Clustering HashiCorp Vault

Here are special instructions for setting up a vault cluster.

NOTE: See the regular setup page for other details: Hashicorp Vault Setup

DNS Resolution

Since the vault services will communicate with eachother over TLS, they will need certificates.
And as such, the certs will include hostnames.

So, open the /etc/hosts file of each vault host, and add entries, at the bottom of the file, for each instance and API host.

Here's an example list of entries for a cluster:

192.168.75.10 vault02api
192.168.75.21 vault0201
192.168.75.22 vault0202
192.168.75.23 vault0203
192.168.75.24 vault0204
192.168.75.25 vault0205
192.168.75.26 vault0206

Vault.HCL

 

 

Before starting the vault service, we need to setup the cluster configuration.

Changes

Open the config file at: /etc/vault.d/vault.hcl

We have created the following vault.hcl file for a cluster node that has an:

• IP = 192.168.75.24
• node_id = vault0204

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

# Vault Configuration for Clustering.
# Created on 20250901

ui            = true
cluster_name  = "prod-vault"
# recommended with Integrated Storage
disable_mlock = true

# Advertise addresses (MUST be correct & reachable)
# Define the external API address that clients will use to communicate with this Vault node.
# set per node
api_addr     = "https://vault-1.example.com:8200"
api_addr     = "https://192.168.75.24:8200"
# Define the internal address used by Vault nodes to communicate with this Vault node.
# Vault ignores the scheme of this URL, so it doesn't matter if http or https.
# set per node (node's intra-cluster IP:8201)
cluster_addr = "https://192.168.75.24:8201"

listener "tcp" {
  address                  = "0.0.0.0:8200"
  tls_disable              = 0
  tls_cert_file            = "/etc/vault.d/tls/vault.crt"
  tls_key_file             = "/etc/vault.d/tls/vault.key"
  tls_client_ca_file       = "/etc/vault.d/tls/ca.crt"
  # optional: require client certs from automation:
  # tls_require_and_verify_client_cert = "true"
}

# Updated to use raft backend (Integrated Storage).
storage "raft" {
  path    = "/opt/vault/raft"
# unique on each node  
  node_id = "vault0204"

  # Auto-join peers (preferred over manual joins)
  retry_join {
    leader_api_addr      = "https://vault-1.example.com:8200"
    leader_ca_cert_file  = "/etc/vault.d/tls/ca.crt"
  }
  retry_join {
    leader_api_addr      = "https://vault-2.example.com:8200"
    leader_ca_cert_file  = "/etc/vault.d/tls/ca.crt"
  }
  retry_join {
    leader_api_addr      = "https://vault-3.example.com:8200"
    leader_ca_cert_file  = "/etc/vault.d/tls/ca.crt"
  }
}

# Recommended health endpoint behavior for LBs
# (defaults are fine; LB should treat 200 as active, 429 as standby, 503 sealed)
# See /v1/sys/health docs for details.