HashiCorp Vault HA Deployment using Raft - aniket.pitre - 04-07-2026
Purpose: Deploy HashiCorp Vault in High Availability mode using Raft storage
Prerequisite Infrastructure
Before deploying Vault, make sure the following are in place:
- HAProxy (load balancer)
- Keepalived (failover)
- Virtual IP (VIP)
Together these give clients a single stable endpoint in front of the cluster.
Overview
Vault HA cluster using Raft integrated storage:
- One node is the active leader
- The other nodes are standby replicas
- Failover to a standby is automatic
Provides:
- High availability
- Secure secret storage
- TLS encryption
Ports:
- 8200 → API (client traffic)
- 8201 → Cluster communication (Raft replication and request forwarding between nodes)
Prerequisites
- Minimum 3 Linux servers (a 3-node Raft cluster keeps quorum after losing one node)
- Network connectivity between the nodes on ports 8200 and 8201
- Root/sudo access
- Internet access
- Basic Linux knowledge
Phase 1 — Create Vault User
Code:
# dedicated system account with no login shell; the Vault service runs as this user
sudo useradd --system --home /etc/vault.d --shell /bin/false vault
id vault
Phase 2 — Create Directories
Code:
sudo mkdir -p /etc/vault.d          # configuration
sudo mkdir -p /opt/vault/data       # Raft storage
sudo mkdir -p /etc/vault.d/tls      # certificates and private key
sudo mkdir -p /var/log/vault        # audit log
sudo chown -R vault:vault /etc/vault.d
sudo chown -R vault:vault /opt/vault
sudo chown vault:vault /var/log/vault
sudo chmod 750 /var/log/vault
Phase 3 — Install Vault
Code:
sudo apt update
sudo apt install unzip -y
cd /tmp
# VAULT_VERSION is a placeholder: the release number was lost from the original post.
# Set it to the release you want from https://releases.hashicorp.com/vault/
VAULT_VERSION="<release-version>"
wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
# Check the archive against the SHA256SUMS file published next to it before installing
unzip vault_${VAULT_VERSION}_linux_amd64.zip
sudo mv vault /usr/local/bin/
sudo chmod +x /usr/local/bin/vault
vault --version
which vault
Phase 4 — Generate TLS Certificates
Code:
mkdir ~/vault-tls
cd ~/vault-tls
# CA private key; restrict and keep it offline once the certificates are issued
openssl genrsa -out vault-ca.key 4096
# self-signed CA certificate (prompts for the subject fields)
openssl req -x509 -new -nodes \
  -key vault-ca.key \
  -out vault-ca.crt \
  -days 3650
# server private key; the matching vault.crt must be issued from the CA above and is installed in Phase 5
openssl genrsa -out vault.key 2048
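The Phase 4 commands stop at the server key. The script below is an added example, not part of the original post, showing how vault.crt is issued from vault-ca.key with a subjectAltName that covers the node's hostname, its IP and the VIP, which is what clients and the other cluster members check when they verify the certificate. The hostnames, IPs and the working directory in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: issue the Vault server
# certificate from the CA created in Phase 4, with a subjectAltName that
# lists every name and address the node will be reached by (its own
# hostname and IP plus the VIP). TLS clients verify the address they
# connect to against the SAN, so a certificate without one is rejected.
# All names, IPs and paths in the usage line are constructed placeholders.
set -eu

# issue_vault_cert DIR SANS
#   DIR  : working directory holding vault-ca.key/vault-ca.crt (created if absent)
#   SANS : subjectAltName value, e.g. "DNS:vault-1.example.internal,IP:10.0.0.11,IP:10.0.0.10"
issue_vault_cert() {
    dir=$1
    sans=$2
    mkdir -p "$dir"
    # Create the CA once and reuse it for every node, so Phase 6 trusts a single CA cert.
    if [ ! -f "$dir/vault-ca.key" ]; then
        openssl genrsa -out "$dir/vault-ca.key" 4096 2>/dev/null
        openssl req -x509 -new -nodes -key "$dir/vault-ca.key" -days 3650 \
            -subj "/CN=Vault Internal CA" -out "$dir/vault-ca.crt"
    fi
    # Per-node server key and certificate request.
    openssl genrsa -out "$dir/vault.key" 2048 2>/dev/null
    openssl req -new -key "$dir/vault.key" -subj "/CN=vault" -out "$dir/vault.csr"
    # Extensions for a TLS server certificate; the SAN is what actually gets matched.
    printf 'subjectAltName = %s\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' \
        "$sans" > "$dir/vault-ext.cnf"
    openssl x509 -req -in "$dir/vault.csr" -CA "$dir/vault-ca.crt" -CAkey "$dir/vault-ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/vault-ext.cnf" -out "$dir/vault.crt" 2>/dev/null
    chmod 600 "$dir/vault.key" "$dir/vault-ca.key"
    # Fail (set -e) if the chain does not verify, before anything is copied into /etc/vault.d/tls.
    openssl verify -CAfile "$dir/vault-ca.crt" "$dir/vault.crt" >/dev/null
}

# Usage for node 1 (placeholders): the SAN carries the node's DNS name, its IP and the VIP.
# issue_vault_cert "$HOME/vault-tls" "DNS:vault-1.example.internal,IP:10.0.0.11,IP:10.0.0.10"
```

Run it once per node with that node's own name and IP; the VIP entry is the same on every node so the certificate is also valid when clients arrive through HAProxy.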
Phase 5 — Install TLS Certificates
Code:
sudo cp vault.crt vault.key vault-ca.crt /etc/vault.d/tls/
sudo chown vault:vault /etc/vault.d/tls/*
sudo chmod 600 /etc/vault.d/tls/vault.key   # only the vault user may read the private key
Phase 6 — Trust CA
Code:
# add the internal CA to the system trust store so the vault CLI and raft join can verify the server certificate
sudo cp /etc/vault.d/tls/vault-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
⚙️ Phase 7 — Configure Vault
File:
/etc/vault.d/vault.hcl
Code:
ui = true
cluster_name = "vault-cluster"

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/etc/vault.d/tls/vault.crt"
  tls_key_file    = "/etc/vault.d/tls/vault.key"
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-1"   # must be unique on every node (node-2, node-3, ...)
}

# The host part of both addresses was lost from the original post; each node
# advertises its own reachable address here.
api_addr     = "https://:8200"
cluster_addr = "https://:8201"
# HashiCorp recommends disabling mlock when using integrated (Raft) storage
disable_mlock = true
Code:
sudo chown vault:vault /etc/vault.d/vault.hcl
sudo chmod 640 /etc/vault.d/vault.hcl
⚙️ Phase 8 — Systemd Service
File:
/etc/systemd/system/vault.service
Code:
[Unit]
Description=HashiCorp Vault
After=network-online.target
Wants=network-online.target

[Service]
User=vault
Group=vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
Restart=on-failure
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
Code:
sudo systemctl daemon-reload
sudo systemctl enable vault
sudo systemctl start vault
sudo systemctl status vault
Phase 9 — Initialize Vault
Code:
# host part elided in the original post: point VAULT_ADDR at this node's API address
export VAULT_ADDR=https://:8200
export VAULT_CACERT=/etc/vault.d/tls/vault-ca.crt
# run once, on one node only; prints the unseal key shares and the initial root token
vault operator init
⚠️ Save:
Phase 10 — Unseal Vault
Code:
# each call prompts for one unseal key; repeat until the threshold is reached (3 of the default 5 shares)
vault operator unseal
vault operator unseal
vault operator unseal
vault status
Phase 11 — Join Nodes
Code:
# on each remaining node: join using the leader's API address (host elided in the original post), then unseal with the same keys
vault operator raft join https://:8200
vault operator unseal
vault operator unseal
vault operator unseal
Phase 12 — Verify Cluster
Code:
vault operator raft list-peers   # every node should be listed, with exactly one leader
Phase 13 — Enable Audit Logging
Code:
vault audit enable file file_path=/var/log/vault/audit.log
vault audit list
Phase 14 — Log Rotation
File:
/etc/logrotate.d/vault
Code:
/var/log/vault/audit.log {
    daily
    rotate 7
    compress
    missingok
    notifempty
    # Vault keeps the audit file open; send SIGHUP so it reopens the new file
    # instead of continuing to write into the rotated one
    postrotate
        systemctl kill -s HUP vault.service
    endscript
}
Common Commands
Code:
vault status
vault operator raft list-peers
vault operator unseal
vault operator raft snapshot save backup.snap   # backup of the Raft storage; protect the file like any other copy of your secrets
⚠️ Important Notes
- Store unseal keys securely
- Protect root token
- Vault seals after reboot
- Must unseal manually after restart
- Renew TLS certificates before expiry