Vault Persistent storage when deployed in standalone mode | single mode | Helm Installation

Dear Hashicorp Vault Team, I hope you are doing well. Thank you for your support.

I am trying to install Vault in standalone mode in Kubernetes using Helm and creating the vault pod on a particular node using the nodeSelector option. Now, I understand that to have persistent storage, one of the options is to create a Persistent Volume Claim.

However, what if I require persistent storage on a particular node? For instance, a vault folder on the host that gets mounted automatically to the pod.

The reason behind this is … Currently, we are using Rook CEPH to set up the storage class and PVC, and we later want to encrypt the CEPH OSD using the keys stored in Vault to provide encryption at rest.

Now, if we create a PVC using the Rook CEPH storageclass that stores the PVC for vault and encrypt it using the same keys, that would probably go wrong somewhere.

Hence, we want to create a node specifically for vault, join that node as a worker node and schedule vault pods on it using nodeSelector. Also, the above setup is on a Bare-Metal cluster rather than a cloud. Hence, we require persistent storage on the host.

Creating two Rook CEPH clusters … one for the OSD storing the vault PVC and one for all the other data (that we want to encrypt) is kinda overkill.

Would appreciate the suggestions. Thank You 🙂

This isn’t Vault support. This is a community and other Vault users. For official support contact your TAM or use the portal to create a new case.

As far as your question, I’m starting out with k8s so I may get this wrong, but AFAIK yes, you need a PV/PVC attached to the pods for persistent data if you’re using integrated storage. Otherwise you can point your pods to an external non-Kubernetes Consul or other backend.

I don’t believe the storageclass makes a difference in a technical sense, but I’d highly recommend making the storage as fast as possible, as Vault is extremely I/O sensitive (especially with integrated storage). Having a slow disk in the mix can cause a lot of odd issues.

Lastly, I’ll mention that the data stored by Vault is already encrypted, and re-encrypting it by external means is not necessary and not advised (not best practice).

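One way to get what the question asks for without a second Ceph cluster is a statically provisioned Kubernetes `local` PersistentVolume pinned to the dedicated worker node, with the vault-helm chart's standalone `dataStorage` claim bound to it. This is an added example, not configuration from the thread or from the vault-helm project; the node name `vault-node-01`, the host path `/mnt/vault-data`, the storage class name `vault-local`, the release name `vault` and the namespace `vault` are all assumed placeholders.

```yaml
# Added example (not from the thread). Documents 1 and 2 are applied with
# kubectl; document 3 is the Helm values file for
#   helm install vault hashicorp/vault -n vault -f values.yaml
# Assumed names: node vault-node-01, host dir /mnt/vault-data (must exist).
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: vault-local
provisioner: kubernetes.io/no-provisioner   # static PV, no Rook/Ceph involved
volumeBindingMode: WaitForFirstConsumer     # bind only once the pod is scheduled
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: vault-data-pv
spec:
  capacity:
    storage: 10Gi
  accessModes: ["ReadWriteOnce"]
  persistentVolumeReclaimPolicy: Retain     # keep Vault's data if the claim is deleted
  storageClassName: vault-local
  local:
    path: /mnt/vault-data                   # directory on the dedicated node
  nodeAffinity:                             # this PV is only usable on that node
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values: ["vault-node-01"]
---
# values.yaml for the vault-helm chart: standalone server, file storage backend
# on the chart's "data" volume claim, which binds to the local PV above.
server:
  standalone:
    enabled: true
  nodeSelector: |
    kubernetes.io/hostname: vault-node-01   # same node the PV is pinned to
  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: vault-local
    accessMode: ReadWriteOnce
```

The data now lives on exactly one host, so that node is a single point of failure: back up `/mnt/vault-data` regularly and keep the unseal or recovery key shares somewhere other than that same host.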