
Spec reference

Pod configuration for the gateway and metadata components lives on a raw PodTemplateSpec under spec.gateway.template and spec.metadata.template respectively. They use the same shape as FireboltEngineClass.spec.template. The validating webhook restricts what users may set on those templates. See Firebolt Operator-owned fields and Instance reconciliation.
| Field | Required | Default | Description |
|---|---|---|---|
| `spec.id` | No | (auto-generated ULID) | Stable unique identifier for the instance, used as the metadata account ID. Immutable once set. |
| `spec.metadata` | Yes | - | Metadata service configuration (can be empty `{}` for defaults). |
| `spec.metadata.postgres` | No | (internal) | External PostgreSQL connection. If omitted, the Firebolt Operator deploys an internal PostgreSQL StatefulSet. |
| `spec.metadata.postgres.host` | Yes* | - | PostgreSQL hostname. |
| `spec.metadata.postgres.port` | No | 5432 | PostgreSQL port. |
| `spec.metadata.postgres.database` | Yes* | - | Database name. |
| `spec.metadata.postgres.credentialsSecretRef.name` | Yes* | - | Secret with `username` and `password` keys. |
| `spec.metadata.replicas` | No | 1 | Number of metadata service pods (only 1 is currently supported). |
| `spec.metadata.template` | No | (Firebolt Operator default) | Pod template merged with the Firebolt Operator-rendered metadata container. See Firebolt Operator-owned fields. Image: `spec.metadata.template.spec.containers[name=="metadata"].image`. |
| `spec.metadata.engineRegistration` | No | false | Register Engine objects in the metadata service for SQL-level RBAC. |
| `spec.gateway` | Yes | - | Envoy gateway proxy configuration (can be empty `{}` for defaults). |
| `spec.gateway.replicas` | No | 2 | Number of gateway pods. See Gateway sizing. |
| `spec.gateway.metricsPort` | No | 9090 | Container port exposing Envoy's Prometheus metrics endpoint. The Firebolt Operator stamps a corresponding metrics port on the container. |
| `spec.gateway.template` | No | (Firebolt Operator default) | Pod template merged with the Firebolt Operator-rendered Envoy container. See Firebolt Operator-owned fields. Image: `spec.gateway.template.spec.containers[name=="envoy"].image`. |
| `spec.auth` | No | disabled | Authentication configuration. Not enforced yet. Reserved for future engine-level auth. |
| `spec.auth.mode` | Yes* | - | `disabled`, `native`, or `openid`. |
| `spec.auth.oidc` | Yes* | - | OIDC config (required when `mode` is `openid`). |

\* Required when the parent field is set.

Firebolt Operator-owned fields on component templates

spec.gateway.template and spec.metadata.template are full PodTemplateSpec embeds. The validating webhook (vfireboltinstance.compute.firebolt.io) walks every template at admission time and rejects user input on fields the Firebolt Operator manages end-to-end. The same set of pod-level fields is rejected on both components:
| Pod-level field | Reason |
|---|---|
| `spec.template.spec.subdomain` | Firebolt Operator-owned for the headless-DNS contract. |
| `spec.template.spec.hostname` | Firebolt Operator-owned. |
| `spec.template.spec.restartPolicy` | Fixed by the Deployment / StatefulSet controller. |
| `spec.template.spec.activeDeadlineSeconds` | Incompatible with long-lived component pods. |
| `spec.template.spec.terminationGracePeriodSeconds` | Firebolt Operator-stamped per component (15s gateway, 30s metadata). |
| `spec.template.metadata.labels[firebolt.io/*]` | Reserved label prefix. |
| `spec.template.metadata.annotations[firebolt.io/*]` | Reserved annotation prefix (most importantly `firebolt.io/config-hash`, which drives pod rollouts). |
Per-component primary container rejections:
| Container field | Gateway (`envoy`) | Metadata (`metadata`) |
|---|---|---|
| `command`, `args`, `ports`, `readinessProbe`, `livenessProbe`, `startupProbe` | Rejected | Rejected |
| `lifecycle` | Rejected (the Firebolt Operator owns the bash `/dev/tcp` preStop drain hook) | Rejected |
| `securityContext` | Rejected (hardened defaults: non-root UID 101, drop ALL caps) | Rejected (`RunAsUser` pinned to the image's dedicated-pensieve UID) |
| `env` | Rejected | Rejected (`POSTGRES_USERNAME_FILE` / `POSTGRES_PASSWORD_FILE` are Firebolt Operator-injected) |
| `envFrom` | Rejected | Rejected |
| `volumeMounts` | Rejected (`config-volume` / `tmp` are Firebolt Operator-rendered) | Rejected (`config` / `postgres-creds` / `tmp` are Firebolt Operator-rendered) |
| `image`, `imagePullPolicy` | Allowed | Allowed |
| `resources` | Allowed | Allowed |
Per-component pass-through (allowed without restriction):
  • All pod-level scheduling fields: nodeSelector, tolerations, affinity, topologySpreadConstraints, priorityClassName.
  • Pod-level: securityContext (PodSecurityContext), imagePullSecrets, serviceAccountName, additional volumes (names that do not collide with Firebolt Operator-owned volume names).
  • Additional containers (sidecars): Appended after the Firebolt Operator-rendered primary container.
  • Additional initContainers: Passed through verbatim.
  • Pod-template metadata.labels and metadata.annotations outside the firebolt.io/ reserved prefix.
A second container or initContainer using the Firebolt Operator-rendered primary name (envoy, metadata) is rejected as a duplicate. The authoritative rule sets live in api/v1alpha1/operatorauthority.go as GatewayPodTemplateRules and MetadataPodTemplateRules.
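As an added example (not the operator's own webhook code), the following Python pre-admission linter applies the rule sets listed above to a FireboltInstance spec so a manifest can be checked in CI before it reaches the cluster. The rule tables are transcribed from this page rather than read from api/v1alpha1/operatorauthority.go, and the sample spec, image reference and label values in it are constructed.

```python
# Field sets transcribed from the webhook rules described above.
OWNED_POD_FIELDS = ("subdomain", "hostname", "restartPolicy",
                    "activeDeadlineSeconds", "terminationGracePeriodSeconds")
OWNED_CONTAINER_FIELDS = ("command", "args", "ports", "readinessProbe",
                          "livenessProbe", "startupProbe", "lifecycle",
                          "securityContext", "env", "envFrom", "volumeMounts")
PRIMARY = {"gateway": "envoy", "metadata": "metadata"}
OWNED_VOLUMES = {"gateway": {"config-volume", "tmp"},
                 "metadata": {"config", "postgres-creds", "tmp"}}
RESERVED_PREFIX = "firebolt.io/"

def check_template(component: str, template: dict) -> list:
    """Return the rejections the webhook would raise for one component template."""
    path = f"spec.{component}.template"
    pod = template.get("spec", {})
    errors = [f"{path}.spec.{f}: Firebolt Operator-owned"
              for f in OWNED_POD_FIELDS if f in pod]
    for kind in ("labels", "annotations"):
        for key in template.get("metadata", {}).get(kind, {}):
            if key.startswith(RESERVED_PREFIX):
                errors.append(f"{path}.metadata.{kind}[{key}]: reserved prefix")
    for vol in pod.get("volumes", []):
        if vol.get("name") in OWNED_VOLUMES[component]:
            errors.append(f"{path}.spec.volumes[{vol['name']}]: collides with owned volume")
    primary, seen = PRIMARY[component], 0
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        if c.get("name") != primary:
            continue  # sidecars and init containers pass through verbatim
        seen += 1  # image, imagePullPolicy and resources stay allowed on the primary
        errors += [f"{path}: container {primary}.{f}: rejected"
                   for f in OWNED_CONTAINER_FIELDS if f in c]
    if seen > 1:
        errors.append(f"{path}: duplicate primary container name {primary}")
    return errors

def check_instance(spec: dict) -> list:
    """Check both component templates of a FireboltInstance spec."""
    return [e for comp in PRIMARY
            for e in check_template(comp, spec.get(comp, {}).get("template") or {})]

# Constructed sample spec: allowed pass-through fields plus three violations.
SAMPLE_SPEC = {
    "metadata": {"template": {"spec": {"containers": [{"name": "metadata",
        "image": "registry.example/metadata:1.2.3", "env": [{"name": "X", "value": "y"}]}]}}},
    "gateway": {"replicas": 2, "template": {
        "metadata": {"labels": {"firebolt.io/tier": "edge", "team": "data"}},
        "spec": {"nodeSelector": {"pool": "gateway"}, "terminationGracePeriodSeconds": 60,
                 "containers": [{"name": "envoy", "resources": {"limits": {"cpu": "2"}}}]}}},
}
```

Running `check_instance(SAMPLE_SPEC)` reports the gateway `terminationGracePeriodSeconds`, the reserved `firebolt.io/tier` label and the metadata container `env`, while the node selector, resources, image and `team` label pass.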

Instance phases

| Phase | Meaning |
|---|---|
| Provisioning | Components are being deployed. Not yet ready. |
| Ready | Metadata service and gateway are healthy. |
| Degraded | Was previously Ready, but one or more components became unhealthy. |
| Failed | Terminal error requiring manual intervention (e.g., multiple accounts found in metadata). |

Status properties

| Field | Description |
|---|---|
| `status.phase` | Instance lifecycle phase. See Instance phases. |
| `status.metadataReady` | Whether the metadata service Deployment has a ready replica. |
| `status.gatewayReady` | Whether the gateway Deployment has a ready replica. |
| `status.metadataEndpoint` | In-cluster metadata gRPC endpoint (cleared when metadata is not ready). |
| `status.gatewayEndpoint` | In-cluster gateway HTTP endpoint (cleared when gateway is not ready). |
| `status.conditions` | `Ready`, `MetadataReady`, `GatewayReady`. |
Short name: fire.