Vault OSS HA Cluster using raft on-prem

Hello,

I’m new to HashiCorp Vault. After going through some of the ‘Get Started’ tutorials, I have set up and configured Vault to enable TLS authentication. My application can now do TLS auth to Vault.
Now, I’m venturing into understanding and setting up Vault as an HA cluster using Raft. I have to admit I’m getting lost in the details here.

I’m looking into a basic setup where I install and configure Vault servers on 2 different machines and each Vault server (I would assume) knows about the other via clustering. If I’m not mistaken, from the application’s point of view, the application is agnostic to which Vault it connects to (since the Vault servers are in cluster mode, leader or follower, any one of them can process the request).

Am I right in envisioning the steps below?
a) modify each Vault server’s configuration in the following way for clustering:

Example:
Vault server 1 on machine A:

```hcl
listener "tcp" {
  tls_disable = "true"
  address = "MachineA:8200"
  cluster_address = "MachineA:8201"
}
storage "raft" {
  path = "D:/apps/Vault/storage"
  node_id = "raft_node_1"
}
retry_join {
  leader_tls_servername = "MachineB:8200"
}
api_addr = "http://MachineA:8200"
cluster_addr = "http://MachineA:8201"
disable_mlock = true
```

Vault server 2 on machine B:

```hcl
listener "tcp" {
  tls_disable = "true"
  address = "MachineB:8200"
  cluster_address = "MachineB:8201"
}
retry_join {
  leader_tls_servername = "MachineA:8200"
}
storage "raft" {
  path = "D:/apps/Vault/storage"
  node_id = "raft_node_1"
}
api_addr = "http://MachineB:8200"
cluster_addr = "http://MachineB:8201"
disable_mlock = true
```

b) On machine A, execute vault initialize and, with the root and unseal keys provided, unseal the vault on machine A. On machine B, execute vault initialize and, with its root and unseal keys, unseal the vault on machine B.

Any help greatly appreciated.

Thanks.

If your choice of storage backend is Raft, you need minimum 3 servers for useful redundancy. This is because a quorum (majority) of servers need to be up and able to communicate with each other to elect which one will become active. In a Raft cluster of 2, loss of either server will render the cluster unable to serve requests.

Well… not exactly. Only the active/leader can process requests. However the standby/followers will forward requests to the active node and proxy responses.

When posting code here, please use ``` blocks so that the forum software doesn’t eat all your indentation, change your quotes to smart quotes, and sometimes worse.

It is definitely wrong to be setting the Raft node_id the same on multiple nodes. Generally I’d say people shouldn’t be setting the node_id at all, and allowing Vault to generate a random unique ID and store it on disk.

This is incorrect - leader_tls_servername is for overriding the expected TLS certificate identity, it does not by itself tell Vault where to connect to. You should be using leader_api_addr.

This would set up two separate 1 node clusters.

Initialise is an operation you perform once per cluster, not per node. I don’t have a link handy, but I’m sure there must be a tutorial on establishing a new Raft cluster on developer.hashicorp.com somewhere.
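As an added illustration of the points made in the reply (this is example code written for this page, not from the thread or from HashiCorp), the script below renders a per-node Vault server config and then lints a set of them for the mistakes called out above: a duplicated `node_id`, a `retry_join` that has `leader_tls_servername` but no `leader_api_addr`, and a cluster of fewer than 3 nodes. The hostnames `MachineA`/`MachineB`/`MachineC`, the `D:/apps/Vault/storage` path and the plaintext `http://` listeners are placeholders carried over from the question; the `retry_join` stanzas are placed inside `storage "raft"` as the Vault docs specify, and the tiny parser understands only the flat stanzas used here, not full HCL.

```python
import re
from collections import Counter


def render_config(host, peers, node_id=None, join_key="leader_api_addr"):
    """Render a Vault server config for one node (placeholder hosts/paths).

    peers: addresses to put in retry_join stanzas, one stanza per peer.
    join_key: 'leader_api_addr' is the correct key; 'leader_tls_servername'
    reproduces the mistake from the question so the lint below can flag it.
    """
    joins = "".join(f'  retry_join {{\n    {join_key} = "{p}"\n  }}\n' for p in peers)
    nid = f'  node_id = "{node_id}"\n' if node_id else ""
    return (
        'listener "tcp" {\n'
        f'  address         = "{host}:8200"\n'
        f'  cluster_address = "{host}:8201"\n'
        '  tls_disable     = "true"\n'
        '}\n'
        'storage "raft" {\n'  # retry_join belongs inside this stanza
        '  path = "D:/apps/Vault/storage"\n'
        f'{nid}{joins}'
        '}\n'
        f'api_addr      = "http://{host}:8200"\n'
        f'cluster_addr  = "http://{host}:8201"\n'
        'disable_mlock = true\n'
    )


def parse_hcl_lite(text):
    """Parse the stanza subset above into nested dicts; repeated blocks become lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(\w+)(?:\s+"([^"]*)")?\s*\{$', line)
        if m:  # block opener, optionally labelled: storage "raft" { / retry_join {
            block = {} if m.group(2) is None else {"_label": m.group(2)}
            stack[-1].setdefault(m.group(1), []).append(block)
            stack.append(block)
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        stack[-1][m.group(1)] = m.group(2)
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def lint_cluster(configs):
    """configs: {hostname: config text}. Returns the problems the reply describes."""
    findings = []
    parsed = {h: parse_hcl_lite(t) for h, t in configs.items()}
    if len(parsed) < 3:
        findings.append(f"cluster has {len(parsed)} node(s); Raft needs 3 or more "
                        "so that a quorum survives the loss of one server")
    node_ids = Counter()
    for host, cfg in parsed.items():
        raft = [s for s in cfg.get("storage", []) if s.get("_label") == "raft"]
        if not raft:
            findings.append(f'{host}: no storage "raft" stanza')
            continue
        raft = raft[0]
        if "node_id" in raft:
            node_ids[raft["node_id"]] += 1
        joins = raft.get("retry_join", [])
        if not joins:
            findings.append(f"{host}: no retry_join; initialising this node alone "
                            "would create a separate one-node cluster")
        for j in joins:
            if "leader_api_addr" not in j:
                findings.append(f"{host}: retry_join lacks leader_api_addr "
                                "(leader_tls_servername only overrides the expected cert name)")
        api = cfg.get("api_addr", "")
        for lst in cfg.get("listener", []):
            tls_off = str(lst.get("tls_disable", "false")).lower() in ("true", "1")
            if (tls_off and api.startswith("https://")) or (not tls_off and api.startswith("http://")):
                findings.append(f"{host}: api_addr scheme does not match the listener's tls_disable")
    for nid, n in node_ids.items():
        if n > 1:
            findings.append(f"node_id {nid!r} appears on {n} nodes; it must be unique "
                            "(or omit it and let Vault generate one)")
    return findings


# The two-node layout from the question, reconstructed here with straight quotes.
BAD_CLUSTER = {
    "MachineA": render_config("MachineA", ["MachineB:8200"], "raft_node_1", "leader_tls_servername"),
    "MachineB": render_config("MachineB", ["MachineA:8200"], "raft_node_1", "leader_tls_servername"),
}
# A three-node layout applying the reply's corrections: no node_id, leader_api_addr,
# and every node listing the others so whichever is initialised first can be joined.
HOSTS = ["MachineA", "MachineB", "MachineC"]
GOOD_CLUSTER = {h: render_config(h, [f"http://{p}:8200" for p in HOSTS if p != h]) for h in HOSTS}

if __name__ == "__main__":
    for name, cluster in (("question", BAD_CLUSTER), ("corrected", GOOD_CLUSTER)):
        print(f"{name}: {len(lint_cluster(cluster))} finding(s)")
        for f in lint_cluster(cluster):
            print("  -", f)
```

Running it reports four findings for the two-node layout from the question and none for the three-node one. The corrected layout still needs the procedure from the reply: `vault operator init` runs once, on whichever node comes up first, and the other two nodes join that cluster (via `retry_join` or `vault operator raft join`) and are unsealed with the same unseal keys rather than being initialised separately.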