HashiCorp Vault — BRAC POC tools

Quick facts

Chart: hashicorp/vault 0.31.0
Version: Vault 1.18.2
Mode: Raft, 3 replicas, transit auto-unseal
Hostname: vault-rke2.apps.sub.comptech-lab.com
Failover (DC→DR): ~9 s
Init artefacts: ~/cloud-init/vault-rke2-{dc,dr}-init.json (chmod 600)

What it is

Each cluster runs an independent 3-node Vault Raft cluster. Auto-unseal targets the small bootstrap Vault on a dedicated VM that holds the transit key; the bootstrap Vault's Shamir keys live at ~/cloud-init/vault-seed-init.txt and are the critical recovery artefact — without them, a Vault pod restart in either cluster comes up sealed.

Architecture

Add diagrams or topology notes here — how this component sits relative to DC/DR, what replicates, and what speaks to it. Mermaid blocks render as plain text today; embed images under /assets/ when needed.

Configuration

Add chart values overrides, important env vars, OIDC client config, secret references. Link to the source files in infra/gitops-rke2 rather than copying YAML wholesale — the repo is the source of truth.

Operations

Add runbook notes: backup, restore, common troubleshooting, dashboards, on-call cheatsheet entries.

Failover

Add DC/DR cutover/cutback notes: edge HAProxy backend name, healthcheck path, measured cutover/cutback times, smoke-test commands.

References

Add upstream chart / project links, ADR refs, MR links, and cross-references to other tools in this catalogue.