Vault HA AWS CLuster

Solve your problems or get new ideas with basic brainstorming

Get Started. It's Free
or sign up with your email address
Rocket clouds
Vault HA AWS CLuster by Mind Map: Vault HA AWS CLuster

1. Problems

1.1. Cannot upgrade vault

1.2. etcd2 is unstable

1.3. non-existent data backup & storage

1.3.1. Should we even backup secret data?

1.4. vault unstable during reboots

1.5. CoreOS upgrades need to be supported

2. Vault Usage

2.1. Storage Backends

2.1.1. S3

2.1.2. Consul

2.2. Secret Backends

2.2.1. cubbyhole - default, cannot use, cannot be removed

2.2.2. secret - generic secret backend, segmented into app specific paths

2.2.3. postgres - backend for automatic postgres credential generation

2.3. Auth Backends

2.3.1. Token

2.3.2. Github?

3. New Cluster Properties

3.1. High Availability for Vault

3.1.1. AWS Autoscaling Group

3.1.1.1. cloud-init config with user-data

3.2. Backup/Restore Procedures for storage

3.3. Support for upgrades

3.4. Storage Backend

3.4.1. Consul (HA)

3.4.1.1. Separate Consul Cluster

3.4.1.2. Consul on the same instances as vault

3.4.2. S3 (Non-HA)

4. Operating Systems

4.1. Ubuntu

4.1.1. Cons: Its a Pet - needs care, patching, user management, vulnerability assessments, et. al., traditional linux - larger attack surface

4.1.2. Pros: No surprise reboots, what else do we get?

4.2. CoreOS

4.2.1. Cons: We still need etcd2 running to maintain CoreOS cluster state, Strategy for CoreOS updates

4.2.2. Pros: Stable, auto-updates, minimal binaries == minimal attack surface