How to setup Vault Transit Engine in HA

Hi All,

We are looking to deploy Vault on-prem and will be using the Transit Engine (as described here: Auto-unseal using Transit Secrets Engine | Vault - HashiCorp Learn) for auto-unsealing.

The article, however, references the Transit Engine node (Vault 1) as a single instance. Is it possible to deploy this in HA, i.e. 2 (or multiple) instances of the Transit Engine, and is there documentation that describes how to achieve this?

We would want to avoid a situation where the Transit Engine node goes down and the Vault instance that needs unsealing is unable to as a result.

I have already read this: High Availability | Vault by HashiCorp

Please help
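For readers of this thread, here is an added configuration example (not from the original post or from HashiCorp's documentation) of what an HA transit cluster and the matching seal stanza look like. It assumes three transit nodes on Raft storage behind a DNS name or load balancer (`transit.example.internal`), an internal CA, and a transit key called `autounseal`; all host names, file paths and the key name are assumptions. Any node of a Raft HA cluster accepts the encrypt/decrypt calls (standbys forward them to the active node), which is what lets the unseal survive the loss of a single transit node.

```hcl
# ---------------------------------------------------------------------------
# 1. Transit cluster, node 1 of 3 (transit-1.example.internal)
#    Nodes 2 and 3 use the same file with their own node_id, api_addr,
#    cluster_addr and TLS files.  All names here are assumed values.
# ---------------------------------------------------------------------------
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "transit-1"

  # Each node tries every peer until it finds the leader, so the cluster
  # re-forms without operator help after a node restarts.
  retry_join {
    leader_api_addr = "https://transit-1.example.internal:8200"
  }
  retry_join {
    leader_api_addr = "https://transit-2.example.internal:8200"
  }
  retry_join {
    leader_api_addr = "https://transit-3.example.internal:8200"
  }
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/transit-1.crt"
  tls_key_file  = "/etc/vault.d/tls/transit-1.key"
}

api_addr     = "https://transit-1.example.internal:8200"
cluster_addr = "https://transit-1.example.internal:8201"

# ---------------------------------------------------------------------------
# 2. Policy attached to the token given to the workload cluster.
#    Least privilege: it may only encrypt/decrypt with the one unseal key;
#    it cannot read, rotate or delete the key, or touch anything else.
# ---------------------------------------------------------------------------
path "transit/encrypt/autounseal" {
  capabilities = ["update"]
}
path "transit/decrypt/autounseal" {
  capabilities = ["update"]
}

# ---------------------------------------------------------------------------
# 3. Seal stanza in the workload (business) cluster's server config.
#    The address is the name fronting all three transit nodes, not a
#    single node, so one node going down does not block unsealing.
# ---------------------------------------------------------------------------
seal "transit" {
  address     = "https://transit.example.internal:8200"
  # Token issued with the policy above. It may also be supplied through
  # the VAULT_TOKEN environment variable instead of being written here.
  token       = "<TRANSIT_UNSEAL_TOKEN_PLACEHOLDER>"
  key_name    = "autounseal"
  mount_path  = "transit/"
  tls_ca_cert = "/etc/vault.d/tls/internal-ca.pem"
}
```

The three pieces live in different places: parts 1 and 3 are `vault server -config` files on the transit nodes and the workload nodes respectively, and part 2 is written with `vault policy write` on the transit cluster before the unseal token is created. Note that the transit cluster itself still needs its own unseal mechanism (Shamir keys or an external KMS); this example only removes the single-node dependency of the cluster being unsealed against it.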

@O_o , you need a Disaster Recovery or Performance Replication cluster.

Yes you can make your transit unseal cluster an HA cluster, however … there is no point and it would be a waste of resources, but technically there is nothing stopping you from doing so.

Thank you both. @ausmartway I believe DR & PR requires an enterprise license, is this correct? We do not have an enterprise license at the moment.

@aram Why do you think it would be a waste of time?

It’s a comparison of cost vs. use vs. how reliant a system has to be. There is no technical reason not to do a full cluster. If you’re overflowing with money and machines and the SRE time to monitor and keep the system up to date with security and vendor patches, then go ahead and do a 3 node cluster.

I agree with Aram here - running a single node transit just for unsealing (which you then have to manually unseal, or auto-unseal - which, if that cluster can auto-unseal, just do that for your primary business-centric cluster) should be a last resort.