Deploy vault on-premise#
Prepare your hosts#
Prepare hosts and load balancer according to the reference architecture recommendations.
Hosts should be reachable from your Ansible controller through Public Key Authentication.
Depending on your requirements, comply with the Production Hardening Guide.
End-to-end connectivity
Think about SELinux policies that could be a silent blocker, somewhat hard to debug.
If you want to manage a specific mount point for vault run data, plug your storage solution on
/opt/vault.
Network#
Check for network connectivity compliance.
End-to-end connectivity
Mind about each host firewall configuration.
Configure your load balancer as TCP(L4) traffic balancing.
Integrate your hosts and load balancer into your default DNS resolution so that:
Ansible controller resolves each host’s and load balancer’s FQDN
Each host resolves each other hosts’ and load balancer’s FQDN
Certificates#
Prepare your x509 certificates for every nodes (private keys, certificates and fullchain certificates).
The certificates’ issuer should be trusted at the operating system level by every node (and the future clients).
Caveats
Each certificate should be issued for both:
the host’s fqdn
the exposed service FQDN beared by the load balancer
Caveats
Each certificate must have:
Key usage
digitalSignature
keyEncipherment
Extended key usage
serverAuth
clientAuth
Have them ready on your Ansible controller.
Prepare your Ansible controller#
Initialize an environment directory and place your terminal in it.
review the generated variable files and inventory, adjust if needed.
Check for connectivity
> ansible -m ping all
Install Vault#
> ansible-playbook wescale.hashistack.vault
if everything when fine, you should be able to reach the Vault web UI through your load balancer’s FQDN.