From 713077c23c0994610bdc627a2629d80ec0db3e44 Mon Sep 17 00:00:00 2001 From: ianwatsonrh Date: Mon, 27 Apr 2020 10:48:21 +0100 Subject: [PATCH] Docs: vault kv and transit engine updates Providing some clearer documentation on the steps needed when using either the kv or transit engine Signed-off-by: ianwatsonrh --- doc/radosgw/vault.rst | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/doc/radosgw/vault.rst b/doc/radosgw/vault.rst index dc3ec3ddfb6e..c952324daa98 100644 --- a/doc/radosgw/vault.rst +++ b/doc/radosgw/vault.rst @@ -61,7 +61,7 @@ KV secrets engine The KV secrets engine is used to store arbitrary key/value secrets in Vault. To enable the KV engine version 2 in Vault, use the following command:: - vault secrets enable kv-v2 + vault secrets enable -path secret kv-v2 The Object Gateway can be configured to use the KV engine version 2 with the following setting:: @@ -266,9 +266,13 @@ Upload object ============= When uploading an object to the Gateway, provide the SSE key ID in the request. -As an example, using the AWS command-line client:: +As an example, for the kv engine, using the AWS command-line client:: aws --endpoint=http://radosgw:8000 s3 cp plaintext.txt s3://mybucket/encrypted.txt --sse=aws:kms --sse-kms-key-id myproject/mybucketkey + +As an example, for the transit engine, using the AWS command-line client:: + + aws --endpoint=http://radosgw:8000 s3 cp plaintext.txt s3://mybucket/encrypted.txt --sse=aws:kms --sse-kms-key-id mybucketkey/1 The Object Gateway will fetch the key from Vault, encrypt the object and store it in the bucket. Any request to download the object will make the Gateway 
@@ -276,11 +280,16 @@ automatically retrieve the correspondent key from Vault and decrypt the object. Note that the secret will be fetched from Vault using a URL constructed by concatenating the base address (``rgw crypt vault addr``), the (optional) -URL prefix (``rgw crypt vault prefix``), and finally the key ID. In the example -above, the Gateway would fetch the secret from:: +URL prefix (``rgw crypt vault prefix``), and finally the key ID. + +In the kv engine example above, the Gateway would fetch the secret from:: http://vaultserver:8200/v1/secret/data/myproject/mybucketkey +In the transit engine example above, the Gateway would fetch the secret from:: + + http://vaultserver:8200/v1/transit/export/encryption-key/mybucketkey/1 + .. _Server-Side Encryption: ../encryption .. _Vault: https://www.vaultproject.io/docs/ .. _Token authentication method: https://www.vaultproject.io/docs/auth/token.html -- 2.47.3
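Review bot: in the first hunk (KV secrets engine, `-    vault secrets enable kv-v2` / `+    vault secrets enable -path secret kv-v2`), the new `-path secret` argument is added without saying why it matters. The fetch URL shown later in this same patch is `http://vaultserver:8200/v1/secret/data/myproject/mybucketkey`, so the mount path has to be `secret` for the configured URL prefix to resolve; add one sentence after the command such as "The engine is mounted at the `secret` path so that it matches the `/v1/secret/data` prefix used in the examples below", otherwise a reader who mounts it elsewhere gets an unexplained 404 from Vault.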
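Review bot: in the "Upload object" hunk, the transit example `--sse-kms-key-id mybucketkey/1` introduces a `/1` suffix with no explanation, while the kv example `myproject/mybucketkey` has none. The hunk that follows shows this value becoming the `.../transit/export/encryption-key/mybucketkey/1` tail of the export URL, so the prose should say that for the transit engine the key ID is the key name followed by the key version, and that the ID in the request must be updated when the key is rotated in Vault. The two near-identical "As an example, for the ... engine, using the AWS command-line client::" lead-ins could also be collapsed into one sentence introducing both commands, e.g. "As an example, using the AWS command-line client with the kv engine::" followed by "and with the transit engine::".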
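Review bot: in the last hunk, the unchanged sentence at the top still says the URL is built by concatenating the base address, the optional `rgw crypt vault prefix`, and the key ID, but the two example URLs that follow differ in the middle segment (`/v1/secret/data/` versus `/v1/transit/export/encryption-key/`), which is only consistent with that sentence if the prefix setting differs per engine. State the prefix each example assumes, e.g. "In the kv engine example above, with `rgw crypt vault prefix` set to `/v1/secret/data`, the Gateway would fetch the secret from::" and likewise `/v1/transit/export/encryption-key` for the transit example, so the reader can reproduce the URL from the settings rather than guess at it.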