Appendix: Materialize CRD Field Descriptions

MaterializeSpec

Field Name Required Description
backendSecretName String

The name of a secret containing metadata_backend_url and persist_backend_url. It may also contain external_login_password_mz_system, which will be used as the password for the mz_system user if authenticatorKind is Password.

environmentdImageRef String

The environmentd image to run.

authenticatorKind Enum

How to authenticate with Materialize.

Valid values:

  • Frontegg:
    Authenticate users using Frontegg.
  • Password:
    Authenticate users using internally stored password hashes. The backend secret must contain external_login_password_mz_system.
  • Sasl:
    Authenticate users using SASL.
  • None (default):
    Do not authenticate users. Trust they are who they say they are without verification.

Default: None

balancerdExternalCertificateSpec MaterializeCertSpec

The configuration for generating an x509 certificate using cert-manager for balancerd to present to incoming connections. The dnsNames and issuerRef fields are required.

balancerdReplicas Integer

Number of balancerd pods to create.

balancerdResourceRequirements io.k8s.api.core.v1.ResourceRequirements

Resource requirements for the balancerd pod.

consoleExternalCertificateSpec MaterializeCertSpec

The configuration for generating an x509 certificate using cert-manager for the console to present to incoming connections. The dnsNames and issuerRef fields are required. Not yet implemented.

consoleReplicas Integer

Number of console pods to create.

consoleResourceRequirements io.k8s.api.core.v1.ResourceRequirements

Resource requirements for the console pod.

enableRbac Bool

Whether to enable role-based access control. Defaults to false.

environmentId Uuid

The value used by environmentd (via the --environment-id flag) to uniquely identify this instance. Must be globally unique, and is required if a license key is not provided. NOTE: This value MUST NOT be changed in an existing instance, since it affects things like the way data is stored in the persist backend.

Default: 00000000-0000-0000-0000-000000000000

environmentdConnectionRoleArn String

If running in AWS, override the IAM role to use to support the CREATE CONNECTION feature.

environmentdExtraArgs Array<String>

Extra args to pass to the environmentd binary.

environmentdExtraEnv Array<io.k8s.api.core.v1.EnvVar>

Extra environment variables to pass to the environmentd binary.

environmentdResourceRequirements io.k8s.api.core.v1.ResourceRequirements

Resource requirements for the environmentd pod.

environmentdScratchVolumeStorageRequirement io.k8s.apimachinery.pkg.api.resource.Quantity

Amount of disk to allocate, if a storage class is provided.

forcePromote Uuid

If forcePromote is set to the same value as requestRollout, the current rollout will skip waiting for clusters in the new generation to rehydrate before promoting the new environmentd to leader.

Default: 00000000-0000-0000-0000-000000000000

forceRollout Uuid

This value will be written to an annotation in the generated environmentd statefulset, in order to force the controller to detect the generated resources as changed even if no other changes happened. This can be used to force a rollout to a new generation even without making any meaningful changes, by setting it to the same value as requestRollout.

Default: 00000000-0000-0000-0000-000000000000

internalCertificateSpec MaterializeCertSpec

The cert-manager Issuer or ClusterIssuer to use for database internal communication. The issuerRef field is required. This currently is only used for environmentd, but will eventually support clusterd.

podAnnotations Map<String, String>

Annotations to apply to the pods.

podLabels Map<String, String>

Labels to apply to the pods.

requestRollout Uuid

When changes are made to the environmentd resources (either via modifying fields in the spec here or by deploying a new orchestratord version which changes how resources are generated), existing environmentd processes won’t be automatically restarted. In order to trigger a restart, the requestRollout field should be set to a new (random) value. Once the rollout completes, the value of status.lastCompletedRolloutRequest will be set to this value to indicate completion.

Defaults to a random value in order to ensure that the first generation rollout is automatically triggered.

Default: 00000000-0000-0000-0000-000000000000

rolloutStrategy Enum

Rollout strategy to use when upgrading this Materialize instance.

Valid values:

  • WaitUntilReady (default):
    Create a new generation of pods, leaving the old generation around until the new ones are ready to take over. This minimizes downtime, and is what almost everyone should use.

  • ImmediatelyPromoteCausingDowntime:

    WARNING!

    THIS WILL CAUSE YOUR MATERIALIZE INSTANCE TO BE UNAVAILABLE FOR SOME TIME!!!

    This strategy should ONLY be used by customers with physical hardware who do not have enough hardware for the WaitUntilReady strategy. If you think you want this, please consult with Materialize engineering to discuss your situation.

    Tear down the old generation of pods and promote the new generation of pods immediately, without waiting for the new generation of pods to be ready.

Default: WaitUntilReady

serviceAccountAnnotations Map<String, String>

Annotations to apply to the service account.

Annotations on service accounts are commonly used by cloud providers for IAM. AWS uses “eks.amazonaws.com/role-arn”. Azure uses “azure.workload.identity/client-id”, but additionally requires “azure.workload.identity/use”: “true” on the pods.

serviceAccountLabels Map<String, String>

Labels to apply to the service account.

serviceAccountName String

Name of the Kubernetes service account to use. If not set, we will create one with the same name as this Materialize object.
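
Several MaterializeSpec defaults above are permissive (authenticatorKind defaults to None, enableRbac to false, and the certificate specs are optional). The following pre-deployment check is an added example, not code from the Materialize project: it audits a spec already parsed into a dict, using only field names from the table above. The function names, severity labels, and sample values are assumptions made for illustration.

```python
# Added example: audit a parsed Materialize spec for security-relevant settings.
# Field names come from the MaterializeSpec table; everything else is constructed.
ZERO_UUID = "00000000-0000-0000-0000-000000000000"

def _cert_findings(spec, field, required):
    """Check one MaterializeCertSpec field for presence and required sub-fields."""
    cert = spec.get(field)
    if cert is None:
        return [("warn", field, "not set; no certificate is configured")]
    missing = [k for k in required if not cert.get(k)]
    if missing:
        return [("error", field, "missing required " + ", ".join(missing))]
    return []

def audit_spec(spec, backend_secret_keys):
    """Return a list of (severity, field, message) findings for one spec."""
    findings = []
    kind = spec.get("authenticatorKind", "None")  # documented default: None
    if kind == "None":
        findings.append(("error", "authenticatorKind", "users are not authenticated"))
    elif kind == "Password" and "external_login_password_mz_system" not in backend_secret_keys:
        findings.append(("error", "backendSecretName",
                         "Password auth needs external_login_password_mz_system"))
    for key in ("metadata_backend_url", "persist_backend_url"):
        if key not in backend_secret_keys:
            findings.append(("error", "backendSecretName", f"secret lacks {key}"))
    if not spec.get("enableRbac", False):  # documented default: false
        findings.append(("warn", "enableRbac", "role-based access control is disabled"))
    findings += _cert_findings(spec, "balancerdExternalCertificateSpec", ("dnsNames", "issuerRef"))
    findings += _cert_findings(spec, "internalCertificateSpec", ("issuerRef",))
    if spec.get("environmentId", ZERO_UUID) == ZERO_UUID:
        findings.append(("info", "environmentId", "left at the all-zero default"))
    return findings

# Constructed sample specs: WEAK relies on defaults, HARDENED sets each field.
ISSUER = {"name": "example-issuer", "kind": "ClusterIssuer"}
WEAK = {"backendSecretName": "mz-backend", "environmentdImageRef": "example/environmentd:tag"}
HARDENED = dict(WEAK, authenticatorKind="Password", enableRbac=True,
                environmentId="3f0c6a0e-9a57-4b8e-8f55-0d3a5c1b2e47",
                balancerdExternalCertificateSpec={"dnsNames": ["mz.example.com"], "issuerRef": ISSUER},
                internalCertificateSpec={"issuerRef": ISSUER})
SECRET_KEYS = {"metadata_backend_url", "persist_backend_url", "external_login_password_mz_system"}

if __name__ == "__main__":
    for severity, field, message in audit_spec(WEAK, SECRET_KEYS):
        print(f"{severity:5} {field}: {message}")
```
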

MaterializeCertSpec

Field Name Required Description
dnsNames Array<String>

Additional DNS names the certificate will be valid for.

duration String

Duration the certificate will be requested for. Value must be in units accepted by Go time.ParseDuration.

issuerRef CertificateIssuerRef

Reference to an Issuer or ClusterIssuer that will generate the certificate.

renewBefore String

Duration before expiration the certificate will be renewed. Value must be in units accepted by Go time.ParseDuration.

secretTemplate CertificateSecretTemplate

Additional annotations and labels to include in the Certificate object.

CertificateSecretTemplate

Field Name Required Description
annotations Map<String, String>

Annotations is a key value map to be copied to the target Kubernetes Secret.

labels Map<String, String>

Labels is a key value map to be copied to the target Kubernetes Secret.

CertificateIssuerRef

Field Name Required Description
name String

Name of the resource being referred to.

group String

Group of the resource being referred to.

kind String

Kind of the resource being referred to.

io.k8s.api.core.v1.ResourceRequirements

Field Name Required Description
claims Array<io.k8s.api.core.v1.ResourceClaim>

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

limits Map<String, io.k8s.apimachinery.pkg.api.resource.Quantity>

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests Map<String, io.k8s.apimachinery.pkg.api.resource.Quantity>

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

io.k8s.api.core.v1.ResourceClaim

Field Name Required Description
name String

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request String

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

io.k8s.api.core.v1.EnvVar

Field Name Required Description
name String

Name of the environment variable. Must be a C_IDENTIFIER.

value String

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. “$$(VAR_NAME)” will produce the string literal “$(VAR_NAME)”. Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to “”.

valueFrom io.k8s.api.core.v1.EnvVarSource

Source for the environment variable’s value. Cannot be used if value is not empty.
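
The $(VAR_NAME) expansion rules described for value, modelled as an added example (not Kubernetes or Materialize code). It covers the cases the description names: references to previously defined variables, unresolved references left unchanged, and $$ escaping. The function names and sample entries are constructed, and entries that use valueFrom are out of scope.

```python
# Added example: a model of EnvVar "value" expansion as described above.
def expand(value, env):
    """Expand $(NAME) references in value using the mapping env."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch != "$" or i + 1 >= len(value):
            out.append(ch)          # ordinary character, or a trailing "$"
            i += 1
            continue
        nxt = value[i + 1]
        if nxt == "$":              # "$$" is reduced to a single "$"
            out.append("$")
            i += 2
        elif nxt == "(":
            close = value.find(")", i + 2)
            if close == -1:         # unterminated reference: keep it literally
                out.append("$(")
                i += 2
            else:
                name = value[i + 2:close]
                # An unresolved reference is left unchanged in the output.
                out.append(env.get(name, "$(" + name + ")"))
                i = close + 1
        else:                       # "$" not followed by "(" or "$"
            out.append("$")
            i += 1
    return "".join(out)

def resolve_env(entries, service_env=None):
    """Resolve a list of {name, value} entries in order.

    Each value sees service variables plus entries defined before it,
    so a reference to a later entry stays unexpanded.
    """
    resolved = dict(service_env or {})
    for entry in entries:
        resolved[entry["name"]] = expand(entry.get("value", ""), resolved)
    return resolved

# Constructed sample entries in the shape of environmentdExtraEnv.
SAMPLE = [
    {"name": "HOST", "value": "db.internal"},
    {"name": "URL", "value": "postgres://$(HOST):5432/$(DB)"},  # DB defined later
    {"name": "DB", "value": "mz"},
    {"name": "LITERAL", "value": "$$(HOST)"},                   # escaped reference
]

if __name__ == "__main__":
    for name, value in resolve_env(SAMPLE).items():
        print(f"{name}={value}")
```
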

io.k8s.api.core.v1.EnvVarSource

Field Name Required Description
configMapKeyRef io.k8s.api.core.v1.ConfigMapKeySelector

Selects a key of a ConfigMap.

fieldRef io.k8s.api.core.v1.ObjectFieldSelector

Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels['<KEY>'], metadata.annotations['<KEY>'], spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.

resourceFieldRef io.k8s.api.core.v1.ResourceFieldSelector

Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.

secretKeyRef io.k8s.api.core.v1.SecretKeySelector

Selects a key of a secret in the pod’s namespace

io.k8s.api.core.v1.SecretKeySelector

Field Name Required Description
key String

The key of the secret to select from. Must be a valid secret key.

name String

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional Bool

Specify whether the Secret or its key must be defined

io.k8s.api.core.v1.ResourceFieldSelector

Field Name Required Description
resource String

Required: resource to select

containerName String

Container name: required for volumes, optional for env vars

divisor io.k8s.apimachinery.pkg.api.resource.Quantity

Specifies the output format of the exposed resources, defaults to “1”

io.k8s.api.core.v1.ObjectFieldSelector

Field Name Required Description
fieldPath String

Path of the field to select in the specified API version.

apiVersion String

Version of the schema the FieldPath is written in terms of, defaults to “v1”.

io.k8s.api.core.v1.ConfigMapKeySelector

Field Name Required Description
key String

The key to select.

name String

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional Bool

Specify whether the ConfigMap or its key must be defined
