As of now we have the option to deploy Vault on our reference solution out of the box.
Previously we set up Vault on a 2-node EC2 cluster with a DynamoDB backend. This way of working had some downsides and made it harder for us to maintain and upgrade the cluster.
We came up with the following requirements during our design process:
- Running on K8s, low maintenance overhead
- Standardized & automated setup
- Auto unseal
- Using secure best-practices
- Include monitoring / metrics
- Include backups
- Use K8s external persistent storage (K8s workload should be “stateless”)
We based our setup on the official vault-helm chart, configured it with Terraform, and automated it with a Concourse pipeline. The Vault cluster runs fully on K8s and uses a DynamoDB table as its storage backend.
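As an added illustration (not the chart's defaults and not our pipeline's actual values), a vault-helm values fragment that maps the requirements above onto chart settings: HA mode with DynamoDB storage, AWS KMS auto unseal, Prometheus telemetry, and no persistent volume on the pods. Region, table name, KMS key id, IAM role ARN and the TLS secret name are placeholders.

```yaml
# Added example values.yaml for vault-helm; all AWS identifiers are placeholders.
injector:
  enabled: true

server:
  # No PVC: all state lives in DynamoDB, so the K8s workload stays stateless.
  dataStorage:
    enabled: false
  auditStorage:
    enabled: false

  # Assumed: an IRSA role that grants the pod access to the table and the KMS key,
  # so no static AWS credentials are stored in the cluster.
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT_ID:role/PLACEHOLDER_VAULT_ROLE"

  # Assumed: a Secret named vault-tls with tls.crt / tls.key, mounted under /vault/userconfig.
  extraVolumes:
    - type: secret
      name: vault-tls

  ha:
    enabled: true
    replicas: 2
    config: |
      ui = true

      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_cert_file   = "/vault/userconfig/vault-tls/tls.crt"
        tls_key_file    = "/vault/userconfig/vault-tls/tls.key"
        telemetry {
          unauthenticated_metrics_access = "true"  # allows Prometheus to scrape /v1/sys/metrics
        }
      }

      storage "dynamodb" {
        ha_enabled = "true"          # leader election via the table, needed for 2 replicas
        region     = "eu-west-1"     # placeholder
        table      = "vault-data"    # placeholder
      }

      # Auto unseal: the root key is wrapped by a KMS key, so a restarted pod
      # unseals on its own instead of waiting for operators to enter key shares.
      seal "awskms" {
        region     = "eu-west-1"     # placeholder
        kms_key_id = "PLACEHOLDER_KMS_KEY_ID"
      }

      telemetry {
        prometheus_retention_time = "30s"
        disable_hostname          = true
      }
```

Backups are not covered by this fragment; they are handled on the DynamoDB table itself (for example point-in-time recovery), not by the chart.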
If you are interested in adding this to your setup or you want more information: feel free to get in touch with your lead engineer.
Documentation on how to use the vault cluster can be found in our documentation repo.