- Datasources (connector)
- Pipeline stages
- Jobs

The ZooKeeper-based secrets management option is the legacy approach, where credentials are encrypted and embedded directly in pipeline and connector configurations. It is maintained for backward compatibility, and uses V1 connectors.
Benefits of Fusion Vault
Using Fusion Vault for secrets management, your organization can perform the following functions:- Create and store credentials in Kubernetes secrets instead of embedding them directly in a pipeline. Kubernetes secrets can be populated from external providers such as HashiCorp Vault, Amazon Web Services (AWS) Secrets Manager, Google Cloud Platform (GCP) Secret Manager, and Azure Key Vault using ESO. Fusion configurations only store references, not actual values.
- Reference credentials by logical name rather than by value. References are stored and exported as plain text, so the same pipeline or connector configuration can be imported into any environment. Each environment can define different underlying Kubernetes secrets behind the same reference name, with no changes to the configuration itself.
- When you update a credential in your vault, all related pipelines change automatically without manual pipeline updates or service restarts.
- Maintain compliance with strict Kubernetes security policies.
Use cases
This section provides examples of use cases that illustrate how your organization can use Fusion Vault for secrets management.- A data scientist creates a query pipeline that needs to access multiple external services securely. The fields of the pipeline are configured to reference the API and database credentials entered in your organization’s Kubernetes vault. The data scientist does not enter the values of the credentials in the Fusion pipeline. When the pipeline runs, authorization is completed using the credentials in the external vault. In addition, the same secret can be reused in multiple pipelines and stages, and are logged for audit purposes.
- A data engineer needs to configure an AWS S3 connector using credentials stored in AWS Secrets Manager. Other backend procedures such as configuring an ESO in the cluster need to be created as well. The data engineer creates an AWS S3 connector in the Fusion Admin UI by selecting the reference names of the credentials, but does not enter the values of the credentials in the Fusion UI. When the connector starts, credentials are pulled from the external vault. Credentials can be updated without reconfiguring the connector, and ESO automatically synchronizes any changes to all instances.
Operational flow

fusion/vault-managed: "true" and caches their values. The following describes how the components interact:
-
Fusion Admin UI queries Fusion Vault for the list of available secret labels and presents them in dropdowns when configuring pipelines, jobs, and connectors. Users select a secret reference (for example,
my-creds.password), but users never see or enter the actual secret value. - Fusion services (jobs, connectors, pipelines, and stages) store only the logical secret reference in their configuration. At runtime, they resolve the actual value through Fusion Vault using a service account. End users cannot access secret values directly.
-
Kubernetes secrets are the source of truth. Fusion Vault watches them continuously and updates its cache when they change. Secrets can be created directly using
kubectlor Helm, or are synchronized from an external vault provider (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, GCP Secret Manager) using the optional Kubernetes External Secrets Operator (ESO).
Multi-tier caching ensures Fusion pipelines continue to run even if the Kubernetes API is temporarily unavailable, with automatic resynchronization when connectivity is restored.
Fusion Vault functions
Fusion Vault manages credentials such as database credentials, API keys, cloud storage access keys, and authentication tokens used by pipelines, jobs, and connectors to connect to external services. Fusion Vault does not manage secrets required for Fusion itself to operate, such as service account passwords, TLS certificates, and encryption keys. Those are defined during installation through Helm chart values or Kubernetes secrets and are not affected by this feature.Configuration
Fusion Vault reads Kubernetes secrets that match its required format. You can create conforming secrets using a method that suits your infrastructure. Create secrets using Helm, a CI/CD pipeline, or any tool capable of producing Kubernetes secrets with the required label and annotations.Prerequisites
Prerequisites
Ensure you have the following prerequisites in place:
- A Kubernetes cluster with Fusion installed
- Access to the Kubernetes cluster using
kubectlcommands - Administrative privileges in Fusion for testing and validation
- Administrative privileges in your external vault provider (only required if using a synchronizing tool such as ESO)
Kubernetes secret format requirements
Kubernetes secret format requirements
For Fusion Vault to pick up a Kubernetes secret, the secret must have the label Any method to create Kubernetes secrets is valid:
fusion/vault-managed: "true". Secrets without this label are ignored.The following annotations are optional but recommended:fusion/label: A human-readable name used when referencing the secret in Fusion. If omitted, the Kubernetes secret name is used in references insteadfusion/description: A description of the secret’s purpose
kubectl, Helm, CI/CD pipelines, or automated synchronizing tools as long as the resulting secret carries the fusion/vault-managed: "true" label.Create secrets
Create secrets
Choose one of the following approaches to create conforming secrets.
- Create secrets directly (kubectl)
- Create secrets using ESO
Create Kubernetes secrets yourself using Fusion Vault detects the labeled secret and makes it available for reference in pipelines, jobs, and connectors as
kubectl, Helm, or a CI/CD pipeline.Here is an example of using kubectl to create a Kubernetes secret and apply the required label and optional annotations:database-creds.username and database-creds.password.Configure SecretStore
Configure SecretStore
A SecretStore is a Kubernetes Custom Resource Definition (CRD) provided by the External Secrets Operator.
It is not part of Fusion’s Helm chart. You manage it as a separate infrastructure resource, deployed in the same namespace as Fusion.The SecretStore acts as a configuration bridge that tells ESO which external vault to connect to and how to authenticate to it. Define it as a YAML manifest and apply it to your cluster:You can configure multiple SecretStores simultaneously, one per environment (development, staging, production) or one per vault provider.Each ExternalSecret resource references the appropriate store by name.
- Google Cloud Secret Manager
- AWS Secrets Manager
- Azure Key Vault
- HashiCorp Vault
- Kubernetes Secrets
Create secrets in your vault provider
Create secrets in your vault provider
Use your vault provider’s console or command line interface (CLI) to create the actual secret values. Store the vault paths and keys securely for reference when creating ExternalSecret resources.
- Google Cloud Console
- AWS Console
- Azure Portal
- HashiCorp Vault
Use the Google Cloud Console or enter the
gcloud secrets create command.Create ExternalSecret resources
Create ExternalSecret resources
Create ExternalSecret resources that define how secrets synchronize from your vault to Kubernetes.ExternalSecret resources must include the
fusion/vault-managed: "true" label in spec.target.template.metadata.labels for Fusion to discover them. This feature requires Kubernetes External Secrets Operator version 0.10 or later.As you create ExternalSecret resources, enter the following labels and annotations to identify the secrets.-
The
fusion/vault-managed: "true"label is required and enables Fusion discovery of secrets. -
The following annotations are recommended, but not required:
fusion/label: A human-readable identifier used in secret referencesfusion/description: A description of the secret’s purpose
- GCP
- AWS S3
- Multi-provider configuration
These are example database credentials from GCP.
Verify secrets are visible to Fusion Vault
Verify secrets are visible to Fusion Vault
-
Use
kubectlto verify that secrets exist in Kubernetes with the required label:- List all Fusion-managed secrets:
- View secret details:
- Check ExternalSecret status
- Verify labels and annotations
-
Verify that Fusion can access the secrets through the Fusion Vault API by querying the Fusion Vault labels endpoint:
Configure Fusion to reference secrets
Configure Fusion to reference secrets
Configure Fusion datasources (connectors), pipelines, and jobs to reference the synchronized secrets.In the Fusion UI, preview the fields used for secrets:
Your managed secret is found in the datasource configuration in Crawl Authentication Properties > Basic Authentication > Host.
- Datasources (connectors)
- Query pipelines
- Custom Python job

Test and validate
Test and validate
Test each configured pipeline, job, and connector using these steps:
- Run a test indexing job using the configured datasource.
- Verify the connector, pipeline, or job can authenticate using the secret reference.
- Check Fusion logs for any secret resolution errors.
- Monitor Fusion processes to confirm secrets are accessible.
When secret rotation is necessary, update the secret values in your vault provider. ESO automatically synchronizes changes to Kubernetes based on the
refreshInterval, and Fusion picks up the new values without manual updates or restarts.

