PostgreSQL as Metadata Store
Starting with Ververica Platform 3.1.1, you can use PostgreSQL 15+ as the metadata persistence backend instead of MySQL or MariaDB. This page explains how to configure, operate, and troubleshoot a PostgreSQL-backed Ververica Platform installation.
Supported Versions
| Database | Supported Version |
|---|---|
| PostgreSQL | 15+ |
| MySQL | 8.x |
| MariaDB | 11.4.5+ |
PostgreSQL wire-compatible databases such as EnterpriseDB are also supported. Set global.database.provider to postgresql for these deployments.
Helm Configuration
The following example shows a complete PostgreSQL database configuration. Only provider, host, port, user, and password are required. All other fields are optional.
global:
database:
provider: postgresql # mariadb | mysql | postgresql
host: my-postgres.example.com
port: 5432
user: vvp
password: "<your-password>"
createIfMissing: true # requires CREATEDB privilege. Set to false to pre-create databases manually.
urlParams: "?ssl=true&sslmode=require" # optional. Include the leading "?".
initContainer:
image: harbor.internal.example.com/library/postgres:15-alpine
imagePullPolicy: IfNotPresent
The following sections describe each configuration option in detail.
provider
| Field | Type | Required | Default |
|---|---|---|---|
global.database.provider | string | No | mariadb |
Set to postgresql for PostgreSQL and PostgreSQL wire-compatible backends. The values mariadb and mysql are equivalent and represent the default behavior from previous releases. Existing MySQL and MariaDB deployments do not require any changes.
createIfMissing
| Field | Type | Required | Default |
|---|---|---|---|
global.database.createIfMissing | bool | No | true |
Controls whether Ververica Platform automatically creates the required service databases on startup if they do not exist. When provider is set to postgresql, the configured database user must have the CREATEDB privilege for automatic creation to work.
If CREATEDB is unavailable, set createIfMissing: false and create the databases manually before installing the chart. See Manual Database Creation.
urlParams
| Field | Type | Required | Default |
|---|---|---|---|
global.database.urlParams | string | No | none |
A JDBC query string appended verbatim to the connection URL. Use this field to pass connection parameters such as TLS settings. See TLS/SSL Configuration for an example.
initContainer
| Field | Type | Required | Default |
|---|---|---|---|
global.database.initContainer.image | string | No | docker.io/postgres:15-alpine |
global.database.initContainer.imagePullPolicy | string | No | none |
Overrides the image used by the database-creation init container. This init container only runs when provider is set to postgresql and createIfMissing is true. Use this option in air-gapped or private-registry environments that cannot pull docker.io/postgres:15-alpine.
Registry authentication is handled by the pod's image pull secrets, configured once via the chart's imagePullSecretName. No separate field is needed. See Air-Gapped Environments for an example.
Manual Database Creation
If the database user does not have the CREATEDB privilege, set createIfMissing: false in your values.yaml file and create the following databases before installing the chart:
CREATE DATABASE "vvp-appmanager" OWNER vvp;
CREATE DATABASE "vvp-autopilot" OWNER vvp;
CREATE DATABASE "vvp-meta" OWNER vvp;
CREATE DATABASE "vvp-gateway" OWNER vvp;
CREATE DATABASE "vvp-advisor" OWNER vvp;
CREATE DATABASE "vvp-premise" OWNER vvp;
CREATE DATABASE "vvp-k8soperator" OWNER vvp;
CREATE DATABASE "accesscontrol" OWNER vvp;
Replace vvp with the username configured in global.database.user.
TLS/SSL Configuration
To enable TLS for the PostgreSQL connection, use the urlParams field:
global:
database:
provider: postgresql
urlParams: "?ssl=true&sslmode=require"
The query string is appended verbatim to the JDBC connection URL. Refer to your PostgreSQL provider's documentation for the full list of supported JDBC parameters.
Air-Gapped Environments
In environments that cannot pull images from docker.io, use initContainer.image to specify a mirrored image:
global:
database:
provider: postgresql
createIfMissing: true
initContainer:
image: harbor.internal/library/postgres:15-alpine
imagePullPolicy: IfNotPresent
Registry authentication uses the pod's existing image pull secrets, configured via the chart's imagePullSecretName.
Alternatively, set createIfMissing: false and create the databases manually as described in Manual Database Creation.
Operational Guidelines
Backup and Restore
Use standard PostgreSQL backup tooling for your deployment:
- Self-managed instances: use
pg_dumpandpg_restore. - Managed services (such as AWS RDS, Azure Database for PostgreSQL, or Google Cloud SQL): use the automated snapshot features provided by your cloud provider.
Back up all eight service databases listed in Manual Database Creation.
Troubleshooting
Connection Refused or Authentication Failure
Verify the following:
global.database.host,global.database.port,global.database.user, andglobal.database.passwordare correct.global.database.provideris set topostgresql. Using the default value (mariadbormysql) against a PostgreSQL server causes connection errors.- The PostgreSQL server is configured to accept connections from the Kubernetes cluster. Check
pg_hba.confor your firewall rules.
Database Creation Fails at Startup
If Ververica Platform pods fail to start with errors indicating that service databases could not be created, check whether the database user has the CREATEDB privilege:
SELECT rolcreatedb FROM pg_roles WHERE rolname = '{your-db-user}';
If the user lacks the privilege, either grant it or create the databases manually and set createIfMissing: false. See Manual Database Creation.
SSL/TLS Handshake Errors
If you see SSL-related errors in the application logs, check the following:
- The
urlParamsvalue is a valid JDBC query string starting with?. - The PostgreSQL server has SSL enabled.
- The server certificate is trusted by the Java runtime in the Ververica Platform containers. For self-signed certificates, you might need to add
&sslmode=verify-caand supply a trust store.