docs: add external PostgreSQL configuration guide

docs.json

@@ -439,6 +439,7 @@
           "enterprise/enterprise-vs-oss",
           "enterprise/quick-start",
           "enterprise/analytics",
+          "enterprise/external-postgres",
           {
             "group": "K8s Install",
             "pages": [

enterprise/external-postgres.mdx

@@ -0,0 +1,109 @@
+---
+title: External PostgreSQL
+description: Configure OpenHands Enterprise to use your own PostgreSQL database
+icon: database
+---
+
+OpenHands Enterprise can connect to an external PostgreSQL instance instead of using
+the bundled database. This is useful when you have existing database infrastructure,
+need specific backup/recovery procedures, or require high availability configurations.
+
+## PostgreSQL Version
+
+OpenHands Enterprise requires **PostgreSQL 16.4.0 or above**. PostgreSQL 17 is also supported.
+
+## Required Databases
+
+OpenHands Enterprise uses the following databases:
+
+| Database | Purpose |
+|----------|---------|
+| `openhands` | Core application data |
+| `bitnami_keycloak` | Identity and access management |
+| `litellm` | LLM proxy configuration and usage tracking |
+| `runtime_api_db` | Runtime/sandbox management |
+| `automations` | Scheduled tasks and automation workflows |
+
+## Database User Requirements
+
+The PostgreSQL user provided to OpenHands Enterprise needs specific privileges depending
+on your preferred setup approach.
+
+### Option 1: Automatic Database Creation (Recommended)
+
+If you provide a database user with the `CREATEDB` privilege, OpenHands Enterprise will
+automatically create all required databases during installation.
+
+```sql
+-- Create user with CREATEDB privilege
+CREATE USER openhands_user WITH PASSWORD 'your-secure-password' CREATEDB;
+```
+
+When the user creates its own databases, it will automatically have all necessary privileges
+on them including the ability to manage the `public` schema.
+
+### Option 2: Manual Database Creation
+
+If your security policies prevent granting `CREATEDB`, you must manually create all
+databases before installation:
+
+```sql
+-- Create the databases
+CREATE DATABASE openhands;
+CREATE DATABASE bitnami_keycloak;
+CREATE DATABASE litellm;
+CREATE DATABASE runtime_api_db;
+CREATE DATABASE automations;
+
+-- Create user without CREATEDB
+CREATE USER openhands_user WITH PASSWORD 'your-secure-password';
+
+-- Grant privileges on each database
+GRANT ALL PRIVILEGES ON DATABASE openhands TO openhands_user;
+GRANT ALL PRIVILEGES ON DATABASE bitnami_keycloak TO openhands_user;
+GRANT ALL PRIVILEGES ON DATABASE litellm TO openhands_user;
+GRANT ALL PRIVILEGES ON DATABASE runtime_api_db TO openhands_user;
+GRANT ALL PRIVILEGES ON DATABASE automations TO openhands_user;
+
+-- Connect to each database and grant schema privileges
+\c openhands
+GRANT USAGE, CREATE ON SCHEMA public TO openhands_user;
+
+\c bitnami_keycloak
+GRANT USAGE, CREATE ON SCHEMA public TO openhands_user;
+
+\c litellm
+GRANT USAGE, CREATE ON SCHEMA public TO openhands_user;
+
+\c runtime_api_db
+GRANT USAGE, CREATE ON SCHEMA public TO openhands_user;
+
+\c automations
+GRANT USAGE, CREATE ON SCHEMA public TO openhands_user;
+```
+
+## Network Requirements
+
+Ensure your PostgreSQL instance is accessible from:
+
+- The OpenHands application pods/services
+- The Keycloak service
+- The LiteLLM proxy service
+- The Runtime API service
+
+If using network policies or firewalls, allow connections on the PostgreSQL port (default: 5432)
+from the OpenHands deployment.
+
+## Configuration
+
+When configuring OpenHands Enterprise, provide your external PostgreSQL connection details
+in the Admin Console or Helm values:
+
+- **Host**: Your PostgreSQL server hostname or IP
+- **Port**: PostgreSQL port (default: 5432)
+- **Username**: The database user created above
+- **Password**: The user's password
+
+<Note>
+  For production deployments, we recommend enabling SSL/TLS for database connections.
+</Note>

enterprise/k8s-install/index.mdx

@@ -1,7 +1,7 @@
 ---
 title: Kubernetes Installation
 description: Deploy OpenHands Enterprise into your own Kubernetes cluster using Helm
 icon: dharmachakra
 ---
 
 OpenHands Enterprise can be deployed into an existing Kubernetes cluster using Helm.
@@ -35,8 +35,8 @@
 |-----------|-------------|
 | **OpenHands Server** | Main application server handling UI, API, and agent orchestration |
 | **Runtime API** | Manages sandbox lifecycle—provisioning, scaling, and cleanup |
 | **Runtimes (Sandboxes)** | Isolated containers where agents execute code |
 | **Keycloak** | Identity and access management |
 | **LiteLLM Proxy** | Routes requests to your LLM provider(s) |
 | **PostgreSQL** | Persistent storage for application data |
 | **Redis** | Caching and session management |
@@ -50,6 +50,10 @@
 
 ## Guides
 
+<Card title="External PostgreSQL" icon="database" href="/enterprise/external-postgres">
+  Configure OpenHands to use your own PostgreSQL database instead of the bundled instance.
+</Card>
+
 <Card title="Resource Limits" icon="gauge-high" href="/enterprise/k8s-install/resource-limits">
   Configure memory, CPU, and storage for optimal performance.
 </Card>

enterprise/quick-start.mdx

@@ -148,6 +148,7 @@
 - Inbound ports are open: `80`, `443`, and `30000`
 - Outbound domains are reachable from the VM
 - GitHub App prerequisites are prepared
+- (Optional) [External PostgreSQL](/enterprise/external-postgres) instance provisioned if using your own database
 
 <Warning>
   Do not run the installer until preflight checks pass.
@@ -175,9 +176,9 @@
 done
 ```
 
 Expected: each hostname above resolves to your VM's public IP address.
 
 Test that a runtime wildcard hostname resolves:
 
 ```bash
 getent hosts "test.runtime.${BASE_DOMAIN}" || nslookup "test.runtime.${BASE_DOMAIN}"
@@ -212,7 +213,7 @@
 done
 ```
 
 Any HTTP response code other than `000` is acceptable for reachability checks
 (for example `200`, `301`, `302`, `401`, `403`, `405`).
 
 If any check fails, stop and resolve before continuing:
@@ -223,10 +224,10 @@
 
 | Requirement | Why It Exists |
 |------------|----------------|
 | `443/TCP` inbound | Primary HTTPS entrypoint for users and service hostnames |
 | `30000/TCP` inbound | Replicated/KOTS Admin Console for install and configuration |
 | `80/TCP` inbound | HTTP entrypoint used for ingress/redirect behavior |
 | `*.runtime.<domain>` DNS + cert SAN | Runtime sandboxes are addressed by dynamic runtime-specific hostnames |
 | `replicated.app`, `proxy.replicated.com` | Replicated control-plane/license/install paths |
 | `images.r9...`, `charts.r9...`, `updates.r9...`, `install.r9...` | Vendor distribution image/chart/update/install endpoints |
 | `traefik.github.io` | Embedded cluster ingress chart repository |
@@ -292,7 +293,7 @@
 ### 5. Upload TLS certificate (if not provided with the install command)
 
 If you did not provide certificates with the `install` command, select **"Upload your own"**,
 enter your base domain under **Hostname**, upload your private key and SSL certificate, then click **Continue**.
 
 ![Upload TLS certificate](./images/upload-tls-certificate.png)
 
@@ -317,7 +318,7 @@
 
 ### Domain Configuration
 
 - Select **"Derive hostnames from domain (recommended)"**
 - Enter your base domain (e.g., `openhands.example.com`)
 
 ### Certificate Configuration
@@ -330,6 +331,13 @@
 
 Enter your Anthropic API key from the [Anthropic Console](https://console.anthropic.com/).
 
+### Database Configuration
+
+By default, OpenHands Enterprise uses a bundled PostgreSQL database. If you need to use your
+own PostgreSQL instance (for example, to integrate with existing database infrastructure or
+meet specific backup/HA requirements), see [External PostgreSQL](/enterprise/external-postgres)
+for setup instructions.
+
 ### GitHub Authentication
 
 Enable GitHub Authentication in the Admin Console, then follow these steps to create and