Production-ready HashiCorp Vault on Kubernetes - what are your must-have practices?

I’ve been working on designing a **production-grade HashiCorp Vault setup on Kubernetes**, and wanted to sanity-check some of the best practices I’m using + hear what others are doing in real environments.

Here’s the architecture I’m currently leaning toward:

* **HA setup:** 3-node Raft cluster (integrated storage)
* **Auto-unseal:** AWS KMS
* **TLS:**
  * Internal: cert-manager with self-signed CA
  * External: Let’s Encrypt (auto-renewal)
* **Storage:** Longhorn-backed PVCs (separate volumes for data + audit logs)
* **Audit logging:** File audit device on dedicated PVCs
* **Backups:** Daily Raft snapshots pushed to S3 (30-day retention)
* **Recovery keys:** Stored securely in AWS Secrets Manager
* **Resilience:** PodDisruptionBudget allowing max 1 pod unavailable

From what I’ve gathered, this aligns with a lot of recommended practices:

* Vault should run in **HA mode with integrated storage (Raft)** for resilience
* …
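As an added example (not the poster's own config), here is what the server HCL for one pod of the 3-node Raft cluster described above looks like with AWS KMS auto-unseal and a TLS listener backed by the internal cert-manager CA; the `vault-internal` hostnames, the `/vault/...` mount paths, the region and the KMS key alias are assumptions.

```hcl
# Example server config for pod vault-0 (assumed hostnames and paths; not the poster's config).
# Each replica gets its own node_id and addresses; the Helm chart templates these per pod.
ui            = true
disable_mlock = true   # recommended by HashiCorp when using integrated (Raft) storage

api_addr     = "https://vault-0.vault-internal:8200"
cluster_addr = "https://vault-0.vault-internal:8201"

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  # Certificates issued by cert-manager from the internal self-signed CA (assumed mount path)
  tls_cert_file      = "/vault/userconfig/vault-tls/tls.crt"
  tls_key_file       = "/vault/userconfig/vault-tls/tls.key"
  tls_client_ca_file = "/vault/userconfig/vault-tls/ca.crt"
  tls_min_version    = "tls12"
}

storage "raft" {
  path    = "/vault/data"   # Longhorn PVC for Raft data, separate from the audit PVC
  node_id = "vault-0"

  # Peers verify each other against the internal CA; one retry_join block per replica
  retry_join {
    leader_api_addr     = "https://vault-0.vault-internal:8200"
    leader_ca_cert_file = "/vault/userconfig/vault-tls/ca.crt"
  }
  retry_join {
    leader_api_addr     = "https://vault-1.vault-internal:8200"
    leader_ca_cert_file = "/vault/userconfig/vault-tls/ca.crt"
  }
  retry_join {
    leader_api_addr     = "https://vault-2.vault-internal:8200"
    leader_ca_cert_file = "/vault/userconfig/vault-tls/ca.crt"
  }
}

# Auto-unseal with AWS KMS; credentials come from the pod's IAM role, not static keys.
# kms_key_id is a placeholder alias; scope the role to kms:Encrypt, kms:Decrypt and
# kms:DescribeKey on this one key only.
seal "awskms" {
  region     = "us-east-1"           # assumed
  kms_key_id = "alias/vault-unseal"  # PLACEHOLDER
}

# The file audit device is enabled after init, not in this file; the audit PVC is mounted
# at a separate path so audit-log growth cannot fill the Raft data volume:
#   vault audit enable file file_path=/vault/audit/audit.log
```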