External Database Secrets
An external database password secret is required to connect to a production PostgreSQL database for multiple microservices.
Important
By default, Kubernetes secrets are not encrypted. To secure your secrets, see Kubernetes secret best practices in the Kubernetes documentation.
Microservice pods read this secret through a secretKeyRef and expose it to the application through an environment variable named POSTGRES_DB_PASSWORD. The value of this variable is not visible in the pod specification itself.
Sample external database secret values for NeMo Helm charts:
externalDatabase:
   host: <db host name or IP address>
   port: <port number, e.g. 5432>
   user: <user for authentication>
   database: <existing database in postgres>
   sslMode: <ssl mode for database connection>
   # SSL/TLS encryption mode for connecting to the database.
   # disable: Disable TLS.
   # require: Enable TLS without any verifications.
   # verify-ca: Enable TLS with verification of the database server
   #            certificate against its root certificate.
   password: <password for user>
   existingSecret: "" # see note about database secret management below
   existingSecretPasswordKey: "" # see note about database secret management below
Behavior
- If you set externalDatabase.existingSecret="", a new Kubernetes secret is created with the password you specify in externalDatabase.password.
- If you prefer to use your own Kubernetes secret, specify the name of the secret resource in externalDatabase.existingSecret and the name of the secret key in externalDatabase.existingSecretPasswordKey.
- The password parameter is mutually exclusive with the existingSecret and existingSecretPasswordKey parameters. If you set password, NeMo Data Store automatically creates a secret using the supplied password. Alternatively, you can reference an existing secret containing the password by using the existingSecret and existingSecretPasswordKey parameters.
Create a Secret
Create a secret using the following command:
kubectl create secret generic <secret-name> --from-literal=password=<password>
Example Secret
The following example shows a secret named my-secret with a password of my-password.
apiVersion: v1
kind: Secret
metadata:
  name: my-external-database-secret
type: Opaque
data:
  password: bXktcGFzc3dvcmQ=
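The manifest above can also be built locally with the password supplied on stdin rather than as a --from-literal argument, which keeps it out of shell history and process listings. The following is an added example, not part of the NeMo documentation or charts; the function names render_db_secret and secret_value are hypothetical, and the sample password is the constructed value from the example above. It also shows that the data field is base64 text that anyone with read access to the secret can decode.

```shell
#!/bin/sh
# Added example. The password arrives on stdin, never in argv or history.

# render_db_secret NAME KEY -> Secret manifest on stdout (password on stdin)
render_db_secret() (
  name=$1 key=$2
  IFS= read -r pw || true          # tolerate input without a trailing newline
  if [ -z "$pw" ]; then
    echo "render_db_secret: empty password on stdin" >&2
    exit 1
  fi
  # data values are base64 text; tr removes line wrapping on long values
  enc=$(printf '%s' "$pw" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$key" "$enc"
)

# secret_value KEY -> decoded value of data.KEY (manifest on stdin)
secret_value() (
  sed -n "s/^  $1: //p" | base64 -d
)

# Constructed sample input; in practice pipe from a prompt or a protected file.
manifest=$(printf 'my-password\n' | render_db_secret my-external-database-secret password)
printf '%s\n' "$manifest"
printf 'decoded: %s\n' "$(printf '%s\n' "$manifest" | secret_value password)"

# Cluster usage (not run here):
#   render_db_secret my-external-database-secret password < pwfile | kubectl apply -f -
# Helm values that reference it; leave externalDatabase.password unset:
#   existingSecret: my-external-database-secret
#   existingSecretPasswordKey: password
```

The key passed as the second argument must match the value given in externalDatabase.existingSecretPasswordKey.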