Deploy vault on-premise#

Prepare your hosts#

End-to-end connectivity

Think about SELinux policies that could be a silent blocker, somewhat hard to debug.

  • If you want to manage a specific mount point for vault run data, plug your storage solution on /opt/vault.


End-to-end connectivity

Mind about each host firewall configuration.

  • Configure your load balancer as TCP(L4) traffic balancing.

  • Integrate your hosts and load balancer into your default DNS resolution so that:

    • Ansible controller resolves each host’s and load balancer’s FQDN

    • Each host resolves each other hosts’ and load balancer’s FQDN


  • Prepare your x509 certificates for every nodes (private keys, certificates and fullchain certificates).

  • The certificates’ issuer should be trusted at the operating system level by every node (and the future clients).


Each certificate should be issued for both:

  • the host’s fqdn

  • the exposed service FQDN beared by the load balancer


Each certificate must have:

  • Key usage

    • digitalSignature

    • keyEncipherment

  • Extended key usage

    • serverAuth

    • clientAuth

  • Have them ready on your Ansible controller.

Prepare your Ansible controller#

> ansible -m ping all

Install Vault#

> ansible-playbook wescale.hashistack.vault

if everything when fine, you should be able to reach the Vault web UI through your load balancer’s FQDN.