Deploy Vault on-premise
Prepare your hosts
Prepare hosts and load balancer according to the reference architecture recommendations.
Hosts should be reachable from your Ansible controller over SSH using public key authentication.
Depending on your requirements, comply with the Production Hardening Guide.
Keep SELinux policies in mind: they can be a silent blocker that is hard to debug.
If you want to manage a specific mount point for vault run data, plug your storage solution on
Check for network connectivity compliance.
Check each host's firewall configuration.
Configure your load balancer for TCP (L4) traffic balancing, so that TLS is terminated on the Vault nodes themselves.
Integrate your hosts and load balancer into your default DNS resolution so that:
  the Ansible controller resolves each host's and the load balancer's FQDN
  each host resolves every other host's and the load balancer's FQDN
Prepare your x509 certificates for every node (private keys, certificates and fullchain certificates).
The certificates’ issuer should be trusted at the operating system level by every node (and the future clients).
Each certificate should be issued for both:
  the host's FQDN
  the exposed service FQDN borne by the load balancer
Each certificate must have:
  Extended key usage
Have them ready on your Ansible controller.
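As an added example (not part of this guide or of the wescale.hashistack collection), a POSIX shell check that a node certificate meets the requirements listed above before it is copied to the controller. It assumes the openssl CLI (1.1.1 or later) and takes the host FQDN, the load balancer FQDN, the certificate file and, optionally, a CA bundle to verify against (otherwise the OS trust store is used):

```shell
#!/bin/sh
# check_vault_cert HOST_FQDN LB_FQDN CERT_PEM [CA_BUNDLE_PEM]
# Exit status 0 when the certificate passes every check, 1 otherwise;
# the first failing requirement is reported on stderr.
check_vault_cert() {
    host_fqdn=$1 lb_fqdn=$2 cert=$3 ca=${4:-}
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "$cert: not a readable PEM certificate" >&2; return 1; }
    # Both names must be DNS SANs: clients reach the service through the
    # load balancer FQDN, while nodes address each other by host FQDN.
    # The SAN list is printed on the line after the extension header;
    # split it on commas and match each entry exactly.
    for name in "$host_fqdn" "$lb_fqdn"; do
        printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
            | tr ',' '\n' | sed 's/^[[:space:]]*//' \
            | grep -qxF "DNS:$name" || {
            echo "$cert: missing DNS SAN $name" >&2; return 1; }
    done
    # The Extended Key Usage extension must be present.
    printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage' || {
        echo "$cert: missing Extended Key Usage extension" >&2; return 1; }
    # Refuse a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || {
        echo "$cert: expired" >&2; return 1; }
    # Verify the chain against the given CA bundle, or the OS trust store
    # when none is given (the issuer must be trusted by every node).
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
    else
        openssl verify "$cert" >/dev/null 2>&1
    fi || { echo "$cert: chain does not verify" >&2; return 1; }
    return 0
}

# Usage from the command line: check_vault_cert.sh host lb cert [ca]
if [ "$#" -ge 3 ]; then
    check_vault_cert "$@"
fi
```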
Prepare your Ansible controller
Initialize an environment directory and place your terminal in it.
Review the generated variable files and inventory, and adjust them if needed.
Check for connectivity
> ansible -m ping all
Run the deployment playbook:
> ansible-playbook wescale.hashistack.vault
If everything went fine, you should be able to reach the Vault web UI through your load balancer's FQDN.