Vault PKI Platform - Implementation
Implementation
The Vault deployment evolved through three stages: a single node with file storage (2026-02-15), migration to Raft storage (2026-03-09), and expansion to an HA cluster (2026-03-10). Detailed implementation steps are in the referenced runbooks.
Stage 1: Single Node Deployment (2026-02-15)
- VM creation on kvm-01 (Rocky Linux 9 cloud image)
- Vault installation and initial configuration
- File storage backend
- PKI secrets engine: Root CA (20-year) + Intermediate CA (10-year)
- SSH CA secrets engine with domus-client role
- KV v2 secrets engine
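The Stage 1 engine bootstrap as a shell script. This is an added example, not the referenced runbook or the project's own code. It assumes an initialised and unsealed node with VAULT_ADDR and a root-privileged VAULT_TOKEN exported, the mount paths pki, pki_int, ssh and kv, the CA common names, the domus.internal domain, a domus-server leaf role and the principals and extensions in the domus-client SSH role; only the 20-year and 10-year lifetimes and the domus-client role name come from the page.

```shell
#!/bin/sh
# Added example, not the project's runbook. Bootstraps the Stage 1 secrets
# engines on an initialised, unsealed single node. Assumes VAULT_ADDR and a
# root-privileged VAULT_TOKEN are exported; mount paths, CA names, the
# domus.internal domain and the domus-server role are assumptions.
set -e

: "${VAULT_ADDR:=https://127.0.0.1:8200}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
ROOT_TTL="175200h"           # 20 years (20 * 8760h), from the page
INT_TTL="87600h"             # 10 years (10 * 8760h), from the page
LEAF_DOMAIN="domus.internal" # assumed

setup_root_ca() {
  # The mount max TTL must cover the root's lifetime: otherwise Vault caps
  # the certificate TTL at the mount maximum without failing the request.
  vault secrets enable -path=pki pki
  vault secrets tune -max-lease-ttl="$ROOT_TTL" pki
  vault write -field=certificate pki/root/generate/internal \
    common_name="Domus Root CA" ttl="$ROOT_TTL" > "$WORKDIR/root_ca.crt"
  # AIA and CRL URLs are copied into every certificate this mount signs,
  # so they must be set before the intermediate is signed.
  vault write pki/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl"
}

setup_intermediate_ca() {
  # The intermediate key is generated inside pki_int and never exported:
  # only a CSR crosses to the root mount and only a certificate comes back.
  vault secrets enable -path=pki_int pki
  vault secrets tune -max-lease-ttl="$INT_TTL" pki_int
  vault write -field=csr pki_int/intermediate/generate/internal \
    common_name="Domus Intermediate CA" > "$WORKDIR/pki_int.csr"
  vault write -field=certificate pki/root/sign-intermediate \
    csr=@"$WORKDIR/pki_int.csr" format=pem_bundle ttl="$INT_TTL" \
    > "$WORKDIR/pki_int.crt"
  vault write pki_int/intermediate/set-signed \
    certificate=@"$WORKDIR/pki_int.crt"
  vault write pki_int/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki_int/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki_int/crl"
  # Leaf role (assumed name): server certs for the domain only, short TTLs,
  # no bare-domain or wildcard issuance. Leaves come from pki_int, never
  # from the root mount.
  vault write pki_int/roles/domus-server \
    allowed_domains="$LEAF_DOMAIN" allow_subdomains=true \
    allow_bare_domains=false allow_wildcard_certificates=false \
    server_flag=true client_flag=false ttl=72h max_ttl=720h
}

setup_ssh_ca() {
  # Client-signing CA. The domus-client role name is from the page; the
  # principals, extensions and TTLs below are assumptions.
  vault secrets enable -path=ssh ssh
  vault write ssh/config/ca generate_signing_key=true
  vault write ssh/roles/domus-client - <<'EOF'
{
  "key_type": "ca",
  "algorithm_signer": "rsa-sha2-512",
  "allow_user_certificates": true,
  "allowed_users": "ops,deploy",
  "default_user": "ops",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": { "permit-pty": "" },
  "ttl": "30m",
  "max_ttl": "4h"
}
EOF
}

setup_kv() {
  vault secrets enable -path=kv -version=2 kv
}

verify_chain() {
  # Independent check that the intermediate Vault now serves really chains
  # to the root certificate we saved.
  vault read -field=certificate pki_int/cert/ca > "$WORKDIR/pki_int_live.crt"
  openssl verify -CAfile "$WORKDIR/root_ca.crt" "$WORKDIR/pki_int_live.crt"
}

if [ "${1:-}" = "apply" ]; then
  setup_root_ca; setup_intermediate_ca; setup_ssh_ca; setup_kv; verify_chain
fi
```

Run it as `sh bootstrap.sh apply`; without the argument it only defines the functions, which makes it easy to source and dry-run with a stubbed `vault`. The root mount gets no leaf role at all, so nothing short-lived is ever issued directly under the 20-year key.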
Stage 2: Raft Migration (2026-03-09)
- vault operator migrate from file to Raft storage
- cluster_addr configured properly (required when Raft is the migration destination)
- Single-node Raft cluster verified
Stage 3: HA Cluster (2026-03-10)
- vault-02 deployed on kvm-02
- vault-03 deployed on kvm-02
- Both nodes joined to Raft cluster
- Leader election and failover tested

As listed, vault-02 and vault-03 both sit on kvm-02, so a kvm-02 outage takes two of the three Raft voters with it and the cluster loses quorum until one of them is back.
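Stages 2 and 3 as one shell script: the migrate configuration with cluster_addr set, the Raft server configuration each node runs afterwards, the explicit join, and a forced failover check. This is an added example, not the referenced runbooks or the project's own files. Hostnames under domus.internal, the /opt/vault data and raft paths, and the /etc/vault.d/tls certificate locations are assumptions; the node names vault-01 to vault-03 come from the page.

```shell
#!/bin/sh
# Added example, not the project's runbooks. Stage 2 (file -> Raft on vault-01)
# and Stage 3 (join vault-02/vault-03, failover check). Hostnames under
# domus.internal, the /opt/vault paths and /etc/vault.d/tls are assumptions.
set -e

DOMAIN="domus.internal"
DATA_DIR="${DATA_DIR:-/opt/vault}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
FAILOVER_WAIT="${FAILOVER_WAIT:-5}"

# Migration config. Raft as a destination requires cluster_addr: the migrated
# node writes its own node_id/address into the Raft peer set, and that address
# must be the one the future peers can reach, not 127.0.0.1.
render_migrate_config() {
  node="$1"
  cat > "$OUT_DIR/migrate.hcl" <<EOF
storage_source "file" {
  path = "$DATA_DIR/data"
}

storage_destination "raft" {
  path    = "$DATA_DIR/raft"
  node_id = "$node"
}

cluster_addr = "https://$node.$DOMAIN:8201"
EOF
  echo "$OUT_DIR/migrate.hcl"
}

# Server config used by every node once on Raft. api_addr (8200) is what
# standbys advertise for client redirects; cluster_addr (8201) carries Raft
# replication and request forwarding. Both must be TLS and reachable by peers.
render_server_config() {
  node="$1"
  cat > "$OUT_DIR/$node.hcl" <<EOF
api_addr     = "https://$node.$DOMAIN:8200"
cluster_addr = "https://$node.$DOMAIN:8201"

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/$node.crt"
  tls_key_file  = "/etc/vault.d/tls/$node.key"
}

storage "raft" {
  path    = "$DATA_DIR/raft"
  node_id = "$node"
  retry_join {
    leader_api_addr     = "https://vault-01.$DOMAIN:8200"
    leader_ca_cert_file = "/etc/vault.d/tls/ca.crt"
  }
}
EOF
  echo "$OUT_DIR/$node.hcl"
}

# Stage 2, on vault-01 with the vault service stopped: migrate copies every
# storage entry into the Raft directory. Afterwards replace /etc/vault.d/vault.hcl
# with the output of render_server_config vault-01 and start the service.
migrate_to_raft() {
  vault operator migrate -config="$(render_migrate_config vault-01)"
}

# Stage 3, on vault-02 and vault-03 after first start. retry_join does this
# automatically; the explicit join is the manual fallback. A new follower stays
# sealed until unsealed (Shamir keys or auto-unseal), then pulls a snapshot.
join_cluster() {
  vault operator raft join "https://vault-01.$DOMAIN:8200"
}

current_leader() {
  # list-peers columns: Node  Address  State  Voter
  vault operator raft list-peers | awk '$3 == "leader" { print $1 }'
}

# Forced failover: step the leader down and require that a different node
# holds leadership afterwards. Fails if nobody wins the election.
check_failover() {
  before=$(current_leader)
  vault operator step-down
  sleep "$FAILOVER_WAIT"
  after=$(current_leader)
  [ -n "$after" ] && [ "$after" != "$before" ]
}

case "${1:-}" in
  migrate)  migrate_to_raft ;;
  join)     join_cluster ;;
  failover) check_failover && echo "leader moved: $before -> $after" ;;
esac
```

`sh raft.sh failover` run from any node with a valid token is the check behind "leader election and failover tested": it proves a different node took over, not merely that step-down returned. With all voters present, Raft needs two of three to elect, so the check also fails loudly if one node never finished joining.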