main/kbs/docs/vault_kv.md)
+in the Trustee repo.