General question on Vault


I’m working with Vault OSS at the moment with raft storage. We were working with ‘file’ storage but then figured that since ‘raft’ provides HA capability, it might be better to switch to raft storage to begin with, in the event we need to enable HA.

In raft storage, although I’m not enabling HA at the moment, if I don’t provide cluster_addr, it complains about the cluster address not being set. As seen below, I provided a random port for the cluster address.

Vault OSS hcl configuration:


When I execute the server:

Now, I’m confused:

  • What is the significance of both of these cluster addresses (within the Listener 1 group and by itself)? I have to admit I got a bit lost in the documentation.

  • Also, I have seen references to Integrated Storage ‘raft’ in the context of HA. If I’m not concerned with HA at the moment, can I still work with raft storage?

Any help greatly appreciated.


HA mode is always enabled with Raft storage; it cannot be disabled, although if you don’t have enough nodes, it may not be practically useful.

This is a hardcoded requirement, as the cluster address is used to inform other members of the Raft cluster how to reach each node.

That’s a bit weird; the standard Vault cluster port is 8201 and there is usually little reason to change it.

Unfortunately as you’ve provided this as a screenshot, I can’t quote parts of the configuration.

There are several issues you should correct:

  • You should use an absolute path to specify the Raft storage directory. By not doing so, you expose yourself to problems if the current directory when invoking the Vault server is accidentally changed.

  • You have disabled TLS but also specified a certificate and key; this makes no sense.

  • You have specified an api_addr with an https:// scheme, which disagrees with you having disabled TLS.

It shows a defect in your Vault configuration: you have instructed Vault to advise other nodes to attempt to connect to it on port 59358, despite the fact that it is actually listening on port 8201.

You should correct this by changing 59358 back to 8201.

After you have done this, if you haven’t significantly started using Vault, you should destroy and recreate the Raft cluster, as otherwise the incorrect address will lurk within the Raft cluster metadata, and sabotage you one day in the future if you ever try to add extra nodes to the cluster. (Observe this via the vault operator raft list-peers command.)

If the node is already in operation, there are ways to make the update without starting again from scratch, but they’re pretty complicated to explain.

It is fine to run a 1 node Raft cluster if HA is not of interest right now.

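For readers following this thread without the screenshot, here is a single-node Integrated Storage configuration with the four problems from the answer corrected. This is an added example, not the poster’s configuration or HashiCorp’s own sample; the hostname vault-1.example.internal, the node_id, and the /opt/vault and /etc/vault/tls paths are assumptions for illustration.

```hcl
# Added example of a corrected single-node Raft (Integrated Storage) config.
# Assumed values: host vault-1.example.internal, data under /opt/vault/data,
# TLS material under /etc/vault/tls. Adjust to your environment.

storage "raft" {
  # Absolute path: a relative path silently depends on the working directory
  # of whoever launched the vault process.
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

listener "tcp" {
  # API listener (clients talk to this one).
  address = "0.0.0.0:8200"

  # Cluster listener: the socket this node actually binds for Raft/cluster
  # traffic. 8201 is the convention; there is rarely a reason to change it.
  cluster_address = "0.0.0.0:8201"

  # TLS stays on, so the cert/key lines are meaningful. If you genuinely want
  # TLS off, set tls_disable = true, remove tls_cert_file/tls_key_file, and use
  # http:// in api_addr and cluster_addr below. Mixing the two is a defect.
  tls_disable   = false
  tls_cert_file = "/etc/vault/tls/vault.crt"
  tls_key_file  = "/etc/vault/tls/vault.key"
}

# Advertised addresses: what this node tells clients (api_addr) and other Raft
# members (cluster_addr) to connect to. The scheme must agree with tls_disable,
# and the cluster_addr port must be the port the cluster listener above really
# uses (8201), not an arbitrary one such as 59358.
api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"
```

The two “cluster addresses” in the question are thus different things: listener.cluster_address is where Vault listens, while the top-level cluster_addr is the URL it writes into Raft metadata for peers to dial. After reinitialising with the corrected file, run vault operator raft list-peers and confirm the Address column for this node ends in :8201 before adding any further nodes.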