The Kubernetes secret named px-kvdb-auth is used to store authentication credentials required for Portworx to connect to a secure, external key-value database (KVDB) like etcd or Consul. When the external KVDB is secured using TLS, this secret must contain the necessary client certificate, client private key, and the CA certificate. The Portworx Operator or DaemonSet references this secret to establish a secure, authenticated connection to the KVDB for storing cluster metadata.

A. px-kvdb: This is an incorrect name. While related to the KVDB, it is not the standard name for the secret containing TLS authentication certificates.

B. px-kvdb-cert: This name is descriptive but not the one specified in the official Portworx documentation for storing KVDB authentication materials.

1. Portworx Enterprise Documentation - Install Portworx on Kubernetes -> Prerequisites -> Key-value store: "If you are using a secure etcd

you need to create a secret called px-kvdb-auth in the kube-system namespace with the following files: ca.crt

etcd-client.crt

etcd-client.key." This section explicitly names the secret.

2. Portworx Enterprise Documentation - Use an external key-value store -> Secure etcd with TLS: "Create a Kubernetes secret called px-kvdb-auth with the client certificate

key

and CA certificate you generated in the previous section." This guide provides a step-by-step process

reinforcing the required secret name.

3. Portworx Enterprise Documentation - Reference -> StorageCluster -> kvdb: The StorageCluster Custom Resource Definition (CRD) includes the field spec.kvdb.authSecret. The documentation notes: "Name of the secret that has the credentials for the KVDB. If the secret is not provided

Portworx will use the default secret name px-kvdb-auth." This confirms the default and expected name.