docs: improve Kubernetes deployment section in external PostgreSQL guide

d-bytebase · claude · d-bytebase · commit 3e8a45fe625b · 2025-08-13T01:52:22.000-07:00
- Rename "Running with Kubernetes" to "Kubernetes Deployment" for clarity - Reorganize secret configuration with clearer subheadings - Add comprehensive example for mounting secrets as files - Document automatic secret rotation behavior with file mounts - Clarify that Bytebase monitors file changes for seamless updates 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/mintlify/get-started/self-host/external-postgres.mdx b/mintlify/get-started/self-host/external-postgres.mdx
@@ -72,25 +72,25 @@ This bash script demonstrates how to add an external PostgreSQL database as the
 
 <TerminalDockerRunPgUrl />
 
-## Running with Kubernetes
+## Kubernetes Deployment
 
-### Using Connection String in YAML
+### Direct Configuration
 
-You can specify the PostgreSQL connection string directly in your Kubernetes YAML file:
+Configure the PostgreSQL connection directly in your deployment manifest:
 
 ```yaml
 env:
   - name: PG_URL
     value: 'postgresql://<<user>>:<<secret>>@<<host>>:<<port>>/<<dbname>>'
 ```
 
-### Using Kubernetes Secrets
+### Secret-Based Configuration
 
-Instead of specifying PostgreSQL connection string directly in Helm or Kubernetes yaml file, you can use Kubernetes secrets resources:
+For enhanced security, store your PostgreSQL connection string in a Kubernetes Secret:
 
-#### Kubernetes
+#### Using Secret as Environment Variable
 
-Use the following yaml section to replace the `spec.templates.spec.containers.env` section:
+Add the following environment variable configuration to your deployment's `spec.templates.spec.containers.env` section:
 
 ```yaml
 env:
@@ -101,3 +101,31 @@ env:
         key: secret_key
 ```
 
+#### Using Secret as File Mount
+
+Mount the secret as a file and point `PG_URL` to the file path. This approach supports automatic secret rotation - when the Kubernetes Secret is updated, the mounted file content is automatically refreshed, and Bytebase will pick up the new connection string without requiring a restart:
+
+```yaml
+spec:
+  containers:
+    - name: bytebase
+      env:
+        - name: PG_URL
+          value: "/var/secrets/pg-connection/url"
+      volumeMounts:
+        - name: pg-secret
+          mountPath: "/var/secrets/pg-connection"
+          readOnly: true
+  volumes:
+    - name: pg-secret
+      secret:
+        secretName: bytebase-pg-secret
+        items:
+          - key: connection-string
+            path: url
+```
+
+<Note>
+When using file-based secrets, Kubernetes automatically updates the mounted file content when the Secret is updated (typically within a minute). Bytebase monitors the file for changes and automatically reloads the connection string, enabling seamless secret rotation without downtime.
+</Note>
+
