External Database Secrets

An external database password secret is required to connect to a production PostgreSQL database for multiple microservices.

Important

By default, Kubernetes secrets are not encrypted. To secure your secrets, see Kubernetes secret best practices in the Kubernetes documentation.

Microservice pods read this secret through a secretKeyRef and expose it to the application as an environment variable named POSTGRES_DB_PASSWORD. The pod specification only carries the reference to the secret; the password value itself is not visible there.

Sample external database secret values for NeMo Helm charts:

externalDatabase:
   host: <db host name or IP address>
   port: <port number, e.g. 5432>
   user: <user for authentication>
   database: <existing database in postgres>
   sslMode: <ssl mode for database connection>
   # SSL/TLS encryption mode for connecting to the database.
   # disable: Disable TLS.
   # require: Enable TLS without any verifications.
   # verify-ca: Enable TLS with verification of the database server
   #            certificate against its root certificate.
   password: <password for user>
   existingSecret: "" # see note about database secret management below
   existingSecretPasswordKey: "" # see note about database secret management below

Behavior

  • If you set externalDatabase.existingSecret="", a new Kubernetes secret will be created with the password you specify to externalDatabase.password.

  • If you prefer to use your own Kubernetes secret, specify the name of the secret resource in externalDatabase.existingSecret and the name of the secret key in externalDatabase.existingSecretPasswordKey.

  • The password parameter is mutually exclusive with the existingSecret and existingSecretPasswordKey parameters. If you set password, NeMo Data Store automatically creates a secret using the supplied password. Alternatively, you can reference an existing secret containing the password by using the existingSecret and existingSecretPasswordKey parameters.

Create a Secret

Create a secret using the following command:

kubectl create secret generic <secret-name> --from-literal=password=<password>

Example Secret

The following example shows a secret named my-external-database-secret whose password key holds the value my-password (base64-encoded in the data field as bXktcGFzc3dvcmQ=).

apiVersion: v1
kind: Secret
metadata:
  name: my-external-database-secret
type: Opaque
data:
  password: bXktcGFzc3dvcmQ=
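The script below is an added example, not part of the NeMo Helm charts or their documentation. It renders the same Opaque Secret manifest shown above from a plaintext password, renders the secretKeyRef env entry that a microservice pod would use once externalDatabase.existingSecret and externalDatabase.existingSecretPasswordKey point at that secret, and decodes the stored value again to make the "Important" note concrete: the data field is base64-encoded, not encrypted, so anyone who can read the Secret object recovers the password. The secret name, key and password are the constructed values from the example above; the helper function names are this example's own.

```shell
#!/bin/sh
# Added example (not NeMo chart code). Secret name, key and password below
# are constructed to match the page's example manifest.

# base64-encode a value for a Secret's data: field (single line, no wrapping).
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse of encode_secret_value. This is all it takes to read the password
# back from a Secret object (e.g. kubectl get secret -o yaml, or etcd without
# encryption at rest), which is why encrypting secrets at rest matters.
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Emit an Opaque Secret manifest.
# Usage: render_secret_manifest <secret-name> <secret-key> <password>
render_secret_manifest() {
    name=$1
    key=$2
    password=$3
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$name" "$key" "$(encode_secret_value "$password")"
}

# Emit the env entry through which a microservice pod reads the password:
# existingSecret becomes secretKeyRef.name, existingSecretPasswordKey becomes
# secretKeyRef.key, and the pod spec never contains the password itself.
# Usage: render_env_entry <secret-name> <secret-key>
render_env_entry() {
    printf 'env:\n  - name: POSTGRES_DB_PASSWORD\n    valueFrom:\n      secretKeyRef:\n        name: %s\n        key: %s\n' \
        "$1" "$2"
}

# Return 0 if the rendered manifest carries the given key under data:, so a
# mismatch between existingSecretPasswordKey and the real key is caught before
# the pod fails to start with a missing-key error.
manifest_has_key() {
    printf '%s\n' "$1" | grep -q "^  $2: "
}

# Stand-alone demo with the page's constructed values.
render_secret_manifest my-external-database-secret password my-password
echo '---'
render_env_entry my-external-database-secret password
echo "# decoded from the manifest: $(decode_secret_value "$(encode_secret_value my-password)")"
```

Pipe the first document into kubectl apply -f - to create the secret, then set externalDatabase.existingSecret to my-external-database-secret and externalDatabase.existingSecretPasswordKey to password in the chart values; the manifest_has_key check is the quick way to confirm the key name you configured actually exists in the secret before installing the chart.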