This topic gives you reference information about the Google PostgreSQL service (csb-google-postgres). It details the plans, configuration parameters, and binding credentials.

Plans

A default plan becomes available when installing the tile. This plan is for reference only, and is not intended for production use. Remove this default plan and create plans that fit your requirements.

Plan Configuration Parameters

When configuring Cloud Service Broker for GCP, you can add more plans. For how to configure plans, see Configure Services with Cloud Service Broker for GCP.

The following table lists parameters that can be configured at a plan level:

| Parameter name | Values | Default | Required |
|---|---|---|---|
| name | The plan name. | n/a | Yes |
| id | A unique GUID. | n/a | Yes |
| description | Description of the new plan. | n/a | Yes |
| display_name | Name to use when displaying the plan in the Marketplace. | n/a | No |
| free | When false, service instances of this service plan have a cost. | true | No |
| bindable | Specifies whether service instances of the service plan can bind to applications. | true | No |
| plan_updateable | Specifies whether the plan supports upgrade/downgrade/sidegrade to another version. | true | No |
| metadata.displayName | Name to use when displaying the plan in the Marketplace. | n/a | No |
| metadata.bullets | List of bullet points to display in Apps Manager. | n/a | No |

You can also add any of the configuration parameters listed in the parameters section to your plan.

To create plans with specific sizes and versions, set the tier, storage_gb, and postgres_version properties.

If you set a parameter at plan level, developers cannot change the value when creating or updating service instances.

Caution: When editing a plan configuration, consider the implications for existing services. If you change a default value, this value is applied to existing service instances when they are updated. For example, if you change the region, then when a service instance is updated, an attempt is made to change the region. This is not a supported operation in GCP and might result in data loss.

Configuration Parameters

You can provision a service by running:

cf create-service csb-google-postgres PLAN-NAME SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

You can update the configuration parameters for a service instance by running:

cf update-service SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

The following table lists the parameters that you can configure, by using the -c flag, when provisioning or updating a csb-google-postgres service. The Operation column displays whether a parameter is supported for both provision and update, or for provision only:

| Parameter Name | Type | Description | Default | Operation |
|---|---|---|---|---|
| tier | string | Required unless defined in the plan. Google machine tier. This determines the CPU and RAM resource. It can be a legacy machine type, such as db-f1-micro, db-g1-small, db-n1-standard-8, db-n1-highmem-16, or a custom machine type such as db-custom-8-8192. For more information about machine types, see the Google Cloud documentation. | None | provision and update |
| postgres_version | string | Required unless defined in the plan. The version for the PostgreSQL instance. POSTGRES_11, POSTGRES_12, POSTGRES_13, POSTGRES_14, or POSTGRES_15. | POSTGRES_13 | provision |
| storage_gb | number | Required unless defined in the plan. Size of storage volume for service instance. 10–4096 GB. | 10 | provision and update |
| instance_name | string | Name for the PostgreSQL instance. | csb-postgres-INSTANCE-ID | provision |
| db_name | string | Name for the database. | csb-db | provision |
| region | string | The region of the PostgreSQL instance. | The value the operator entered for Region in Tanzu Operations Manager. | provision |
| require_ssl | boolean | Require TLS for the connection between PostgreSQL and the apps bound to the service. | true | provision and update |
| authorized_network | string | The name of the Google Compute Engine network to which the instance is connected. The authorized_network_id takes precedence if set. | default | provision and update |
| authorized_network_id | string | Self link of the Google Compute Engine network to which the instance is connected. It has the format https://www.googleapis.com/compute/v1/projects/PROJECT-NAME/global/networks/VPC-NAME. | The value the operator entered for authorized_network_id in Tanzu Operations Manager. If that is empty then authorized_network is used. | provision and update |
| authorized_networks_cidrs | array | CIDR notation IPv4 or IPv6 addresses that are allowed to access this instance. | [] | provision and update |
| public_ip | boolean | Assigns a static public IPv4 address to the database. You must configure authorized_networks_cidrs on the selected network to enable access. For more information, see the Google Cloud documentation. | false | provision and update |
| backups_retain_number | integer | The number of backups to retain. Set this to zero to deactivate backups. | 7 | provision and update |
| backups_location | string | The location where backups are stored. | us | provision and update |
| backups_start_time | string | Start of the backup time window in UTC. | 07:00 | provision and update |
| backups_point_in_time_log_retain_days | integer | The number of days to retain point in time logs. Set to zero to deactivate point in time logging. Before you set this property, you must first enable backups using the backups_retain_number property. | 7 | provision and update |
| highly_available | boolean | Enable regional high availability for the service instance. This results in a hot standby instance deployed to a different zone in the same region, and affects billing accordingly. Requires backups_point_in_time_log_retain_days and backups_retain_number properties other than zero. For more information, see the Google Cloud documentation. | false | provision and update |
| location_preference_zone | string | Preferred zone in the instance region for the primary instance in a highly available setup. For example, a or c. When not specified, one of the available zones is chosen automatically. For a list of available zones, see the Google Cloud documentation. | "" | provision and update |
| location_preference_secondary_zone | string | Preferred zone in the instance region for the standby instance in a highly available setup. For example, b or f. In a highly available configuration, when the secondary zone is not specified, a zone other than the one specified for the primary instance is chosen automatically. For a list of available zones, see the Google Cloud documentation. | "" | provision and update |
| credentials | string | The GCP credentials. | The value the operator entered for Credentials in Tanzu Operations Manager. | provision and update |
| project | string | The GCP project to use. | The value the operator entered for Project in Tanzu Operations Manager. | provision |
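
The constraints in the table above can be checked before a request reaches the broker. The following is an added example, not part of the original documentation or the broker's own code: `review_params` is a hypothetical helper that applies the documented defaults, ranges, and dependencies to a `-c` payload, and the check for a CIDR that covers every address is an added policy check rather than a rule the broker states.

```python
import ipaddress
import json

# Documented values; defaults apply when the request leaves a parameter out.
VERSIONS = {f"POSTGRES_{n}" for n in range(11, 16)}
DEFAULTS = {
    "postgres_version": "POSTGRES_13", "storage_gb": 10, "require_ssl": True,
    "public_ip": False, "authorized_networks_cidrs": [], "highly_available": False,
    "backups_retain_number": 7, "backups_point_in_time_log_retain_days": 7,
}

def review_params(raw_json):
    """Return findings for the JSON passed to `cf create-service ... -c`."""
    p = {**DEFAULTS, **json.loads(raw_json)}
    findings = []
    if p["postgres_version"] not in VERSIONS:
        findings.append("postgres_version: not a documented value")
    size = p["storage_gb"]
    if isinstance(size, bool) or not isinstance(size, (int, float)) or not 10 <= size <= 4096:
        findings.append("storage_gb: must be a number from 10 to 4096")
    backups = p["backups_retain_number"] > 0
    pitr = p["backups_point_in_time_log_retain_days"] > 0
    if pitr and not backups:
        findings.append("backups_point_in_time_log_retain_days: backups are deactivated")
    if p["highly_available"] and not (backups and pitr):
        findings.append("highly_available: needs backups and point-in-time logs")
    if not p["require_ssl"]:
        findings.append("require_ssl: TLS to bound apps is not required")
    cidrs = p["authorized_networks_cidrs"]
    if p["public_ip"] and not cidrs:
        findings.append("public_ip: no authorized_networks_cidrs, so no access")
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"authorized_networks_cidrs: {cidr!r} is not CIDR")
            continue
        if net.prefixlen == 0:  # added policy check, not a broker rule
            findings.append(f"authorized_networks_cidrs: {cidr} admits any address")
    return findings

# Constructed sample requests.
WEAK = ('{"tier": "db-f1-micro", "require_ssl": false, "public_ip": true, '
        '"authorized_networks_cidrs": ["0.0.0.0/0"], '
        '"backups_retain_number": 0, "highly_available": true}')
GOOD = '{"tier": "db-custom-8-8192", "storage_gb": 100}'

if __name__ == "__main__":
    print("\n".join(review_params(WEAK)))
```
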

Binding

You can bind a service by running:

cf bind-service APP-NAME SERVICE-INSTANCE-NAME --binding-name BINDING-NAME

A binding or service key corresponds to a user in PostgreSQL. By default, PostgreSQL users do not have access to data written by other users.

For bindings to have access to the same data, the public schema can be used, or a schema can be created and access can be granted to other users.

When a binding or service key is deleted, data that the PostgreSQL user owns is re-assigned to a role called binding_user_group before the user is deleted. This ensures that other bindings still have access to the data.

Binding Process

For each new binding, the Google PostgreSQL service creates a new user with the role binding_user_group. When the binding is deleted, all the objects the user owns are re-assigned to the role binding_user_group, and the user is deleted.

The client certificate exposed through the binding credentials is created during provisioning, and is shared between all binding users. The client certificate is managed in this manner for the following reasons:

  • Each CloudSQL instance is limited to 10 certificates. For more information, see the Google Cloud documentation.
  • The lifetime of a client certificate is set to 10 years.
  • The client certificate is used to authorize only the connection and never the user.

Currently, the Google PostgreSQL service does not provide a mechanism for TLS certificate rotation.

Binding Credentials

The format for binding credentials for Google PostgreSQL is as follows:

{
    "name" : "DATABASE-NAME",
    "hostname" : "DATABASE-SERVER-HOST",
    "port" : "DATABASE-SERVER-PORT",
    "username" : "AUTHENTICATION-USERNAME",
    "password" : "AUTHENTICATION-PASSWORD",
    "require_ssl" : true,
    "uri" : "DATABASE-CONNECTION-URI",
    "jdbcUrl" : "JDBC-FORMAT-CONNECTION-URL",
    "sslcert" : "SSL_CLIENT_CERT",
    "sslkey" : "SSL_CLIENT_CERT_KEY",
    "sslrootcert" : "SSL_ROOT_CERT"
}
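
An application can turn these credentials into a TLS-verified PostgreSQL connection. The following is an added example, not part of the original documentation: `libpq_params` is a hypothetical helper, and it assumes the binding appears in `VCAP_SERVICES` under the key `csb-google-postgres`, that `sslcert`, `sslkey`, and `sslrootcert` hold PEM text, and that `verify-ca` is the appropriate `sslmode`. The sample binding is constructed.

```python
import json
import os
import tempfile

def libpq_params(vcap_services_json, cert_dir):
    """Map the first csb-google-postgres binding to libpq connection keywords."""
    binding = json.loads(vcap_services_json)["csb-google-postgres"][0]
    creds = binding["credentials"]
    params = {
        "host": creds["hostname"], "port": str(creds["port"]),
        "dbname": creds["name"], "user": creds["username"],
        # The password authenticates the user; the certificate only
        # authorizes the connection and is shared by all bindings.
        "password": creds["password"],
    }
    for field in ("sslcert", "sslkey", "sslrootcert"):
        path = os.path.join(cert_dir, field + ".pem")
        # Create with mode 0600: libpq refuses a private key file that
        # group or others can read.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fh.fileno(), 0o600)  # tighten a file that already existed
            fh.write(creds[field])
        params[field] = path
    # Assumption: verify-ca checks the server certificate against
    # sslrootcert without matching the host name.
    params["sslmode"] = "verify-ca"
    return params

# Constructed sample binding; every value is a placeholder.
SAMPLE_VCAP = json.dumps({"csb-google-postgres": [{"credentials": {
    "name": "csb-db", "hostname": "db.example.internal", "port": 5432,
    "username": "binding-user", "password": "placeholder", "require_ssl": True,
    "sslcert": "-----BEGIN CERTIFICATE-----\nconstructed-client\n-----END CERTIFICATE-----\n",
    "sslkey": "-----BEGIN PRIVATE KEY-----\nconstructed-key\n-----END PRIVATE KEY-----\n",
    "sslrootcert": "-----BEGIN CERTIFICATE-----\nconstructed-root\n-----END CERTIFICATE-----\n",
}}]})

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        safe = {k: v for k, v in libpq_params(SAMPLE_VCAP, tmp).items() if k != "password"}
        print(safe)
```

The returned dictionary uses libpq keyword names, so it can be passed to a libpq-based driver as keyword arguments.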