Vault HA with PVC and Auto-Unseal

It might be a simple question but I could find any reference documentation related to this?

  1. Can I deploy Vault with HA mode on the local k8s cluster(Rancher Desktop) using PVC as storage or should I use stand-alone mode?

  2. Is the auto-seal feature valid for on-prem clusters? How can I test this with my local k8s cluster?

Regards,
Semih

  1. You should be using HA and PVCs on k8s deployment of vault.
  2. Auto-"un"seal is available via cloud providers … you could use another external Vault instance with it’s transit engine as the auto-unseal for your k8s Vault, but realisticly you’re better off signing up for the free tier of a cloud provider and use their KMS.

On the other hand, that may take time, learning, figuring out whether you can fit within their free tier, and require an internet connection.

Various HashiCorp Learn tutorials include using the transit auto-unseal method - e.g. Vault HA Cluster with Integrated Storage | Vault - HashiCorp Learn - which uses another Vault (which you have to unseal manually, but is small, stable, and hardly ever restarted) to automate the unsealing of a larger, more frequently restarted Vault. The main tutorial for setting that up yourself is Auto-unseal using Transit Secrets Engine | Vault - HashiCorp Learn .

Which option is actually better for you will depend on your requirements, beyond the level of detail you’ve mentioned here.

@aram
Thanks for your kind response.
I could not able to see any examples specific for PVC… Most of the examples and documentation based on raft storage.

It might be my bad but what is the difference between raft and PVC ?

Raft is the protocol and “clustering” … { I’m going to preface this with I’m just starting out with Kubernetes, so the following may not be exact }
PVC is the storage class for Kubernetes.

The pods then use that PVC (the claim to a storage request) to store their data (makes them persistent) – so that when you upgrade/restart the pods you don’t lose your data.

The helm chart takes care of the PV/PVC requests so you don’t need to. You can see the flags in the sample values.yaml (for example you can turn on auditStorage which will add another PVC for persisting your audit logs).