# Use an External Service

You may want to use an external service rather than the small-scale services that a reference deployment runs in the cluster.

Examples include:

* PostgreSQL
* Kafka

{% hint style="danger" %}
**Warning**

**CRITICAL SECURITY REQUIREMENT**

**NEVER commit files containing secrets such as `.env` or `JWT` to version control.** These files must be managed securely.

As part of updating the inputs for your deployment:

1. **Review** the template secret files

2. **Set strong secrets** for the values, such as strong passwords

3. **Store the secret securely** outside your repository using one of these methods:
   * Cloud secrets management service
   * Enterprise secrets vault solution
   * Kubernetes Secrets with encryption at rest
   * Secure file system with restricted access (development only)

4. **Configure your deployment** to retrieve credentials from your secure storage at runtime

5. **Add the secrets files to your `.gitignore` file immediately**

{% endhint %}

6. Create your secret values in a secure location and reflect them in Kubernetes Secrets.

7. Give each secret the name already used by the respective deployment, e.g. **`ess-webid-postgres-credentials`** for the WebID Service database.

8. Continue with the rest of the [Applying Your Customizations](https://docs.inrupt.com/ess/2.5/installation/customize-configurations) procedure.
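
One way to carry out steps 3 to 7 for the WebID Service database secret, shown as an added example that is not part of the Inrupt documentation. The function names, the namespace `ess` and the file path are assumptions; the keys inside the env file must be the ones from the template secret files you reviewed in step 1.

```bash
#!/usr/bin/env bash
# Added example: every name except ess-webid-postgres-credentials is an assumption.

# Return 0 only if the secrets file is private and cannot end up in a commit.
secret_file_is_safe() {
  local file=$1 dir base
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

  # Group/other permission bits (columns 5-10 of ls -l) must all be clear.
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "too permissive, run: chmod 600 $file" >&2
    return 1
  fi

  dir=$(dirname "$file"); base=$(basename "$file")
  # No git, or file outside any work tree: it cannot be committed from here.
  command -v git >/dev/null 2>&1 || return 0
  git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0

  # Inside a work tree: the file must be untracked and covered by .gitignore.
  if git -C "$dir" ls-files --error-unmatch -- "$base" >/dev/null 2>&1; then
    echo "tracked by git: $file" >&2
    return 1
  fi
  if ! git -C "$dir" check-ignore -q -- "$base"; then
    echo "not in .gitignore: $file" >&2
    return 1
  fi
}

# Create or update the Kubernetes Secret from the checked file.
# The manifest is rendered client-side and piped to apply, so it never
# touches disk and the command can be re-run when a value is rotated.
apply_external_secret() {
  local name=$1 file=$2 namespace=$3
  secret_file_is_safe "$file" || return 1
  kubectl create secret generic "$name" \
    --namespace "$namespace" --from-env-file="$file" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage (namespace and path are placeholders):
# apply_external_secret ess-webid-postgres-credentials \
#   "$HOME/ess-secrets/webid-postgres.env" ess
```
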
