Vault on Cortex
This page provides information about how Cortex Fabric integrates with Hashicorp Vault for secrets injection.
Fabric supports two optional use cases of Hashicorp Vault that can be configured independently:
- Vault Secrets Management is used for secure variables created and used in Fabric. By default, secure variables are encrypted and stored in a MongoDB collection.
- Vault Kubernetes Secrets are used to manage passwords and credentials for Fabric services to connect to dependent infrastructure (MongoDB, Redis, Minio). By default, these are managed by Kubernetes Secret resources.
Learn how to use Vault as a secrets-store for Cortex Fabric.
Vault injection
Prerequisites
- A Vault instance is running and accessible to your Kubernetes cluster.
- Roles and policies have been set up to allow access to secrets.
- Dex image override in Vault:
dex:
  image:
    tag:
Add secrets to Vault in the expected location.
Write secrets to a location in Vault (default = internal/cortex/helm/). You can change this in the Helm chart by setting cortex.vault.secretPath within your values.yaml.
Three secrets are expected at the secrets path:
mongodb
redis
managedcontent
The following commands create the secret path with the correct values:
vault kv put internal/cortex/helm/mongodb user="mongo" password="password"
vault kv put internal/cortex/helm/managedcontent user="accessKey" password="secretKey"
vault kv put internal/cortex/helm/redis password="secret"
Enable the Cortex install to read secrets
The Cortex Fabric Helm Chart templates the following annotations to all deployment resources that require vault injection:
vault.hashicorp.com/agent-inject: "{{ .cortex.vault.injection }}"
vault.hashicorp.com/role: "{{ .cortex.vault.role }}"
vault.hashicorp.com/agent-init-first: "true" # needed due to https://github.com/hashicorp/vault-k8s/issues/41
vault.hashicorp.com/agent-inject-secret-mongodb: "{{ .cortex.vault.secretPath }}/mongodb"
vault.hashicorp.com/agent-inject-secret-managedcontent: "{{ .cortex.vault.secretPath }}/managedcontent"
vault.hashicorp.com/agent-inject-secret-redis: "{{ .cortex.vault.secretPath }}/redis"
If any extra annotations need to be set for accessing a Vault instance, they can be added to the chart overrides (values.yaml) under cortex.vault.extraAnnotations.
The following enables the Cortex install to read configuration secrets from Vault. (Note: the variable interpolation format in the mongo and redis URIs has switched from Kubernetes style $(...) to shell style ${...}.)
cortex:
  mongodb:
    mongoUri: "mongodb://${MONGODB_USERNAME}:${MONGODB_PASSWORD}@cortex-mongodb-replicaset-client.cortex.svc.cluster.local:27017/cortex_services?authSource=admin&replicaSet=rs0"
  redis:
    redisUri: "redis://:${REDIS_PASSWORD}@cortex-redis-master-0.cortex-redis-headless.cortex.svc.cluster.local:6379"
  vault:
    # cortex.vault.injection: enable/disable vault injection annotations
    injection: true
    # cortex.vault.role: the name of the role within vault that the service account is bound to
    role: "cortex-role"
    # name of the service account configured to access secrets within a vault role
    saName: "cortex-vault-auth"
    # cortex.vault.secretPath: the prefix key to the location where secrets are expected to be within vault
    secretPath: "internal/cortex/helm"
    # cortex.vault.extraAnnotations: Any extra annotations to apply to cortex deployment resources when vault injection is enabled
    # https://www.vaultproject.io/docs/platform/k8s/injector/annotations
    #extraAnnotations:
    #  vault.hashicorp.com/agent-inject-status: "force"
vault:
  injector:
    enabled: true
    # vault.injector.externalVaultAddr: External vault server address for the injector to use
    externalVaultAddr: "http://vault.cortex.svc.cluster.local:8200"
  server:
    enabled: false
    serviceAccount:
      create: true
      # vault.server.serviceAccount.name: the name of the service account to create for use with vault injection
      # should match cortex.vault.saName
      name: "cortex-vault-auth"
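The consistency rules spread across this page (shell-style ${...} rather than $(...) in the URIs when injection is on, vault.server.serviceAccount.name matching cortex.vault.saName, and a secretPath prefix that the chart joins with "/<secret>") collected into a pre-install check, as an added example that is not part of the Cortex chart; the values dict is a constructed sample with shortened hostnames and two deliberate mistakes, and the rendering function reproduces the annotation names and values listed above.

```python
import copy
import re

# Constructed values.yaml fragment (as a dict, so no YAML library is needed) with two
# mistakes the page warns about: a k8s-style $(VAR) in redisUri and a trailing slash on secretPath.
SAMPLE_VALUES = {
    "cortex": {
        "mongodb": {"mongoUri": "mongodb://${MONGODB_USERNAME}:${MONGODB_PASSWORD}@mongo.cortex.svc:27017/cortex_services"},
        "redis": {"redisUri": "redis://:$(REDIS_PASSWORD)@redis.cortex.svc:6379"},
        "vault": {"injection": True, "role": "cortex-role", "saName": "cortex-vault-auth",
                  "secretPath": "internal/cortex/helm/"},
    },
    "vault": {"server": {"serviceAccount": {"create": True, "name": "cortex-vault-auth"}}},
}
FIXED_VALUES = copy.deepcopy(SAMPLE_VALUES)
FIXED_VALUES["cortex"]["redis"]["redisUri"] = "redis://:${REDIS_PASSWORD}@redis.cortex.svc:6379"
FIXED_VALUES["cortex"]["vault"]["secretPath"] = "internal/cortex/helm"

EXPECTED_SECRETS = ("mongodb", "managedcontent", "redis")  # the three secrets the chart injects
K8S_STYLE = re.compile(r"\$\([A-Za-z_][A-Za-z0-9_]*\)")     # $(VAR), the Kubernetes env syntax

def render_injector_annotations(values):
    """Render the injector annotations the way the chart templates them (secretPath is not normalised)."""
    v = values["cortex"]["vault"]
    ann = {
        "vault.hashicorp.com/agent-inject": str(bool(v["injection"])).lower(),
        "vault.hashicorp.com/role": v["role"],
        "vault.hashicorp.com/agent-init-first": "true",  # vault-k8s issue 41, as noted on the page
    }
    for name in EXPECTED_SECRETS:
        ann[f"vault.hashicorp.com/agent-inject-secret-{name}"] = f"{v['secretPath']}/{name}"
    ann.update(v.get("extraAnnotations") or {})  # operator-supplied extras win, as in the chart
    return ann

def lint_vault_values(values):
    """Return findings for the consistency mistakes the page calls out; an empty list means OK."""
    findings = []
    c, v = values["cortex"], values["cortex"]["vault"]
    if not v.get("injection"):
        return findings  # secrets come from Kubernetes Secrets instead; nothing to check here
    for key, uri in (("mongoUri", c["mongodb"]["mongoUri"]), ("redisUri", c["redis"]["redisUri"])):
        if K8S_STYLE.search(uri):
            findings.append(f"{key}: uses k8s-style $(VAR); Vault injection needs shell-style ${{VAR}}")
    if v["secretPath"].endswith("/"):
        findings.append("cortex.vault.secretPath: trailing slash yields '//' in the injected secret path")
    sa = values.get("vault", {}).get("server", {}).get("serviceAccount", {})
    if sa.get("create") and sa.get("name") != v.get("saName"):
        findings.append("vault.server.serviceAccount.name must match cortex.vault.saName")
    return findings
```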