
โš™๏ธ Vault Installation, HA, and Automation Pack

Intro: This page focuses on implementation mechanics: Helm values, bootstrap scripts, and snapshot backups.

Helm values example

server:
  ha:
    enabled: true
    replicas: 3           # odd count so Raft keeps quorum with one pod down
    raft:
      enabled: true       # integrated storage; no external backend to secure
  dataStorage:
    enabled: true
    size: 20Gi            # persistent volume per replica for the Raft store
  auditStorage:
    enabled: true
    size: 10Gi            # separate volume so audit logs cannot fill the data disk
ui:
  enabled: true
injector:
  enabled: true           # agent injector sidecar for workloads that consume secrets

Bootstrap script

#!/usr/bin/env bash
set -euo pipefail
export VAULT_ADDR="${VAULT_ADDR:-https://vault.internal:8200}"
# Requires an already-authenticated session (VAULT_TOKEN or a token helper) with rights to mount engines and write policies.
vault token lookup >/dev/null
# Enable the engine and auth method only if absent; a bare "|| true" would also hide real failures such as permission errors.
if ! vault secrets list -format=json | grep -q '"secret/"'; then
  vault secrets enable -path=secret kv-v2
fi
if ! vault auth list -format=json | grep -q '"kubernetes/"'; then
  vault auth enable kubernetes
fi
vault policy write payments-app ./vault-policy-payments-app.hcl
# Placeholder credential only; rotate it to a generated value before the application reads it.
vault kv put secret/payments/api username="svc-payments" password="CHANGEME"
echo "[OK] Vault bootstrap completed"

Backup script

#!/usr/bin/env bash
set -euo pipefail
# Snapshots carry the whole Raft store; keep them readable by this user only.
umask 077
STAMP=$(date +%Y%m%d-%H%M%S)
BACKUP_DIR="${BACKUP_DIR:-/var/backups/vault}"
mkdir -p "$BACKUP_DIR"
SNAP="$BACKUP_DIR/vault-raft-$STAMP.snap"
vault operator raft snapshot save "$SNAP"
# Record the digest next to the snapshot so a restore can verify it first.
sha256sum "$SNAP" > "$SNAP.sha256"
echo "[OK] snapshot written to $SNAP"

Restore discipline

  • document ownership and the break-glass path
  • hash backups and verify integrity
  • test restore in non-production
  • re-validate auth methods and policies after restore
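The following script is an added example, not part of the original page, showing the three checkable items of the list above in working shell: it verifies the snapshot's sha256 sidecar (the "<name>.snap" plus "<name>.snap.sha256" layout written by the backup script), refuses to restore unless VAULT_ADDR matches an explicitly declared rehearsal target (RESTORE_TARGET_ADDR is an assumed variable name, not a Vault convention), and then lists auth methods and policies for re-validation. The vault CLI commands are the real ones; the guard variable and file layout are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify a Raft snapshot's digest before restoring it, then
# re-check auth methods and policies. Not part of the original page.
# Assumes the "<name>.snap" + "<name>.snap.sha256" layout from the backup script.
set -euo pipefail

# Returns 0 only if the snapshot exists, its sidecar exists, and the digests match.
verify_snapshot() {
  local snap="$1" recorded actual
  [ -s "$snap" ] || { echo "missing or empty snapshot: $snap" >&2; return 1; }
  [ -r "$snap.sha256" ] || { echo "missing checksum sidecar: $snap.sha256" >&2; return 1; }
  recorded=$(awk 'NR==1 {print $1}' "$snap.sha256")
  actual=$(sha256sum "$snap" | awk '{print $1}')
  if [ "$recorded" != "$actual" ]; then
    echo "digest mismatch for $snap: recorded=$recorded actual=$actual" >&2
    return 1
  fi
}

# Restore only into the cluster explicitly named as the rehearsal target
# (assumed variable RESTORE_TARGET_ADDR); refuse if VAULT_ADDR differs.
restore_snapshot() {
  local snap="$1"
  verify_snapshot "$snap"
  if [ "${VAULT_ADDR:-}" != "${RESTORE_TARGET_ADDR:-}" ]; then
    echo "refusing restore: VAULT_ADDR (${VAULT_ADDR:-unset}) is not the declared rehearsal target" >&2
    return 1
  fi
  # -force is needed because a rehearsal cluster has a different cluster ID
  # than the source the snapshot was taken from.
  vault operator raft snapshot restore -force "$snap"
}

# Post-restore validation: the restored data replaces the running
# configuration, so confirm the expected auth methods and policies came back.
# Run this once the target is unsealed with the source cluster's unseal keys
# (or the same auto-unseal key); listings fail while the cluster is sealed.
postrestore_check() {
  vault status
  vault auth list
  vault policy list
}

if [ "$#" -gt 0 ]; then
  restore_snapshot "$1"
  postrestore_check
fi
```

Invoked as `RESTORE_TARGET_ADDR=https://vault-staging.internal:8200 VAULT_ADDR=https://vault-staging.internal:8200 ./restore.sh /var/backups/vault/vault-raft-<stamp>.snap` (assumed hostnames), the script stops before touching Vault if the digest or the target check fails; running verify_snapshot on its own is also a cheap periodic integrity check of the backup directory.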
