Self-managed Cortex

Before getting started, you will need:

• A running Kubernetes cluster, configured with permission to make HTTPS requests to the public internet (our Docker images are hosted on GitHub) - you can use AWS/EKS, Azure/AKS, GCP/GKE, or your own locally installed Kubernetes distribution.

• Permission to add services, deployments, secrets and namespaces to the cluster

• kubectl installed and connected to your Kubernetes cluster

• Helm Package Manager installed

• A PostgresSQL database (15+) that is accessible from your k8s cluster, and has a dedicated database and user for Cortex.

  • Learn more under Step 2: Set up a persistent database.

• A GitHub personal access token (PAT) and a JWT license key, both provided to you by your Cortex account team

Required resources in Kubernetes

Below is a list of the containers that make up a minimum Cortex deployment, with their resource requirements:

• 2 instances of backend container, with 8GB memory per instance (2 cores recommended)

• 1 instance of worker container, with 8GB memory (2 cores recommended)

• 1 instance of frontend container

  • 500MB memory is generally sufficient, but you can adjust based on your available resources.

Ensure that your cluster has enough resources available to run the containers you plan to deploy.

DNS and TLS requirements

Before installing Cortex, you need to prepare:

• DNS Names: Create two DNS records in your domain:

  • One for the frontend (web UI): e.g., cortex-app.yourdomain.dom

  • One for the backend (API): e.g., cortex-api.yourdomain.dom

• TLS Certificate: Obtain a TLS certificate that covers both DNS names. You can use:

  • A wildcard certificate (e.g., *.yourdomain.dom)

  • A certificate with Subject Alternative Names (SANs) for both DNS names

  • For AWS: AWS Certificate Manager (ACM)

  • For Azure: Azure Key Vault certificates

• DNS Configuration: After installation, you'll need to point DNS records for the frontend and backend donain names to the two load balancers created by Kubernetes. The exact configuration depends on your environment:

  • For AWS: Point to each NLB's DNS name

  • For Azure: Point to each Load Balancer's public IP

  • For self-managed load balancers: Point to your load balancers' IPs or hostnames

Check kubectl installation and cluster access:

Check Helm installation:

Cortex requires PostgreSQL 15 or higher and does not support other datastores. You have several options, depending on your environment:

• Self-managed PostgreSQL: Install PostgreSQL on your own infrastructure

• AWS RDS: Use Amazon RDS for PostgreSQL if running on AWS

• Azure Database for PostgreSQL: Use Azure's managed PostgreSQL service if running on Azure

You will need the following resources:

• 15GB minimum available storage, 40 GB recommended

• Maximum number of connections ≥100. The maximum number of connections should be ≥2x the backend connection pool size, which is 25 per instance, for a total of 50 when two backend containers are running.

1. On your PostgreSQL server, create a database with UTF-8 encoding that will be accessible from your instance.

2. Create a user with the following permissions on the public.schema within the database you created:

   • Add ALL on the public schema to create/modify tables

   • Add INSERT, SELECT, UPDATE, DELETE on all tables in the public schema

3. Make a note of the following database connection details, as you will need them in the next steps:

   • The hostname and port number for connecting to the database server

   • The name of the database you created (this guide assumes the database is named cortex)

   • The username and password to access the database

Here is an example of SQL that you might run to create the database and the user with sufficient permissions:

Verify that containers in your Kubernetes cluster will be able to connect to your Postgres database using the connection details you noted above:

This command will:

• Connect to your database from within the cluster

• Create and drop a test table to verify write permissions

• Exit with an error if the database doesn't exist or the user lacks permissions

If it is successful, you will see:

1. Create a Kubernetes namespace. A namespace is optional, but it's recommended to install Cortex in its own namespace for better organization and isolation:

1. Run the following command to add a Docker registry secret for pulling Cortex images from the GitHub Container Registry:

• Replace <enter the GitHub PAT provided by Cortex> with the value of the GitHub PAT that was provided to you by your Cortex account team, and replace <[email protected]> with an email address.\

1. Run the following command to create a secret for your Cortex license and your database connection details:

• Substitute the placeholders in this command with the actual values of your port, username, password, database, and Cortex license JWT.

See the Kubernetes documentation for more information on managing secrets using kubectl.

1. In command line, run the following command to add the Cortex repo to Helm:

1. Install the Helm diff plugin to preview changes before applying them:

It's not recommended to modify the Helm chart or values.yaml directly. Instead, we recommend that you create a separate overrides.yaml file for your configuration. This approach ensures:

• Configurations are preserved across upgrades

• Easy version control of your settings

• Clear separation between defaults and customizations

• Timely support from Cortex in the event of an issue

Cortex requires at minimum one frontend pod, one backend pod, and one worker pod. See the example overrides.yaml below demonstrating this.

In this step, you will create and configure the overrides.yaml file. In the next step, you will install the chart and include the overrides.yaml.

See a list of available settings

To see a complete list of available settings, you can review the values.yaml that is bundled in the Cortex Helm chart by running the following command:

Recommended configurations in overrides.yaml

In your overrides.yaml, adjust the replica counts and resource allocations based on your expected load and availability requirements.

At a minimum, the following values should be set:

• image.secrets.name : The name of the Docker registry secret you set in step 2

• app.service.type : Set this field based on your infrastructure. If you're using EKS, AKS, or GKE, set the type as LoadBalancer. If you're using your own Kubernetes distribution and plan to do your own load balancing, configure NodePort.

• app.ingress.type: The type of ingress controller to use with your load balancing setup. For EKS and AKS, use nginx . For GKE, use gcp. If you are using your own Kubernetes distribution, this setting is not used.

• app.secret : The name of the secret you set up in step 2 containing your Cortex license key and database connection details

• app.hostnames.frontend : The DNS name where users will visit the Cortex Web UI in the browser. This should match the common name or a subject alternative name on the TLS certificate you use with your load balancer for the frontend service.

• app.hostnames.backend : The DNS name where the Cortex REST API will be available. This should match the common name or a subject alternative name on the TLS certificate you use with your load balancer for the backend service.

• app.hostnames.protocol : Set to https if you are configuring TLS termination at the load balancer (recommended), or http if you will use Cortex over cleartext. Note that this field does not set up TLS - TLS is configured at the load balancer; this setting is used only for generating URLs.

• app.backend.enabled : Set to true to enable the backend containers to run

• app.worker.enabled : Set to true to enable the worker containers to run

Additional container configuration:

There are additional settings available to configure the backend and worker for your environment. The following paths can be configured under app.backend and app.worker:

• replicaCount (default: 2) This field determines how many containers to create. Depending on your resource constraints, you may need to change this to 1.

• containerConfiguration.resources: Depending on your resource constraints, you may need to adjust requests.memory and limits.memory. By default, each container will consume a minimum of 8GB and a limit of 16GB.

• containerConfiguration.livenessProbe.periodSeconds (default: 10) and containerConfiguration.livenessProbe.timeoutSeconds (default: 6): In environments with slow networking or database, probes may expire before the containers are fully started, causing them to continually be restarted. If this occurs, you may need to raise the values of these settings.

Example overrides.yaml

Below is an example overrides.yaml implementing one backend pod and one worker pod with minimum resources, and configuring TLS termination using network load balancers in AWS:

1. Identify the version of Cortex you want to install.

   • Consider consulting with your Cortex account team to identify the appropriate version. Alternatively, you can find the latest version by running helm search repo cortex/cortex. Cortex version numbers look like 0.0.411.

   • Make a note of the version you are installing, in case you want to change configuration values while remaining on the same version.

2. Before installation, use the following command to preview what will be deployed. Replace DESIRED_VERSION with the version number you identified in the previous step:

1. Use helm to install Cortex. Replace DESIRED_VERSION with the version number you identified in the first step:

1. Monitor the deployment status:

The backend is ready when you see log lines containing:

It may take a few minutes, depending on your infrastructure.

1. Get the load balancer endpoints:

   You'll see two services of type LoadBalancer. Identify which is frontend and which is backend by their names.

2. Update your DNS records:

   • AWS NLB: Create CNAME records pointing to the respective load balancer DNS names.

   • Azure: Create A records pointing to the respective load balancer IPs.

   • Point your frontend hostname (for example, cortex-app.yourdomain.dom) to the frontend load balancer.

   • Point your backend hostname (for example, cortex-api.yourdomain.dom) to the backend load balancer.

3. Verify DNS resolution:

4. Test access to Cortex:

   • Open your frontend URL (for example, https://cortex-app.yourdomain.dom) in your web browser.

     • You should be logged in automatically as "Demo User."

     • After this, you can configure SSO for proper authentication.

Prerequisites:

• Certificates must be in PEM format (Base64 encoded).

  • If you have certificates in other formats, convert them to PEM:

    • DER to PEM: openssl x509 -inform der -in cert.der -out cert.pem

    • P7B to PEM: openssl pkcs7 -print_certs -in cert.p7b -out cert.pem

    • PFX to PEM: openssl pkcs12 -in cert.pfx -out cert.pem -nodes

• Certificates must include the complete certificate chain if they are using intermediate CAs.

• Each certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----

• Multiple certificates can be concatenated in a single file.

Considerations:

• After following these instructions, the certificate will be added to the Java trust store in both backend and worker pods.

• This configuration is only needed for outbound connections from Cortex

• Be sure the full certificate chain is included, since importing only the leaf certificate can still result in PKIX path building errors when Java services attempt internal HTTPS calls.

• Inbound TLS/SSL should be configured at the load balancer

Example of creating a Kubernetes secret with concatenated certificates:

Example of PEM formatted certificates:

1. Set redis.enabled to true in your overrides.yaml:

1. Run helm to apply the changes as outlined in .

Note: It will only be accessible from within the Kubernetes cluster, and authentication will not be enabled by default.

If you enable authentication for Redis:

1. Create a secret for the Redis password:

1. Open your overrides.yaml. Configure the Redis subchart to use that secret:

1. Preview and apply the updated configuration by following the steps in Modifying the configuration after installing above.

If you are using embedded Redis, service interruption may occur if you upgrade after August 28, 2025.

To avoid service interruption, you must follow these instructions when you upgrade:

• If you have set redis.global.imagePullSecrets, ensure that the list of secrets includes the secret that enables you to pull the Cortex images, usually cortex-docker-registry-secret.

  • If you have not set redis.global.imagePullSecrets, no action is required.

• New Redis images are hosted by Cortex in ghcr.io/cortexapps/helm-chart/. If you have set any image URI options, or mirrored the old official images locally, you will need to update your values to use the new images.

  • Image options include:

    • redis.global.imageRegistry

    • redis.image.registry, redis.image.repository, or redis.image.tag

    • redis.metrics.image.registry, redis.metrics.image.repository, or redis.metrics.image.tag

  • If none of the above are set, no action is required.

• Ensure that all of the following settings are false:

  • redis.sentinel.enabled

  • redis.volumePermissions.enabled

  • redis.sysctl.enabled

  • redis.kubectl.enabled

These are all false by default, so if you have not set them, no action is required.

If you have questions about these steps or about the upgrade, please reach out to Cortex support.

To publish Prometheus metrics:

1. Set app.shared.prometheusMetrics.enabled to true in your overrides.yaml:

1. Preview and apply the updated configuration by following the steps in Modifying the configuration after installing above.

When enabled, Prometheus metrics will be published on port 8181 at path /manage/prometheus (http://localhost:8181/manage/prometheus) for both backend and worker pods.

Prometheus configuration

To scrape metrics from Cortex, configure your Prometheus instance to scrape pods directly, for example:

This configuration uses Kubernetes service discovery to find Cortex pods by their labels and scrapes metrics directly from port 8181.

Application Metrics:

• http_server_requests_seconds - HTTP request latencies

• spring_data_repository_invocations_seconds - Database query durations

• comparatron_operation_seconds - External API call durations

• scorecard_latest_cache_access_total - Scorecard cache hit/miss rates

• executor_active_threads - Background job thread activity

• executor_queued_tasks - Queued background tasks

JVM Metrics:

• jvm_memory_used_bytes - Memory usage by area

• jvm_gc_pause_seconds - Garbage collection pause times

• jvm_threads_live_threads - Active thread count

• jvm_classes_loaded_classes - Loaded class count

Database Metrics:

• hikaricp_connections_active - Active database connections

• hikaricp_connections_pending - Pending connection requests

• hikaricp_connections_idle - Idle connections in pool

• hikaricp_connections_timeout_total - Connection timeout count

To check published Prometheus metrics:

1. Add annotations in overrides.yaml:

1. Preview and apply the updated configuration by following the steps in Modifying the configuration after installing above.

You can create a Grafana dashboard to display the metrics from Prometheus.

Note: The dashboard below is a basic dashboard to get started. You can expand it by adding more panels for:

• Background job executors (executor_active_threads)

• Scorecard cache performance (scorecard_latest_cache_access_total)

• Integration API calls (comparatron_operation_seconds_count)

• Database query performance (spring_data_repository_invocations_seconds)

Import JSON into Grafana

Save the following as cortex-dashboard.json and import it into Grafana: