[VAULT] Add run Vault on zCX page #1479
Open
+326
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Vercel Previews Deployed
|
Contributor
Broken Link CheckerNo broken links found! 🎉 |
schavis
requested changes
Dec 9, 2025
Comment on lines
+10
to
+14
| This guide walks through deploying a fully secured 3-node HashiCorp Vault Enterprise cluster | ||
| on IBM z/OS Container Extensions (zCX). The setup uses three independent zCX instances, | ||
| each running Vault with its own unique IP address. A Layer-4 HAProxy load balancer sits | ||
| in front to distribute traffic, and end-to-end TLS encryption is applied across all Vault nodes | ||
| and the load balancer to ensure secure communication throughout the cluster. |
Contributor
There was a problem hiding this comment.
Suggested change
| This guide walks through deploying a fully secured 3-node HashiCorp Vault Enterprise cluster | |
| on IBM z/OS Container Extensions (zCX). The setup uses three independent zCX instances, | |
| each running Vault with its own unique IP address. A Layer-4 HAProxy load balancer sits | |
| in front to distribute traffic, and end-to-end TLS encryption is applied across all Vault nodes | |
| and the load balancer to ensure secure communication throughout the cluster. | |
| Deploy a fully secured 3-node HashiCorp Vault Enterprise cluster on IBM z/OS | |
| Container Extensions (zCX) with: | |
| - Three independent zCX instances running Vault on unique IP addressed. | |
| - A Layer-4 HAProxy load balancer to distribute traffic. | |
| - End-to-end TLS encryption to ensure secure communication throughout the cluster. |
Style correction: describe the outcome of following the how-to guide, not the contents of the guide
|
|
||
|  | ||
|
|
||
| ## Step 1: Container image deployment |
Contributor
There was a problem hiding this comment.
Suggested change
| ## Step 1: Container image deployment | |
| ## Step 1: Get the Vault Enterprise image from Docker |
Style correction: use verbs for headings and describe the outcome of the step
|
|
||
| ## Step 1: Container image deployment | ||
|
|
||
| 1. Pull the official Vault Enterprise container image on all three zCX nodes. |
Contributor
There was a problem hiding this comment.
Suggested change
| 1. Pull the official Vault Enterprise container image on all three zCX nodes. | |
| 1. Use the Docker CLI to pull official Vault Enterprise container images on all three zCX nodes: |
| $ docker images | grep vault-enterprise | ||
| ``` | ||
|
|
||
| ## Step 2: Persistent volume creation |
Contributor
There was a problem hiding this comment.
Suggested change
| ## Step 2: Persistent volume creation | |
| ## Step 2: Create a persistent volume on each node |
|
|
||
| Create Docker volumes for configuration and data persistence on each node. | ||
|
|
||
| 1. Create volume for Vault data storage (Raft backend, audit logs). |
Contributor
There was a problem hiding this comment.
Suggested change
| 1. Create volume for Vault data storage (Raft backend, audit logs). | |
| 1. Create volume for Vault data storage including an internal storage backend and space for audit logs: |
Style correction: prefer "internal storage" over "Raft" when not discussing the mechanics of the storage, avoid parenthesis when possible
| -v haproxy-config:/usr/local/etc/haproxy \ | ||
| ibmz-hc-registry.ngrok.dev/haproxy:3.2 | ||
| ``` | ||
|
|
Contributor
There was a problem hiding this comment.
Can we also set the VAULT_PROXY_ADDR to the load balancer URL and port for easier API calls later?
For example;
Suggested change
| 1. Set and export the `VAULT_PROXY_ADDR` environment variable in your local | |
| terminal to the load balancer URL and port: | |
| ```shell-session | |
| $ export VAULT_PROXY_ADDR="https://<load_balancer_id>:<port>" | |
| ``` |
Comment on lines
+304
to
+310
| ```shell-session | ||
| $ curl \ | ||
| --cacert <CA_CERT_FILE> \ | ||
| --header "X-Vault-Token: <VAULT_TOKEN>" \ | ||
| https://<LOAD_BALANCER_IP>:<PORT>/v1/sys/storage/raft/configuration \ | ||
| | jq . | ||
| ``` |
Contributor
There was a problem hiding this comment.
Suggested change
| ```shell-session | |
| $ curl \ | |
| --cacert <CA_CERT_FILE> \ | |
| --header "X-Vault-Token: <VAULT_TOKEN>" \ | |
| https://<LOAD_BALANCER_IP>:<PORT>/v1/sys/storage/raft/configuration \ | |
| | jq . | |
| ``` | |
| <Tabs> | |
| <Tab heading="CLI" group="cli"> | |
| ```shell-session | |
| $ vault read \ | |
| -ca-cert "/path/to/vault.pem" \ | |
| -format json \ | |
| /sys/storage/raft/configuration \ | |
| | jq | |
| ``` | |
| </Tab> | |
| <Tab heading="API" group="api"> | |
| ```shell-session | |
| $ curl \ | |
| --request POST \ | |
| --header "X-Vault-Token: ${VAULT_TOKEN}" \ | |
| --namespace "X-Vault-Namespace: ${VAULT_NAMESPACE}" \ | |
| --cacert <CA_CERT_FILE> \ | |
| ${VAULT_PROXY_ADDR}/v1/sys/storage/raft/configuration \ | |
| | jq . | |
| ``` | |
| </Tab> | |
| </Tabs> | |
We generally want new content to provide examples using both the CLI and the API so folks have example code regardless of which method they prefer
| ## Additional resources | ||
|
|
||
| - [Vault configuration parameters](/vault/docs/configuration) | ||
| - [Seal/unseal](/vault/docs/concepts/seal) |
Contributor
There was a problem hiding this comment.
Suggested change
| - [Seal/unseal](/vault/docs/concepts/seal) |
Folded into "Before you start"
|
|
||
| - [Vault configuration parameters](/vault/docs/configuration) | ||
| - [Seal/unseal](/vault/docs/concepts/seal) | ||
| - [CLI command - operator init](/vault/docs/commands/operator/init) |
Contributor
There was a problem hiding this comment.
Suggested change
| - [CLI command - operator init](/vault/docs/commands/operator/init) | |
| - [CLI command - `operator init`](/vault/docs/commands/operator/init) |
| - [Vault configuration parameters](/vault/docs/configuration) | ||
| - [Seal/unseal](/vault/docs/concepts/seal) | ||
| - [CLI command - operator init](/vault/docs/commands/operator/init) | ||
| - [CLI command - operator unseal](/vault/docs/commands/operator/unseal) No newline at end of file |
Contributor
There was a problem hiding this comment.
Suggested change
| - [CLI command - operator unseal](/vault/docs/commands/operator/unseal) | |
| - [CLI command - `operator unseal`](/vault/docs/commands/operator/unseal) |
schavis
requested changes
Dec 9, 2025
Contributor
schavis
left a comment
schavis
left a comment
There was a problem hiding this comment.
Let me know if you have any questions
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔍 Deploy preview
This PR adds "Deploy Vault on zCX" page based on #1464.
Make the editorial updates to the original.