Database Setup#

An external database password secret is required to connect to a production PostgreSQL database.

Important

By default, Kubernetes stores Secret objects unencrypted in etcd; the base64 encoding of the data field is not encryption, and anyone who can read Secrets in the namespace can recover the password. To protect your secrets (encryption at rest, RBAC on Secret resources, external secret stores), see Kubernetes secret best practices in the Kubernetes documentation.

Microservice pods read this secret through a secretKeyRef and expose it to the platform through an environment variable named POSTGRES_DB_PASSWORD. Only the reference to the secret appears in the pod specification; the password value itself is injected at container start and is not visible in the pod spec.

Sample externalDatabase values for the NeMo Helm charts:

externalDatabase:
   host: <db host name or IP address>
   port: <port number, e.g. 5432>
   user: <user for authentication>
   database: <existing database in postgres>
   sslMode: <ssl mode for database connection>
   # SSL/TLS encryption mode for connecting to the database.
   # disable: Disable TLS.
   # require: Enable TLS without any verification. The connection is
   #          encrypted but the server is not authenticated, so this
   #          does not protect against an active man-in-the-middle.
   # verify-ca: Enable TLS with verification of the database server
   #            certificate against its root certificate.
   password: <password for user>
   existingSecret: "" # see Behavior below
   existingSecretPasswordKey: "" # see Behavior below

Behavior#

  • If externalDatabase.existingSecret is "" (the default), the chart creates a new Kubernetes secret containing the value you specify in externalDatabase.password.

  • To use your own Kubernetes secret, set externalDatabase.existingSecret to the name of the Secret resource and externalDatabase.existingSecretPasswordKey to the key within that secret that holds the password, and leave externalDatabase.password empty.

  • The password parameter is mutually exclusive with existingSecret and existingSecretPasswordKey: set one or the other, not both. Referencing an existing secret keeps the password out of your Helm values file and out of the release's stored values (for example, the output of helm get values), which is the preferred option for production deployments.

Create a Secret#

Create a secret using the following command. Note that --from-literal places the password on the command line, where it can be captured in shell history and in process listings; for production passwords, prefer --from-file=password=<path> so the value is read from a file instead.

kubectl create secret generic <secret-name> --from-literal=password=<password>

Example Secret

The following example shows a secret named my-external-database-secret whose password key holds the value my-password (bXktcGFzc3dvcmQ= is the base64 encoding of my-password, not a ciphertext). Reference it from the Helm values with existingSecret: my-external-database-secret and existingSecretPasswordKey: password.

apiVersion: v1
kind: Secret
metadata:
  name: my-external-database-secret
type: Opaque
data:
  password: bXktcGFzc3dvcmQ=
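The following is an added example, not part of the NeMo documentation or the chart itself. It ties the steps above together in a small POSIX shell script: it renders the Secret manifest and the matching externalDatabase values fragment from one set of variables, so the name and key referenced by existingSecret and existingSecretPasswordKey cannot drift from the Secret that is actually applied, and it checks that the reference resolves. The hostname db.example.internal, the user and database name nemo, and the password my-password are constructed sample values; the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not NeMo's code): keep the Secret and the Helm values that
# reference it consistent, and verify the base64 round trip. base64 is only a
# transport encoding; the value in `data:` is not encrypted.

# Render a Kubernetes Secret manifest. The password is passed as a shell
# function argument and fed to base64 through a builtin, so it is not
# exposed on an external command line the way --from-literal is.
render_secret() {
  name=$1; key=$2; password=$3
  encoded=$(printf '%s' "$password" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: Opaque
data:
  ${key}: ${encoded}
EOF
}

# Render the externalDatabase values fragment that points at that Secret.
# password is left empty because it is mutually exclusive with existingSecret.
render_values() {
  name=$1; key=$2; host=$3
  cat <<EOF
externalDatabase:
  host: ${host}
  port: 5432
  user: nemo
  database: nemo
  sslMode: verify-ca
  password: ""
  existingSecret: "${name}"
  existingSecretPasswordKey: "${key}"
EOF
}

# Decode the value stored under a key in a rendered manifest (what you would
# get from `kubectl get secret ... -o jsonpath='{.data.<key>}' | base64 -d`).
decode_secret_value() {
  manifest=$1; key=$2
  printf '%s\n' "$manifest" | sed -n "s/^  ${key}: //p" | base64 -d
}

# Check that existingSecret names the manifest's Secret and that
# existingSecretPasswordKey is a key present in its data. Returns non-zero
# on any mismatch, which is exactly the case that makes the pod fail to start.
check_reference() {
  manifest=$1; values=$2
  name=$(printf '%s\n' "$values" | sed -n 's/^  existingSecret: "\(.*\)"$/\1/p')
  key=$(printf '%s\n' "$values" | sed -n 's/^  existingSecretPasswordKey: "\(.*\)"$/\1/p')
  [ -n "$name" ] && [ -n "$key" ] || return 1
  printf '%s\n' "$manifest" | grep -q "^  name: ${name}\$" || return 1
  printf '%s\n' "$manifest" | grep -q "^  ${key}: " || return 1
}

# Usage: render both artifacts from one set of variables, then verify.
SECRET_NAME=my-external-database-secret
SECRET_KEY=password
manifest=$(render_secret "$SECRET_NAME" "$SECRET_KEY" my-password)
values=$(render_values "$SECRET_NAME" "$SECRET_KEY" db.example.internal)
check_reference "$manifest" "$values" && echo "values reference an existing secret key"
```

Pipe the rendered manifest into kubectl apply -f - and pass the values fragment to helm with -f; if check_reference fails, the chart would render a secretKeyRef to a key that does not exist and the pod would stay in CreateContainerConfigError.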