Update documentation for FoundationDB TLS support

hashicorp · Nov 15, 2018 · 1cc77cc · 1cc77cc
1 parent 43cf405
commit 1cc77cc
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 13 deletions.
diff --git a/physical/foundationdb/README.md b/physical/foundationdb/README.md
@@ -6,15 +6,28 @@ this procedure will fail with a descriptive error message at runtime.
 
 ## Installing the Go bindings
 
-You will need to install the FoundationDB Go bindings to build the FoundationDB
-backend. Make sure you have the FoundationDB client library installed on your
-system, along with Mono (core is enough), then install the Go bindings using
-the `fdb-go-install.sh` script:
+### Picking a version
+
+The version of the Go bindings and the FoundationDB client library used to
+build them must match.
+
+This version will determine the minimum API version that can be used, hence
+it should be no higher than the version of FoundationDB used in your cluster,
+and must also satisfy the requirements of the backend code.
+
+The minimum required API version for the FoundationDB backend is 520.
+
+### Installation
+
+Make sure you have Mono installed (core is enough), then install the
+Go bindings using the `fdb-go-install.sh` script:
 
 ```
-$ physical/foundationdb/fdb-go-install.sh
+$ physical/foundationdb/fdb-go-install.sh install --fdbver x.y.z
 ```
 
+By default, if `--fdbver x.y.z` is not specified, version 5.2.4 will be used.
+
 ## Building Vault
 
 To build Vault the FoundationDB backend, add FDB_ENABLED=1 when invoking

diff --git a/website/source/docs/configuration/storage/foundationdb.html.md b/website/source/docs/configuration/storage/foundationdb.html.md
@@ -29,23 +29,47 @@ accompanying the backend's source in the Vault source tree.
 
 ```hcl
 storage "foundationdb" {
-  api_version  = 510
-  cluster_file = "/path/to/fdb.cluster"
-  path         = "vault-top-level-directory"
-  ha_enabled   = "true"
+  api_version      = 520
+  cluster_file     = "/path/to/fdb.cluster"
+
+  tls_verify_peers = "I.CN=MyTrustedIssuer,I.O=MyCompany\, Inc.,I.OU=Certification Authority"
+  tls_ca_file      = "/path/to/ca_bundle.pem"
+  tls_cert_file    = "/path/to/cert.pem"
+  tls_key_file     = "/path/to/key.pem"
+  tls_password     = "PrivateKeyPassword"
+
+  path             = "vault-top-level-directory"
+  ha_enabled       = "true"
 }
 ```
 
 ## `foundationdb` Parameters
 
 - `api_version` `(int)` - The FoundationDB API version to use; this is a
-  required parameter and doesn't have a default value. Future versions will
-  impose a minimum API version to access newer features.
+  required parameter and doesn't have a default value. The minimum required API
+  version is 520.
 
 - `cluster_file` `(string)` - The path to the cluster file containing the
   connection data for the target cluster; this is a required parameter and
   doesn't have a default value.
 
+- `tls_verify_peers` `(string)` - The peer certificate verification criteria;
+  this parameter is mandatory if TLS is enabled. Refer to the [FoundationDB TLS]
+  [fdb-tls] documentation.
+
+- `tls_ca_file` `(string)` - The path to the CA certificate bundle file; this
+  parameter is mandatory if TLS is enabled.
+
+- `tls_cert_file` `(string)` - The path to the certificate file; specifying this
+  parameter together with `tls_key_file` will enable TLS support.
+
+- `tls_key_file` `(string)` - The path to the key file; specifying this
+  parameter together with `tls_cert_file` will enable TLS support.
+
+- `tls_password` `(string)` - The password needed to decrypt `tls_key_file`, if
+  it is encrypted; optional. This can also be specified via the
+  `FDB_TLS_PASSWORD` environment variable.
+
 - `path` `(string: "vault")` - The path of the top-level FoundationDB directory
   (using the directory layer) under which the Vault data will reside.
 
@@ -73,8 +97,9 @@ version; during cluster upgrades, multiple server versions will be running
 in the cluster, and the client must cope with that situation.
 
 This is handled by the (primary) client library having the ability to load
-a different version of the client library to connect to a particular server;
-it is referred to as the [multi-version client][multi-ver-client] feature.
+a different, later version of the client library to connect to a particular
+server; it is referred to as the [multi-version client][multi-ver-client]
+feature.
 
 #### Client setup with `LD_LIBRARY_PATH`
 
@@ -137,4 +162,5 @@ $ /path/to/bin/vault ...
 ```
 
 [foundationdb]: https://www.foundationdb.org
+[fdb-tls]: https://apple.github.io/foundationdb/tls.html
 [multi-ver-client]: https://apple.github.io/foundationdb/api-general.html#multi-version-client-api