diff --git a/platform/vault/values.yaml b/platform/vault/values.yaml
index 9ffc9efe..6fefa4b5 100644
--- a/platform/vault/values.yaml
+++ b/platform/vault/values.yaml
@@ -2,6 +2,47 @@ vault:
 injector:
 enabled: false
 server:
+ # TODO enable TLS?
+ ha:
+ enabled: true
+ replicas: 3
+ raft:
+ enabled: true
+ setNodeId: true
+ config: |
+ ui = true
+
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ }
+
+ storage "raft" {
+ path = "/vault/data"
+
+ retry_join {
+ leader_api_addr = "http://vault-0.vault-internal:8200"
+ }
+ retry_join {
+ leader_api_addr = "http://vault-1.vault-internal:8200"
+ }
+ retry_join {
+ leader_api_addr = "http://vault-2.vault-internal:8200"
+ }
+
+ autopilot {
+ cleanup_dead_servers = "true"
+ last_contact_threshold = "200ms"
+ last_contact_failure_threshold = "10m"
+ max_trailing_logs = 250000
+ min_quorum = 3
+ server_stabilization_time = "10s"
+ }
+ }
+
+ service_registration "kubernetes" {}
+
 dataStorage:
 storageClass: longhorn
 ingress:
@@ -17,5 +58,3 @@ vault:
 - secretName: vault-tls-certificate
 hosts:
 - *host
- dev:
- enabled: true # TODO disable vault dev mode
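Review bot: The `listener "tcp"` block sets `tls_disable = 1` and all three `retry_join` entries use `http://` addresses, so now that dev mode is gone and real secrets will live here, client tokens and secret payloads cross the pod network in cleartext between the ingress and the Vault pods; the `# TODO enable TLS?` marks this but leaves it open. I would resolve it in this change or track it explicitly: give the listener `tls_cert_file` / `tls_key_file`, switch each `leader_api_addr` to `https://` with a `leader_ca_cert_file`, and set the chart's `global.tlsDisable: false` so the probes and `VAULT_ADDR` follow. Separately, the config has no `seal` stanza, so each of the three pods will presumably come up sealed after a restart and need a manual unseal; a comment stating where the unseal keys are held and who may use them would help the next operator.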