OSDOCS-15489 updated vault module

wgabor0427 · wgabor0427 · commit 7f8b2ade0f1c · 2025-08-07T08:57:31.000-04:00
diff --git a/modules/zero-trust-manager-configure-vault.adoc b/modules/zero-trust-manager-configure-vault.adoc
@@ -0,0 +1,77 @@
+// Module included in the following assemblies:
+//
+// * security/zer_trust_workload_identity_manager/zero-trust-manager.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-configure-cert-vault_{context}"]
+= Configuring the Vault plugin
+
+This procedure outlines the steps required to configure a SPIRE server to obtain its intermediate signing certificates from Vault. The plugin supports the following methodes for authenticating to Vault:
+
+* Client Certificate Authentication
+
+* Token Authentication
+
+* AppRole Authentication
+
+* Kubernetes Authentication
+
+.Prerequisites
+
+* A running and accessible HashiCorp Vault server is available.
+
+* A PKI secret engine must be enabled and configured in Vault at the specified `pki_mount_point`.
+
+* A role within the Vault PKI engine must be configured to allow issuing of intermediate CA certificates.
+
+* The Vault token or authentication method used by the plugin must have the necessary permissions.
+
+* The `ca_ttl` configured in your SPIRE Server configuration must be less than or equal to the cofigured `max_lease_ttl` of the Vault PKI secret engine role that the plugin uses.
+
+
+
+.Procedure
+
+. Create a YAML file containing the configuration for the `SpireServer` resource, for example `spireserver.yaml`. The file includes the `spec` block and the `upstreamAuthority` block configured to use the `vault` plugin.
++
+.Example `spireserver.yaml`
++
+[source,yaml]
+----
+apiVersion: spire.spiffe.io/v1alpha1
+kind: SpireServer
+metadata:
+  name: spire-server
+  namespace: spire
+spec:
+  replicas: 1
+  # ... other SpireServer configuration ...
+  upstreamAuthority:
+    vault:
+      address: "https://vault.example.com" <1>
+      tokenPath: "/var/run/secrets/kubernetes.io/serviceaccount/token" <2>
+      mtls:
+        spireTrustDomain: "spiffe://example.org" <3>
+        serverName: "vault.example.com" <4>
+      pkcs11: <5>
+        # ... PKCS11 configuration if needed ...
+      jwt: <5>
+        # ... JWT configuration if needed ...
+----
+
+<1> The URL of your Vault server.
+<2> The path to the Kubernetes service account token used for authentication with Vault.
+<3> The trust domain of your Spire Server.
+<4> The name used for the Mutual Transport Layer Security (mTLS) authentication with the Vault server.
+<5> Alternative authentication methods with Vault.
+
+. Configure one of the authentication methods:
+
+
+
+. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f spireserver.yaml
+----
diff --git a/modules/zero-trust-manager-vault-upstream-authority.adoc b/modules/zero-trust-manager-vault-upstream-authority.adoc
@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-overview.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-vault-upstream-authority_{context}"]
+= About the vault upstream authority plugin
+
+The vault plugin integrates the SPIRE server with the HashiCorp Vault Public Key Infrastructure (PKI) engine to manage the lifecycle of intermediate CA certificates that the SPIRE server uses to sign the workload {svid-full}. The plugin enables the SPIRE server to use the PKI for issuing and renewing intermediate signing certificates.
+
+The plugin interacts with the PKI secret engine to request intermediate CA certificates, signs the requests, and then provides the certificates to the SPIRE server.
+
+[NOTE]
+====
+The vault plugin does not support the `PublishJWTKey` remote procedure call (RPC) and should not be used in SPIRE configurations where JSON Web Tokens-SPIFFE Verifiable Identity Documents (JWT-SVIDs) are used.
+====
