Version: 6.4.1

Secure Variables

This page provides information on secure variables and their storage within Cortex.

The secure variables described below are used to access external dependencies like databases and data stores.

In contrast, Vault injection (Kubernetes secrets) is also used within Cortex Fabric to provide authentication credentials for infrastructure dependencies required by Fabric services. View details here.

Secure Variables

Cortex has support for secure/secret variables to allow encrypted storage of sensitive information used by deployed resources within Cortex (e.g. auth credentials used for a custom connection).

Secure Variable Storage

By default Cortex maintains secure variables inside an encrypted MongoDB collection but also allows for HashiCorp Vault as a storage backend.

MongoDB

MongoDB is enabled by default as the storage backend but can be forced by setting the following in your values.yaml:

cortex:
  # cortex.secrets: related to internal secrets within cortex
  secrets:
    # cortex.secrets.engine: the backend to use for storing secrets internally within cortex, "mongo" or "vault"
    engine: "mongo"

Vault

To enable Vault as the secure storage backend, add the following overrides to your values.yaml (update the url and token accordingly):

cortex:
  # cortex.secrets: related to internal secrets within cortex
  secrets:
    # cortex.secrets.engine: the backend to use for storing secrets internally within cortex, "mongo" or "vault"
    engine: "vault"
  accounts:
    env:
      VAULT_URL: "http://vault.vault.svc.cluster.local:8200"
      VAULT_TOKEN: "root"
      VAULT_STRICT_SSL: "false"
      # controls the `X-Vault-Namespace` header on vault requests
      # VAULT_NAMESPACE: ""
      # sets the path to the KVv2 engine running in Vault
      VAULT_KV_PATH: "secret"

There are three ways to supply the Vault token, alongside the other access credentials used with Vault Injection:

  • Hard code the token in the values.yaml override as shown above.

  • Use the same token/credentials for Vault Injection and Vault Secrets Storage:

    accounts:
      env:
        VAULT_TOKEN: "file:///vault/secrets/token"
      deployment:
        annotations:
          vault.hashicorp.com/agent-inject-token: "true"

  • Use a separately controlled token stored as a secret within Vault. This method is similar to the Vault injection of the MongoDB, managed content, and Redis secrets (these secrets must be managed externally):

    Note: The token secret must be managed independently in Vault. (e.g. vault kv put internal/cortex/helm/token token="secret")

    accounts:
      env:
        VAULT_TOKEN: "file:///vault/secrets/token"
      deployment:
        annotations:
          vault.hashicorp.com/agent-inject-secret-token: internal/cortex/helm/token
          vault.hashicorp.com/agent-inject-template-token: |
            {{ with secret "internal/cortex/helm/token" -}}
            {{ .Data.data.token }}
            {{- end }}
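A small pre-deployment check, added here as an example and not part of Cortex or this page, that reads a values.yaml override like the Vault block above and flags the settings a reviewer would want changed before production: a token literal instead of an injected `file://` token (the second and third methods above), a plain-http VAULT_URL, and VAULT_STRICT_SSL disabled. The sample input is constructed from this page's override; the parser handles only the simple `key: value` subset used there.

```python
# Constructed sample: the Vault override from this page, with its as-shown values.
SAMPLE_VALUES = """\
cortex:
  secrets:
    engine: "vault"
  accounts:
    env:
      VAULT_URL: "http://vault.vault.svc.cluster.local:8200"
      VAULT_TOKEN: "root"
      VAULT_STRICT_SSL: "false"
      VAULT_KV_PATH: "secret"
"""


def parse_simple_yaml(text):
    """Parse the indentation-based 'key: value' subset these overrides use (no PyYAML needed)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments (values here contain no '#')
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")  # split on the first ':' only
        while stack[-1][0] >= indent:  # close blocks that are not ancestors of this line
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("\"'")
        if value:
            parent[key] = value
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def lint_vault_settings(values):
    """Return findings for weak Vault settings in a parsed values.yaml override."""
    cortex = values.get("cortex", {})
    if cortex.get("secrets", {}).get("engine") != "vault":
        return []  # mongo backend: nothing Vault-specific to check
    env = cortex.get("accounts", {}).get("env", {})
    findings = []
    token = env.get("VAULT_TOKEN", "")
    if token and not token.startswith("file://"):
        findings.append("VAULT_TOKEN is hard-coded in values.yaml; use an injected token file")
    if env.get("VAULT_URL", "").startswith("http://"):
        findings.append("VAULT_URL is plain http; traffic to Vault is not encrypted")
    if env.get("VAULT_STRICT_SSL", "true").lower() == "false":
        findings.append("VAULT_STRICT_SSL is false; the Vault certificate is not verified")
    return findings
```

Running `lint_vault_settings(parse_simple_yaml(SAMPLE_VALUES))` on the page's override returns three findings; the same override with an injected `file:///vault/secrets/token`, an https URL and strict SSL enabled returns none.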