<aside> 💡 Setting up Vault in High Availability (HA) mode with HAProxy and TLS certificates enabled is a multi-step process. Here’s a guided flow that explains each step:
</aside>
<aside> ⚠️ PLEASE READ, DO NOT BLINDLY COPY! DETAILS MATTER IN THIS GUIDE
</aside>
This guide contains steps in chronological order for infrastructure architects and operators to follow when deploying Vault using the Integrated Storage (Raft) storage backend in a production environment.
The following diagram shows the recommended architecture for deploying a single Vault cluster (Cluster Failover) with maximum resiliency:

With five nodes in the Vault cluster distributed between three availability zones, this architecture can withstand the loss of two nodes from within the cluster or the loss of an entire availability zone.
If deploying to three availability zones is not possible, the same architecture may be used across two or one availability zones, at the expense of significant reliability risk in case of an availability zone outage.
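The resiliency numbers above follow from Raft's majority rule: a cluster of n voters needs floor(n/2)+1 of them up, so five nodes tolerate two failures, and a 2/2/1 spread over three zones keeps a majority alive when any single zone goes down. The check below is an added example, not part of this guide; node names and zone labels are constructed placeholders.

```python
def raft_quorum(n: int) -> int:
    """Raft commits writes and elects a leader only with a strict majority of voters."""
    return n // 2 + 1


def tolerated_node_failures(n: int) -> int:
    """How many voting nodes may be lost before the cluster stops serving writes."""
    return n - raft_quorum(n)


def survives_zone_loss(placement: dict, lost_zones: set) -> bool:
    """placement maps node name -> availability zone.
    Returns True if the nodes outside lost_zones still form a quorum."""
    alive = sum(1 for zone in placement.values() if zone not in lost_zones)
    return alive >= raft_quorum(len(placement))


def analyze(placement: dict) -> dict:
    """Summarise node-level and zone-level fault tolerance for a given layout."""
    n = len(placement)
    zones = sorted(set(placement.values()))
    return {
        "nodes": n,
        "zones": len(zones),
        "quorum": raft_quorum(n),
        "tolerated_node_failures": tolerated_node_failures(n),
        # worst case: every single zone taken offline one at a time
        "survives_any_single_zone_outage": all(
            survives_zone_loss(placement, {z}) for z in zones
        ),
    }


# Constructed layouts matching the text: five nodes over three zones (2/2/1)
# versus the same five nodes squeezed into two zones (3/2).
FIVE_NODES_THREE_AZ = {
    "vault-1": "az-a", "vault-2": "az-a",
    "vault-3": "az-b", "vault-4": "az-b",
    "vault-5": "az-c",
}
FIVE_NODES_TWO_AZ = {
    "vault-1": "az-a", "vault-2": "az-a", "vault-3": "az-a",
    "vault-4": "az-b", "vault-5": "az-b",
}

if __name__ == "__main__":
    for name, layout in (("3 AZ", FIVE_NODES_THREE_AZ), ("2 AZ", FIVE_NODES_TWO_AZ)):
        print(name, analyze(layout))
```

Running it shows the three-zone layout surviving any single zone outage while the two-zone layout does not, which is the reliability risk the paragraph above warns about.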
<aside> 💡
For Vault Enterprise customers, additional resiliency is possible by implementing a multi-cluster architecture (Regional Failover), which allows for additional performance and disaster recovery options.
</aside>
For this guide, we will reference and implement the following architecture as a POC:
This architecture ensures secure, scalable, and highly available management of secrets within a Kubernetes/OpenShift environment, with strong security enforced through TLS, HAProxy for load balancing, and redundancy using a multi-node Vault HA cluster. The Vault-secrets-operator ensures Kubernetes workloads have access to the secrets they need in a seamless and automated manner.
<aside> 💡
The AppRole authentication method is ideal for an architecture such as this one, where the Vault nodes run on VMs and communication with external clients would otherwise depend on long-lived tokens. Read here for more.
</aside>
Here's a detailed breakdown of the components and flow depicted: