The latest articles on Forem by Kubilay İşen (@k5y). https://forem.com/k5y https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F379617%2Fbe425898-c36e-4091-8a77-4ea8774d1e28.png https://forem.com/k5y en Kubilay İşen Mon, 20 Oct 2025 11:12:42 +0000 https://forem.com/k5y/building-a-high-availability-vault-cluster-with-docker-and-raft-storage-1931 https://forem.com/k5y/building-a-high-availability-vault-cluster-with-docker-and-raft-storage-1931 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1mn9rdere6ra5j8uqyb1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1mn9rdere6ra5j8uqyb1.png" alt="Vault Cluster Architecture" width="800" height="665"></a></p> <h2> Introduction </h2> <p>HashiCorp Vault is one of the most powerful secrets management solutions in the industry. However, setting up a production-ready, highly-available Vault cluster can be intimidating. In this article, I'll walk you through building a <strong>3-node Vault cluster using Docker</strong> with <strong>automatic unsealing</strong>, <strong>Raft-based storage</strong>, and <strong>infrastructure-as-code automation</strong>.</p> <p>By the end of this guide, you'll have a resilient secrets management infrastructure that can handle node failures and scale horizontally.</p> <h2> Why Vault? Why High-Availability? </h2> <h3> The Problem </h3> <p>In modern infrastructure:</p> <ul> <li>Secrets are scattered across multiple systems (databases, APIs, certificates)</li> <li>No single source of truth for credential rotation</li> <li>Compliance requirements demand audit trails</li> <li>Manual secret management is error-prone</li> </ul> <h3> The Solution </h3> <p>Vault provides:</p> <ul> <li> <strong>Centralized secret management</strong> - Single source of truth</li> <li> <strong>Encryption as a service</strong> - Encrypt/decrypt without exposing keys</li> <li> <strong>Dynamic credentials</strong> - Automatically generate short-lived credentials</li> <li> <strong>Audit logging</strong> - Complete trail of who accessed what and when</li> <li> <strong>High availability</strong> - Never lose access to your secrets</li> </ul> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────┐ │ Docker Compose Network │ ├─────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │ │ Vault Node │ │ Vault Node │ │ Vault Node │ │ │ │ (1) │ │ (2) │ │ (3) │ │ │ └──────────────┘ └──────────────┘ └──────────────┘ │ │ │ │ │ │ │ ┌──────┴─────────────────┼──────────────────┴────┐ │ │ │ Raft Consensus │ │ │ └────────────────────────────────────────────────┘ │ │ │ │ ┌──────────────────────────────────────────────────┐ │ │ │ Nginx Load Balancer (Optional) │ │ │ └──────────────────────────────────────────────────┘ │ │ │ └─────────────────────────────────────────────────────────┘ </code></pre> </div> <p>Our setup features:</p> <ul> <li> <strong>3 Vault nodes</strong> for true high-availability</li> <li> <strong>Raft storage backend</strong> - No external dependencies (unlike Consul)</li> <li> <strong>Auto-unsealing</strong> - Automatic node recovery without manual intervention</li> <li> <strong>Docker Compose orchestration</strong> - Easy to deploy and manage</li> <li> <strong>Health checks</strong> - Automatic failure detection</li> </ul> <h2> Prerequisites </h2> <p>Before we begin, make sure you have:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>- Docker &amp; Docker Compose <span class="o">(</span>v3.8+<span class="o">)</span> - Taskfile CLI <span class="k">for</span> <span class="o">[</span>go-task]<span class="o">(</span>https://taskfile.dev/#/installation<span class="o">)</span> automation - curl <span class="o">(</span><span class="k">for </span>API testing<span class="o">)</span> </code></pre> </div> <p>Install the requirements:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS</span> brew <span class="nb">install </span>docker docker-compose task jq curl <span class="c"># Linux</span> <span class="nb">sudo </span>apt-get <span class="nb">install </span>docker.io docker-compose taskfile jq curl </code></pre> </div> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vault-docker-cluster/ ├── docker-compose.yaml # Services definition ├── Dockerfile.vault # Custom Vault image ├── Taskfile.yml # Task automation ├── init-and-generate-unseal.sh # Cluster initialization ├── auto-unseal-monitor.sh # Monitoring script ├── vault-1/ │ ├── config/ │ │ ├── vault.hcl # Vault configuration │ │ └── unseal.sh # Auto-generated unseal script │ └── data/ # Raft data storage ├── vault-2/ # (same structure) └── vault-3/ # (same structure) </code></pre> </div> <h2> Step 1: Docker Compose Configuration </h2> <p>Let's start with the <code>docker-compose.yaml</code>. This file orchestrates three Vault nodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">vault_net</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">services</span><span class="pi">:</span> <span class="na">vault-1</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">vaultdockercluster:1.20</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./vault-1/config:/vault/config</span> <span class="pi">-</span> <span class="s">./vault-1/data:/vault/data</span> <span class="na">cap_add</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">IPC_LOCK</span> <span class="c1"># Required for mlock</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">vault</span> <span class="pi">-</span> <span class="s">server</span> <span class="pi">-</span> <span class="s">-config=/vault/config/vault.hcl</span> <span class="na">ulimits</span><span class="pi">:</span> <span class="na">memlock</span><span class="pi">:</span> <span class="s">-1</span> <span class="c1"># Unlimited memory lock</span> <span class="na">nofile</span><span class="pi">:</span> <span class="na">soft</span><span class="pi">:</span> <span class="m">65535</span> <span class="na">hard</span><span class="pi">:</span> <span class="m">65535</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">vault_net</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">vault"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">status"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-tls-skip-verify"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpus</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1G</span> <span class="c1"># vault-2 and vault-3 use the same configuration...</span> </code></pre> </div> <p><strong>Key Configuration Points:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>IPC_LOCK</code></td> <td>Allows Vault to lock memory pages (prevents swapping secrets to disk)</td> </tr> <tr> <td><code>memlock: -1</code></td> <td>Unlimited memory lock for all processes</td> </tr> <tr> <td><code>healthcheck</code></td> <td>Detects node failures automatically</td> </tr> <tr> <td><code>ulimits</code></td> <td>Handles many concurrent connections</td> </tr> <tr> <td><code>networks</code></td> <td>Isolated network for inter-node communication</td> </tr> </tbody> </table></div> <h2> Step 2: Vault Configuration (HCL) </h2> <p>Each node has its own <code>vault.hcl</code> configuration:</p> <p><strong>vault-1:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">storage</span> <span class="s2">"raft"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/vault/data"</span> <span class="nx">node_id</span> <span class="p">=</span> <span class="s2">"vault-1"</span> <span class="p">}</span> <span class="nx">listener</span> <span class="s2">"tcp"</span> <span class="p">{</span> <span class="nx">address</span> <span class="p">=</span> <span class="s2">"0.0.0.0:8200"</span> <span class="nx">cluster_address</span> <span class="p">=</span> <span class="s2">"0.0.0.0:8201"</span> <span class="nx">tls_disable</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">api_addr</span> <span class="err">=</span> <span class="s2">"http://vault-1:8200"</span> <span class="nx">cluster_addr</span> <span class="err">=</span> <span class="s2">"http://vault-1:8201"</span> <span class="nx">ui</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">disable_mlock</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <p><strong>vault-2:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">storage</span> <span class="s2">"raft"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/vault/data"</span> <span class="nx">node_id</span> <span class="p">=</span> <span class="s2">"vault-2"</span> <span class="nx">retry_join</span> <span class="p">{</span> <span class="nx">leader_api_addr</span> <span class="p">=</span> <span class="s2">"http://vault-1:8200"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">listener</span> <span class="s2">"tcp"</span> <span class="p">{</span> <span class="nx">address</span> <span class="p">=</span> <span class="s2">"0.0.0.0:8200"</span> <span class="nx">cluster_address</span> <span class="p">=</span> <span class="s2">"0.0.0.0:8201"</span> <span class="nx">tls_disable</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">api_addr</span> <span class="err">=</span> <span class="s2">"http://vault-2:8200"</span> <span class="nx">cluster_addr</span> <span class="err">=</span> <span class="s2">"http://vault-2:8201"</span> <span class="nx">ui</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">disable_mlock</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <p><strong>vault-3:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">storage</span> <span class="s2">"raft"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/vault/data"</span> <span class="nx">node_id</span> <span class="p">=</span> <span class="s2">"vault-3"</span> <span class="nx">retry_join</span> <span class="p">{</span> <span class="nx">leader_api_addr</span> <span class="p">=</span> <span class="s2">"http://vault-1:8200"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">listener</span> <span class="s2">"tcp"</span> <span class="p">{</span> <span class="nx">address</span> <span class="p">=</span> <span class="s2">"0.0.0.0:8200"</span> <span class="nx">cluster_address</span> <span class="p">=</span> <span class="s2">"0.0.0.0:8201"</span> <span class="nx">tls_disable</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">api_addr</span> <span class="err">=</span> <span class="s2">"http://vault-3:8200"</span> <span class="nx">cluster_addr</span> <span class="err">=</span> <span class="s2">"http://vault-3:8201"</span> <span class="nx">ui</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">disable_mlock</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <p><strong>Raft vs Other Backends:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Raft</th> <th>Consul</th> <th>S3</th> </tr> </thead> <tbody> <tr> <td><strong>Setup Complexity</strong></td> <td>Simple</td> <td>Complex</td> <td>Simple</td> </tr> <tr> <td><strong>Dependencies</strong></td> <td>None</td> <td>Consul cluster needed</td> <td>AWS account</td> </tr> <tr> <td><strong>Cost</strong></td> <td>Free</td> <td>Free (self-hosted)</td> <td>$ per API call</td> </tr> <tr> <td><strong>Performance</strong></td> <td>Excellent</td> <td>Good</td> <td>Slower</td> </tr> <tr> <td><strong>Best For</strong></td> <td>Self-hosted HA</td> <td>Enterprise</td> <td>AWS-native</td> </tr> </tbody> </table></div> <h2> Step 3: Automated Setup with Taskfile </h2> <p>The <code>Taskfile.yml</code> automates common operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">VAULT_ADDR</span><span class="pi">:</span> <span class="s1">'</span><span class="s">http://127.0.0.1:8200'</span> <span class="na">KEY_SHARES</span><span class="pi">:</span> <span class="m">5</span> <span class="na">KEY_THRESHOLD</span><span class="pi">:</span> <span class="m">3</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">bootstrap</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Full bootstrap - start cluster, initialize, and setup</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">up</span> <span class="pi">-</span> <span class="s">echo "⏳ Waiting for containers to be ready (15 seconds)..."</span> <span class="pi">-</span> <span class="s">sleep </span><span class="m">15</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">init</span> <span class="pi">-</span> <span class="s">echo ""</span> <span class="pi">-</span> <span class="s">echo "📋 Credentials saved! Review them above."</span> <span class="pi">-</span> <span class="s">echo "Press Enter to continue with cluster setup..."</span> <span class="pi">-</span> <span class="s">read _</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">setup-cluster</span> <span class="pi">-</span> <span class="s">echo ""</span> <span class="pi">-</span> <span class="s">echo "✅ Bootstrap complete!"</span> <span class="na">up</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Start the Vault cluster</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker-compose up -d</span> <span class="na">init</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Initialize vault-1 and auto-generate unseal.sh scripts</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./init-and-generate-unseal.sh</span> <span class="na">preconditions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">sh</span><span class="pi">:</span> <span class="s">docker-compose ps vault-1 | grep -q "Up"</span> <span class="na">msg</span><span class="pi">:</span> <span class="s2">"</span><span class="s">vault-1</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">running.</span><span class="nv"> </span><span class="s">Run</span><span class="nv"> </span><span class="s">'task</span><span class="nv"> </span><span class="s">up'</span><span class="nv"> </span><span class="s">first."</span> <span class="pi">-</span> <span class="na">sh</span><span class="pi">:</span> <span class="s">command -v jq &gt;/dev/null 2&gt;&amp;1</span> <span class="na">msg</span><span class="pi">:</span> <span class="s2">"</span><span class="s">jq</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">required</span><span class="nv"> </span><span class="s">but</span><span class="nv"> </span><span class="s">not</span><span class="nv"> </span><span class="s">installed.</span><span class="nv"> </span><span class="s">Install</span><span class="nv"> </span><span class="s">with:</span><span class="nv"> </span><span class="s">brew</span><span class="nv"> </span><span class="s">install</span><span class="nv"> </span><span class="s">jq"</span> <span class="na">setup-cluster</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Complete cluster setup - unseal vault-1, join and unseal vault-2 and vault-3</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">unseal-vault-1</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">join-vault-2</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">unseal-vault-2</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">join-vault-3</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">unseal-vault-3</span> </code></pre> </div> <p>Usage is straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start everything</span> task bootstrap <span class="c"># Or step by step</span> task up task init task setup-cluster <span class="c"># Check status</span> docker-compose ps </code></pre> </div> <h2> Step 4: Initialization and Unsealing </h2> <p>The initialization script (<code>init-and-generate-unseal.sh</code>) handles the critical setup:</p> <ul> <li>Calls <code>vault operator init</code> against <code>vault-1</code>.</li> <li>Prints the unseal keys + root token (and writes them to <code>vault-credentials-&lt;timestamp&gt;.md</code> and <code>vault-init-keys.json</code>).</li> <li>Generates <code>vault-*/config/unseal.sh</code> helper scripts. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🔐 Initializing Vault Cluster..."</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Wait for vault-1 to be ready (unsealed but not initialized)</span> <span class="nb">echo</span> <span class="s2">"⏳ Waiting for vault-1 to be ready..."</span> <span class="nv">max_attempts</span><span class="o">=</span>30 <span class="nv">attempt</span><span class="o">=</span>0 <span class="k">while</span> <span class="o">[</span> <span class="nv">$attempt</span> <span class="nt">-lt</span> <span class="nv">$max_attempts</span> <span class="o">]</span><span class="p">;</span> <span class="k">do</span> <span class="c"># Check if we can connect to Vault and get a status response</span> <span class="c"># vault status returns non-zero exit code when sealed, so we need to capture both stdout and exit code</span> <span class="nv">status</span><span class="o">=</span><span class="si">$(</span>docker-compose <span class="nb">exec</span> <span class="nt">-T</span> vault-1 sh <span class="nt">-c</span> <span class="s2">"export VAULT_ADDR='http://127.0.0.1:8200' &amp;&amp; vault status -format=json 2&gt;&amp;1"</span> <span class="o">||</span> <span class="nb">true</span><span class="si">)</span> <span class="c"># Check if we got valid JSON output (meaning Vault is responding)</span> <span class="k">if </span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$status</span><span class="s2">"</span> | jq <span class="nt">-e</span> <span class="nb">.</span> <span class="o">&gt;</span>/dev/null 2&gt;&amp;1<span class="p">;</span> <span class="k">then </span><span class="nv">initialized</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$status</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.initialized // false'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$initialized</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"false"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"✅ Vault is ready for initialization"</span> <span class="nb">break </span><span class="k">elif</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$initialized</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"true"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ Error: Vault is already initialized!"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"If you want to re-initialize:"</span> <span class="nb">echo</span> <span class="s2">" 1. Run: task reset"</span> <span class="nb">echo</span> <span class="s2">" 2. Run: task bootstrap"</span> <span class="nb">exit </span>1 <span class="k">fi else</span> <span class="c"># Vault is not responding yet, keep waiting</span> <span class="nb">echo</span> <span class="s2">"⏳ Waiting for Vault to start (attempt </span><span class="k">$((</span>attempt <span class="o">+</span> <span class="m">1</span><span class="k">))</span><span class="s2">/</span><span class="nv">$max_attempts</span><span class="s2">)..."</span> <span class="k">fi </span><span class="nv">attempt</span><span class="o">=</span><span class="k">$((</span>attempt <span class="o">+</span> <span class="m">1</span><span class="k">))</span> <span class="nb">sleep </span>2 <span class="k">done if</span> <span class="o">[</span> <span class="nv">$attempt</span> <span class="nt">-eq</span> <span class="nv">$max_attempts</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ Timeout waiting for vault-1 to be ready"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Check logs with: docker-compose logs vault-1"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Initialize vault-1 and capture output</span> <span class="nb">echo</span> <span class="s2">"🔑 Initializing Vault..."</span> <span class="nv">INIT_OUTPUT</span><span class="o">=</span><span class="si">$(</span>docker-compose <span class="nb">exec</span> <span class="nt">-T</span> vault-1 sh <span class="nt">-c</span> <span class="s2">"export VAULT_ADDR='http://127.0.0.1:8200' &amp;&amp; vault operator init -key-shares=5 -key-threshold=3 -format=json"</span><span class="si">)</span> <span class="c"># Parse the JSON output</span> <span class="nv">UNSEAL_KEY_1</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$INIT_OUTPUT</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.unseal_keys_b64[0]'</span><span class="si">)</span> <span class="nv">UNSEAL_KEY_2</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$INIT_OUTPUT</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.unseal_keys_b64[1]'</span><span class="si">)</span> <span class="nv">UNSEAL_KEY_3</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$INIT_OUTPUT</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.unseal_keys_b64[2]'</span><span class="si">)</span> <span class="nv">UNSEAL_KEY_4</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$INIT_OUTPUT</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.unseal_keys_b64[3]'</span><span class="si">)</span> <span class="nv">UNSEAL_KEY_5</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$INIT_OUTPUT</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.unseal_keys_b64[4]'</span><span class="si">)</span> <span class="nv">ROOT_TOKEN</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$INIT_OUTPUT</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.root_token'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"════════════════════════════════════════════════════════════════"</span> <span class="nb">echo</span> <span class="s2">"⚠️ SAVE THESE CREDENTIALS SECURELY - THEY CANNOT BE RECOVERED!"</span> <span class="nb">echo</span> <span class="s2">"════════════════════════════════════════════════════════════════"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Unseal Key 1: </span><span class="nv">$UNSEAL_KEY_1</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Unseal Key 2: </span><span class="nv">$UNSEAL_KEY_2</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Unseal Key 3: </span><span class="nv">$UNSEAL_KEY_3</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Unseal Key 4: </span><span class="nv">$UNSEAL_KEY_4</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Unseal Key 5: </span><span class="nv">$UNSEAL_KEY_5</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Root Token: </span><span class="nv">$ROOT_TOKEN</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"════════════════════════════════════════════════════════════════"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Save to a backup file</span> <span class="nv">BACKUP_FILE</span><span class="o">=</span><span class="s2">"vault-credentials-</span><span class="si">$(</span><span class="nb">date</span> +%Y%m%d-%H%M%S<span class="si">)</span><span class="s2">.md"</span> <span class="nb">cat</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$BACKUP_FILE</span><span class="s2">"</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> Vault Cluster Initialization - </span><span class="si">$(</span><span class="nb">date</span><span class="si">)</span><span class="sh"> ════════════════════════════════════════════════════════════════ Unseal Key 1: </span><span class="nv">$UNSEAL_KEY_1</span><span class="sh"> Unseal Key 2: </span><span class="nv">$UNSEAL_KEY_2</span><span class="sh"> Unseal Key 3: </span><span class="nv">$UNSEAL_KEY_3</span><span class="sh"> Unseal Key 4: </span><span class="nv">$UNSEAL_KEY_4</span><span class="sh"> Unseal Key 5: </span><span class="nv">$UNSEAL_KEY_5</span><span class="sh"> Root Token: </span><span class="nv">$ROOT_TOKEN</span><span class="sh"> ════════════════════════════════════════════════════════════════ ⚠️ Store this file securely and delete it from this location! </span><span class="no">EOF </span><span class="nb">echo</span> <span class="s2">"✅ Credentials saved to: </span><span class="nv">$BACKUP_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Generate unseal.sh for vault-1</span> <span class="nb">echo</span> <span class="s2">"📝 Generating unseal.sh scripts..."</span> <span class="nb">cat</span> <span class="o">&gt;</span> vault-1/config/unseal.sh <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> #!/bin/sh set -e export VAULT_ADDR='http://127.0.0.1:8200' vault operator unseal </span><span class="nv">$UNSEAL_KEY_1</span><span class="sh"> vault operator unseal </span><span class="nv">$UNSEAL_KEY_2</span><span class="sh"> vault operator unseal </span><span class="nv">$UNSEAL_KEY_3</span><span class="sh"> echo "✅ Vault unsealed successfully" </span><span class="no">EOF </span><span class="nb">chmod</span> +x vault-1/config/unseal.sh <span class="c"># Copy to vault-2</span> <span class="nb">cp </span>vault-1/config/unseal.sh vault-2/config/unseal.sh <span class="c"># Copy to vault-3</span> <span class="nb">cp </span>vault-1/config/unseal.sh vault-3/config/unseal.sh <span class="nb">echo</span> <span class="s2">"✅ Created unseal.sh in vault-1/config/"</span> <span class="nb">echo</span> <span class="s2">"✅ Created unseal.sh in vault-2/config/"</span> <span class="nb">echo</span> <span class="s2">"✅ Created unseal.sh in vault-3/config/"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Also save JSON format for automation</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$INIT_OUTPUT</span><span class="s2">"</span> | jq <span class="s1">'.'</span> <span class="o">&gt;</span> vault-init-keys.json <span class="nb">echo</span> <span class="s2">"✅ Saved JSON format to: vault-init-keys.json"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"════════════════════════════════════════════════════════════════"</span> <span class="nb">echo</span> <span class="s2">"🎉 Initialization Complete!"</span> <span class="nb">echo</span> <span class="s2">"════════════════════════════════════════════════════════════════"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Next steps:"</span> <span class="nb">echo</span> <span class="s2">" 1. Secure the credentials file: </span><span class="nv">$BACKUP_FILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" 2. Run: task setup-cluster"</span> <span class="nb">echo</span> <span class="s2">" 3. Or manually:"</span> <span class="nb">echo</span> <span class="s2">" - task unseal-vault-1"</span> <span class="nb">echo</span> <span class="s2">" - task join-vault-2 &amp;&amp; task unseal-vault-2"</span> <span class="nb">echo</span> <span class="s2">" - task join-vault-3 &amp;&amp; task unseal-vault-3"</span> <span class="nb">echo</span> <span class="s2">""</span> </code></pre> </div> <p><strong>Important Security Notes:</strong></p> <p>⚠️ <strong>Critical:</strong> Store the root token and unseal keys safely:</p> <ul> <li>Save them in a password manager</li> <li>Never commit them to version control</li> <li>Consider using Vault's auto-unseal with KMS (AWS, GCP, Azure)</li> </ul> <h2> Step 5: Building the Docker Image </h2> <p>A minimal <code>Dockerfile.vault</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> hashicorp/vault:1.20</span> <span class="k">ENV</span><span class="s"> TZ=Europe/Istanbul</span> </code></pre> </div> <p>Build it with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-f</span> Dockerfile.vault <span class="nt">-t</span> vaultdockercluster:1.20 <span class="nb">.</span> </code></pre> </div> <h2> Step 6: Raft Cluster Formation </h2> <p>After initializing vault-1, join the other nodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Join vault-2 to the cluster</span> docker-compose <span class="nb">exec </span>vault-2 sh <span class="nt">-c</span> <span class="se">\</span> <span class="s2">"vault operator raft join http://vault-1:8200"</span> <span class="c"># Join vault-3 to the cluster</span> docker-compose <span class="nb">exec </span>vault-3 sh <span class="nt">-c</span> <span class="se">\</span> <span class="s2">"vault operator raft join http://vault-1:8200"</span> <span class="c"># Verify cluster status</span> docker-compose <span class="nb">exec </span>vault-1 vault operator raft list-peers </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Node ID Address State Voter ------ ------- ----- ----- vault-1 vault-1:8201 leader true vault-2 vault-2:8201 follower true vault-3 vault-3:8201 follower true </code></pre> </div> <h2> Complete Workflow: From Zero to Hero </h2> <p>Here's the complete startup sequence:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Start the containers</span> task up <span class="c"># 2. Watch the logs</span> docker-compose logs <span class="nt">-f</span> vault-1 <span class="c"># 3. Initialize the cluster</span> task init <span class="c"># Save the credentials somewhere safe!</span> <span class="c"># 4. Unseal all nodes</span> task unseal-all <span class="c"># 5. Join nodes 2 and 3 to the cluster</span> task join-vault-2 task join-vault-3 <span class="c"># 6. Verify the cluster</span> docker-compose <span class="nb">exec </span>vault-1 vault operator raft list-peers <span class="c"># 7. Access the UI</span> open http://localhost:8200/ui </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcy1997lg2d8ibxwjflv1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcy1997lg2d8ibxwjflv1.png" alt="http://localhost:8200/ui" width="800" height="297"></a></p> <h2> Testing Your Cluster </h2> <h3> Test 1: High Availability </h3> <p>Kill the leader node and watch the cluster recover:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Kill vault-1 (the leader)</span> docker-compose <span class="nb">kill </span>vault-1 <span class="c"># Check who's the new leader</span> docker-compose <span class="nb">exec </span>vault-2 vault operator raft list-peers <span class="c"># Bring it back</span> docker-compose restart vault-1 <span class="c"># Verify recovery</span> docker-compose ps </code></pre> </div> <h3> Auto-Unseal Monitor </h3> <p>When a Vault container restarts, the auto-unseal monitor automatically detects that the Vault node has become sealed and immediately unseals it using the stored unseal keys.</p> <p>The auto-unseal-monitor.sh script runs in its own container (vault-unsealer).</p> <ul> <li>Polls each Vault node every 30 seconds via vault status.</li> <li>If a node transitions to sealed, reads the unseal keys from the mounted unseal.sh file and runs the three <code>vault operator unseal</code> commands.</li> <li>Retries up to three times per incident. Logs show timestamps and outcomes.</li> </ul> <p>Because the helper executes the same unseal script stored on disk, protect the vault-*/config/unseal.sh files and remove them when no longer needed.</p> <h3> Test 2: Secret Storage </h3> <p>Store and retrieve a secret:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker-compose <span class="nb">exec </span>vault-1 sh <span class="c"># Login</span> <span class="nb">export </span><span class="nv">VAULT_TOKEN</span><span class="o">=</span><span class="s2">"your-root-token"</span> <span class="nb">export </span><span class="nv">VAULT_ADDR</span><span class="o">=</span><span class="s2">"http://localhost:8200"</span> <span class="c"># Create a secret</span> vault kv put secret/my-app/database <span class="se">\</span> <span class="nv">username</span><span class="o">=</span>admin <span class="se">\</span> <span class="nv">password</span><span class="o">=</span>super-secret-password <span class="c"># Retrieve it</span> vault kv get secret/my-app/database <span class="c"># Read it via API</span> curl <span class="nt">-H</span> <span class="s2">"X-Vault-Token: </span><span class="nv">$VAULT_TOKEN</span><span class="s2">"</span> <span class="se">\</span> http://localhost:8200/v1/secret/data/my-app/database </code></pre> </div> <h3> Test 3: Encryption as a Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable transit engine</span> vault secrets <span class="nb">enable </span>transit <span class="c"># Create an encryption key</span> vault write <span class="nt">-f</span> transit/keys/my-key <span class="c"># Encrypt data</span> vault write transit/encrypt/my-key <span class="nv">plaintext</span><span class="o">=</span>@data.txt <span class="c"># Decrypt it</span> vault write transit/decrypt/my-key <span class="nv">ciphertext</span><span class="o">=</span>vault:v1:... </code></pre> </div> <h2> Monitoring and Maintenance </h2> <h3> Check Cluster Health </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Status of all nodes</span> docker-compose <span class="nb">exec </span>vault-1 vault status <span class="c"># Raft peer status</span> docker-compose <span class="nb">exec </span>vault-1 vault operator raft list-peers <span class="c"># Audit logs</span> docker-compose logs vault-1 | <span class="nb">grep </span>ERROR <span class="c"># System metrics</span> docker-compose stats </code></pre> </div> <h3> Common Issues and Solutions </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Issue</th> <th>Cause</th> <th>Solution</th> </tr> </thead> <tbody> <tr> <td>Node won't join</td> <td>Already part of a cluster</td> <td>Run <code>task reset</code> and <code>task bootstrap</code> </td> </tr> <tr> <td>Connection refused</td> <td>Node not running</td> <td>Check with <code>docker-compose ps</code> </td> </tr> <tr> <td>Memory locked</td> <td>mlock issues</td> <td>Check <code>ulimits</code> and <code>IPC_LOCK</code> capability</td> </tr> </tbody> </table></div> <h2> Production Considerations </h2> <h3> 1. Enable TLS/HTTPS </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">listener</span> <span class="s2">"tcp"</span> <span class="p">{</span> <span class="nx">address</span> <span class="p">=</span> <span class="s2">"0.0.0.0:8200"</span> <span class="nx">tls_cert_file</span> <span class="p">=</span> <span class="s2">"/vault/config/cert.pem"</span> <span class="nx">tls_key_file</span> <span class="p">=</span> <span class="s2">"/vault/config/key.pem"</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Enable Audit Logging </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">audit</span> <span class="p">{</span> <span class="nx">file</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/vault/logs/audit.log"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Configure Storage Snapshots </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Backup Raft data</span> vault operator raft snapshot save vault-backup.snap <span class="c"># Restore from snapshot</span> vault operator raft snapshot restore <span class="nt">-force</span> vault-backup.snap </code></pre> </div> <h3> 4. Set Resource Limits </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpus</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2'</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">4G</span> <span class="na">reservations</span><span class="pi">:</span> <span class="na">cpus</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">2G</span> </code></pre> </div> <h2> Scaling Considerations </h2> <h3> Adding More Nodes </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Copy vault-1 directory structure</span> <span class="nb">cp</span> <span class="nt">-r</span> vault-1 vault-4 <span class="c"># Update vault-4/config/vault.hcl (change node_id)</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/vault-1/vault-4/g'</span> vault-4/config/vault.hcl <span class="c"># Add to docker-compose.yaml and run</span> docker-compose up <span class="nt">-d</span> vault-4 </code></pre> </div> <h3> Load Balancing </h3> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">upstream</span> <span class="s">vault</span> <span class="p">{</span> <span class="kn">server</span> <span class="nf">vault-1</span><span class="p">:</span><span class="mi">8200</span><span class="p">;</span> <span class="kn">server</span> <span class="nf">vault-2</span><span class="p">:</span><span class="mi">8200</span><span class="p">;</span> <span class="kn">server</span> <span class="nf">vault-3</span><span class="p">:</span><span class="mi">8200</span><span class="p">;</span> <span class="p">}</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://vault</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Advanced: Disaster Recovery </h2> <h3> Scenario: Complete Cluster Failure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Reset everything</span> task reset <span class="c"># 2. Restore from backup</span> vault operator raft snapshot restore <span class="nt">-force</span> vault-backup.snap <span class="c"># 3. Bring cluster back up</span> task bootstrap </code></pre> </div> <h3> Scenario: Corrupted Raft State </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Stop all nodes</span> task down <span class="c"># 2. Clean data directories</span> <span class="nb">rm</span> <span class="nt">-rf</span> vault-<span class="k">*</span>/data/raft/<span class="k">*</span> <span class="c"># 3. Restore from known-good backup</span> <span class="c"># Copy backed-up raft directory to all nodes</span> <span class="c"># 4. Start nodes</span> task up </code></pre> </div> <h2> Conclusion </h2> <p>You now have a production-ready, highly-available Vault cluster with:</p> <p>✅ <strong>Three-node Raft cluster</strong> for high availability<br><br> ✅ <strong>Automated deployment</strong> via Docker Compose<br><br> ✅ <strong>Task automation</strong> for common operations<br><br> ✅ <strong>Auto-unsealing</strong> capability<br><br> ✅ <strong>Health monitoring</strong> and failure detection<br><br> ✅ <strong>Scalable architecture</strong> ready for growth </p> <h3> Resources </h3> <ul> <li><a href="https://www.vaultproject.io/docs" rel="noopener noreferrer">Official Vault Documentation</a></li> <li><a href="https://www.vaultproject.io/docs/configuration/storage/raft" rel="noopener noreferrer">Raft Storage Backend Guide</a></li> <li><a href="https://www.vaultproject.io/docs/concepts/integrated-storage" rel="noopener noreferrer">Production Hardening Checklist</a></li> <li><a href="https://www.vaultproject.io/docs/configuration/seal" rel="noopener noreferrer">Auto-Unseal Configuration</a></li> </ul> <h2> About the Author </h2> <p>This article demonstrates a practical approach to secrets management using open-source tools. For production deployments, consider consulting with security specialists to ensure compliance with your organization's security requirements.</p> <p><strong>Have questions?</strong> Share them in the comments below!</p> <p><em>GitHub Repository: <a href="https://github.com/k5yisen/vault-docker-cluster" rel="noopener noreferrer">vault-docker-cluster</a></em></p> hashicorpvault vault docker devops