From 4db77d6e85c3f46b17f356098494e6f511fef2ba Mon Sep 17 00:00:00 2001 From: Dan Middleton Date: Wed, 18 Feb 2026 17:01:55 -0600 Subject: [PATCH 1/2] Add Hashicorp Vault docs Signed-off-by: Dan Middleton --- content/en/docs/attestation/resources/_index.md | 2 +- .../docs/attestation/resources/resource-backends.md | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/content/en/docs/attestation/resources/_index.md b/content/en/docs/attestation/resources/_index.md index 570437f..6d11d04 100644 --- a/content/en/docs/attestation/resources/_index.md +++ b/content/en/docs/attestation/resources/_index.md @@ -72,4 +72,4 @@ kubectl create secret generic kbsres1 --from-literal key1=res1val1 --from-litera ## Advanced configurations There are additional plugins and additional backends for the resource plugin. -For example, Trustee can integrate with Azure Key Vault or PKCS11 HSMs. +For example, Trustee can integrate with [Azure Key Vault](kbs-backed-by-akv), [HashiCorp Vault KV](kbs-backed-by-vault-kv), or PKCS11 HSMs. diff --git a/content/en/docs/attestation/resources/resource-backends.md b/content/en/docs/attestation/resources/resource-backends.md index 6b9ef40..dede2f9 100644 --- a/content/en/docs/attestation/resources/resource-backends.md +++ b/content/en/docs/attestation/resources/resource-backends.md 
@@ -68,4 +68,17 @@ The Pkcs11 backend is configured with the following values. No `slot_index` is set, the first slot will be used. * `pin` The user password for authenticating a session with the above slot. +### HashiCorp Vault KV + +The KBS can use [HashiCorp Vault](https://developer.hashicorp.com/vault) KV v1 as a resource backend, +storing and retrieving secrets from a central Vault instance. +Build the KBS with the `vault` feature (e.g. `cargo build --features vault`). +In the KBS config, add a resource plugin of type `Vault` with `vault_url`, `token`, and optionally +`mount_path`, `verify_ssl`, and `ca_certs`. +Resource URIs map to Vault paths as `{repository_name}/{resource_type}/{resource_tag}`; the secret +value is stored under the key `data`. +Only token authentication and KV v1 are supported. +For setup, policy examples, and TLS options, see the +[Vault KV backend documentation](https://github.com/confidential-containers/trustee/blob/main/kbs/docs/vault_kv.md) +in the Trustee repo. From ee37f984169d1452d75e98c43ada52af164afeb1 Mon Sep 17 00:00:00 2001 From: Dan Middleton Date: Fri, 20 Feb 2026 11:02:03 -0600 Subject: [PATCH 2/2] Add OpenBao as an alternative to Vault OpenBao is API compatible with Hashicorp Vault KVv1 Signed-off-by: Dan Middleton --- content/en/docs/attestation/resources/_index.md | 3 ++- content/en/docs/attestation/resources/resource-backends.md | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/content/en/docs/attestation/resources/_index.md b/content/en/docs/attestation/resources/_index.md index 6d11d04..6bd414b 100644 --- a/content/en/docs/attestation/resources/_index.md +++ b/content/en/docs/attestation/resources/_index.md 
@@ -72,4 +72,5 @@ kubectl create secret generic kbsres1 --from-literal key1=res1val1 --from-litera ## Advanced configurations There are additional plugins and additional backends for the resource plugin. -For example, Trustee can integrate with [Azure Key Vault](kbs-backed-by-akv), [HashiCorp Vault KV](kbs-backed-by-vault-kv), or PKCS11 HSMs. +For example, Trustee can integrate with [Azure Key Vault](kbs-backed-by-akv), +[HashiCorp Vault / OpenBao KV](kbs-backed-by-vault-kv), or PKCS11 HSMs. diff --git a/content/en/docs/attestation/resources/resource-backends.md b/content/en/docs/attestation/resources/resource-backends.md index dede2f9..cdfb28e 100644 --- a/content/en/docs/attestation/resources/resource-backends.md +++ b/content/en/docs/attestation/resources/resource-backends.md @@ -68,10 +68,10 @@ The Pkcs11 backend is configured with the following values. No `slot_index` is set, the first slot will be used. * `pin` The user password for authenticating a session with the above slot. -### HashiCorp Vault KV +### HashiCorp Vault / OpenBao KV -The KBS can use [HashiCorp Vault](https://developer.hashicorp.com/vault) KV v1 as a resource backend, -storing and retrieving secrets from a central Vault instance. +The KBS can use [HashiCorp Vault](https://developer.hashicorp.com/vault) or [OpenBao](https://www.openbao.org/) +KV v1 as a resource backend, storing and retrieving secrets from a Vault or OpenBao instance. Build the KBS with the `vault` feature (e.g. `cargo build --features vault`). In the KBS config, add a resource plugin of type `Vault` with `vault_url`, `token`, and optionally `mount_path`, `verify_ssl`, and `ca_certs`.
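Review bot: in PATCH 1/2, hunk `@@ -72,4 +72,4 @@` of content/en/docs/attestation/resources/_index.md, the new link target `kbs-backed-by-vault-kv` is not defined anywhere in this patch: the section added to resource-backends.md is `### HashiCorp Vault KV`, whose generated slug would be `hashicorp-vault-kv`, and the hunk adds no explicit `{#kbs-backed-by-vault-kv}` id to that heading. Either give the new heading an explicit id in the same way `kbs-backed-by-akv` is defined for the Azure Key Vault section, or point the link at the generated anchor, and check the rendered page before merging so the new backend is not an unreachable dead link.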
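Review bot: in PATCH 1/2, hunk `@@ -68,4 +68,17 @@` of content/en/docs/attestation/resources/resource-backends.md, `verify_ssl` and `ca_certs` are listed as optional with no default stated and no warning; since this backend fetches the attestation-gated secrets themselves, add a sentence that `verify_ssl` must stay enabled outside local testing (disabling it lets anyone on the network path read the `token` and substitute secret values) and that `ca_certs` is the supported way to trust a private CA. The same hunk describes `token` as a required config value but says nothing about its lifetime or scope: note that the KBS config file now holds a live Vault credential and must be protected accordingly, and that the token's policy should be read-only and scoped to `mount_path`, pointing at the "policy examples" the hunk already says live in vault_kv.md. Finally, the mapping sentence "Resource URIs map to Vault paths as `{repository_name}/{resource_type}/{resource_tag}`" should say whether that path is relative to `mount_path`, otherwise readers writing the policy will guess the prefix.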
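Review bot: in PATCH 2/2, hunk `@@ -68,10 +68,10 @@` of content/en/docs/attestation/resources/resource-backends.md, the heading and first sentence now name OpenBao, but the unchanged context lines still say "Build the KBS with the `vault` feature" and "add a resource plugin of type `Vault`", and the section's closing link is still titled "Vault KV backend documentation". Add one sentence after the OpenBao sentence stating that OpenBao uses the same `vault` feature and `Vault` plugin type because it is KV v1 API-compatible (as the commit message states), so a reader does not look for an `openbao` feature flag or plugin type that does not exist; the feature flag and plugin type lines themselves are correct and should stay.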