Enterprise Postgres 18 for Kubernetes Reference

1.1 FEPCluster Parameter

Equivalent Kubernetes command: kubectl apply -f FEPClusterCR.yaml

This operation creates a FEPCluster with the information supplied in FEPClusterCR.yaml.

Initial configuration and subsequent changes to the FEP cluster are made through the FEPCluster CR.

Field

Default

Details

metadata.name

new-fep

Name for the Cluster. FEP server container will use this value for Patroni scope.

e.g. new-fep

spec.fep.autoPodRestart

<omitted>

Optional

This parameter affects the behaviour when the CPU, memory and/or image values for the FEP container and/or the optional Backup container are updated in the FEPCluster CR.

If it is not defined, or is set to true, the operator automatically creates an action CR that makes the values effective by restarting all pods in an orderly fashion to minimise outage.

If it is set to false, pods are NOT restarted automatically. To make the changes effective, the user must restart the pods by creating an action CR with type ‘pod_restart’ and arguments ‘ALL’.

spec.fep.fepVersion

<omitted>

Optional

When deploying a new FEP cluster, this parameter controls which FEP major version will be used for the deployment.

If not specified, the Operator will use the latest FEP version supported by the Operator.

When fepVersion is defined but spec.fep.image.image is not, the Operator will deploy the specified version of FEP.

When both fepVersion and image are defined, the Operator will use the image and discard the value of fepVersion.

Currently supported values: 14, 15, 16, 17, 18

Note: Changing fepVersion from one version to another version is not supported after deployment.

spec.fep.customAnnotation.allDeployments

{}

(*)

The contents under this key are optional. The user can remove {} and add multiple key-value pairs; all of them are added to the annotations of the FEP StatefulSet and FEP Pods. If left at the default, no annotation is added to Pods or StatefulSets.

spec.fep.image.image

<omitted>

FEP server container image to be used

quay.io/fujitsu/fujitsu-enterprise-postgres-18-server:ubi9-18-1.0

It is optional

Image line is omitted by default.

This key has a higher precedence than fepVersion. If both fepVersion and image are omitted, Operator will use the latest FEP version that it supports. If both fepVersion and image are specified, Operator will use the specified image and ignore the value in fepVersion.

spec.fep.image.pullPolicy

IfNotPresent

spec.fep.mcSpec.limits

cpu: 500m

memory: 700Mi


(If spec.fep.databaseSize is medium)
  cpu: 2
  memory: 4Gi

(If spec.fep.databaseSize is large)
  cpu: 4
  memory: 16Gi

spec.fep.mcSpec.requests

cpu: 200m

memory: 512Mi


(If spec.fep.databaseSize is medium)
  cpu: 1
  memory: 2Gi

(If spec.fep.databaseSize is large)
  cpu: 2
  memory: 8Gi

spec.fep.databaseSize

Specifiable values: small, medium, large

The operator defines the values for cpu, memory, and postgresql.conf, matching the specified values.
If the target parameter is defined, it is not overwritten.

Can be set only when creating FEPCluster custom resource.
After you create a FEPCluster custom resource, you customize it by editing each parameter.

spec.fep.sysExtraLogging

false

To turn extra debugging on, set value to true

It can be turned on/off at any time

spec.fep.sysExtraEvent

false

Optional

To turn on event notification for custom resource changes, set the value to true. You can turn it on or off at any time.

spec.fep.instances

1

Number of nodes in the cluster, including both Master and Replicas.

In Example CR, it is kept at 1 for certification.

However, user can change it to 3 for 1 master and 2 replicas.

spec.fep.servicePort

27500

TCP port for FEP master service

spec.fep.syncMode

off

Replication Mode:

off - async replication

on - sync replication

spec.fep.standby.enable

false

This parameter enables the hot standby configuration. Set it to true to enable.

spec.fep.standby.method

Specifies the method for achieving a hot standby configuration.

archive-recovery - Uses continuous recovery.

streaming - Uses streaming replication.

spec.fep.standby.pgBackrestConf

Required for both continuous recovery and streaming replication methods. You must specify the backup storage on which the production environment is backed up. AWS S3 and Azure Blob Storage are available.

spec.fep.standby.streaming.host

Specify this option to use the streaming replication method. Specify the external IP of the LoadBalancer you created in "Defining a Streaming Replication Method" in the User's Guide.

spec.fep.standby.streaming.port

Specify this option to use the streaming replication method. Specify the port defined in the LoadBalancer you created in "Defining a Streaming Replication Method" in the User's Guide.

spec.fep.forceSsl

true

Controls the use of SSL only for communication between FEPCluster containers. The changes are reflected in pg_hba.conf.

Changing this parameter is not reflected in pg_hba.conf if the automatic certificate generation feature is enabled.

spec.fep.locale

<omitted>

(*)

Optional

Can only be specified when creating a FEPCluster.

Database Cluster Locale Settings:

ja_JP - Japanese locale

Default - C

spec.fep.monitoring

This is an optional section. It defines whether monitoring is enabled (true) or disabled (false), whether mTLS is enabled, and whether Basic authentication is enabled.

spec.fep.monitoring.enable

false

If set true, the operator will create FEPExporter with given spec

spec.fep.monitoring.fepExporter

This is an optional section. The exporter spec is applied only if enable: true.

spec.fep.monitoring.fepExporter.authSecret

This is an optional section. Basic authentication secret that provides the username and encrypted password of the user.

spec.fep.monitoring.fepExporter.authSecret.secretName

( created by user )

Mandatory

Name of secret that contains username and password

spec.fep.monitoring.fepExporter.authSecret.userKey

( created by user )

Mandatory

Key of username in specified secret

spec.fep.monitoring.fepExporter.authSecret.passwordKey

( created by user )

Mandatory

Key of password in specified secret

spec.fep.monitoring.fepExporter.tls

This is an optional section. FEPExporter mTLS specs. Mandatory if tls specs are defined for Prometheus.

spec.fep.monitoring.fepExporter.tls.certificateName

( created by user )

Mandatory. This points to the Kubernetes TLS secret that contains the certificate of FEPExporter. Prometheus will use this for certificate authentication. The certificate itself is stored in the key tls.crt.

spec.fep.monitoring.fepExporter.tls.caName

( created by user )

Mandatory. This points to the Kubernetes ConfigMap that contains the additional CA the client uses to verify a server certificate. The CA is stored in the key ca.crt.

spec.fep.monitoring.fepExporter.customLabel

Optional

List of key value pair to be added to Prometheus ServiceMonitor label. The following label will always be added to ServiceMonitor, regardless if a value is specified here or not.
fepsmgrp: sm-fep-exporter

spec.fep.monitoring.prometheus

This is an optional section. Prometheus specs are mandatory if tls specs are defined for FEPExporter.

spec.fep.monitoring.prometheus.tls

Prometheus mTLS specs

spec.fep.monitoring.prometheus.tls.certificateName

( created by user )

This is an optional parameter. This points to the Kubernetes TLS secret that contains the certificate of Prometheus. FEPExporter will use this for certificate authentication. The certificate itself is stored in the key tls.crt.

spec.fep.monitoring.prometheus.tls.caName

( created by user )

This is an optional parameter. This points to the Kubernetes ConfigMap that contains the additional CA the client uses to verify a server certificate. The CA is stored in the key ca.crt.

spec.fep.externalMonitoring.cloudWatch

This is an Optional section.

Define this option when linking with CloudWatch.

spec.fep.externalMonitoring.cloudWatch.enable

true

Optional

A value of true forwards Fujitsu Enterprise Postgres metrics to CloudWatch.

Specify false to cancel log transfer.

spec.fep.externalMonitoring.cloudWatch.shedule

"0-59/10 * * * *"

You can specify how often to transfer. Specified as a Cron value.

spec.fep.externalMonitoring.cloudWatch.namespace

Specifies the CloudWatch Namespace to which metrics are forwarded.

Required if spec.fep.externalMonitoring.cloudWatch is specified

spec.fep.externalMonitoring.cloudWatch.defaultMetrics

true

Specify true to capture and forward the metrics described in "Metrics Collected by CloudWatch" in the User's Guide.

Specify false to forward only custom metrics to CloudWatch.

spec.fep.externalMonitoring.cloudWatch.customMetrics

Optional

If you want to forward custom metrics, specify the ConfigMap name where you defined the custom metrics.

spec.fep.externalMonitoring.cloudWatch.dimensionName

Optional

If adding a Dimension, specify a name of your choice.

If dimensionValue is omitted, this value is ignored.

spec.fep.externalMonitoring.cloudWatch.dimensionValue

Optional

If adding a Dimension, specify any value.

If dimensionName is omitted, this value is ignored.

spec.fep.externalMonitoring.cloudWatch.authentication.cloudWatchCredentials

Specify the name of a secret that defines the credentials for a role with permission to forward metrics to CloudWatch.

Required if spec.fep.externalMonitoring.cloudWatch is specified

spec.fep.externalMonitoring.cloudWatch.authentication.cloudWatchConfig

Specify a ConfigMap name that defines the config information for a role that has permission to forward metrics to CloudWatch.

Required if spec.fep.externalMonitoring.cloudWatch is specified

spec.fep.externalMonitoring.cloudWatch.databases

postgres

Specifies the databases from which to collect metrics, in list format.

The default is to collect metrics from the postgres database.

spec.fep.podAntiAffinity

false

Specifies that the pods should not all run on the same worker node.

spec.fep.podDisruptionBudget

false

Maintains a minimum number of pods of the application even when some nodes are voluntarily drained, for example for maintenance.

spec.fep.replicationSlots

List of Patroni permanent replication slots.

spec.fep.replicationSlots.demo_subscription1

The 'demo_subscription1' is the slot name. This name cannot be same as any pod name (e.g., new-fep-sts-01) in the cluster. Otherwise, the slot will not be created.

spec.fep.replicationSlots.type

logical

Must be 'logical' for logical replication

spec.fep.replicationSlots.database

postgres

Specify the database name for logical replication

spec.fep.replicationSlots.plugin

pgoutput

FEP supports 'pgoutput' by default.

spec.fep.usePodName

Optional
Setting this key to true makes internal pod communication, for both Patroni and Postgres, use the hostname instead of the IP address. This matters for TLS: the pod hostname is predictable and can be placed in the server certificate, whereas the IP address is unpredictable and cannot be used to create a certificate. There is no negative effect from setting this key to true even if TLS (i.e. a server certificate) is not used.

spec.fep.patroni.tls.certificateName

( created by user )

Optional
This points to the Kubernetes TLS secret that contains the certificate for Patroni. The certificate itself is stored in the key tls.crt. This field is optional.

When this key is set, the Operator will ignore the value in systemCertificates

spec.fep.patroni.tls.caName

( created by user )

Optional
This points to the Kubernetes ConfigMap that contains an additional CA for Patroni to verify clients. The CA is stored in the key ca.crt. This field is optional.

spec.fep.postgres.tls.certificateName

( created by user )

Optional
This points to Kubernetes TLS secret that contains the certificate for Postgres. The certificate itself is stored in the key tls.crt. This field is optional. When this key is set, Operator will ignore the value in systemCertificates

spec.fep.postgres.tls.caName

( created by user )

Optional
This points to the Kubernetes ConfigMap that contains an additional CA for Postgres to verify clients. The CA is stored in the key ca.crt. This field is optional.

spec.fep.postgres.tls.privateKeyPassword

( created by user )

Optional
This points to Kubernetes secret that contains the password for the above private key. This field is optional.
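How the TLS-related fields above fit together, as an added example that is not part of this manual or of the operator's own documentation: a server certificate Secret and a CA ConfigMap referenced by both the Patroni and Postgres sections, a Secret holding the private-key passphrase, a second TLS Secret for the FEPExporter/Prometheus mTLS pair, and the FEPCluster fragment that references them. All resource names, the namespace, the apiVersion placeholder and the key name inside the passphrase Secret are assumptions; the certificate data is a placeholder.

```yaml
# Added example (not from the manual). Names, namespace and apiVersion are
# assumptions; replace the <...> placeholders with real values.
---
apiVersion: v1
kind: Secret
metadata:
  name: new-fep-server-cert          # assumed name
  namespace: fep                     # assumed namespace
type: kubernetes.io/tls              # the operator reads the key tls.crt
data:
  tls.crt: <base64 PEM certificate whose SANs are the pod hostnames>
  tls.key: <base64 PEM private key>
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: new-fep-ca                   # assumed name
  namespace: fep
data:
  ca.crt: |                          # the operator reads the key ca.crt
    -----BEGIN CERTIFICATE-----
    <issuing CA certificate, PEM>
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Secret
metadata:
  name: new-fep-pgkey-password       # assumed name
  namespace: fep
type: Opaque
stringData:
  password: <passphrase of tls.key>  # key name "password" is an assumption
---
apiVersion: v1
kind: Secret
metadata:
  name: new-fep-exporter-cert        # assumed name
  namespace: fep
type: kubernetes.io/tls
data:
  tls.crt: <base64 PEM FEPExporter certificate>
  tls.key: <base64 PEM FEPExporter private key>
---
apiVersion: <apiVersion of the FEPCluster CRD installed by the operator>   # placeholder
kind: FEPCluster
metadata:
  name: new-fep
  namespace: fep
spec:
  fep:
    # Pods address each other by hostname, so the certificate SANs can be
    # fixed in advance; pod IPs change and cannot be put in a certificate.
    usePodName: true
    forceSsl: true
    patroni:
      tls:
        certificateName: new-fep-server-cert   # systemCertificates is ignored once this is set
        caName: new-fep-ca
    postgres:
      tls:
        certificateName: new-fep-server-cert
        caName: new-fep-ca
        privateKeyPassword: new-fep-pgkey-password
    monitoring:
      enable: true
      fepExporter:
        tls:                                   # mandatory once prometheus.tls is defined
          certificateName: new-fep-exporter-cert
          caName: new-fep-ca
      prometheus:
        tls:
          certificateName: prometheus-client-cert   # TLS Secret for the Prometheus side (assumed name)
          caName: new-fep-ca
```

The same CA ConfigMap is reused for every caName here because one internal issuing CA signs all of the certificates in this example; clusters with separate CAs for the database and the monitoring path would reference a separate ConfigMap for each.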

spec.fep.pgAuditLog.auditLogPath

Use this value for log_directory in pgaudit.conf.

If pgAuditLog.auditLogPath is not defined, '/database/log/audit' is used, or '/database/userdata/data/log' when the log volume is not defined.

spec.fep.pgAuditLog.schedules

Schedule to upload auditlog

spec.fep.pgAuditLog.schedules.upload

Upload schedule in crontab format

spec.fep.pgAuditLog.endpoint.protocol

http

Optional

Default: http
Supported values:

  • ‘http’

  • ‘s3’

  • ‘blob’

spec.fep.pgAuditLog.endpoint.url

Webserver URL to upload the auditlog files

spec.fep.pgAuditLog.endpoint.customCertificateName

Optional
Secret that contains the certificate to setup communication with Web server

spec.fep.pgAuditLog.endpoint.insecure

false

Optional
Equivalent to the curl --insecure option (skips server certificate verification)

spec.fep.pgAuditLog.endpoint.authentication

Optional
This item is the secret name for endpoint authentication.
The end user needs to provide this secret to use upload feature.
This secret is used for authentication of each protocol accordingly.
Refer to "1.2.16.1 Details of pgAuditLog.endpoint.authentication" for details.
If this is not specified, a default secret <cluster-name>-pgauditlog-auth will be created.

spec.fep.pgAuditLog.endpoint.fileUploadParameter

file

Optional
The file upload parameter defined by the web server

spec.fep.pgAuditLog.endpoint.azureBlobName

Only take effect when protocol is ‘blob’
Optional
The blob name of pgaudit log file.
Default:
[cluster name]-sts-[pod index]-pgauditlog.zip

spec.fep.pgAuditLog.endpoint.azureContainerName

Required when protocol is ‘blob’
This item is the container name of the Azure Storage account

spec.fep.pgAuditLog.config

Optional
Default: none
This item requires a ConfigMap with this name to exist in the same namespace of the FEPCluster.
The ConfigMap will be used as pgAudit config file.
The ConfigMap need to have a key ‘pgaudit.conf’.

spec.fep.pgAuditLog.enable

Optional
Default: false
When set to ‘true’, the pgaudit extension is enabled automatically.
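A pgAuditLog section with a user-supplied pgaudit.conf and an upload endpoint, as an added example that is not part of this manual. The ConfigMap and Secret names, the namespace, the apiVersion placeholder, the cron expression, the object storage URL and the [rule] line are assumptions; the [output] settings repeat the defaults listed under spec.fepChildCrVal.customPgAudit, and the key layout of the upload-authentication Secret is defined in "1.2.16.1 Details of pgAuditLog.endpoint.authentication".

```yaml
# Added example (not from the manual). Resource names, URL, schedule and the
# [rule] line are assumptions.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: new-fep-pgaudit-conf          # assumed name; must be in the FEPCluster's namespace
  namespace: fep
data:
  pgaudit.conf: |                     # the operator requires exactly this key
    [output]
    logger = 'auditlog'
    log_directory = '/database/log/audit'
    log_truncate_on_rotation = on
    log_filename = 'pgaudit-%a.log'
    log_rotation_age = 1d
    log_rotation_size = 0
    [rule]
    class = 'ROLE,DDL'
---
apiVersion: <apiVersion of the FEPCluster CRD installed by the operator>   # placeholder
kind: FEPCluster
metadata:
  name: new-fep
  namespace: fep
spec:
  fep:
    pgAuditLog:
      enable: true                    # loads the pgaudit extension automatically
      config: new-fep-pgaudit-conf    # ConfigMap above
      auditLogPath: /database/log/audit
      schedules:
        upload: "30 1 * * *"          # crontab format, assumed value
      endpoint:
        protocol: s3
        url: <object storage URL for the audit bucket>   # placeholder
        authentication: new-fep-audit-upload-auth        # user-created Secret (assumed name)
        customCertificateName: new-fep-upload-ca         # only needed for a private CA (assumed name)
        insecure: false               # keep server certificate verification on
```

The [rule] line uses the `class = '...'` form as an assumption about the pgaudit rule syntax; check it against the pgaudit reference for your FEP version. Leaving insecure at false matters because the audit log is the record an incident responder relies on, and an unverified upload endpoint would let that record be intercepted or replaced in transit.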

spec.fep.pgBadger.schedules.create

The 'create' schedule to create report and upload it to endpoint

spec.fep.pgBadger.schedules.cleanup

The 'cleanup' schedule to delete the report left in container

spec.fep.pgBadger.options.incremental

false

Default: false; When set to true: create incremental report in pgbadger

spec.fep.pgBadger.endpoint.authentication

a secret to contain authentication info to access endpoint

support basic auth only

spec.fep.pgBadger.endpoint.customCertificateName

Client certificate reference in the customCertificate CR

spec.fep.pgBadger.endpoint.fileUploadParameter

file

The file upload parameter defined by the web server

spec.fep.pgBadger.endpoint.insecure

false

Equivalent to the curl --insecure option (skips server certificate verification)

spec.fep.pgBadger.endpoint.url

Web server url to upload the report file

spec.ldap2pg.enable

true

Setting this to "true" will enable ldap2pg to execute periodically according to schedule defined.

Setting this to "false" will remove the cronjob that execute the ldap2pg.

spec.ldap.caConfigMapRef

If LDAP server certificate is signed by a private CA, this key should point to a configmap that has the chain of certificates that ldap2pg and FEP should trust.

Operator expects the key name in the configmap be ca.crt.

spec.ldap.ldapconfSecretRef

Name of secret that contains the ldap.conf

When spec.ldap is defined but spec.ldap.ldapconfSecretRef is not defined, operator will create a default secret <fep-cluster>-ldapconf.

Operator expects the key name in the secret be ldap.conf.

spec.ldap2pg.ldap2pgymlConfigMapRef

Name of configmap that contains the ldap2pg.yml

When spec.ldap2pg is defined but spec.ldap2pg.ldap2pgymlConfigMapRef is not defined, Operator will create a default configmap <fep-cluster>-ldap2pgyml.

FEP Operator expects the key name in the configmap be ldap2pg.yml.

spec.ldap2pg.mode

check

Whether ldap2pg should run in "check" mode or "real" mode. If not defined, ldap2pg will run in check mode.

spec.ldap2pg.schedule

Schedule to execute ldap2pg in a crontab format.
If defined, Operator will create a cronjob using fep-cronjob container and remotely execute ldap2pg on fep-patroni container on a regular basis.

If the schedule is not provided, Operator will set the schedule to 5/* * * *.

spec.ldap2pg.skipPrivileges

false

Optional

Configure synchronization of role attributes and permissions between ldap2pg and FEPCluster.
Specify false if you want to synchronize role attributes with permissions, or true if you do not.
If true, the behavior is the same as the --skip-privileges (-P) option of the ldap2pg command.

spec.fep.feputils.image

<omitted>

FEPUtils container image to use,

quay.io/fujitsu/fujitsu-enterprise-postgres-18-utils:ubi9-18-1.0

Optional.

Omitted by default. In this case, the image URL is obtained from the operator container environment.

If you specify an image, the operator will use that image to deploy the Utils container.

When fepChildCrVal.storage.autoresize.enable is true, use this image to expand the pvc-auto-resize container of the fep-tuning Pod.

spec.fep.fepcronjob.image

<omitted>

FEPCronjob container image to use,

quay.io/fujitsu/fujitsu-enterprise-postgres-cronjob:ubi9-18-1.0

Optional.

Omitted by default. In this case, the image URL is obtained from the operator container environment.

If you specify an image, the operator will use that image to deploy the Cronjob container.

spec.fep.autoTuning.prometheus.prometheusUrl

Required if fepChildCrVal.storage.autoresize.enable is true.

Specifies the URL of the Prometheus for which you want to retrieve metrics.

spec.fep.autoTuning.prometheus.authSecret

Optional

Basic authentication secret that provides the user name and encrypted password

spec.fep.autoTuning.prometheus.authSecret.secretName

Username and password, or the name of the secret that contains the token

spec.fep.autoTuning.prometheus.authSecret.userKey

Key of the Secret given the user name

spec.fep.autoTuning.prometheus.authSecret.passwordKey

Key of the Secret with the password specified

spec.fep.autoTuning.prometheus.authSecret.tokenKey

Key of the Secret given the token

spec.fep.autoTuning.prometheus.authSecret.proxyKey

Key of the Secret specified by the proxy

spec.fep.autoTuning.prometheus.tls

spec.fep.autoTuning.prometheus.tls.certificateName

Refers to the Kubernetes TLS secret that contains the certificate and private key. Prometheus uses this for certificate authentication. The certificate and private key itself are stored in the tls.crt and tls.key keys.

spec.fep.autoTuning.prometheus.tls.caName

Refers to the Kubernetes ConfigMap containing the additional CA that the client uses to verify the server certificate. The CA is stored in the ca.crt key.

spec.fep.autoTuning.prometheus.maxRetry

Specifies the maximum number of retries when a query to Prometheus fails.

If not specified, a maximum of 60 retries are attempted.

spec.fep.velero.enable

false

Optional

Specifies whether the Velero DR feature is used (true) or not (false).

This is omitted by default. In this case, the Velero DR feature is not available.

spec.fep.velero.labels

Optional

If the Velero DR feature is used, specify the label to be given to the resource to be backed up by Velero.

You can specify multiple labels.

If omitted, backup-group: fep-backup is given.

spec.fep.velero.backup

Specifies the object storage information that stores the backup data and archive wal for FEPCluster to be built in a DR environment.

Otherwise, FEPCluster built in a DR environment will fail to back up to object storage.

spec.fep.velero.backup.pgbackrestParams

The value is a YAML block scalar ("|"); the parameters to be set in pgbackrest.conf are written on the lines that follow it. (The parameters vary depending on the provider used.)

If you use the same object storage as in production, specify a different object storage path (repo*-path) than in fepChildCrVal.backup.pgbackrestParams.

If you specify the same object storage path, you will receive an event notification.

spec.fep.velero.backup.pgbackrestKeyParams

Optional

The value is a YAML block scalar ("|"); the parameters to be set in pgbackrest.conf are written on the lines that follow it. The value of this parameter is masked with *****.

spec.fep.velero.backup.caName

Optional
Set to use a CA file other than the system default. Specifies the name of the Configmap you created.

If you use a different CA file than the production environment, give the CA file a different name and set it here. It must also be deployed in the DR environment.

spec.fep.velero.backup.repoKeySecretName

Optional
Specifies the name of the Kubernetes Secret generated from the object storage key file. Specify in array format.

If you use a different secret from the production environment, give the secret a different name and set it here. It must also be deployed in the DR environment.

spec.fep.velero.restore.image.image

Optional
Image of the container that performs the restore. It is omitted by default; in this case, the image URL is obtained from the operator container environment.

spec.fep.velero.restore.image.pullPolicy

IfNotPresent

Specifies the pull policy for the image.

  • Always

  • IfNotPresent

spec.fep.velero.restore.mcSpec.limit

cpu: 200m

memory: 300Mi

Specifies the maximum number of resources to allocate to the restore execution container.

spec.fep.velero.restore.mcSpec.request

cpu: 100m

memory: 200Mi

Specifies the lower number of resources to allocate to the restore execution container.

spec.fep.velero.restore.restoreTargetRepo

1

Specifies the backup data used to restore FEPCluster to the DR environment and the object storage information where the archive wal is stored.

This is the number of the repo in fepChildCrVal.backup.pgbackrestParams.

spec.fep.fixedStats.scheduleN

Schedules statistics locking.

Specify an integer for N.

spec.fep.fixedStats.scheduleN.fixSchedule

Time to start locked statistics.

schedule in cron format

The date and time are in UTC time.

spec.fep.fixedStats.scheduleN.unfixSchedule

Optional

Time to unpin locked statistics. Returns to regular statistics. If not specified, it is not cleared.

schedule in cron format

The date and time are in UTC time.

spec.fep.fixedStats.scheduleN.targetDb

Specify the database whose statistics you want to lock.

spec.fep.fixedStats.scheduleN.fixedObject

Optional

If the scope to be locked is smaller than the database, specify that object.

Specify schema.table.column.

The minimum range is the column and the maximum range is the schema.

spec.fep.fixedStats.endpoint.protocol

Specify the object storage vendor where statistics are stored. s3, blob, gcs can be specified. Also, if you want to directly import a file on the container, specify local.

spec.fep.fixedStats.endpoint.authentication

Specify this option if the protocol is s3, blob, gcs.

Authentication for accessing object storage Specify a secret file that contains confidential information.

spec.fep.fixedStats.scheduleN.url

Specify this option if the protocol is s3, gcs.

Specify the URL from which to download the statistics binary file.

spec.fep.fixedStats.scheduleN.azureBlobName

Specify this if the protocol is a blob. Name of the blob containing the statistics binary file.

spec.fep.fixedStats.scheduleN.azureContainerName

Specify this if the protocol is a blob. This item is the container name of the Azure storage account.

spec.fep.fixedStats.scheduleN.file

Specify this if the protocol is local. Specify the name of the file deployed on the fep-patroni container.

spec.fep.fixedStats.scheduleN.update

false

Set this setting to true if you want to download statistics to be locked from object storage.

spec.fep.fixedStats.image

The CronJob image to use. If not specified, the operator uses the latest version supported by the operator.

spec.fep.fixedStats.pullPolicy

IfNotPresent

spec.fep.fixedStats.scheduleN.enable

Optional

You can specify whether scheduled statistics are to be locked or released. Executed if omitted or true, not if false.

spec.fep.freezingTuples.enable

false

Optional

When true is specified, enables periodic execution of freezing operations.

spec.fep.freezingTuples.scheduleN

Optional

Specifies the schedule for the freeze operation. You can specify multiple names in dictionary format.

Specify an integer for N.

spec.fep.freezingTuples.scheduleN.start

0 1 * * *

Specifies the date and time for starting processing in cron format.

If omitted, the default values are applied.

spec.fep.freezingTuples.scheduleN.executionTime

3600

Optional

Specified value: string

Units: s, m, h,d

Specifies the duration of the processing. If no unit is specified, s is assumed.

If omitted, the default values are applied.

spec.fep.backupStats.enable

false

You can set statistics to be backed up.

If set to false, no backup is performed.

If set to true, backup is performed.

If spec.fep.backupStats.enable is not defined as false when FEPCluster is first built, it is set to true.

If spec.fep.backupStats.schedule1 is not defined when FEPCluster is first built, a backup with default settings is defined in the FEPCluster custom resource.

spec.fep.backupStats.image

The CronJob image to use. If not specified, the operator uses the latest version supported by the operator.

spec.fep.backupStats.pullPolicy

IfNotPresent

spec.fep.backupStats.scheduleN

Schedule a backup of the statistics.

Specify an integer for N.

spec.fep.backupStats.scheduleN.backupSchedule

Time to start taking statistics backups.

schedule in cron format

The date and time are in UTC time.

spec.fep.backupStats.scheduleN.targetDb

Optional

Specify the database to be backed up. If omitted, runs for all databases.

spec.fep.backupStats.scheduleN.fixedObject

Optional

If the backup target is less than the database, specify the object.

Specify schema.table.column.

The minimum range is the column and the maximum range is the schema.

spec.fep.backupStats.scheduleN.comment

Optional

Comments that can be defined when backing up statistics.

If omitted, FepFixedStatsBackup: scheduleN is set.

Do not use the following phrases in comments.

FepFixedStats

spec.fep.backupStats.scheduleN.retention

Optional

At the same time as a scheduled backup, you can delete backups that are stored in the target database for a specified number of days or earlier.

Specify an integer.

If omitted, no deletion is performed.

spec.fep.backupStats.scheduleN.enable

Optional

You can specify whether this backup schedule is executed. Executed if omitted or true, not if false.

spec.fep.multiMasterReplication

-

Optional

Define the multi-master replication configuration.

spec.fep.hostName

If you created an SVC to accept connections from outside your deployed Kubernetes cluster, specify the hostname.

spec.fep.port

This is the port used to connect to the deployed Kubernetes from outside.

spec.fep.multiMasterReplication.enable

false

Enable the construction of a multi-master replication configuration.

Once enabled by setting this to true, the feature cannot be disabled.

spec.fep.multiMasterReplication.configMapName

Specify the ConfigMap name defining the FEPCluster or database for bidirectional replication.

spec.fep.multiMasterReplication.replicationHosts[]

Specify the information for the FEPCluster(s) for bidirectional replication in array format.

Only one array can be specified.

spec.fep.multiMasterReplication.replicationHosts[].hostName

Specify the connectable hostname.

spec.fep.multiMasterReplication.replicationHosts[].port

27500

Optional

Specify the port of the host that can be connected to.

spec.fep.multiMasterReplication.replicationHosts[].pgAdminPassword

Specifies the password for the postgres user at the replication destination.

After applying to the FEPCluster, this parameter is masked with *.

spec.fepChildCrVal.customCertificates

Optional
An array of elements for defining a certificate. It consists of the following parameters:

  • username

  • certificateName

  • caName

Used to setup SSL connection between publisher and subscriber clusters for logical replication.

spec.fepChildCrVal.customCertificates.userName

Optional
This should be the username of the publisher database. When this parameter is specified, an empty folder /tmp/custom_certs/<username> is created in the FEP server container and the custom certificates are mounted there. If this parameter is not specified, the section is ignored and the folder is not created; the certificates are therefore not mounted.

spec.fepChildCrVal.customCertificates.certificateName

( created by user )

Optional
This points to Kubernetes TLS secret that contains the custom certificate. The certificate itself is stored in the key tls.crt.

spec.fepChildCrVal.customCertificates.caName

( created by user )

Optional
This points to Kubernetes configmap that contains CA certificate to verify server. The CA is stored in the key ca.crt.

spec.fepChildCrVal.backup

Optional
This section is defined to enable fepbackup sidecar for cluster backup feature.

spec.fepChildCrVal.backup.image.image

<omitted>

FEP backup container image to be used

quay.io/fujitsu/fujitsu-enterprise-postgres-18-backup:ubi9-18-1.0

It is optional.

Image line is omitted by default. In such a case, it will pick up URL of image from operator container environment.

If you specify the image, Operator will take that image to deploy backup container

spec.fepChildCrVal.backup.image.pullPolicy

IfNotPresent

spec.fepChildCrVal.backup.mcSpec.limits

cpu: 0.2

memory: "300Mi"

spec.fepChildCrVal.backup.mcSpec.requests

cpu: 0.1

memory: "200Mi"

spec.fepChildCrVal.backup.type

Optional

Specifiable value: local

Apply the settings for taking a backup to the PV to the custom resource.

Can only be set the first time the FEPCluster custom resource is applied.
You cannot add or change settings after applying.

spec.fepChildCrVal.backup.pgbackrestParams

(If spec.fepChildCrVal.backup.type is local)

[global]

repo1-retention-full=7

repo1-retention-full-type=time

log-path=/database/log/backup

Specifies the object storage information that stores the backup data and archive WAL.

The value is a YAML block scalar ("|"); the parameters to be set in pgbackrest.conf are written on the lines that follow it. (The parameters vary depending on the provider used.)

The value of this parameter is masked with *****.

spec.fepChildCrVal.backup.pgbackrestKeyParams

Optional

The value is a YAML block scalar ("|"); the parameters to be set in pgbackrest.conf are written on the lines that follow it. The value of this parameter is masked with *****.

spec.fepChildCrVal.backup.caName

Optional

Set to use a CA file other than the system default.

Specifies the name of the Configmap you created.

spec.fepChildCrVal.backup.repoKeySecretName

Optional

Specifies the name of the Kubernetes Secret generated from the object storage key file. Specify in array format.

spec.fepChildCrVal.backup.schedule.num

0


(If spec.fepChildCrVal.backup.type is local)
2

Number of schedules to set

The maximum number of backup schedules is 5.

spec.fepChildCrVal.backup.scheduleN.schedule

(If spec.fepChildCrVal.backup.type is local)

schedule1:
  schedule: "15 0 * * 0"
schedule2:
  schedule: "15 0 * * 1-6"

Backup schedule in cron format.

The date and time is UTC time.

spec.fepChildCrVal.backup.scheduleN.type

(If spec.fepChildCrVal.backup.type is local)

schedule1:
  type: full
schedule2:
  type: incr

full: Perform a full backup (Back up the contents of the database cluster).

incr: Perform an incremental backup (back up only the database cluster files that changed since the last backup).

spec.fepChildCrVal.backup.scheduleN.repo

1

Optional

Takes the backup in the specified repository.

The range is 1 to 256.

spec.fepChildCrVal.customPgAudit

[output]

logger = 'auditlog'

log_directory = '/database/log/audit'

log_truncate_on_rotation = on

log_filename = 'pgaudit-%a.log'

log_rotation_age = 1d

log_rotation_size = 0

[rule]

PgAudit file content

spec.fepChildCrVal.customPgHba

# define pg_hba custom rules here to be merged with default rules.

# TYPE DATABASE USER ADDRESS METHOD

Entries to be inserted into pg_hba.conf

spec.fepChildCrVal.customPgParams

# define custom postgresql.conf parameters below to override defaults.

# Current values are as per default FEP deployment

shared_preload_libraries='pgx_datamasking,pg_prewarm,pg_stat_statements,fsep_operator_security'

session_preload_libraries='pg_prewarm'

max_prepared_transactions = 100

max_worker_processes = 30

max_connections = 100

work_mem = 1MB

maintenance_work_mem = 12MB

shared_buffers = 128MB

effective_cache_size = 384MB

checkpoint_completion_target = 0.8

# tcp parameters

tcp_keepalives_idle = 30

tcp_keepalives_interval = 10

tcp_keepalives_count = 3

# logging parameters in default fep installation

# if log volume is not defined, log_directory should be

# changed to '/database/userdata/data/log'

log_directory = '/database/log'

log_filename = 'logfile-%a.log'

log_file_mode = 0600

log_truncate_on_rotation = on

log_rotation_age = 1d

log_rotation_size = 0

log_checkpoints = on

log_line_prefix = '%e %t [%p]: [%l-1] user=%u,db=%d,app=%a,client=%h'

log_lock_waits = on

log_autovacuum_min_duration = 60s

logging_collector = on

pgaudit.config_file='/opt/app-root/src/pgaudit-cfg/pgaudit.conf'

log_replication_commands = on

log_min_messages = WARNING

log_destination = stderr

# wal_archive parameters in default fep installation

archive_mode = on

archive_command = 'pgbackrest --stanza=backupstanza --config=/database/userdata/pgbackrest.conf archive-push %p'

wal_level = replica

max_wal_senders = 12

wal_keep_segments = 64

track_activities = on

track_counts = on

password_encryption = 'md5'

Postgres configuration in postgresql.conf

If the FEP server container utilizes images with a FEPBaseVersion less than 15, exclude fsep_operator_security from the configuration.

If spec.fep.databaseSize is defined, the default value will be changed as shown below.

shared_buffers = 30% of spec.fep.mcSpec.limits.memory

work_mem = 30% of spec.fep.mcSpec.limits.memory / max_connections / 2

effective_cache_size = 75% of spec.fep.mcSpec.limits.memory

maintenance_work_mem = 10% of spec.fep.mcSpec.limits.memory / (1 + autovacuum_max_workers)
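A worked computation of these memory-derived defaults, as an added example (not the operator's own code): it parses the Kubernetes memory limit string, applies the four formulas above, and renders the resulting postgresql.conf lines. The autovacuum_max_workers value (3, PostgreSQL's built-in default) and max_connections (100, from the default customPgParams) are assumptions.

```python
"""Memory-derived postgresql.conf defaults (added illustration, not operator code).

Applies the formulas given in the parameter table to spec.fep.mcSpec.limits.memory.
Assumption: autovacuum_max_workers is 3 (PostgreSQL's built-in default); the page
does not state the value the operator uses.
"""
import re

MIB = 1024 ** 2

# Kubernetes quantity suffixes accepted for memory limits.
_SUFFIX_BYTES = {
    "": 1,
    "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
    "K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12,
}


def parse_k8s_memory(quantity: str) -> int:
    """Return the number of bytes in a Kubernetes memory quantity such as '4Gi'."""
    m = re.fullmatch(r"(\d+)([KMGT]i?)?", quantity.strip())
    if m is None:
        raise ValueError(f"unsupported memory quantity: {quantity!r}")
    return int(m.group(1)) * _SUFFIX_BYTES[m.group(2) or ""]


def derive_memory_params(memory_limit: str, max_connections: int = 100,
                         autovacuum_max_workers: int = 3) -> dict[str, int]:
    """Apply the page's formulas; all results are whole MiB (rounded down).

    max_connections defaults to 100, the value in the default customPgParams.
    """
    if max_connections <= 0:
        raise ValueError("max_connections must be positive")
    limit = parse_k8s_memory(memory_limit)
    shared_buffers = limit * 30 // 100                     # 30% of the limit
    work_mem = shared_buffers // max_connections // 2      # 30% / max_connections / 2
    effective_cache_size = limit * 75 // 100               # 75% of the limit
    maintenance_work_mem = limit * 10 // 100 // (1 + autovacuum_max_workers)
    return {
        "shared_buffers": shared_buffers // MIB,
        "work_mem": work_mem // MIB,
        "effective_cache_size": effective_cache_size // MIB,
        "maintenance_work_mem": maintenance_work_mem // MIB,
    }


def render_pg_params(params: dict[str, int]) -> str:
    """Render the derived values as customPgParams-style lines."""
    return "\n".join(f"{name} = {value}MB" for name, value in params.items())


if __name__ == "__main__":
    # Constructed input: a pod with a 4Gi memory limit.
    print(render_pg_params(derive_memory_params("4Gi")))
```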

spec.fep.vectorTransformation.enable

false

Setting to true activates the feature of model management in the database.

spec.fep.vectorTransformation.modelRepository.modelOwner.name

-

Set the model owner's name.

spec.fep.vectorTransformation.modelRepository.modelOwner.password

-

Set the model owner's password.

spec.fep.vectorTransformation.modelRepository.modelUser.name

-

Set the model user's name.

spec.fep.vectorTransformation.modelRepository.modelUser.password

-

Set the model user's password.

spec.fep.vectorTransformation.modelRepository.modelLoader.name

-

Set the load user's name.

spec.fep.vectorTransformation.modelRepository.modelLoader.password

-

Set the load user's password.

spec.fep.vectorTransformation.inferenceServer

-

Parameters related to the inference server.

spec.fep.vectorTransformation.inferenceServer.image

-

Required when spec.fep.vectorTransformation.enable is true

Specify the name of the built inference server.

spec.fep.vectorTransformation.inferenceServer.imagePullsecret

-

Required when spec.fep.vectorTransformation.enable is true

Specify the Pullsecret to access the repository where the built inference server is published.

spec.fep.vectorTransformation.inferenceServer.connectionTls.enable

false

Set to true when using mTLS.

spec.fep.vectorTransformation.inferenceServer.connectionTls.certificate.grpcCaName

-

Specifies the TLS secret used for gRPC connections.

spec.fep.vectorTransformation.inferenceServer.connectionTls.certificate.grpcCertificateName

-

Specify the Secret name containing the CA certificate used to verify the server certificate chain for gRPC connections.

spec.fep.vectorTransformation.inferenceServer.connectionTls.certificate.grpcPrivateKey

-

Specifies the Kubernetes secret containing the password for the private key used for gRPC connections.

spec.fep.vectorTransformation.inferenceServer.connectionTls.certificate.tritonGrpcCaName

-

Specifies the TLS secret used for gRPC connections configured on the Triton server.

spec.fep.vectorTransformation.inferenceServer.connectionTls.certificate.tritonGrpcCertificateName

-

Specify the Secret name containing the CA certificate used to verify the server certificate chain for gRPC connections configured on the Triton server.

spec.fep.vectorTransformation.inferenceServer.connectionTls.certificate.tritonGrpcPrivateKey

-

Specify the secret name containing the CA certificate used to verify the server certificate chain for the gRPC connection configured on the Triton server.

spec.fep.vectorTransformation.inferenceServer.mcSpec.limits

cpu:500m

memory:1Gi

Specifies the resource limit for the inference server.

spec.fep.vectorTransformation.inferenceServer.mcSpec.limits.requests

cpu:200m

memory:512Mi

Specifies the minimum resources required by the inference server.

spec.fep.vectorTransformation.inferenceServerPorts.grpcPort

-

Required when spec.fep.vectorTransformation.enable is true.

Specifies the port number for gRPC connections.

spec.fep.vectorTransformation.inferenceServerPorts.metricsPort

-

Required when spec.fep.vectorTransformation.enable is true.

Specifies the port number for acquiring metrics.

spec.fepChildCrVal.storage.dataVol

Mandatory volume

spec.fepChildCrVal.storage.dataVol.size

2Gi

(**)

Size of data volume.

Data volume must be specified

spec.fepChildCrVal.storage.dataVol.storageClass

<omitted>

(*)

StorageClass for data volume:

When this line is omitted, the PV created will use the default storage class in the Kubernetes cluster

spec.fepChildCrVal.storage.dataVol.accessModes

<omitted>

(*)

accessModes for data volume:

Specified as an array of accessModes e.g. [ReadWriteMany]

If omitted, it will be treated as [ReadWriteOnce]

spec.fepChildCrVal.storage.walVol

Mandatory volume

spec.fepChildCrVal.storage.walVol.size

1200Mi

(**)

(If spec.fepChildCrVal.storage.dataSize is defined) 5Gi

Size of WAL volume.

WAL volume must be specified

spec.fepChildCrVal.storage.walVol.storageClass

<omitted>

(*)

StorageClass for WAL volume:

When this line is omitted, the PV created will use the default storage class in the Kubernetes cluster

spec.fepChildCrVal.storage.walVol.accessModes

<omitted>

(*)

accessModes for WAL volume:

Specified as an array of accessModes e.g. [ReadWriteMany]

If omitted, it will be treated as [ReadWriteOnce]

spec.fepChildCrVal.storage.tablespaceVol

Optional volume

spec.fepChildCrVal.storage.tablespaceVol.size

512Mi

(**)

(If spec.fepChildCrVal.storage.dataSize is defined) The value specified in spec.fepChildCrVal.storage.dataSize.

Size of tablespace volume.

This volume is optional and can be omitted

spec.fepChildCrVal.storage.tablespaceVol.storageClass

<omitted>

(*)

StorageClass for tablespace volume:

When this line is omitted, the PV created will use the default storage class in the Kubernetes cluster

spec.fepChildCrVal.storage.tablespaceVol.accessModes

<omitted>

(*)

accessModes for tablespace volume:

Specified as an array of accessModes e.g. [ReadWriteMany]

If omitted, it will be treated as [ReadWriteOnce]

spec.fepChildCrVal.storage.archivewalVol

Mandatory if backup section is defined.

Optional otherwise

spec.fepChildCrVal.storage.archivewalVol.size

1Gi

(**)

(If spec.fepChildCrVal.storage.dataSize is defined and spec.fepChildCrVal.backup.type is local) (spec.fepChildCrVal.storage.dataSize/10)*14

Size of archivewal volume.

This volume is optional and can be omitted

spec.fepChildCrVal.storage.archivewalVol.storageClass

<omitted>

(*)

StorageClass for Archived WAL volume:

When this line is omitted, the PV created will use the default storage class in the Kubernetes cluster

When the number of instances is more than 1 and backup is not done on S3, both archivewalVol and backupVol must be hosted on shared storage such as NFS, using the respective storageClass

spec.fepChildCrVal.storage.archivewalVol.accessModes

<omitted>

(*)

accessModes for Archived WAL volume:

Specified as an array of accessModes e.g. [ReadWriteMany]

If omitted, it will be treated as [ReadWriteOnce]

When the number of instances is more than 1 and backup is not done on S3, both archivewalVol and backupVol must be hosted on shared storage such as NFS with accessMode set to [ReadWriteMany]

spec.fepChildCrVal.storage.logVol

Optional volume

spec.fepChildCrVal.storage.logVol.size

1Gi

(**)

(If spec.fepChildCrVal.storage.dataSize is defined) 5Gi

Size of log volume.

This volume is optional and can be omitted

spec.fepChildCrVal.storage.logVol.storageClass

<omitted>

(*)

StorageClass for log volume:

When this line is omitted, the PV created will use the default storage class in the Kubernetes cluster

spec.fepChildCrVal.storage.logVol.accessModes

<omitted>

(*)

accessModes for log volume:

Specified as an array of accessModes e.g. [ReadWriteMany]

If omitted, it will be treated as [ReadWriteOnce]

spec.fepChildCrVal.storage.backupVol

Mandatory if backup section is defined.

Optional otherwise

spec.fepChildCrVal.storage.backupVol.size

2Gi

(**)

(If spec.fepChildCrVal.storage.dataSize is defined and spec.fepChildCrVal.backup.type is local) spec.fepChildCrVal.storage.dataSize*14

Size of backup volume.

This volume is optional and can be omitted

spec.fepChildCrVal.storage.backupVol.storageClass

<omitted>

(*)

StorageClass for backup volume:

When this line is omitted, the PV created will use the default storage class in the Kubernetes cluster

When the number of instances is more than 1 and backup is not done on S3, both archivewalVol and backupVol must be hosted on shared storage such as NFS, using the respective storageClass

spec.fepChildCrVal.storage.backupVol.accessModes

<omitted>

(*)

accessModes for backup volume:

Specified as an array of accessModes e.g. [ReadWriteMany]

If omitted, it will be treated as [ReadWriteOnce]

When the number of instances is more than 1 and backup is not done on S3, both archivewalVol and backupVol must be hosted on shared storage such as NFS with accessMode set to [ReadWriteMany]

spec.fepChildCrVal.storage.dataSize

Specify the amount of data at the data storage destination.
The operator defines the size of dataVol, walVol, logVol, tablespaceVol, archivewalVol, and backupVol based on the specified value.

If you specify individual volumes, specify the size of each volume definition.

spec.fepChildCrVal.storage.accessModes

Specify the accessModes for each volume if you want to specify them in a batch.
If you want to set them individually, specify the accessModes for each volume definition.

spec.fepChildCrVal.storage.storageClass

Specify the storageClass for each volume if you want to specify them in a batch.
If you want to set them individually, specify the storageClass for each volume definition.

spec.fepChildCrVal.storage.autoresize

spec.fepChildCrVal.storage.autoresize.enable

false

Optional

Specified value: boolean

Set to true to enable auto-extension of PVCs.

spec.fepChildCrVal.storage.autoresize.mcSpec.limits

cpu: 50m

memory: 60Mi

Optional

Specifies the resource limit for the pvc-auto-resize container.

spec.fepChildCrVal.storage.autoresize.mcSpec.requests

cpu: 10m

memory: 5Mi

Optional

Specifies the resources requested for the pvc-auto-resize container.

spec.fepChildCrVal.storage.autoresize.interval

30

Optional

Units: s

Specifies the interval between metric checks.

If 0 or less is specified, the PVC is not extended.

spec.fepChildCrVal.storage.autoresize.threshold

80

Optional

Specified value: integer

Unit: %

Specifies the storage utilization threshold.

Extends the PVC when this value is exceeded.

When 0 is specified, storage utilization is not checked.

Applies to all storage where xxxVol.threshold is not defined.

spec.fepChildCrVal.storage.autoresize.increaseType

percent

Optional

Specified value: percent, size

Specifies how the PVC extension is estimated when the threshold is exceeded.

When percent is specified

Expands the PVC by the specified percentage of its original capacity.

If size is specified

Extends the PVC by the specified amount (Gi).

Applies to all storage where xxxVol.increaseType is not defined.

spec.fepChildCrVal.storage.autoresize.increase

25

Optional

Specified value: integer

Units: % or Gi

Specifies the extension amount for the PVC.

The units depend on the value specified for increaseType.

If a value less than or equal to 0 is specified, no extension is performed.

This applies to all storage where xxxVol.increase is not defined.

spec.fepChildCrVal.storage.autoresize.storageLimit

Optional

Specified value: integer

Units: Gi

Specifies the maximum value by which the PVC can be extended.

If not specified, the extension is unrestricted. If you do not specify this value, we recommend that you verify that the storage class being used has a namespace quota.

The PVC is not extended if the specified value is less than or equal to the current disk capacity.

Applies to all storage where xxxVol.storageLimit is not defined.

spec.fepChildCrVal.storage.xxxVol

xxx is the contents of data, wal, log, tablespace, archivewal, backup

spec.fepChildCrVal.storage.xxxVol.threshold

Optional

Specified value: integer

Unit: %

Specifies the storage utilization threshold.

Extends the PVC when this value is exceeded.

When 0 is specified, storage utilization is not checked.

If not specified, it follows the value specified in autoresize.threshold.

spec.fepChildCrVal.storage.xxxVol.increaseType

Optional

Specified value: percent, size

Specifies how the PVC extension is estimated when the threshold is exceeded.

When percent is specified

Expands the PVC by the specified percentage of its original capacity.

If size is specified

Extends the PVC by the specified amount (Gi).

If not specified, the value of autoresize.increaseType is used.

spec.fepChildCrVal.storage.xxxVol.increase

Optional

Specified value: integer

Units: % or Gi

Specifies the extension amount for the PVC.

The units depend on the value specified for increaseType.

If not specified, the value of autoresize.increase is used.

spec.fepChildCrVal.storage.xxxVol.storageLimit

Optional

Specified value: integer

Units: Gi

Specifies the maximum capacity by which the PVC can be extended.

The PVC is not extended if the specified value is less than or equal to the current disk capacity.

If not specified, it follows the value specified by autoresize.storageLimit.
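The auto-resize rules above (the cluster-wide autoresize.* settings, the per-volume xxxVol.* overrides, and the interval, threshold, increase and storageLimit conditions) as an added worked example; this is illustration code, not the operator's implementation. One assumption is labelled in the code: a computed size above storageLimit is capped at the limit, which the page does not state explicitly.

```python
"""PVC auto-resize decision rules (added illustration, not the operator's code).

Models the semantics described for spec.fepChildCrVal.storage.autoresize.* and
the per-volume xxxVol.* overrides. Assumption: when the computed size would exceed
storageLimit, it is capped at the limit; the page only says that a limit at or
below the current capacity prevents extension.
"""
from dataclasses import dataclass
from typing import Optional

GIB = 1024 ** 3


@dataclass
class AutoresizePolicy:
    """Cluster-wide settings under spec.fepChildCrVal.storage.autoresize."""
    enable: bool = False
    interval: int = 30                 # seconds; 0 or less disables extension
    threshold: int = 80                # percent; 0 disables the utilisation check
    increase_type: str = "percent"     # "percent" of original capacity, or "size" in Gi
    increase: int = 25                 # units follow increase_type; <= 0 disables extension
    storage_limit: Optional[int] = None  # Gi; None means unrestricted


@dataclass
class VolumeOverride:
    """Per-volume xxxVol.* settings; None falls back to the cluster-wide value."""
    threshold: Optional[int] = None
    increase_type: Optional[str] = None
    increase: Optional[int] = None
    storage_limit: Optional[int] = None


def effective_policy(policy: AutoresizePolicy, override: VolumeOverride) -> AutoresizePolicy:
    """Resolve a volume's settings: xxxVol.* wins, otherwise autoresize.* applies."""
    def pick(vol, cluster):
        return cluster if vol is None else vol
    return AutoresizePolicy(
        enable=policy.enable,
        interval=policy.interval,
        threshold=pick(override.threshold, policy.threshold),
        increase_type=pick(override.increase_type, policy.increase_type),
        increase=pick(override.increase, policy.increase),
        storage_limit=pick(override.storage_limit, policy.storage_limit),
    )


def plan_resize(policy: AutoresizePolicy, override: VolumeOverride,
                original_bytes: int, current_bytes: int, used_bytes: int) -> Optional[int]:
    """Return the new PVC size in bytes, or None when no extension should happen."""
    eff = effective_policy(policy, override)
    if not eff.enable or eff.interval <= 0:
        return None                        # feature off, or metric checks disabled
    if eff.threshold == 0:
        return None                        # utilisation is not checked at all
    utilisation = used_bytes * 100 / current_bytes
    if utilisation <= eff.threshold:
        return None                        # threshold not exceeded
    if eff.increase <= 0:
        return None                        # no extension amount configured
    if eff.increase_type == "percent":
        # Percentage of the ORIGINAL capacity, as the page states.
        new_size = current_bytes + original_bytes * eff.increase // 100
    elif eff.increase_type == "size":
        new_size = current_bytes + eff.increase * GIB
    else:
        raise ValueError(f"unknown increaseType: {eff.increase_type!r}")
    if eff.storage_limit is not None:
        limit_bytes = eff.storage_limit * GIB
        if limit_bytes <= current_bytes:
            return None                    # limit at or below current capacity: no extension
        new_size = min(new_size, limit_bytes)   # assumption: cap at the limit
    return new_size


if __name__ == "__main__":
    # Constructed scenario: a 2Gi data volume at 85% utilisation, default policy enabled.
    policy = AutoresizePolicy(enable=True)
    print(plan_resize(policy, VolumeOverride(), 2 * GIB, 2 * GIB, int(1.7 * GIB)))
```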

spec.fepChildCrVal.storage.inferenceVol.size

-

Required when spec.fep.vectorTransformation.enable is true

Specifies the size of the model to mount.

spec.fepChildCrVal.storage.inferenceVol.storageClass

-

Required when spec.fep.vectorTransformation.enable is true

Specifies the name of the storage class to mount.

spec.fepChildCrVal.storage.inferenceVol.accessMode

-

Required when spec.fep.vectorTransformation.enable is true

Specifies the access mode for the storage to mount.

spec.fepChildCrVal.storage.modelRepositoryVol.size

-

Required when spec.fep.vectorTransformation.enable is true

Specifies the size of the model to mount.

spec.fepChildCrVal.storage.modelRepositoryVol.storageClass

-

Required when spec.fep.vectorTransformation.enable is true

Specifies the name of the storage class to mount.

spec.fepChildCrVal.storage.modelRepositoryVol.accessMode

-

Required when spec.fep.vectorTransformation.enable is true

Specifies the access mode for the storage to mount.

spec.fepChildCrVal.sysUsers.pgAdminPassword

<omitted>

Password for user "postgres"

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), symbols (~! @ # $% ^ & * () - = < >,.? ; : |/+)

If this parameter is omitted, the Operator automatically generates a password.

If the FEP server container uses an image with a FEPBaseVersion less than 15, be sure to specify this parameter.

spec.fepChildCrVal.sysUsers.pgdb

mydb

(*)

Database to be created during provisioning

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), and underscores (_)

However, you cannot start with a number.

Upper case letters are treated as lower case letters.

Maximum string length

63 characters

spec.fepChildCrVal.sysUsers.pguser

mydbuser

(*)

Database user to be created during provisioning

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), and underscores (_)

However, you cannot start with a number.

Upper case letters are treated as lower case letters.

Maximum string length

63 characters

This database user is the owner of the database defined in "spec.fepChildCrVal.sysUsers.pgdb" and has the role of database administrator.

This user has the following privileges:
NOSUPERUSER, NOREPLICATION, NOBYPASSRLS, CREATEDB, INHERIT, LOGIN, CREATEROLE

(NOCREATEROLE when spec.fepChildCrVal.sysUsers.pgSecurityUser is defined)

They also belong to the following roles:
pg_monitor, pg_signal_backend

spec.fepChildCrVal.sysUsers.pgpassword

mydbpassword

Password for database user pguser

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), symbols (~! @ # $% ^ & * () - = < >,.? ; : |/+)
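The naming and password rules listed for pgdb, pguser and pgpassword, encoded as a pre-apply check; this is an added example, not part of the operator, and the symbol set is transcribed from the table's listing above.

```python
"""Pre-apply checks for sysUsers values (added illustration, not operator code).

Encodes the rules listed for pgdb, pguser and pgpassword: identifiers use letters,
digits and underscore, must not start with a digit, are at most 63 characters and
are folded to lower case; passwords use letters, digits and the listed symbols.
"""
import re
import string

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
IDENT_MAX_LEN = 63
# Symbol set transcribed from the table: ~ ! @ # $ % ^ & * ( ) - = < > , . ? ; : | / +
PASSWORD_SYMBOLS = "~!@#$%^&*()-=<>,.?;:|/+"
PASSWORD_ALLOWED = frozenset(string.ascii_letters + string.digits + PASSWORD_SYMBOLS)


def check_identifier(value: str) -> list[str]:
    """Return the list of rule violations for a pgdb / pguser style identifier."""
    problems = []
    if not value:
        problems.append("must not be empty")
        return problems
    if len(value) > IDENT_MAX_LEN:
        problems.append(f"longer than {IDENT_MAX_LEN} characters")
    if value[0] in string.digits:
        problems.append("must not start with a number")
    elif not IDENT_RE.fullmatch(value):
        problems.append("only alphanumeric characters and underscores are allowed")
    return problems


def normalize_identifier(value: str) -> str:
    """Upper case letters are treated as lower case, so 'MyDB' and 'mydb' collide."""
    return value.lower()


def check_password(value: str) -> list[str]:
    """Return the characters that fall outside the documented password character set."""
    return sorted(set(value) - PASSWORD_ALLOWED)


def validate_sys_users(pgdb: str, pguser: str, pgpassword: str) -> dict[str, list[str]]:
    """Validate the three fields together; an empty dict means everything passed."""
    report: dict[str, list[str]] = {}
    for field, value in (("pgdb", pgdb), ("pguser", pguser)):
        problems = check_identifier(value)
        if problems:
            report[field] = problems
    bad = check_password(pgpassword)
    if bad:
        report["pgpassword"] = [f"disallowed character {c!r}" for c in bad]
    return report


if __name__ == "__main__":
    # Constructed input mirroring the table's defaults.
    print(validate_sys_users("mydb", "mydbuser", "mydbpassword"))
```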

spec.fepChildCrVal.sysUsers.pgrepluser

repluser

(*)

Database user for replication

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), and underscores (_)

However, you cannot start with a number.

Maximum string length

63 characters

spec.fepChildCrVal.sysUsers.pgreplpassword

repluserpwd

Alphanumeric characters

spec.fepChildCrVal.sysUsers.tdepassphrase

tde-passphrase

TDE keystore passphrase

spec.fepChildCrVal.sysUsers.pgRewindUser

rewind_user

Database user for Rewind

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), and underscores (_)

However, you cannot start with a number.

Maximum string length

63 characters

spec.fepChildCrVal.sysUsers.pgRewindUserPassword

rewind_password

Password for database user rewinduser

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), symbols (~! @ # $% ^ & * () - = < >,.? ; : |/+)

spec.fepChildCrVal.sysUsers.pgMetricsUser

Optional

User for the FEPExporter connection. Can be defined afterwards.

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), and underscores (_)

However, you cannot start with a number.

Upper case letters are treated as lower case letters.

Maximum string length

63 characters

spec.fepChildCrVal.sysUsers.pgMetricsUserPassword

Optional

Password for metrics user. Can be defined afterwards

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), symbols (~! @ # $% ^ & * () - = < >,.? ; : |/+)

spec.fepChildCrVal.sysUsers.pgSecurityUser

Optional

Username of the security administrator user. Can be defined later.

This parameter is optional, but cannot be changed or deleted after it has been defined.

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), and underscores (_)

However, you cannot start with a number.

Upper case letters are treated as lower case letters.

Maximum string length

63 characters

spec.fepChildCrVal.sysUsers.pgSecurityPassword

Optional

Defines the password for the security administrator user.

This parameter is optional but required when "pgSecurityUser" is defined.

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), symbols (~! @ # $% ^ & * () - = < >,.? ; : |/+)

spec.fepChildCrVal.sysUsers.passwordValid

Optional

Manage password expiration for database users.

Sets the expiration date for database user passwords defined in the FEPCluster custom resource below.

  • pgpassword, pgSecurityPassword

In addition, if shared_preload_libraries in customPgParams is set to "fsep_operator_security" and the "CREATE ROLE" or "ALTER ROLE" command is used to update the password of a database user with login privileges and the expiration time is not defined or is longer than the specified expiration time, the operation will fail.

Updates the password expiration date for database users with login privileges that have not expired when the specified expiration date is updated.

spec.fepChildCrVal.sysUsers.passwordValid.days

Optional

Specifies the number of days the database role is valid.

Specify an integer value greater than or equal to 0.

If any other value is entered, it is treated as 0 (no expiration date is set).

The 'days' option is not available when using the Cloud-based Secret Management feature.

When you take advantage of the Cloud-based Secret Management feature, the database user password expiration can be managed by a rotation policy provided by an external secret store service.

spec.fepChildCrVal.sysUsers.pgAdminTls.certificateName

This points to the Kubernetes TLS Secret that contains the certificate of Postgres user "postgres". Patroni will use this for certificate authentication. The certificate itself is stored in the key tls.crt. This field is optional.

spec.fepChildCrVal.sysUsers.pgAdminTls.caName

This points to the Kubernetes ConfigMap that contains an additional CA the client uses to verify the server certificate. The CA is stored in the key ca.crt. This field is optional.

spec.fepChildCrVal.sysUsers.pgAdminTls.sslMode

prefer

Specify the type of TLS negotiation with the server.

  • disable

  • allow

  • prefer

  • require

  • verify-ca

  • verify-full

spec.fepChildCrVal.sysUsers.pgreplUserTls.certificateName

This points to the Kubernetes TLS Secret that contains the certificate of Postgres user "repluser". Patroni will use this for certificate authentication. The certificate itself is stored in the key tls.crt. This field is optional.

spec.fepChildCrVal.sysUsers.pgreplUserTls.caName

This points to the Kubernetes ConfigMap that contains an additional CA the client uses to verify the server certificate. The CA is stored in the key ca.crt. This field is optional.

spec.fepChildCrVal.sysUsers.pgreplUserTls.sslMode

prefer

Specify the type of TLS negotiation with the server.

  • disable

  • allow

  • prefer

  • require

  • verify-ca

  • verify-full

spec.fepChildCrVal.sysUsers.pgRewindUserTls.certificateName

This points to the Kubernetes TLS Secret that contains the certificate of Postgres user "rewinduser". Patroni will use this for certificate authentication. The certificate itself is stored in the key tls.crt. This field is optional.

spec.fepChildCrVal.sysUsers.pgRewindUserTls.caName

This points to the Kubernetes ConfigMap that contains an additional CA the client uses to verify the server certificate. The CA is stored in the key ca.crt. This field is optional.

spec.fepChildCrVal.sysUsers.pgRewindUserTls.sslMode

prefer

Specify the type of TLS negotiation with the server.

  • disable

  • allow

  • prefer

  • require

  • verify-ca

  • verify-full

spec.fepChildCrVal.sysUsers.pgMetricsUserTls.certificateName

Optional
This points to the Kubernetes TLS Secret that contains the certificate of the Postgres user defined by pgMetricsUser. FEPExporter will use this for certificate authentication. The certificate itself is stored in the key tls.crt.

spec.fepChildCrVal.sysUsers.pgMetricsUserTls.caName

Optional
This points to the Kubernetes ConfigMap that contains an additional CA the client uses to verify the server certificate. The CA is stored in the key ca.crt.

spec.fepChildCrVal.sysUsers.pgMetricsUserTls.sslMode

prefer

Optional
Specify the type of TLS negotiation when FEPExporter connects to FEP server.

  • disable

  • allow

  • prefer

  • require

  • verify-ca

  • verify-full

spec.fepChildCrVal.sysUsers.vectorizerPassword

Optional
Specifies the password for "vectorizerrole," which will be created as the database role used by the automatic vector converter to perform vector conversions in the background.

Available character types

Alphanumeric characters (A-Z, a-z), numbers (0 -9), symbols (~! @ # $% ^ & * () - = < >,.? ; : |/+)

If this parameter is omitted, the Operator automatically generates a password.

spec.fepChildCrVal.sysUsers.vectorizerTls.certificateName

This points to the Kubernetes TLS Secret that contains the certificate of Postgres user "vectorizerrole". Patroni will use this for certificate authentication. The certificate itself is stored in the key tls.crt. This field is optional.

spec.fepChildCrVal.sysUsers.vectorizerTls.caName

This points to the Kubernetes ConfigMap that contains an additional CA the client uses to verify the server certificate. The CA is stored in the key ca.crt. This field is optional.

spec.fepChildCrVal.sysUsers.vectorizerTls.sslMode

prefer

Specify the type of TLS negotiation with the server.

  • disable

  • allow

  • prefer

  • require

  • verify-ca

  • verify-full

spec.fepChildCrVal.sysTde

(*)

Optional
If file-based TDE is used, this does not need to be defined.
Required when implementing TDE with a key management system (KMS).

spec.fepChildCrVal.sysTde.tdeType

(*)

Optional
The parameter itself is optional, but required when spec.fepChildCrVal.sysTde is defined.
Specify tdek.

spec.fepChildCrVal.sysTde.tdek

Optional
Defines the connection information to the KMS.
Required when tdek is specified for spec.fepChildCrVal.sysTde.tdeType.

spec.fepChildCrVal.sysTde.tdek.targetKmsName

Specify one of the key management system names defined in kmsDefinition[*].name as the name of the key management system to use as the keystore.

spec.fepChildCrVal.sysTde.tdek.targetKeyId

Specifies the key ID (Identifier attribute in KMIP) attached to the encryption key in KMS.
When you update this parameter, the Operator automatically updates the master key.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition

Specifies KMS connection information.
Specify in array format. You can specify connection information for multiple KMS.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].name

(*)

The name given to the KMS (key management system name) specified in spec.fepChildCrVal.sysTde.tdek.targetKmsName.
The KMS name must be a string of no more than 63 characters beginning with a-z, consisting of a-z, numbers (0 -9), and underscores. Upper and lower case letters are the same.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].type

(*)

Specifies the type of KMS.
You can specify either kmip, awskms, or azurekeyvault.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].address

(*)

Specifies the host name or IP address of the KMIP server.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].port

(*)

Specifies the port of KMIP server.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].authMethod

(*)

Specifies the authentication method in KMIP server.
Currently, the only possible value is cert.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].sslpassphrase

Optional
Specifies the passphrase of the client certificate private key file when connecting to KMIP server. This can be omitted if no passphrase is set in the private key file.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].cert

Optional
Specifies the name of the Secret/ConfigMap containing the certificate file, etc., when cert is specified as authMethod.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].cert.certificateName

(*)

Specifies the TLS Secret name that contains the client certificate and private key for TLS communication with KMIP server.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].cert.caName

(*)

Specifies the ConfigMap name that contains the file name of the SSL Certificate Authority certificate.
Used to verify the server certificate of the connection destination.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].profile

Specify a profile that uses AWS KMS. For more information about profile, see the official AWS documentation.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].awsKmsCredentials

Specify a Secret that contains credentials (access key id and secret access key) to AWS KMS.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].awsKmsConfig

Specify a ConfigMap that contains configuration information for the AWS KMS CLI.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].appid

Enter the application ID when using Azure Key Vault. You can get this when you create a service principal.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].tenantid

Specify the tenant ID when using Azure Key Vault. You can get this when you create a service principal.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].encAlgorithm

Specify when using Azure Key Vault. For the algorithms you can select, refer to "Available Algorithms" in the User's Guide.

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].azureKeyVaultClientPassphrase

Used to authenticate to Azure Key Vault. Specifies the secret that contains the client Secret (password).

spec.fepChildCrVal.sysTde.tdek.kmsDefinition[*].azureKeyVaultClientCert

Used to authenticate to Azure Key Vault. Specifies the Secret that contains the client certificate.

spec.fepChildCrVal.systemCertificates.key

Use spec.fep.postgres.tls specification instead.

spec.fepChildCrVal.systemCertificates.crt

Use spec.fep.postgres.tls specification instead.

spec.fepChildCrVal.systemCertificates.cacrt

Use spec.fep.postgres.tls specification instead.

spec.fepChildCrVal.autoscale.scaleout.policy

off

Specifies whether to use the automatic scale out feature and which metric it is based on.

Specify one of the following:

- cpu_utilization (if based on CPU utilization)
- connection_number (if based on number of connections)
- off (without automatic scale out)

If omitted, off is assumed.

spec.fepChildCrVal.autoscale.scaleout.threshold

40

Specifies an integer as the threshold for performing scale out.

- When cpu_utilization is specified for policy
Specifies the average CPU utilization as a percentage for the threshold. If this option is omitted, 40 (40%) is assumed.

- When connection_number is specified for policy
Specifies the average value of the number of connections as a threshold. If you omit this option, 40 is assumed.

spec.fepChildCrVal.autoscale.scaleout.metricName

pg_capacity_connection_average

Specify this parameter if policy is connection_number. Ignored if policy is cpu_utilization.

The custom metrics server must publish the average number of connections in the FEP cluster under this name.

If omitted, pg_capacity_connection_average is assumed.

spec.fepChildCrVal.autoscale.scaleout.stabilizationWindowSeconds

0

This parameter controls the stability of scaling (variation in the number of replicas). Scale out is not performed unless the metric exceeds the threshold for more than the number of seconds specified for this parameter.

If omitted, 0 is assumed.

spec.fepChildCrVal.autoscale.limits.maxReplicas

2

Maximum number of replicas (0 to 15)

If the value is out of range, auto scale out is not performed.

spec.fepChildCrVal.restore

Optional

Defines a restore of the specified backup data stored in object storage.

spec.fepChildCrVal.restore.pgbackrestParams

Optional

"|" is fixed, and the following line describes the parameters to be set in pgbackrest.conf.

Specifies the object storage where the backup data is stored.

If you need to use a root certificate other than the default, specify the following:

repo1-storage-ca-path =/pgbackrest/storage-certs/filename

The CA file is registered in ConfigMap and the ConfigMap name is listed in spec.fepChildCrVal.restore.caName.

spec.fepChildCrVal.restore.pgbackrestKeyParams

Optional

"|" is fixed, and the following line describes the parameters to be set in pgbackrest.conf. The value described by this parameter is masked with *****. Specify the parameter you want to mask, such as a password.

spec.fepChildCrVal.restore.caName

Optional

Set this to use a CA file other than the system default.

Specifies the names of the ConfigMaps you created, in list (array) format.

The specified ConfigMaps are mounted in /pgbackrest/storage-certs.

spec.fepChildCrVal.restore.repoKeySecretName

Optional

Specifies the names of the Kubernetes Secrets generated from the object storage key file, in array format.

The specified Secrets are mounted in /pgbackrest/storage-key.

spec.fepChildCrVal.restore.mcSpec.limits

cpu: 200m

memory: 300Mi

Optional

CPU and memory limits for the container performing the restore

spec.fepChildCrVal.restore.mcSpec.requests

cpu: 100m

memory: 200Mi

Optional

CPU and memory requests for the container performing the restore

spec.fepChildCrVal.restore.restoretype

latest

Optional

Select the type of restore (latest or PITR).

spec.fepChildCrVal.restore.restoredate

Optional

Specifies the date to restore when spec.fepChildCrVal.restore.restoretype is "PITR".

spec.fepChildCrVal.restore.restoretime

Optional

Specifies the time to restore when spec.fepChildCrVal.restore.restoretype is "PITR".

spec.fepChildCrVal.restore.image

Optional

Image of the container to perform the restore

Omitted by default; the image URL is then obtained from the operator container environment.

spec.fepChildCrVal.restore.imagePullPolicy

IfNotPresent

Optional

spec.fepChildCrVal.upgrade

Optional

When this field is defined, a major version upgrade is performed.

However, if spec.fepChildCrVal.restore is also defined, the FEPCluster build stops.

spec.fepChildCrVal.upgrade.sourceCluster

Specifies the FEPClusterCR name from which to migrate data.

Required if spec.fepChildCrVal.upgrade is defined.

spec.fepChildCrVal.upgrade.mcSpec.limits

cpu: 200m

memory: 300Mi

Optional

Specifies the upper limit of resources allocated to the upgrade execution container.

spec.fepChildCrVal.upgrade.mcSpec.requests

cpu: 100m

memory: 200Mi

Optional

Specifies the lower limit (requests) of resources allocated to the upgrade execution container.

spec.fepChildCrVal.upgrade.image

Optional

By default, the image URL is obtained from the operator container environment.

spec.fepChildCrVal.upgrade.imagePullPolicy

IfNotPresent

Optional

Specifies the pull policy for the container image.

  • Always

  • IfNotPresent

  • Never

spec.fepChildCrVal.upgrade.source.pgAdminTls.certificateName

Optional

Points to the Kubernetes TLS Secret holding the certificate of the Postgres user "postgres" in the data source (the cluster named in sourceCluster). Use it when spec.fepChildCrVal.sysUsers.pgAdminTls.certificateName is not defined in the data source.

If the data source FEP uses the "cert" authentication method for connections from the upgrade execution container, the container authenticates with the certificate in this Secret.

spec.fepChildCrVal.upgrade.destination.pgAdminTls.certificateName

Optional

Points to the Kubernetes TLS Secret holding the certificate of the Postgres user "postgres" in the newly created FEPCluster. Use it when spec.fepChildCrVal.sysUsers.pgAdminTls.certificateName is not defined in the new cluster.

If the new FEP is created with the "cert" authentication method for connections from the upgrade execution container, the container authenticates with the certificate in this Secret.

spec.fepChildCrVal.upgrade.storage

Optional

Defines the storage for storing dump files.

spec.fepChildCrVal.upgrade.storage.storageClass

Optional

If omitted, the default storage class for your environment is used.

spec.fepChildCrVal.upgrade.storage.size

2Gi

Optional

Specifies the size of the storage to store the dump file.

spec.fepChildCrVal.upgrade.storage.accessModes

ReadWriteOnce

Optional

accessModes of the volume that stores the dump file.

Specified as an array of accessModes, e.g. [ReadWriteMany]

If omitted, it is treated as [ReadWriteOnce]

spec.fep.remoteLogging.enable

Set to true to forward logs from fluentbit to fluentd

spec.fep.remoteLogging.image

Optional

Fluentbit image to be used. If not specified, Operator will use the latest version that is supported by the Operator.

spec.fep.remoteLogging.pullPolicy

IfNotPresent

Optional

spec.fep.remoteLogging.fluentdName

Optional

The name of the FEPLogging CR to which logs are transferred.

Specify this option to use the FEPLogging function to transfer logs.

spec.fep.remoteLogging.tls.certificateName

Optional

Name of the Kubernetes Secret that holds the fluentbit client certificate; FEPLogging uses it for certificate authentication. The certificate itself is stored under the key tls.crt.

spec.fep.remoteLogging.tls.caName

Optional

Kubernetes ConfigMap that holds the CA certificate of Fluentd, which fluentbit uses to verify the server when performing mTLS.

spec.fep.remoteLogging.mcSpec.limits.cpu

50m

Optional

CPU allocation limit for fluentbit.

spec.fep.remoteLogging.mcSpec.limits.memory

60Mi

Optional

Memory allocation limit for fluentbit.

spec.fep.remoteLogging.mcSpec.requests.cpu

10m

Optional

CPU allocation request for fluentbit.

spec.fep.remoteLogging.mcSpec.requests.memory

5Mi

Optional

Memory allocation request for fluentbit.

spec.fep.remoteLogging.fluentbitParams.memBufLimit

5MB

Optional

Defines the Mem_Buf_Limit in Fluentbit. This will affect all sections that use this parameter.

spec.fep.remoteLogging.fluentbitConfigSecretRef

Optional

Specifies the name of the secret containing fluent-bit.yaml when using the log transfer feature with remote logging.

If fluentbitConfigSecretRef is not defined, or if it is defined but the referenced Secret does not exist, the operator creates a default Secret <fep-cluster>-fluent-bit-conf and sets this parameter to that name.

If the referenced Secret exists, it is mounted in fep-logging-fluent-bit under /fluent-bit/etc.

spec.fep.remoteLogging.awsCredentialSecretRef

Optional

Specify the name of the Secret that contains authentication information to the AWS service.

The Secret holds an AWS configuration file and a credentials file.

The configuration file must be stored under the key "config" and the credentials file under the key "credentials".

If the referenced Secret exists, it is mounted in fep-logging-fluent-bit under /fluent-bit/aws.
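Several of the fields above name Secrets or ConfigMaps that the operator mounts (restore.caName, restore.repoKeySecretName, remoteLogging.tls.certificateName with its tls.crt key, remoteLogging.tls.caName, awsCredentialSecretRef with its config and credentials files), and one of them, fluentbitConfigSecretRef, silently falls back to an operator-generated default Secret when the referenced one is missing. The following Python script is an added example, not part of the operator, that resolves those references against a listing of cluster objects before the CR is applied. The CR and the kubectl-style listing are constructed for the example; in practice the listing comes from kubectl get secret,configmap -o json.

```python
"""Check that the Secrets and ConfigMaps a FEPCluster CR references exist and
carry the keys the operator expects. Added example for this page, not operator
code: the reference fields and required keys come from the table above; the CR
and the object listing below are constructed stand-ins for live cluster data."""
from typing import Any, Dict, List, Set, Tuple

Inventory = Dict[Tuple[str, str], Set[str]]  # (kind, name) -> data keys present

# (dotted path under spec, object kind, data keys that must exist, purpose)
REFERENCES = [
    ("fepChildCrVal.restore.caName", "ConfigMap", (), "CA for repo1-storage-ca-path"),
    ("fepChildCrVal.restore.repoKeySecretName", "Secret", (), "object storage key file"),
    ("fep.remoteLogging.tls.certificateName", "Secret", ("tls.crt",), "fluentbit client cert"),
    ("fep.remoteLogging.tls.caName", "ConfigMap", (), "Fluentd CA for mTLS"),
    ("fep.remoteLogging.awsCredentialSecretRef", "Secret", ("config", "credentials"), "AWS files"),
]


def _get(obj: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if a step is absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def _names(value: Any) -> List[str]:
    """caName and repoKeySecretName are arrays; the other references are single names."""
    if value is None:
        return []
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]


def inventory_from_kubectl(listing: Dict[str, Any]) -> Inventory:
    """Build the inventory from `kubectl get secret,configmap -o json` output."""
    return {(item["kind"], item["metadata"]["name"]): set((item.get("data") or {}).keys())
            for item in listing.get("items", [])}


def check_references(cr: Dict[str, Any], inventory: Inventory) -> List[str]:
    """Return one finding per missing object or key; an empty list means all resolve."""
    findings: List[str] = []
    spec = cr.get("spec", {})
    for path, kind, required, purpose in REFERENCES:
        for name in _names(_get(spec, path)):
            data = inventory.get((kind, name))
            if data is None:
                findings.append(f"{path}: {kind} {name!r} ({purpose}) does not exist")
                continue
            for key in required:
                if key not in data:
                    findings.append(f"{path}: {kind} {name!r} lacks key {key!r}")
    # A missing fluent-bit config Secret does not fail the apply: the operator creates
    # <fep-cluster>-fluent-bit-conf and rewrites this field, so report it explicitly.
    ref = _get(spec, "fep.remoteLogging.fluentbitConfigSecretRef")
    if ref is not None and ("Secret", str(ref)) not in inventory:
        cluster = cr.get("metadata", {}).get("name", "<fep-cluster>")
        findings.append(f"fep.remoteLogging.fluentbitConfigSecretRef: Secret {ref!r} missing; "
                        f"operator will create and use {cluster}-fluent-bit-conf instead")
    return findings


# Constructed CR and object listing (data values elided; only the key names matter here).
SAMPLE_CR: Dict[str, Any] = {
    "metadata": {"name": "new-fep"},
    "spec": {
        "fepChildCrVal": {"restore": {"caName": ["storage-ca"], "repoKeySecretName": ["s3-key"]}},
        "fep": {"remoteLogging": {
            "enable": True,
            "tls": {"certificateName": "fluentbit-tls", "caName": "fluentd-ca"},
            "awsCredentialSecretRef": "aws-creds",
            "fluentbitConfigSecretRef": "my-fluent-bit-conf",
        }},
    },
}
SAMPLE_LISTING: Dict[str, Any] = {"items": [
    {"kind": "ConfigMap", "metadata": {"name": "storage-ca"}, "data": {"ca.crt": "..."}},
    {"kind": "ConfigMap", "metadata": {"name": "fluentd-ca"}, "data": {"ca.crt": "..."}},
    {"kind": "Secret", "metadata": {"name": "fluentbit-tls"}, "data": {"tls.key": "..."}},  # no tls.crt
    {"kind": "Secret", "metadata": {"name": "aws-creds"}, "data": {"credentials": "..."}},  # no config
]}

if __name__ == "__main__":
    found = check_references(SAMPLE_CR, inventory_from_kubectl(SAMPLE_LISTING))
    print("\n".join(found) or "all references resolve")
```

Run it before kubectl apply. A finding about fluentbitConfigSecretRef is not an error, but it means the log pipeline will start with the operator's default fluent-bit configuration rather than yours, which is easy to miss because the operator rewrites the field to the default name.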

spec.fepChildCrVal.secretStore.csi.providerName

Optional

Provider name. One of Azure, AWS, GCP or Vault.

For the Azure provider, the value must be "Azure" or "azure".

spec.fepChildCrVal.secretStore.csi.azureProvider.credentials

Optional

Secret created by User that contains the required credentials to connect to Azure keyvault

spec.fepChildCrVal.secretStore.csi.azureProvider.tenantid

Optional

Tenant id where keyvault is created

spec.fepChildCrVal.secretStore.csi.azureProvider.keyvaultName

Optional

Name of the keyvault where secrets are stored

spec.fepChildCrVal.secretStore.csi.azureProvider.fepSecrets

Optional

List of FEP parameters and the corresponding secrets created in the Key Vault

Eg:
<fep parameter name>: <secret in keyvault>

spec.fepChildCrVal.secretStore.csi.azureProvider.fepCustomCert

Optional

Only defined when logical replication feature is enabled

spec.fepChildCrVal.secretStore.csi.awsProvider.region

Optional

AWS Region where EKS cluster is created

spec.fepChildCrVal.secretStore.csi.awsProvider.roleName

Optional

Role Name for the IAM trust policy

spec.fepChildCrVal.secretStore.csi.awsProvider.fepSecrets

Optional

List of FEP parameters and the corresponding secrets created in the AWS secret store

Eg:
<fep parameter name>: <secret name in AWS>

spec.fepChildCrVal.secretStore.csi.awsProvider.fepCustomCert

Optional

Only defined when logical replication feature is enabled

spec.fepChildCrVal.secretStore.csi.gcpProvider.credentials

Optional

Secret created by User that contains the required credentials to connect to GCP Secret Manager

spec.fepChildCrVal.secretStore.csi.gcpProvider.fepSecrets

Optional

List of FEP parameters and the corresponding secrets created in GCP Secret Manager

Eg:
<fep parameter name>: <secret name in GCP Secret Manager>

spec.fepChildCrVal.secretStore.csi.gcpProvider.fepCustomCert

Optional

Only defined when logical replication feature is enabled

spec.fepChildCrVal.secretStore

Optional

Not required if the user opts to store all secrets as Kubernetes Secrets in the cluster.

spec.fepChildCrVal.secretStore.csi.vaultProvider.roleName

Optional

roleName created by user in the Vault

spec.fepChildCrVal.secretStore.csi.vaultProvider.vaultAddress

Optional

Address of the vault that is accessible from the FEP environment

spec.fepChildCrVal.secretStore.csi.vaultProvider.fepSecrets

Optional

List of FEP parameters and the corresponding secrets created in the Vault

Eg:
<fep parameter name>: <path/to/secret/secretName in vault>

spec.fepChildCrVal.secretStore.csi.vaultProvider.fepCustomCert

Optional

Only defined when logical replication feature is enabled

spec.fep.measurement.recallForVector.enable

false

When set to true, enables vector database recall measurement.

spec.fep.measurement.recallForVector.schedule

15 0 1 * *

Optional

The date and time to start the measurement, in Cron format.

spec.fep.measurement.recallForVector.parallelJobs

5

Optional

Specifies the number of jobs to be executed concurrently.

Increasing the parallelism reduces the measurement time but increases the load on the database container. Adjust this parameter based on system load and measurement completion time.

spec.fep.measurement.recallForVector.maxDuration

0

Optional

Units: s, m, h, d

If no unit is specified, s (seconds) is assumed.

Specifies the maximum duration of the measurement. If the measurement has not completed within this time, it is terminated.

If 0 is specified, the measurement is not stopped until all measurements are complete.

spec.fep.measurement.recallForVector.sampleSize

100

Optional

Specifies the number of samples to use for the recall measurement.

The larger the number of samples, the more accurate the recall is, but the more time it takes to measure.

Adjust this parameter based on estimation error and calculation time.

spec.fep.measurement.recallForVector.topK

5

Optional

Number of top K results over which the recall is calculated.

We recommend using the same value as the LIMIT used when searching the vector database.

spec.fep.measurement.recallForVector.alertThreshold

0

Optional

If the recall falls below this threshold, an alert is issued to the AlertManager. The value can be between 0 and 1. If 0 is specified, no alert is created.

spec.fep.measurement.recallForVector.targets[]

Specifies what the recall is measured for.

You can specify multiple values in array format.

At least one database object must be specified when enabling vector database recall measurement.

spec.fep.measurement.recallForVector.targets[].database

The name of the database to measure recall.

spec.fep.measurement.recallForVector.targets[].tableConfigs[]

Specifies the table information to retrieve.

You can specify multiple values in array format.

spec.fep.measurement.recallForVector.targets[].tableConfigs[].schemaObject

For objects whose recall is to be measured, specify the schema, table, and column separated by dots(.).

spec.fep.measurement.recallForVector.targets[].tableConfigs[].distanceMetric

cosine

Optional

Specifies the distance calculation method (cosine, inner_product, l2). Choose the same distance metric that the embedding model was trained with.

spec.globalEnvSec

Specifies the name of the Kubernetes secret that contains variables common to all containers. The defined key-value pairs are added to all containers running on FEPCluster.

spec.fep.fepEnvSec

Specifies the name of the Kubernetes secret that contains key-value pairs specific to the fep-patroni container.

spec.fep.feputils.fepUtilsEnvSec

Specifies the name of the Kubernetes secret that contains key-value pairs specific to fep-utils sidecar.

spec.fep.remoteLogging.fluentBitEnvSec

Specifies the name of the Kubernetes secret that contains key-value pairs specific to the fep-logging-fluent-bit sidecar.

spec.fep.monitoring.fepExporter.fepExporterEnvSec

Specifies the name of the Kubernetes secret that contains key-value pairs specific to the prometheus-fep-exporter sidecar.

spec.fepChildCrVal.backup.fepBackupEnvSec

Specifies the name of the Kubernetes secret that contains key-value pairs specific to fepbackup sidecar.

Note

  • (*) - These parameters can be specified only at creation time and should not be changed. Any change to these parameters will be ignored and will not have any effect on FEP cluster functioning.

  • (**) - The storage volumes size can be increased provided underlying storage supports the operation. Optional volumes can be specified only at initial FEP cluster creation. If an optional volume is added later, operator will ignore it and no action will be taken.

  • Unsupported CR changes must be applied or reverted manually by the user.

  • The spec.fep.postgres.tls CR specification should be used instead of spec.fepChildCrVal.systemCertificates. The latter can still be used; however, spec.fep.postgres.tls gives better flexibility to control mTLS access to the cluster.

  • Use either spec.fep.postgres.tls or spec.fepChildCrVal.systemCertificates (the old specification). They must not be used interchangeably.

  • The server certificate specified under spec.fep.postgres.tls can be rotated by changing the Secret and executing a reload (e.g. using FEPAction); certificates specified elsewhere in the CR require a restart of the Pods.

  • When spec.ldap.caConfigMapRef is defined, and the referenced configmap exist, the named configmap will be mounted on fep-patroni under /tls/ldap.

  • When the referenced secret spec.ldap.ldapconfSecretRef exists, the named secret will be mounted on fep-patroni under /etc/openldap. The environment variable LDAPCONF=/etc/openldap/ldap.conf will be exported to the fep-patroni container. If this key is not defined, Operator will create and mount default secret <fep-cluster>-ldapconf with the following content.

  • When the referenced ConfigMap spec.ldap2pg.ldap2pgymlConfigMapRef exists, the named ConfigMap will be mounted on fep-patroni under /tmp/.config. If it does not exist, Operator will create one with that name with the following content.
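The constraints scattered through the table above are easy to get wrong in a long CR, and some failures are silent: an out-of-range maxReplicas does not reject the apply, it just means scale out never runs, and a credential placed in pgbackrestParams instead of pgbackrestKeyParams is simply shown unmasked. The following Python script is an added example, not part of the operator, that checks a CR against those documented rules before kubectl apply (maxReplicas 0 to 15, restore and upgrade being mutually exclusive, PITR needing restoredate and restoretime, upgrade needing sourceCluster, the secretStore provider list, the recallForVector ranges, and a CA path under /pgbackrest/storage-certs without a caName to mount it). The sample CR is constructed, its restoredate format is assumed, and the list of credential-carrying pgBackRest options is a heuristic; load a real CR with yaml.safe_load.

```python
"""Pre-apply lint for a FEPCluster CR against the constraints in this reference.
Added example for this page, not part of the FEP operator. Field names and limits
come from the parameter table; the sample CR is constructed, its restoredate
format is assumed, and SENSITIVE_OPTIONS is a heuristic list."""
from typing import Any, Dict, List

RESTORE_TYPES = {"latest", "PITR"}
SECRET_STORE_PROVIDERS = {"azure", "aws", "gcp", "vault"}
DISTANCE_METRICS = {"cosine", "inner_product", "l2"}
# Assumption: pgBackRest options that carry credentials. They belong in
# pgbackrestKeyParams, whose values the operator masks, not in pgbackrestParams.
SENSITIVE_OPTIONS = {"repo1-s3-key", "repo1-s3-key-secret", "repo1-azure-key",
                     "repo1-gcs-key", "repo1-cipher-pass"}


def _get(obj: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if a step is absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def parse_conf_block(block: str) -> Dict[str, str]:
    """Parse the literal block given to pgbackrestParams into option=value pairs."""
    options: Dict[str, str] = {}
    for line in (block or "").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return options


def lint_fepcluster(cr: Dict[str, Any]) -> List[str]:
    """Return one finding per violated constraint; an empty list means clean."""
    findings: List[str] = []
    spec = cr.get("spec", {})
    child = spec.get("fepChildCrVal", {})
    # An out-of-range maxReplicas does not fail the apply; it silently disables scale out.
    max_replicas = _get(child, "autoscale.limits.maxReplicas")
    if max_replicas is not None and not (isinstance(max_replicas, int) and 0 <= max_replicas <= 15):
        findings.append("autoscale.limits.maxReplicas must be 0..15; scale out would never run")
    restore, upgrade = child.get("restore"), child.get("upgrade")
    if restore is not None and upgrade is not None:
        findings.append("restore and upgrade both defined; the FEPCluster build stops")
    if restore is not None:
        rtype = restore.get("restoretype", "latest")
        if rtype not in RESTORE_TYPES:
            findings.append(f"restore.restoretype {rtype!r} is neither latest nor PITR")
        elif rtype == "PITR" and not (restore.get("restoredate") and restore.get("restoretime")):
            findings.append("restore.restoretype PITR requires restoredate and restoretime")
        params = parse_conf_block(restore.get("pgbackrestParams", ""))
        for option in sorted(SENSITIVE_OPTIONS & params.keys()):
            findings.append(f"{option} is in unmasked pgbackrestParams; move it to pgbackrestKeyParams")
        if "repo1-storage-ca-path" in params and not restore.get("caName"):
            findings.append("repo1-storage-ca-path set but restore.caName missing; CA ConfigMap is not mounted")
    if upgrade is not None and not upgrade.get("sourceCluster"):
        findings.append("upgrade.sourceCluster is required when upgrade is defined")
    provider = _get(child, "secretStore.csi.providerName")
    if provider is not None and str(provider).lower() not in SECRET_STORE_PROVIDERS:
        findings.append(f"secretStore.csi.providerName {provider!r} is not Azure, AWS, GCP or Vault")
    recall = _get(spec, "fep.measurement.recallForVector", {})
    if recall.get("enable"):
        if not 0 <= recall.get("alertThreshold", 0) <= 1:
            findings.append("recallForVector.alertThreshold must be between 0 and 1")
        targets = recall.get("targets") or []
        if not targets:
            findings.append("recallForVector.targets must name at least one database object")
        for cfg in (c for t in targets for c in t.get("tableConfigs", [])):
            if cfg.get("schemaObject", "").count(".") != 2:
                findings.append(f"schemaObject {cfg.get('schemaObject')!r} must be schema.table.column")
            if cfg.get("distanceMetric", "cosine") not in DISTANCE_METRICS:
                findings.append(f"distanceMetric {cfg['distanceMetric']!r} is not cosine, inner_product or l2")
    return findings


# Constructed sample with deliberate mistakes; load a real CR with yaml.safe_load().
SAMPLE_CR: Dict[str, Any] = {
    "metadata": {"name": "new-fep"},
    "spec": {
        "fepChildCrVal": {
            "autoscale": {"limits": {"maxReplicas": 20}},
            "restore": {
                "restoretype": "PITR",
                "restoredate": "2025-01-31",  # assumed format; restoretime is missing
                "pgbackrestParams": ("repo1-type=s3\n"
                                     "repo1-s3-bucket=example-backups\n"
                                     "repo1-storage-ca-path=/pgbackrest/storage-certs/ca.crt\n"
                                     "repo1-s3-key-secret=not-a-real-secret\n"),  # wrong block
            },
        },
        "fep": {"measurement": {"recallForVector": {
            "enable": True, "alertThreshold": 1.5,
            "targets": [{"database": "appdb", "tableConfigs": [
                {"schemaObject": "public.items", "distanceMetric": "manhattan"}]}]}}},
    },
}

if __name__ == "__main__":
    print("\n".join(lint_fepcluster(SAMPLE_CR)) or "clean")
```

The sample trips seven findings. The credential check is the one worth keeping even if you drop the rest: pgbackrestKeyParams exists precisely so that access keys are masked, and nothing in the CR schema stops you from putting the same option in the unmasked block.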

While in running state - following value will dynamically appear in the FEPCluster to reflect the cluster status

Field name

Details

status.fepStatus.fepClusterReady

Will be true or false to reflect if the whole cluster is ready. Kubernetes cluster information is fetched to check number of instances 'READY' & 'RUNNING' is equal to number of Configured instances.

Note

The "fepClusterReady" flag is set at first FEPCluster creation time only; it does not participate in subsequent reconciliation loops.

Setting up the database vector transformation feature is automated by applying the FEPCluster YAML as follows. This automatically creates the system administrator (user who loads) for the ONNX model, the owner user (user who imports), and the user (user who executes). Set the name and password for each user.

For detailed usage instructions regarding the in-database vector transformation, refer to the Fujitsu Enterprise Postgres Knowledge Data Management Feature User's Guide.

Changing enable from true to false and reapplying the cluster deletes the inference pod and disables the vector transformation feature within the database. Changing it from false to true creates a new inference pod and enables the feature; the database restarts when the feature is enabled.

fep:
  vectorTransformation:
    enable: true
    modelRepository:
    modelOwner:
      name: model-owner
      password: password-modelOwner
    modelUser:
      name: model-user
      password: password-modelUser
    modelLoader:
      name: model-admin
      password: password-modelAdmin

To create an inference server, configure the following parameters on the cluster; the operator then generates the inference server pod. The pod name is derived from the database server name: if the database server is named "new-fep", the pod is "inference-new-fep".

Configure persistent storage for the inference server. CSI can also be used for this storage; for details, refer to the User's Guide section "Deploying FEPClusters with Cloud-based Secret Management".

Configure the service for communication between the database server pods and the inference server pods. Communication can be encrypted with mutual TLS (mTLS): set connectionTls.enable to true. If connectionTls.certificate is not specified, certificates are generated automatically; to use Secrets you created, specify their names as shown in the following sample. For details, refer to the User's Guide section "Configuration FEP to Perform MTLS".

Size the resources used by the inference server according to the Fujitsu Enterprise Postgres Knowledge Data Management Feature User's Guide and set them as parameters.

vectorTransformation:
  inference_server: # Inference server information
    image: repository.io/triton-inference-server
    imagePullsecret: quay-pull-secret
    connectionTls:
      enable: true
      certificate: # names of Secrets created beforehand; omit to have certificates generated
        grpcCaName: grpc-cacert
        grpcCertificateName: grpc-cert
        grpcPrivateKey: grpc-key-password
        tritonGrpcCaName: triton-grpc-cacert
        tritonGrpcCertificateName: triton-grpc-cert
        tritonGrpcPrivateKey: triton-grpc-key-password
    inferenceServerPorts:
      grpcPort: 8001
      metricsPort: 8002
storage: # Storage mounted by the inference server and the model repository
  inferenceVol:
    size: 50Gi
    storageClass: inference-storage
    accessMode: ReadWriteOnce
  modelRepositoryVol:
    size: 50Gi
    storageClass: inference-storage
    accessMode: ReadWriteOnce