External secret management
Integration with HashiCorp Vault, an external secret provider, centralizes and externalizes the management of your secrets.
External secret management integration enables Content Cortex to manage its secrets securely through the
Secrets Store CSI (Container Storage Interface) driver and its HashiCorp Vault provider. The prerequisites script creates
SecretProviderClass objects, which define how the secrets are retrieved from the
storage vault. The objects are mounted directly into the pods, which allows the operators and
runtime components to use them securely and efficiently.
The mount path in the content-operator/ai-services-operator pod is /tmp/secrets and
/tmp/certificates. External secret management lays the foundation for enhanced secret management and an improved security posture in containerized environments.
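The manifests below are an added illustration of what the prerequisites script's SecretProviderClass objects and the corresponding pod volumes look like for the Vault provider; they are not taken from the product or its script. The Vault address, namespace, role name, secret paths, key names and container image are assumptions, as is the split into one SecretProviderClass per mount path (one CSI volume is backed by exactly one SecretProviderClass, so the two mount paths named above need two objects).

```yaml
# Added example, not the product's own prerequisites script.
# Assumptions: Vault at https://vault.example.com:8200, a Kubernetes auth role
# "content-cortex-app" bound to the service account of the same name, and KV v2
# secrets under secret/content-cortex/. All names are illustrative.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: content-cortex-secrets
  namespace: content-cortex
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.com:8200"
    # Vault's Kubernetes auth role; the provider logs in with the pod's
    # service account token, so the role must bind that account and namespace.
    roleName: "content-cortex-app"
    # Leave TLS verification on; vaultSkipTLSVerify: "true" lets a man-in-the-middle
    # feed the pod forged secrets and belongs only in a throwaway lab.
    objects: |
      - objectName: "db-password"          # file name created under the mount
        secretPath: "secret/data/content-cortex/db"   # KV v2 path includes /data/
        secretKey: "password"
      - objectName: "api-token"
        secretPath: "secret/data/content-cortex/api"
        secretKey: "token"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: content-cortex-certificates
  namespace: content-cortex
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.com:8200"
    roleName: "content-cortex-app"
    objects: |
      - objectName: "tls.crt"
        secretPath: "secret/data/content-cortex/tls"
        secretKey: "certificate"
      - objectName: "tls.key"
        secretPath: "secret/data/content-cortex/tls"
        secretKey: "private_key"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: content-operator
  namespace: content-cortex
spec:
  replicas: 1
  selector:
    matchLabels:
      app: content-operator
  template:
    metadata:
      labels:
        app: content-operator
    spec:
      # The identity Vault authenticates; it needs no Kubernetes Secret objects.
      serviceAccountName: content-cortex-app
      containers:
        - name: content-operator
          image: example.com/content-cortex/content-operator:1.0   # placeholder
          volumeMounts:
            - name: secrets
              mountPath: /tmp/secrets
              readOnly: true
            - name: certificates
              mountPath: /tmp/certificates
              readOnly: true
      volumes:
        - name: secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: content-cortex-secrets
        - name: certificates
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: content-cortex-certificates
```

On the Vault side this assumes the Kubernetes auth method is enabled and the role grants a policy with `read` on `secret/data/content-cortex/*`; nothing more is needed in the cluster, because the driver fetches the values at pod start and writes them as files (one per `objectName`) in an in-memory volume rather than storing them as Kubernetes Secrets. A quick check after rollout is `kubectl -n content-cortex exec deploy/content-operator -- ls /tmp/secrets /tmp/certificates`; if the pod stays in `ContainerCreating`, `kubectl describe pod` surfaces the provider's error, which is usually a Vault login or permission denial for the role. Note that the files are not refreshed unless the driver's secret rotation feature is enabled, so rotating a value in Vault does not by itself change what the running pod sees.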
Prerequisites
Before you enable external secret management, complete the following prerequisites:
- Install the CSI drivers. For more information, see Using the Secrets Store CSI Driver Operator.
- Install and configure the HashiCorp Vault CSI Provider with Kubernetes authentication. For more information, see Using the vault provider for the Secrets Store CSI Driver.
- If external vault servers are used, the configuration steps are slightly different.
Limitations
The following limitations apply to external secret management integration for Content Cortex:
- Integration of external secret management with Content Cortex is supported only through script-based installation.
- Integration of external secret management with Content Cortex is only supported in HashiCorp Vault.