
Deploying with Vault Enterprise

This guide provides instructions for deploying VOR Stream with an existing Vault Enterprise deployment. This configuration allows organizations to leverage their existing Vault Enterprise infrastructure for secrets management and token authentication.

Prerequisites

Before proceeding with the deployment, ensure you have:

  1. An operational Vault Enterprise cluster (self-managed or cloud-managed via HCP Vault Dedicated)
  2. A dedicated namespace for the deployment
  3. A Vault token with full access to the target namespace

Namespace Recommendations

Tip

Read the Vault namespace and mount structuring tutorial for best practices and recommendations for structuring your namespaces.

If you use the same Vault Enterprise cluster for multiple VOR Stream deployments, one approach is to organize all deployments under a dedicated namespace hierarchy. For example:

vor/
├── dev/
├── test/
└── prod/

This structure allows for separate environments while maintaining clear organization. The deployment will automatically configure all necessary policies, authentication methods, and secrets engines within the specified namespace.

Configuration

Update your hosts.ini file with the following Vault-specific variables:

Warning

When deploying into an existing Vault Enterprise cluster, ensure there are no hosts defined in the vault group. If any hosts are defined there, the deployment will attempt to manage the Vault cluster configuration, which is not desired.

# Vault Enterprise Configuration
vault_token=<your-vault-token>              # Token with full access to the target namespace
vault_namespace=admin/vor/prod              # Target namespace for deployment
vault_addr=https://your-vault-cluster:8200  # Vault cluster address

Note

If using HCP Vault, the vault_addr and vault_token can be obtained from the HCP Vault console.

If the Vault cluster is self-managed, you may need to specify vault_cacert to point to the CA certificate for the Vault cluster if the certificate is not trusted by the deployment host. If the Vault certificate is using the same CA as the rest of the VOR Stream deployment, you can use the following configuration:

vault_cacert={{ tls_ca_cert_file_path }}
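
A pre-flight check for the hosts.ini settings described above, as an added example that is not part of VOR Stream: it flags hosts left in the vault group, missing or placeholder Vault variables, and a non-TLS vault_addr. The function name, the sample inventories, the [app] group and the assumption that the variables sit in a ":vars" section such as [all:vars] are not from the guide.

```python
import re
REQUIRED = ("vault_token", "vault_namespace", "vault_addr")
# Constructed sample inventories; group [app] and the host names are hypothetical.
GOOD = """[app]
app1.example.internal
[vault]
[all:vars]
vault_token=example-token-not-real
vault_namespace=admin/vor/prod
vault_addr=https://your-vault-cluster:8200
"""
BAD = """[vault]
vault1.example.internal
[all:vars]
vault_token=<your-vault-token>   # Token with full access
vault_namespace=admin/vor/prod
vault_addr=http://your-vault-cluster:8200
"""

def check_inventory(text):
    """Return a list of problems found in Ansible INI inventory text."""
    section, vault_hosts, settings = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
        elif section == "vault":
            # Any entry under [vault] is a host the deployment would try to manage.
            vault_hosts.append(line.split()[0])
        elif section and section.endswith(":vars") and "=" in line:
            # Assumption: variables live in a ":vars" section; strip any "  # comment".
            key, _, value = line.partition("=")
            settings[key.strip()] = re.split(r"\s+#", value, maxsplit=1)[0].strip()
    problems = []
    if vault_hosts:
        problems.append("vault group must be empty, found: " + ", ".join(vault_hosts))
    for key in REQUIRED:
        value = settings.get(key, "")
        if not value or (value.startswith("<") and value.endswith(">")):
            problems.append(key + " is missing or still a placeholder")
    if settings.get("vault_addr", "").startswith("http://"):
        problems.append("vault_addr uses http://; the guide's example uses https://")
    return problems

if __name__ == "__main__":
    print(check_inventory(GOOD), check_inventory(BAD))
```

Run it against the inventory text before starting the deployment; an empty list means none of the three checks fired.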