Self-managed Cortex
Last updated
Last updated
For organizations with strict security and compliance requirements, Cortex can be deployed on-premises into your own Kubernetes (k8s) cluster.
The Cortex installation is provided as a Helm chart.
After following the instructions on this page to get started with your self-managed Cortex account, see these additional guides to enable other features and integrations:
User management: , ,
Configuring integrations: , , , , ,
To deploy Cortex on-premises, you will download and extract the Cortex Helm chart, edit its configuration, then install it from the local copy.
Before getting started, you will need:
A running k8s cluster, configured with permission to talk to the public internet (our Docker images are hosted on GitHub)
Permission to add image pull secrets to the cluster
installed and connected to your k8s cluster
installed
A GitHub personal access token (PAT) and a JWT license key, both provided to you by the Cortex team
Run the following command to configure your cluster to talk to Cortex:
Make sure to replace <enter the GitHub PAT provided by Cortex> with the value of your PAT, and replace <yourname@example.com> with an email address.
Run the following command to create a secret for your Cortex license:
Make sure to replace your_JWT with the value of your JWT license key.
Cortex requires a Postgres Database (version 15), and does not support other datastores. We recommend using your standard database provider, for example a hosted RDS or Cloud SQL instance.
You will need the following resources:
2 instances of backend container, with 8GB memory per instance (2 cores recommended)
1 instance of frontend container
< 500MB memory is generally sufficient, but you can adjust based on your available resources.
Postgres DB v15 with 15GB storage and 4GB memory, with a maximum number of connections ≥100.
The maximum number of connections should be ≥2x the backend's connection pool size, which is 50 by default (25 per instance).
Note: You must create (or utilize an existing) an instance of Postgres and the database within.
Create a Postgres Database (version 15) with UTF8 encoding that will be accessible from your instance. Create the following and note their values, as you will need them in the next steps:
The database instance and database with: instance URI, database name, and instance port
The username and password to access the database
Set up database user permissions on the default public.schema:
Add ALL on the public schema to create/modify tables
Add INSERT, SELECT, UPDATE, DELETE on all tables in the public schema
In command line, run the following commands to download and unzip the latest version of the Cortex chart into a cortex directory:
Run the following command to create a k8s secret that will hold your database and license credentials:
Make sure to substitute the placeholders in this command with the actual values of your port, username, password, database, and JWT.
Continue to the next steps to configure the chart.
In command line, cd to the cortex directory, where you downloaded the helm chart in the previous steps.
Using a text editor such as vi, open the values.yaml file.
You may need to make modifications, such as the following:
app.service.type: Configure this field based on your infrastructure. For example, if you're using EKS, AKS, or GKE, configure the type as LoadBalancer. If you're configuring this locally on your system, configure NodePort.
app.ingress: Configure these fields if you are using a load balancer.
Under the Hosted DATABASE section:
Locate the line # secret: cortex-secret. Uncomment this line by deleting the #.
app.hostnames: Configure the frontend and backend hostnames that the servers will be expecting to be reached on.
In a load balancer setup, the frontend hostname should be pointed at the external IP of the load balancer.
app.protocol: If your cloud provider or load balancer automatically uses TLS or SSL, change app.protocol to https.
Note that this field does not set up TLS; it is used for URL generation.
Under the Cortex API (Backend) Configuration section:
backend.replicaCount: This field determines how many containers to create. Depending on your resource constraints, you may need to change this to 1.
backend.containerConfiguration.resources: Depending on your resource constraints, you may need to adjust requests.memory and limits.memory. By default, each container will consume a minimum of 8GB and a limit of 16GB.
backend.containerConfiguration.livenessProbe.periodSeconds and backend.containerConfiguration.livenessProbe.timeoutSeconds: You may need to extend these settings if your containers aren't starting after you install the helm chart.
For any containers that you do not require for your use case, you can disabled them by setting their enabled field to false.
After making additional modifications to values.yaml, apply the changes by running helm upgrade.
In some cases, you may want to enable your Cortex deployment to access managed services within your infrastructure (such as a self-hosted GitLab instance) that have their own SSL Certificates. Follow these steps to add a certificate to the trusted keystores:
Create a kubernetes secret in the same namespace as your Cortex helm installation called tls.cert, containing the contents of the certificate file:
Open your values.yaml file. Enable selfSignedCerts and ensure the secret name is the same as the one created in the last step. In the example below, the secret is called tls-secret:
Repeat the previous step for each service in your values.yaml where you want to use the provided certificate.
Run helm upgrade.
Cortex provides optional Redis support by provisioning Redis in Kubernetes as part of the Helm chart. Enable Redis to gain support for outbound rate limiting of integration API calls.
To enable Redis, set redis.enabled to true in your values.yaml:
It will only be accessible from within the Kubernetes cluster, and authentication will not be enabled by default.
If you enable auth for Redis:
Create a secret:
Configure the Redis subchart to use that secret:
Prometheus metrics can be published from the backend and worker pods by setting app.shared.prometheusMetrics.enabled to true in your values.yaml:
With this enabled, Prometheus metrics will be published on port 8181 at the /actuator/prometheus endpoint.
To dump all the information about the installation, run the following command:
Note: The CLI only dumps non-sensitive information. For the secrets, the values are masked.
To fetch the logs for all Cortex related deployments, run the following command:
After a successful installation, the Cortex team might ask for settings or configurations on your setup. To get this information, run the following command:
Cortex collects basic, anonymized data from self-managed customers. If you would like to opt out, please reach out to your Cortex Customer Success Manager.
See the Kubernetes documentation for more information on .
Make sure to remove the additional space before secret to maintain the correct YAML formatting.
If you're installing Cortex into a cloud cluster, for example EKS or GKE, you may need to install required plugins to your cluster. For example, kubectl apply the .
Redis is enabled via a third-party Helm chart; a full reference to all of the possible settings can be found in .
Cortex provides a to debug the on-prem installation. All commands create a data folder that has the data needed for the Cortex team to debug the issue.
You can create a Cortex PAT in your Cortex workspace under .
