If you’ve ever set up a HashiCorp Vault cluster manually, you know the very specific flavor of existential dread it unleashes.
Manually generating TLS certs? Wrestling with Raft quorum? Typing unseal keys like a medieval gatekeeper standing in front of castle doors?

Yeah… no.

I built The Keep because I value automation, stability, and not being summoned at 3 AM to resuscitate Vault like a trauma surgeon.


The Problem: Secrets Management Is a Trap

The lifecycle of most “manual Vault setups” looks depressingly familiar:

  1. Day 1: You install Vault on a VM. “Relax, it’s just dev,” you say.
  2. Day 30: Dev quietly becomes Prod.
  3. Day 31: That VM crashes. Your heart rate spikes.
  4. Day 32: You open the HA docs. You see “Consul.” You reconsider life choices.
  5. Day 33: You spin up a 3-node cluster. TLS breaks. Raft desyncs. Logs scream.
  6. Day 34+: You’re now manually unsealing multiple nodes after every update like an unpaid security guard.

This isn’t resilience.
This isn’t engineering excellence.
This is self-inflicted operational pain.


The Solution: The Keep

The Keep is an Ansible-powered automation that deploys a production-ready, hardened, highly-available Vault cluster without theatrics.

It’s predictable. It’s repeatable.
And most importantly, it will not demand unseal keys from you in the middle of the night.

It handles the necessary boring work so you can focus on building systems that matter.


Architecture Overview

[Figure: Vault HA Architecture diagram]


Features That Actually Matter

  • 3-Node HA Vault Cluster (Raft): No Consul dependency hell. Clean, simple and reliable.
  • Auto-Unseal via Cloud KMS: Supports AWS & GCP. If you’re still unsealing Vault manually in 2025, we need to talk.
  • TLS Everywhere: Automated cert creation and distribution. Goodbye endless x509 pain.
  • Secure Defaults: Sensible hardening out of the box — still fully configurable.
  • Cloud Agnostic: Works on AWS or GCP. Pick your battlefield.

This is not a “demo script”.
This is designed for environments that actually matter.
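
As an added illustration (not part of The Keep's own code), the following Python check verifies the three properties the feature list promises on live Vault output: every node unsealed by a cloud KMS seal rather than Shamir, integrated Raft storage with a full voter set and exactly one leader, and the API served over TLS. The JSON samples are constructed to mirror the shape of `vault status -format=json` and `vault operator raft list-peers -format=json`; node names and addresses are made up.

```python
import json

# Constructed sample of `vault status -format=json` from one node of a KMS-auto-unsealed
# Raft cluster (field names mirror Vault's real output; addresses and names are made up).
SAMPLE_STATUS = json.loads("""{
  "type": "awskms", "initialized": true, "sealed": false, "storage_type": "raft",
  "ha_enabled": true, "cluster_name": "production-keep", "is_self": false,
  "leader_address": "https://10.0.1.10:8200", "leader_cluster_address": "https://10.0.1.10:8201"
}""")

# Constructed sample of `vault operator raft list-peers -format=json` for the same cluster.
SAMPLE_PEERS = json.loads("""{"data": {"config": {"index": 42, "servers": [
  {"node_id": "keep-1", "address": "10.0.1.10:8201", "leader": true,  "voter": true},
  {"node_id": "keep-2", "address": "10.0.1.11:8201", "leader": false, "voter": true},
  {"node_id": "keep-3", "address": "10.0.1.12:8201", "leader": false, "voter": true}
]}}}""")

KMS_SEALS = {"awskms", "gcpckms"}  # the two auto-unseal backends the page names

def check_status(status: dict) -> list[str]:
    # One node's `vault status`; an empty list means it matches the intended design.
    findings = []
    if status.get("sealed"):
        findings.append("node is sealed: auto-unseal did not run")
    if status.get("type") not in KMS_SEALS:
        findings.append(f"seal type {status.get('type')!r} is not a cloud KMS seal")
    if status.get("storage_type") != "raft":
        findings.append(f"storage {status.get('storage_type')!r} is not integrated Raft")
    if not status.get("ha_enabled"):
        findings.append("HA is disabled")
    leader = status.get("leader_address", "")
    if not leader.startswith("https://"):
        findings.append(f"leader address {leader!r} is not served over TLS")
    return findings

def check_peers(peers: dict, expected: int = 3) -> list[str]:
    # Raft peer set: expected size, enough voters for quorum, exactly one leader.
    servers = peers["data"]["config"]["servers"]
    quorum = expected // 2 + 1
    voters = [s for s in servers if s.get("voter")]
    leaders = [s["node_id"] for s in servers if s.get("leader")]
    findings = []
    if len(servers) != expected:
        findings.append(f"expected {expected} peers, found {len(servers)}")
    if len(voters) < quorum:
        findings.append(f"only {len(voters)} voters; quorum needs {quorum}")
    if len(leaders) != 1:
        findings.append(f"expected exactly one leader, found {leaders}")
    return findings
```

Run `check_status` against each node's status output and `check_peers` once against the leader's peer list; an empty result from both is what a correctly deployed cluster looks like after a reboot with no human unsealing involved.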


The “Code”

Readable. Predictable. Built for humans, not just automation robots.

# A snippet from the main play
- hosts: vault
  roles:
    - role: vault
      vars:
        vault_version: "1.17.3-1"
        vault_cluster_name: "production-keep"

Want to update the Vault version? Change a variable. Want to rename the cluster? Change a variable. Want to destroy everything?

Take a deep breath… then yes, Ansible can do that too.


Why “The Keep”?

In medieval castles, the keep was the most secure, fortified part — the place where they protected what truly mattered when everything went wrong.

This project is that — but for your secrets.

API keys. Tokens. Certificates. Database passwords. Everything critical lives here.

And unlike medieval keeps…

This one supports automated snapshots.


Conclusion

Stop building fragile Vault setups. Stop hand-rolling TLS. Stop saying “we’ll do HA later.”

Use The Keep — and deploy Vault the way it deserves to be deployed.
