docs: document db-init-job for automatic postgresql setup in litellm and langfuse

docs/admin/deployment/aws/04-infrastructure-deployment/manual-deployment.md

@@ -298,6 +298,13 @@ enable_private_connections = true
 lb_prefix_list_ids         = []
 lb_specific_ips            = []
 security_group_ids         = []
+
+# Optional: Dedicated RDS Instances Configuration
+# Set enabled = true to provision a dedicated RDS instance for the service.
+# All other fields are optional and fall back to defaults.
+keycloak_db_config = { enabled = true }
+langfuse_db_config = { enabled = false }
+litellm_db_config  = { enabled = false }
 ```
 
 :::tip Review All Variables

docs/admin/deployment/aws/04-infrastructure-deployment/scripted-deployment.md

@@ -138,9 +138,12 @@ TF_VAR_lb_prefix_list_ids='[]'
 TF_VAR_lb_specific_ips='[]'
 TF_VAR_security_group_ids='[]'
 
-# Optional: Keycloak Database
-# Set to false to share the existing CodeMie RDS instance instead of creating a dedicated one
-TF_VAR_keycloak_dedicated_database_instance=true
+# Optional: Dedicated RDS Instances Configuration
+# Set enabled=true to provision a dedicated RDS instance for the service.
+# Omitted fields fall back to defaults (instance_class, db_name, username, etc.).
+TF_VAR_keycloak_db_config='{"enabled":true}'
+TF_VAR_langfuse_db_config='{"enabled":false}'
+TF_VAR_litellm_db_config='{"enabled":false}'
 ...
 ```
 
@@ -183,12 +186,26 @@ CODEMIE_POSTGRES_DATABASE_NAME=codemie
 CODEMIE_POSTGRES_DATABASE_USER=dbadmin
 CODEMIE_POSTGRES_DATABASE_PASSWORD="generated-password"
 
-# Keycloak Database Outputs (present when TF_VAR_keycloak_dedicated_database_instance=true)
+# Keycloak Database Outputs (present when keycloak_db_config.enabled=true)
 KEYCLOAK_POSTGRES_DATABASE_HOST=codemie-keycloak-rds.123456789012.us-east-1.rds.amazonaws.com
 KEYCLOAK_POSTGRES_DATABASE_PORT=5432
 KEYCLOAK_POSTGRES_DATABASE_NAME=keycloak
 KEYCLOAK_POSTGRES_DATABASE_USER=keycloak_admin
 KEYCLOAK_POSTGRES_DATABASE_PASSWORD="generated-password"
+
+# LiteLLM Database Outputs (present when litellm_db_config.enabled=true)
+LITELLM_POSTGRES_DATABASE_HOST=codemie-litellm-rds.123456789012.us-east-1.rds.amazonaws.com
+LITELLM_POSTGRES_DATABASE_PORT=5432
+LITELLM_POSTGRES_DATABASE_NAME=litellm
+LITELLM_POSTGRES_DATABASE_USER=litellm_admin
+LITELLM_POSTGRES_DATABASE_PASSWORD="generated-password"
+
+# Langfuse Database Outputs (present when langfuse_db_config.enabled=true)
+LANGFUSE_POSTGRES_DATABASE_HOST=codemie-langfuse-rds.123456789012.us-east-1.rds.amazonaws.com
+LANGFUSE_POSTGRES_DATABASE_PORT=5432
+LANGFUSE_POSTGRES_DATABASE_NAME=langfuse
+LANGFUSE_POSTGRES_DATABASE_USER=langfuse_admin
+LANGFUSE_POSTGRES_DATABASE_PASSWORD="generated-password"
 ```
 
 :::tip Save These Outputs

docs/admin/deployment/azure/04-infrastructure-deployment/scripted-deployment.md

@@ -85,9 +85,12 @@ TF_VAR_tags='{"createdWith":"Terraform","environment":"production"}'
 # Optional: AI Models Deployment
 DEPLOY_AI_MODELS="true"                    # Set to "false" to skip Azure OpenAI deployment
 
-# Optional: Keycloak Database
-# Set to false to share the existing CodeMie PostgreSQL instance instead of creating a dedicated one
-TF_VAR_keycloak_dedicated_database_instance=true
+# Optional: Dedicated PostgreSQL Flexible Server Instances Configuration
+# Set enabled=true to provision a dedicated instance for the service.
+# Omitted fields fall back to defaults (sku_name, db_name, username, etc.).
+TF_VAR_keycloak_db_config='{"enabled":true}'
+TF_VAR_langfuse_db_config='{"enabled":false}'
+TF_VAR_litellm_db_config='{"enabled":false}'
 ```
 
 :::tip Required vs Optional Variables
@@ -379,12 +382,26 @@ CODEMIE_POSTGRES_DATABASE_NAME="codemie"
 CODEMIE_POSTGRES_DATABASE_USER="pgadmin"
 CODEMIE_POSTGRES_DATABASE_PASSWORD="password"
 
-# Keycloak PostgreSQL (present when TF_VAR_keycloak_dedicated_database_instance=true)
+# Keycloak PostgreSQL (present when keycloak_db_config.enabled=true)
 KEYCLOAK_POSTGRES_DATABASE_HOST="keycloak-psql-abc123.postgres.database.azure.com"
-KEYCLOAK_POSTGRES_DATABASE_PORT="5432"
+KEYCLOAK_POSTGRES_DATABASE_PORT=5432
 KEYCLOAK_POSTGRES_DATABASE_NAME="keycloak"
 KEYCLOAK_POSTGRES_DATABASE_USER="keycloak_admin"
 KEYCLOAK_POSTGRES_DATABASE_PASSWORD="password"
+
+# LiteLLM PostgreSQL (present when litellm_db_config.enabled=true)
+LITELLM_POSTGRES_DATABASE_HOST="litellm-psql-abc123.postgres.database.azure.com"
+LITELLM_POSTGRES_DATABASE_PORT=5432
+LITELLM_POSTGRES_DATABASE_NAME="litellm"
+LITELLM_POSTGRES_DATABASE_USER="litellm_admin"
+LITELLM_POSTGRES_DATABASE_PASSWORD="password"
+
+# Langfuse PostgreSQL (present when langfuse_db_config.enabled=true)
+LANGFUSE_POSTGRES_DATABASE_HOST="langfuse-psql-abc123.postgres.database.azure.com"
+LANGFUSE_POSTGRES_DATABASE_PORT=5432
+LANGFUSE_POSTGRES_DATABASE_NAME="langfuse"
+LANGFUSE_POSTGRES_DATABASE_USER="langfuse_admin"
+LANGFUSE_POSTGRES_DATABASE_PASSWORD="password"
 ```
 
 :::tip Save These Outputs

docs/admin/deployment/common/deployment/05-components-deployment/manual-deployment/security/_security-keycloak-install.mdx

@@ -18,7 +18,7 @@ Create the required Kubernetes secrets in the `security` namespace before instal
 
 Keycloak can use a dedicated database instance or share the existing CodeMie database. Choose the appropriate option based on your infrastructure.
 
-**Dedicated database instance** (when `TF_VAR_keycloak_dedicated_database_instance=true`):
+**Dedicated database instance** (when `TF_VAR_keycloak_db_config='{"enabled":true}'`):
 
 ```bash
 # Source the infrastructure outputs
@@ -29,7 +29,7 @@ kubectl create secret generic keycloak-postgresql \
   --namespace security
 ```
 
-**Shared CodeMie database** (when `TF_VAR_keycloak_dedicated_database_instance=false`):
+**Shared CodeMie database** (when `TF_VAR_keycloak_db_config='{"enabled":false}'`):
 
 ```bash
 # Source the infrastructure outputs

docs/admin/deployment/extensions/01-litellm-proxy/02-configure-values.md → docs/admin/deployment/extensions/01-litellm-proxy/01-configure-values.md

@@ -1,14 +1,14 @@
 ---
 id: configure-values
 sidebar_label: Configure Values
-sidebar_position: 3
-title: Step 2 - Configure API and Proxy Values
+sidebar_position: 2
+title: Step 1 - Configure API and Proxy Values
 description: Configure CodeMie API and LiteLLM values.yaml files
 pagination_prev: admin/deployment/extensions/litellm-proxy/litellm-proxy-overview
 pagination_next: null
 ---
 
-# Step 2: Configure CodeMie API and LiteLLM Values
+# Step 1: Configure CodeMie API and LiteLLM Values
 
 This step is required for both Automated and Manual setups.
 
@@ -62,6 +62,25 @@ litellm-helm:
     enabled: false # Redis is disabled by default
 ```
 
+### Enable Database Initialization Job
+
+`dbInitJob` automatically creates the `postgres_litellm` database and user during Helm deployment. It is **disabled by default**.
+
+```yaml
+dbInitJob:
+  # highlight-next-line
+  enabled: true
+  initImage: alpine/psql:18.3
+  pgAdminSecret:
+    name: codemie-postgresql  # Secret with PostgreSQL admin credentials
+    userKey: PG_USER
+    passwordKey: PG_PASS
+```
+
+:::info
+When enabled, the deployment script (`helm-charts.sh`) automatically creates the `codemie-postgresql` secret using admin credentials from `deployment_outputs.env` — either `CODEMIE_POSTGRES_DATABASE_USER`/`CODEMIE_POSTGRES_DATABASE_PASSWORD` (shared database) or `LITELLM_POSTGRES_DATABASE_USER`/`LITELLM_POSTGRES_DATABASE_PASSWORD` (dedicated LiteLLM database). For manual deployment, create this secret before running Helm — see [Manual Deployment](./deployment/manual-deployment#step-52-create-secrets-and-configmaps).
+:::
+
 ### Redis Configuration
 
 By default, Redis deployment is **disabled** (`enabled: false`). Redis is an optional component that enhances LiteLLM proxy capabilities for specific use cases.

docs/admin/deployment/extensions/01-litellm-proxy/03-auth-secrets.md → docs/admin/deployment/extensions/01-litellm-proxy/02-auth-secrets.md

@@ -1,14 +1,14 @@
 ---
 id: auth-secrets
 sidebar_label: Authentication
-sidebar_position: 4
-title: Step 3 - Cloud Provider Authentication
+sidebar_position: 3
+title: Step 2 - Cloud Provider Authentication
 description: Configure authentication secrets for AWS, Azure, and GCP
 pagination_prev: admin/deployment/extensions/litellm-proxy/litellm-proxy-overview
 pagination_next: null
 ---
 
-# Step 3: Cloud Provider Authentication Secrets
+# Step 2: Cloud Provider Authentication Secrets
 
 LiteLLM Proxy requires credentials to authenticate with cloud provider services. The recommended authentication method depends on where your Kubernetes cluster is hosted and which AI services you intend to use.
 

docs/admin/deployment/extensions/01-litellm-proxy/04-model-config.md → docs/admin/deployment/extensions/01-litellm-proxy/03-model-config.md

@@ -1,14 +1,14 @@
 ---
 id: model-config
 sidebar_label: Model Configuration
-sidebar_position: 5
-title: Step 4 - LiteLLM Model Configuration
+sidebar_position: 4
+title: Step 3 - LiteLLM Model Configuration
 description: Configure LLM models and regions
 pagination_prev: admin/deployment/extensions/litellm-proxy/litellm-proxy-overview
 pagination_next: null
 ---
 
-# Step 4: LiteLLM Proxy Model Configuration
+# Step 3: LiteLLM Proxy Model Configuration
 
 The core of the LiteLLM Proxy configuration is the model list, which defines the LLM models the proxy will manage. Sample configuration files are provided in the Helm chart for each major cloud provider.
 

docs/admin/deployment/extensions/01-litellm-proxy/05-deployment/automated-deployment.md → docs/admin/deployment/extensions/01-litellm-proxy/04-deployment/automated-deployment.md

@@ -27,6 +27,8 @@ Before running the script, ensure you have completed the following configuration
 
 3. **Configure LLM Models:** Review and customize your desired models and regions in the `litellm/config/litellm-<cloud>-config.yaml` file, as detailed in [Model Configuration](../model-config).
 
+4. **Database Initialization:** Ensure `dbInitJob.enabled: true` is set in `litellm/values-<cloud>.yaml`. The script will automatically create the required secrets to initialize the `postgres_litellm` database and user. Admin credentials are read from `deployment_outputs.env` — either `CODEMIE_POSTGRES_DATABASE_*` (shared database) or `LITELLM_POSTGRES_DATABASE_*` (dedicated database), depending on your setup.
+
 :::warning
 
 Completing all configuration steps mentioned in the checklist is **mandatory** for a successful installation.
@@ -38,11 +40,19 @@ Completing all configuration steps mentioned in the checklist is **mandatory** f
 Once all configurations are in place, execute the following command from the root of the repository. Replace `<cloud_name>` with your target cloud (`aws`, `azure`, or `gcp`) and specify the desired version.
 
 ```bash
-bash helm-charts.sh --cloud <cloud_name> --version=x.y.z --mode all --optional litellm
+bash helm-charts.sh --cloud <cloud_name> --version x.y.z --mode all --optional litellm
 ```
 
 During execution, the script may prompt you to enter authentication details if you are deploying for Azure or GCP.
 
+If LiteLLM uses a **shared database** (no `LITELLM_POSTGRES_DATABASE_HOST` in `deployment_outputs.env`), the script will also prompt:
+
+```
+Enter the LITELLM_POSTGRES_DATABASE_PASSWORD:
+```
+
+This password is set for the `litellm` database user created by the db-init job.
+
 ## Next Steps
 
 After successful deployment:

docs/admin/deployment/extensions/01-litellm-proxy/05-deployment/index.md → docs/admin/deployment/extensions/01-litellm-proxy/04-deployment/index.md

@@ -1,14 +1,14 @@
 ---
 id: deployment-overview
 sidebar_label: Deployment
-sidebar_position: 6
-title: Step 5 - Deployment
+sidebar_position: 5
+title: Step 4 - Deployment
 description: Deploy LiteLLM Proxy using automated or manual methods
 pagination_prev: admin/deployment/extensions/litellm-proxy/litellm-proxy-overview
 pagination_next: null
 ---
 
-# Step 5: Deployment
+# Step 4: Deployment
 
 Choose one of the following methods to deploy the LiteLLM Proxy. **Automated Deployment** is recommended for most users as it automates secret creation, Helm deployment, and integration configuration.