Via the Vault CLI or a Java-based client application, I’m able to successfully connect to Vault, authenticate, and read/write secrets.
FYI, since it’s a single Vault OSS server, I specify the URL for the Java client application to use.
Example: VAULT_URL=https://machineA.net.com:8200
Now I’m venturing into an HA cluster and have a minimum of 3 nodes on 2 different machines. Via the Vault CLI, I followed the above commands to connect, authenticate, and read/write secrets. As expected, I do see secrets replicated on all 3 nodes.
• Machine A – Node 1
• Machine A – Node 2
• Machine B – Node 3
The question is:
What Vault URL address would I need to specify for the Java client application to connect to? Should I specify all 3 URLs, in case the machine where a Vault server node runs is down, and have logic in the Java application layer to move on to the next URL in case of failure?
Vault doesn’t really provide an “in box” answer to this - it is assumed that you will do one of:
Use DNS-based service discovery, e.g. Consul, so that one host name rapidly changes to point to appropriate nodes during an outage
Use a load-balancer device, which proxies requests to a suitable node
Or, yes, you could write each client application to select a working node from a set of URLs, though this is generally not preferred, as it moves more complexity and configuration to every client.
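To make the third option concrete, here is an added example (not code from the thread or from HashiCorp) of the client-side selection logic it describes: each configured URL is probed via Vault’s unauthenticated /v1/sys/health endpoint, whose default HTTP status codes encode the node’s role, and the active node is preferred over standbys while sealed or uninitialized nodes are skipped. The URLs and ports used in the comments are constructed for illustration.

```python
"""Client-side selection of a usable Vault node from a set of HA member URLs.

Probes each node's /v1/sys/health endpoint. With the default query
parameters Vault encodes the node's role in the HTTP status code:
  200 active, 429 standby, 472 DR secondary, 473 performance standby,
  501 not initialized, 503 sealed.
The ranking below prefers the active node, then standbys (which forward
requests to the active node), and never returns sealed/uninitialized nodes.
"""
import json
import urllib.error
import urllib.request

# Preference order; lower is better. Status codes not listed are unusable.
USABLE = {200: 0, 473: 1, 429: 2}


def probe(url, timeout=2.0):
    """Return (status_code, body_dict) for one node, or (None, {}) if unreachable."""
    req = urllib.request.Request(url.rstrip("/") + "/v1/sys/health")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        # Vault uses non-2xx codes deliberately; the body is still JSON.
        try:
            body = json.loads(e.read() or b"{}")
        except ValueError:
            body = {}
        return e.code, body
    except (urllib.error.URLError, OSError):
        return None, {}


def choose_node(results):
    """Pick the best node from {url: (status, body)}; None if nothing is usable.

    Ties are broken by configuration order, so the choice is deterministic.
    """
    best = None
    for url, (status, _body) in results.items():
        rank = USABLE.get(status)
        if rank is None:
            continue  # unreachable, sealed, uninitialized or unknown role
        if best is None or rank < best[0]:
            best = (rank, url)
    return best[1] if best else None


def select_vault_address(urls, probe_fn=probe):
    """Probe every configured URL and return the preferred one (or None)."""
    # Constructed example input: ["https://machineA.net.com:8200", ...]
    return choose_node({u: probe_fn(u) for u in urls})
```

The client would re-run select_vault_address on connection failure or on a 5xx/429 from the chosen node, which is exactly the per-client complexity the reply above cautions against.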
Agree with @maxb – there isn’t a “golden path” here except for the one that includes Consul. If one is only using Vault, that’s some large baggage to carry down the road.
The key concept, I feel, is “service discovery”. Vault has service registration configuration options for Kubernetes and Consul, so if you use those, you will be able to use DNS in the client to look up active.vault.service.consul (in the case of Consul), and you will be returned the active endpoint, if it moves around.
I have read the Vault documentation, including some online materials on setting up an HA cluster behind an LB. However, I’m a bit lost in the details at the moment and not quite sure if my configurations are accurate. I would greatly appreciate confirmation regarding the configuration.