From a546f0f0af5b00b3a7bba9b6abece9b3c090437a Mon Sep 17 00:00:00 2001
From: Knut Ahlers <knut@ahlers.me>
Date: Fri, 25 Aug 2023 17:53:44 +0200
Subject: [PATCH] Add documentation

Signed-off-by: Knut Ahlers <knut@ahlers.me>
---
 bin/git-credential-vault | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/bin/git-credential-vault b/bin/git-credential-vault
index 7e314bd..10eb66b 100755
--- a/bin/git-credential-vault
+++ b/bin/git-credential-vault
@@ -1,6 +1,32 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+###
+# How to use
+###
+#
+# Create a key in Vault `secret/git-credential/<hostname>` so i.e.
+# `secret/git-credential/git.luzifer.io` and fill it with key-value
+# pairs according to the git-credential spec [1]
+#
+# So for example this could be the content:
+# {
+#   "protocol": "https",    # Force to use HTTPS
+#   "username": "luzifer",  # The username required for the host
+#   "password": "..."       # Password for the given user
+# }
+#
+# The `${key}=${value}` pairs are dumped as they are without further
+# processing. Therefore you can override all parameters the
+# git-credential spec allows you to set. I recommend to enforce the
+# `protocol` field to `https` as this helper is not checking the
+# protocol passed but only looks for the `host` value to fetch the
+# correct key from Vault.
+#
+# [1] https://git-scm.com/docs/git-credential
+#
+###
+
 source "${HOME}/bin/script_framework.sh"
 
 function handle_get() {