OCI Components
Reference for every Oracle Cloud Infrastructure (OCI) offer in the Fractal Cloud catalogue. Parameters and their required flags are sourced from the agent param contract; each offer includes a fully-parameterized JSON example.
APIManagement
APIManagement.CaaS.Ambassador
Ambassador is an open-source, Envoy-based API gateway deployed onto an OCI Kubernetes (OKE) cluster, providing edge routing, TLS termination, and authentication for containerized workloads.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
host | Hostname the Ambassador edge serves traffic for | ambassador.example.com | No |
hostOwnerEmail | Email address of the host owner, used for ACME certificate notifications | admin@example.com | Yes |
acmeProviderAuthority | ACME certificate authority endpoint used to provision TLS certificates | https://acme-v02.api.letsencrypt.org/directory | Yes |
tlsSecretName | Kubernetes secret name holding the TLS certificate material | ambassador-tls-secret | Yes |
licenseKey | Optional Ambassador license key for commercial features | license-key-string | No |
namespace | Kubernetes namespace where Ambassador is deployed | ambassador | Yes |
Example (fully parameterized):
{
"type": "APIManagement.CaaS.Ambassador",
"parameters": {
"host": "ambassador.example.com",
"hostOwnerEmail": "admin@example.com",
"acmeProviderAuthority": "https://acme-v02.api.letsencrypt.org/directory",
"tlsSecretName": "ambassador-tls-secret",
"licenseKey": "",
"namespace": "ambassador"
}
}
APIManagement.CaaS.Traefik
Traefik is a modern reverse proxy and load balancer deployed onto an OKE cluster, offering dynamic service discovery, TLS termination, OIDC-based authentication, and security-header enforcement.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
entryPoints | List of network entry points (ports/protocols) Traefik listens on | ["web", "websecure"] | Yes |
hostname | Hostname for the Traefik dashboard and routing | traefik.example.com | No |
loadbalancerIp | Static IP to assign to the Traefik load balancer service | 10.0.1.100 | No |
oidcIssuerUrl | OpenID Connect issuer URL for authentication | https://auth.example.com | Conditional — part of the all-or-nothing OIDC config group |
oidcClientId | OIDC client identifier | traefik-client-id | Conditional — part of the all-or-nothing OIDC config group |
oidcClientSecretId | Secret identifier for the OIDC client secret | oidc-secret-id | Conditional — part of the all-or-nothing OIDC config group |
forwardAuthSecretId | Secret identifier for forward-authentication configuration | forward-auth-secret-id | Conditional — part of the all-or-nothing OIDC config group |
securityHeadersSettings | Map of HTTP security headers to apply to responses | {} | No |
tlsCertificates | List of TLS certificate configurations | [] | No |
tlsSettings | TLS settings such as minimum version and cipher suites | {} | No |
tracing | Distributed-tracing configuration | {} | No |
namespace | Kubernetes namespace where Traefik is deployed | traefik | Yes |
Example (fully parameterized):
{
"type": "APIManagement.CaaS.Traefik",
"parameters": {
"entryPoints": ["web", "websecure"],
"hostname": "traefik.example.com",
"loadbalancerIp": "10.0.1.100",
"oidcIssuerUrl": "https://auth.example.com",
"oidcClientId": "traefik-client-id",
"oidcClientSecretId": "oidc-secret-id",
"forwardAuthSecretId": "forward-auth-secret-id",
"securityHeadersSettings": {},
"tlsCertificates": [],
"tlsSettings": {},
"tracing": {},
"namespace": "traefik"
}
}
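A pre-flight check for the Traefik parameters above, as an added example that is not part of the Fractal Cloud documentation or agent code: it enforces the two required parameters and the all-or-nothing OIDC group from the table. The function names, the treatment of blank strings, empty lists and null as "not set", and the HTTPS check on `oidcIssuerUrl` (OpenID Connect issuer identifiers use the https scheme) are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Rules copied from the parameter table for APIManagement.CaaS.Traefik.
OFFER_TYPE = "APIManagement.CaaS.Traefik"
REQUIRED = ("entryPoints", "namespace")
OIDC_GROUP = (
    "oidcIssuerUrl",
    "oidcClientId",
    "oidcClientSecretId",
    "forwardAuthSecretId",
)


def _is_set(value):
    """Assumption: missing, null, blank strings and empty lists/maps are 'not set'."""
    if value is None:
        return False
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, (list, dict)):
        return len(value) > 0
    return True


def check_traefik(component):
    """Return a list of findings for one component; an empty list means it passed."""
    if component.get("type") != OFFER_TYPE:
        return ["not an " + OFFER_TYPE + " component"]

    params = component.get("parameters") or {}
    findings = []

    # 1. Parameters marked "Yes" in the Required column.
    for name in REQUIRED:
        if not _is_set(params.get(name)):
            findings.append("missing required parameter: " + name)

    # 2. All-or-nothing OIDC group: a partial group would leave the
    #    authentication settings incomplete, so report what is missing.
    present = [n for n in OIDC_GROUP if _is_set(params.get(n))]
    if present and len(present) != len(OIDC_GROUP):
        missing = [n for n in OIDC_GROUP if n not in present]
        findings.append(
            "partial OIDC config group, set all four or none (missing: "
            + ", ".join(missing) + ")"
        )

    # 3. Extra check added by this example, not taken from the param contract:
    #    the issuer URL must be an https URL with a host.
    issuer = params.get("oidcIssuerUrl")
    if isinstance(issuer, str) and issuer.strip():
        parts = urlsplit(issuer.strip())
        if parts.scheme != "https" or not parts.netloc:
            findings.append("oidcIssuerUrl is not an https URL: " + issuer)

    return findings


# The page's own fully parameterized example.
PAGE_EXAMPLE = json.loads("""
{
  "type": "APIManagement.CaaS.Traefik",
  "parameters": {
    "entryPoints": ["web", "websecure"],
    "hostname": "traefik.example.com",
    "loadbalancerIp": "10.0.1.100",
    "oidcIssuerUrl": "https://auth.example.com",
    "oidcClientId": "traefik-client-id",
    "oidcClientSecretId": "oidc-secret-id",
    "forwardAuthSecretId": "forward-auth-secret-id",
    "securityHeadersSettings": {},
    "tlsCertificates": [],
    "tlsSettings": {},
    "tracing": {},
    "namespace": "traefik"
  }
}
""")

# Constructed sample: OIDC left out entirely, which the group rule allows.
NO_OIDC = {
    "type": OFFER_TYPE,
    "parameters": {"entryPoints": ["websecure"], "namespace": "traefik"},
}

# Constructed sample: half-filled OIDC group with a plain-http issuer.
PARTIAL_OIDC = {
    "type": OFFER_TYPE,
    "parameters": {
        "entryPoints": ["websecure"],
        "namespace": "traefik",
        "oidcIssuerUrl": "http://auth.example.com",
        "oidcClientId": "traefik-client-id",
        "oidcClientSecretId": "",
    },
}

if __name__ == "__main__":
    for label, comp in (("page example", PAGE_EXAMPLE),
                        ("no OIDC", NO_OIDC),
                        ("partial OIDC", PARTIAL_OIDC)):
        print(label, "->", check_traefik(comp) or "OK")
```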
APIManagement.SaaS.Unmanaged
Represents an externally provisioned API-management resource that Fractal Cloud does not manage directly; it wires an out-of-band secret (e.g. a gateway endpoint or credential) into the live system.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
secretName | Name under which the secret is stored | api-gateway-endpoint | No |
secretValue | The secret value to store (endpoint, token, or credential) | https://gateway.example.com | Yes |
Example (fully parameterized):
{
"type": "APIManagement.SaaS.Unmanaged",
"parameters": {
"secretName": "api-gateway-endpoint",
"secretValue": "https://gateway.example.com"
}
}
BigData
BigData.CaaS.MinioTenant
A MinIO tenant deployed onto an OKE cluster, providing S3-compatible object storage backed by per-server persistent volumes.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
minioVersion | MinIO image release tag | RELEASE.2025-03-12T18-04-18Z | No |
servers | Number of MinIO server pods in the tenant | 4 | No |
volumesPerServer | Number of persistent volumes attached per server | 4 | No |
volumeSize | Size of each persistent volume | 100Gi | No |
storageClass | Kubernetes storage class for the volumes | oci-bv | No |
cpuRequest | CPU request per server pod | 500m | No |
cpuLimit | CPU limit per server pod | 2 | No |
memoryRequest | Memory request per server pod | 1Gi | No |
memoryLimit | Memory limit per server pod | 4Gi | No |
requestAutoCert | Whether MinIO should auto-generate TLS certificates | true | No |
namespace | Kubernetes namespace where the tenant is deployed | minio | Yes |
Example (fully parameterized):
{
"type": "BigData.CaaS.MinioTenant",
"parameters": {
"minioVersion": "RELEASE.2025-03-12T18-04-18Z",
"servers": 4,
"volumesPerServer": 4,
"volumeSize": "100Gi",
"storageClass": "",
"cpuRequest": "500m",
"cpuLimit": "2",
"memoryRequest": "1Gi",
"memoryLimit": "4Gi",
"requestAutoCert": true,
"namespace": "minio"
}
}
BigData.CaaS.SparkCluster
A long-running Apache Spark cluster managed by the Spark Operator on an OKE cluster, with configurable driver and executor resourcing.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
sparkVersion | Apache Spark version | 3.5.3 | No |
image | Container image used for the Spark pods | apache/spark:3.5.3 | No |
driverCores | CPU cores for the Spark driver | 1 | No |
driverMemory | Memory for the Spark driver | 1g | No |
executorCores | CPU cores per Spark executor | 2 | No |
executorMemory | Memory per Spark executor | 2g | No |
executorInstances | Number of Spark executor instances | 2 | No |
sparkOperatorName | Name of the Spark Operator instance that manages this cluster | spark-operator | Yes |
namespace | Kubernetes namespace where the cluster is deployed | spark | Yes |
Example (fully parameterized):
{
"type": "BigData.CaaS.SparkCluster",
"parameters": {
"sparkVersion": "3.5.3",
"image": "apache/spark:3.5.3",
"driverCores": "1",
"driverMemory": "1g",
"executorCores": "2",
"executorMemory": "2g",
"executorInstances": 2,
"sparkOperatorName": "spark-operator",
"namespace": "spark"
}
}
BigData.CaaS.SparkJob
A Spark application (batch or scheduled) submitted via the Spark Operator on an OKE cluster. Supports one-shot and cron-scheduled execution with configurable driver/executor resourcing and retry behavior.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
type | Application language/type | Java, Scala, Python, R | No |
mode | Spark deploy mode | cluster, client | No |
image | Container image used to run the job | apache/spark:3.5.3 | No |
mainClass | Fully qualified main class (JVM jobs) | com.example.MyJob | No |
mainApplicationFile | Path/URI to the application artifact | local:///opt/app/job.jar | No |
arguments | List of application arguments | ["--input", "s3://bucket/in"] | No |
sparkVersion | Apache Spark version | 3.5.3 | No |
sparkConf | Map of additional Spark configuration entries | {"spark.sql.shuffle.partitions": "200"} | No |
driverCores | CPU cores for the Spark driver | 1 | No |
driverMemory | Memory for the Spark driver | 1g | No |
executorCores | CPU cores per Spark executor | 2 | No |
executorMemory | Memory per Spark executor | 2g | No |
executorInstances | Number of Spark executor instances | 2 | No |
restartPolicy | Restart policy for the job | Never, Always, OnFailure | No |
maxRetries | Maximum number of retry attempts on failure | 3 | No |
schedule | Cron expression; when set, runs the job as a scheduled job | 0 2 * * * | No |
concurrencyPolicy | Concurrency policy for scheduled runs | Forbid, Allow, Replace | No |
sparkOperatorName | Name of the Spark Operator instance that runs this job | spark-operator | Yes |
namespace | Kubernetes namespace where the job runs | spark | Yes |
Example (fully parameterized):
{
"type": "BigData.CaaS.SparkJob",
"parameters": {
"type": "Java",
"mode": "cluster",
"image": "apache/spark:3.5.3",
"mainClass": "com.example.MyJob",
"mainApplicationFile": "local:///opt/app/job.jar",
"arguments": ["--input", "s3://bucket/in"],
"sparkVersion": "3.5.3",
"sparkConf": {"spark.sql.shuffle.partitions": "200"},
"driverCores": "1",
"driverMemory": "1g",
"executorCores": "2",
"executorMemory": "2g",
"executorInstances": 2,
"restartPolicy": "Never",
"maxRetries": 3,
"schedule": "0 2 * * *",
"concurrencyPolicy": "Forbid",
"sparkOperatorName": "spark-operator",
"namespace": "spark"
}
}
BigData.CaaS.SparkMlExperiment
An MLflow tracking server deployed onto an OKE cluster for recording Spark ML experiments, with configurable backend store and artifact root.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
mlflowVersion | MLflow version | 2.21.3 | No |
backendStoreUri | Backend store URI for experiment metadata | sqlite:///mlflow/mlflow.db | No |
artifactRoot | Root path/URI where artifacts are stored | /mlflow/artifacts | No |
replicas | Number of MLflow server replicas | 2 | No |
cpuRequest | CPU request per replica | 250m | No |
cpuLimit | CPU limit per replica | 1 | No |
memoryRequest | Memory request per replica | 512Mi | No |
memoryLimit | Memory limit per replica | 1Gi | No |
servicePort | Port the MLflow service listens on | 5000 | No |
namespace | Kubernetes namespace where MLflow is deployed | mlflow | Yes |
Example (fully parameterized):
{
"type": "BigData.CaaS.SparkMlExperiment",
"parameters": {
"mlflowVersion": "2.21.3",
"backendStoreUri": "sqlite:///mlflow/mlflow.db",
"artifactRoot": "/mlflow/artifacts",
"replicas": 2,
"cpuRequest": "250m",
"cpuLimit": "1",
"memoryRequest": "512Mi",
"memoryLimit": "1Gi",
"servicePort": 5000,
"namespace": "mlflow"
}
}
BigData.CaaS.SparkOperator
The Kubernetes Spark Operator deployed onto an OKE cluster. It manages the lifecycle of Spark clusters and jobs and is a prerequisite for the SparkCluster and SparkJob offers.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
operatorVersion | Spark Operator chart/image version | 2.5.0 | No |
sparkVersion | Default Apache Spark version the operator targets | 3.5.3 | No |
enableWebhook | Whether to enable the mutating admission webhook | true | No |
enableMetrics | Whether to expose operator metrics | true | No |
namespace | Kubernetes namespace where the operator is deployed | spark-operator | Yes |
Example (fully parameterized):
{
"type": "BigData.CaaS.SparkOperator",
"parameters": {
"operatorVersion": "2.5.0",
"sparkVersion": "3.5.3",
"enableWebhook": true,
"enableMetrics": true,
"namespace": "spark-operator"
}
}
BigData.CaaS.SparkUnityCatalog
A Unity Catalog server deployed onto an OKE cluster, providing a unified catalog/metastore for Spark data assets.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
unityCatalogVersion | Unity Catalog version | 0.3.0 | No |
replicas | Number of catalog server replicas | 2 | No |
cpuRequest | CPU request per replica | 250m | No |
cpuLimit | CPU limit per replica | 1 | No |
memoryRequest | Memory request per replica | 512Mi | No |
memoryLimit | Memory limit per replica | 1Gi | No |
namespace | Kubernetes namespace where the catalog is deployed | unity-catalog | Yes |
Example (fully parameterized):
{
"type": "BigData.CaaS.SparkUnityCatalog",
"parameters": {
"unityCatalogVersion": "0.3.0",
"replicas": 2,
"cpuRequest": "250m",
"cpuLimit": "1",
"memoryRequest": "512Mi",
"memoryLimit": "1Gi",
"namespace": "unity-catalog"
}
}
BigData.SaaS.Unmanaged
Represents an externally provisioned big-data resource that Fractal Cloud does not manage directly; it wires an out-of-band secret (e.g. a connection string or token) into the live system.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
secretName | Name under which the secret is stored | bigdata-connection | No |
secretValue | The secret value to store | jdbc://... | Yes |
Example (fully parameterized):
{
"type": "BigData.SaaS.Unmanaged",
"parameters": {
"secretName": "bigdata-connection",
"secretValue": "jdbc://..."
}
}
CustomWorkloads
CustomWorkloads.CaaS.KubernetesWorkload
A GitOps-driven custom workload deployed onto an OKE cluster. The agent syncs Kubernetes manifests from a Git repository (over SSH), wires in environment secrets and roles, and can enable OKE workload identity.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
sshRepositoryURI | SSH URI of the Git repository holding the workload manifests | git@github.com:org/repo.git | Yes |
repoId | Identifier of the repository within Fractal Cloud | repo-123 | Yes |
branchName | Git branch to sync from | main | Yes |
privateSSHKeySecretId | Secret id holding the private SSH key | ssh-key-secret-id | No |
privateSSHKeyEnvironmentSecretShortName | Environment secret short name for the private SSH key | ssh-key | No |
privateSSHKeyPassphraseSecretId | Secret id holding the SSH key passphrase | ssh-passphrase-secret-id | No |
privateSSHKeyPassphraseEnvironmentSecretShortName | Environment secret short name for the SSH key passphrase | ssh-passphrase | No |
ciCdProfileShortName | Short name of the CI/CD profile to apply | default-cicd | No |
environmentSecretShortNames | List of environment secret short names to inject | ["db-password", "api-token"] | No |
roles | List of roles to bind to the workload | ["reader", "writer"] | No |
workloadSecretIdKey | Key under which the workload secret id is referenced | secret-id | No |
workloadSecretPasswordKey | Key under which the workload secret password is referenced | secret-password | No |
workloadIdentityEnabled | Whether OKE workload identity is enabled | true | No |
namespace | Kubernetes namespace where the workload is deployed | apps | Yes |
Example (fully parameterized):
{
"type": "CustomWorkloads.CaaS.KubernetesWorkload",
"parameters": {
"sshRepositoryURI": "git@github.com:org/repo.git",
"repoId": "repo-123",
"branchName": "main",
"privateSSHKeySecretId": "ssh-key-secret-id",
"privateSSHKeyEnvironmentSecretShortName": "ssh-key",
"privateSSHKeyPassphraseSecretId": "ssh-passphrase-secret-id",
"privateSSHKeyPassphraseEnvironmentSecretShortName": "ssh-passphrase",
"ciCdProfileShortName": "default-cicd",
"environmentSecretShortNames": ["db-password", "api-token"],
"roles": ["reader", "writer"],
"workloadSecretIdKey": "secret-id",
"workloadSecretPasswordKey": "secret-password",
"workloadIdentityEnabled": true,
"namespace": "apps"
}
}
CustomWorkloads.SaaS.Unmanaged
Represents an externally provisioned custom workload that Fractal Cloud does not manage directly; it wires an out-of-band secret into the live system.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
secretName | Name under which the secret is stored | workload-config | No |
secretValue | The secret value to store | some-secret-value | Yes |
Example (fully parameterized):
{
"type": "CustomWorkloads.SaaS.Unmanaged",
"parameters": {
"secretName": "workload-config",
"secretValue": "some-secret-value"
}
}
Messaging
Messaging.CaaS.Kafka
A Strimzi-managed Apache Kafka cluster deployed onto an OKE cluster, with configurable broker count, resourcing, and per-broker storage.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
replicas | Number of Kafka broker replicas | 5 | No |
kafkaVersion | Apache Kafka version | 4.2.0 | No |
memoryRequest | Memory request per broker | 16Gi | No |
memoryLimit | Memory limit per broker | 32Gi | No |
cpuRequest | CPU request per broker | 4 | No |
cpuLimit | CPU limit per broker | 8 | No |
storageSize | Persistent storage size per broker | 1Ti | No |
namespace | Kubernetes namespace where Kafka is deployed | kafka | Yes |
Example (fully parameterized):
{
"type": "Messaging.CaaS.Kafka",
"parameters": {
"replicas": 5,
"kafkaVersion": "4.2.0",
"memoryRequest": "16Gi",
"memoryLimit": "32Gi",
"cpuRequest": "4",
"cpuLimit": "8",
"storageSize": "1Ti",
"namespace": "kafka"
}
}
Messaging.CaaS.KafkaTopic
A Kafka topic provisioned on a managed Kafka cluster, with configurable partition count, replication factor, and retention.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
partitions | Number of topic partitions | 50 | No |
replicas | Replication factor for the topic | 2 | No |
retentionMs | Message retention in milliseconds | 172800000 | No |
clusterName | Name of the Kafka cluster that hosts the topic | kafka | Yes |
namespace | Kubernetes namespace of the Kafka cluster | kafka | Yes |
Example (fully parameterized):
{
"type": "Messaging.CaaS.KafkaTopic",
"parameters": {
"partitions": 50,
"replicas": 2,
"retentionMs": 172800000,
"clusterName": "kafka",
"namespace": "kafka"
}
}
Messaging.CaaS.KafkaUser
A Kafka user (principal) provisioned on a managed Kafka cluster, with an optional set of ACLs governing topic and group access.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
acls | List of ACL rules granted to the user | [{"resource": "topic", "operation": "Read"}] | No |
clusterName | Name of the Kafka cluster the user belongs to | kafka | Yes |
namespace | Kubernetes namespace of the Kafka cluster | kafka | Yes |
Example (fully parameterized):
{
"type": "Messaging.CaaS.KafkaUser",
"parameters": {
"acls": [{"resource": "topic", "operation": "Read"}],
"clusterName": "kafka",
"namespace": "kafka"
}
}
Messaging.SaaS.Unmanaged
Represents an externally provisioned messaging resource that Fractal Cloud does not manage directly; it wires an out-of-band secret (e.g. a broker connection string) into the live system.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
secretName | Name under which the secret is stored | kafka-bootstrap | No |
secretValue | The secret value to store | broker.example.com:9092 | Yes |
Example (fully parameterized):
{
"type": "Messaging.SaaS.Unmanaged",
"parameters": {
"secretName": "kafka-bootstrap",
"secretValue": "broker.example.com:9092"
}
}
NetworkAndCompute
NetworkAndCompute.IaaS.OciComputeInstance
A native OCI compute (VM) instance. Shape, image, SSH key, and cloud-init user data are all configurable; when omitted, defaults are resolved at reconcile time.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
availabilityZone | Availability domain to place the instance in | AD-1 | No |
shape | OCI compute shape | VM.Standard.E4.Flex | No |
imageId | OCID of the image to boot from | ocid1.image.oc1..exampleuniqueID | No |
keyName | Name of the SSH key to inject | my-ssh-key | No |
userData | Cloud-init user data (base64 or plain script) | #!/bin/bash\necho hello | No |
Example (fully parameterized):
{
"type": "NetworkAndCompute.IaaS.OciComputeInstance",
"parameters": {
"availabilityZone": "",
"shape": "VM.Standard.E4.Flex",
"imageId": "",
"keyName": "",
"userData": ""
}
}
NetworkAndCompute.IaaS.OciLoadBalancer
A native OCI Load Balancer. The bandwidth shape and public/private placement are configurable.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
lbType | Load balancer bandwidth shape | 100Mbps, 400Mbps, 8000Mbps | No |
isPrivate | Whether the load balancer is private (no public IP) | false | No |
Example (fully parameterized):
{
"type": "NetworkAndCompute.IaaS.OciLoadBalancer",
"parameters": {
"lbType": "100Mbps",
"isPrivate": false
}
}
NetworkAndCompute.IaaS.OciNetworkSecurityGroup
A native OCI Network Security Group (NSG). Carries an optional description and a list of ingress rules; when the description is omitted it defaults to the component id.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
description | Human-readable description of the NSG | web-tier-nsg | No |
ingressRules | List of ingress security rules | [{"protocol": "tcp", "fromPort": 443, "toPort": 443}] | No |
Example (fully parameterized):
{
"type": "NetworkAndCompute.IaaS.OciNetworkSecurityGroup",
"parameters": {
"description": "web-tier-nsg",
"ingressRules": [{"protocol": "tcp", "fromPort": 443, "toPort": 443}]
}
}
NetworkAndCompute.IaaS.OciSubnet
A native OCI subnet within a VCN. The CIDR block may be provided explicitly or resolved automatically via IPAM at reconcile time.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
cidrBlock | CIDR range for the subnet; resolved by IPAM when blank | 10.0.1.0/24 | No |
availabilityZone | Availability domain to place the subnet in | AD-1 | No |
Example (fully parameterized):
{
"type": "NetworkAndCompute.IaaS.OciSubnet",
"parameters": {
"cidrBlock": "",
"availabilityZone": ""
}
}
NetworkAndCompute.IaaS.OciVcn
A native OCI Virtual Cloud Network (VCN). The CIDR block may be provided explicitly or resolved automatically via IPAM at reconcile time.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
cidrBlock | CIDR range for the VCN; resolved by IPAM when blank | 10.0.0.0/16 | No |
Example (fully parameterized):
{
"type": "NetworkAndCompute.IaaS.OciVcn",
"parameters": {
"cidrBlock": ""
}
}
NetworkAndCompute.PaaS.Kubernetes
An abstract managed-Kubernetes offer satisfied by OCI Container Engine for Kubernetes (OKE). The agent provisions and reconciles the cluster; no parameters are read from the component map.
No configurable parameters.
Example (fully parameterized):
{
"type": "NetworkAndCompute.PaaS.Kubernetes",
"parameters": {}
}
NetworkAndCompute.PaaS.OKE
OCI Container Engine for Kubernetes (OKE), Oracle's managed Kubernetes service. The agent provisions and reconciles the cluster; no parameters are read from the component map.
No configurable parameters.
Example (fully parameterized):
{
"type": "NetworkAndCompute.PaaS.OKE",
"parameters": {}
}
NetworkAndCompute.PaaS.OciContainerInstance
A native OCI Container Instance — a serverless way to run a single container image without managing a cluster. CPU, memory, networking, and restart behavior are configurable.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
imageUrl | Container image URL to run | region.ocir.io/tenancy/app:1.0 | Conditional — required at reconcile time; reconcile fails when blank |
ocpus | Number of OCPUs allocated | 1.0 | No |
memoryInGBs | Memory allocated, in GB | 2.0 | No |
shape | Container instance shape | CI.Standard.E4.Flex | No |
port | Port the container exposes | 8080 | No |
availabilityDomain | Availability domain to place the instance in | AD-1 | No |
assignPublicIp | Whether to assign a public IP | false | No |
containerRestartPolicy | Restart policy for the container instance | ALWAYS, NEVER, ON_FAILURE | No |
Example (fully parameterized):
{
"type": "NetworkAndCompute.PaaS.OciContainerInstance",
"parameters": {
"imageUrl": "region.ocir.io/tenancy/app:1.0",
"ocpus": 1.0,
"memoryInGBs": 2.0,
"shape": "CI.Standard.E4.Flex",
"port": 8080,
"availabilityDomain": "",
"assignPublicIp": false,
"containerRestartPolicy": "ALWAYS"
}
}
NetworkAndCompute.SaaS.Unmanaged
Represents an externally provisioned network/compute resource that Fractal Cloud does not manage directly; it wires an out-of-band secret into the live system.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
secretName | Name under which the secret is stored | external-endpoint | No |
secretValue | The secret value to store | https://service.example.com | Yes |
Example (fully parameterized):
{
"type": "NetworkAndCompute.SaaS.Unmanaged",
"parameters": {
"secretName": "external-endpoint",
"secretValue": "https://service.example.com"
}
}
Observability
Observability.CaaS.Elastic
An Elasticsearch stack deployed onto an OKE cluster via the Elastic (ECK) operator, optionally with Kibana and APM, for log and observability data.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
elasticVersion | Elasticsearch version | 8.13.0 | Yes |
elasticInstances | Number of Elasticsearch node instances | 3 | Yes |
storage | Persistent storage size per node | 100Gi | Yes |
storageClassName | Kubernetes storage class for the volumes | oci-bv | No |
memory | Memory per node, in GB | 8 | No |
cpu | CPU per node, in cores | 8 | No |
isApmRequired | Whether to deploy the APM server | false | No |
isKibanaRequired | Whether to deploy Kibana | true | No |
secrets | Map of additional secrets to mount | {} | No |
namespace | Kubernetes namespace where the stack is deployed | observability | Yes |
Example (fully parameterized):
{
"type": "Observability.CaaS.Elastic",
"parameters": {
"elasticVersion": "8.13.0",
"elasticInstances": 3,
"storage": "100Gi",
"storageClassName": "",
"memory": 8,
"cpu": 8,
"isApmRequired": false,
"isKibanaRequired": true,
"secrets": {},
"namespace": "observability"
}
}
Observability.CaaS.Jaeger
A Jaeger distributed-tracing stack deployed onto an OKE cluster, with configurable persistent storage.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
storageClassName | Kubernetes storage class for Jaeger storage | oci-bv | No |
storageSettings | Map of additional storage configuration | {"size": "50Gi"} | No |
namespace | Kubernetes namespace where Jaeger is deployed | observability | Yes |
Example (fully parameterized):
{
"type": "Observability.CaaS.Jaeger",
"parameters": {
"storageClassName": "",
"storageSettings": {"size": "50Gi"},
"namespace": "observability"
}
}
Observability.CaaS.Prometheus
A Prometheus monitoring stack deployed onto an OKE cluster, optionally configured with Grafana settings from a referenced secret.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
grafanaConfigSecretId | Secret id holding Grafana configuration | grafana-config-secret | No |
namespace | Kubernetes namespace where Prometheus is deployed | observability | Yes |
Example (fully parameterized):
{
"type": "Observability.CaaS.Prometheus",
"parameters": {
"grafanaConfigSecretId": "",
"namespace": "observability"
}
}
Observability.SaaS.Elastic
A reference to an externally hosted Elastic/Kibana deployment, wired into the live system by its Kibana endpoint and version.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
kibanaUri | URI of the external Kibana instance | https://kibana.example.com | Yes |
version | Elastic stack version | 8.13.0 | Yes |
operatorVersion | Elastic operator version | 2.12.0 | Yes |
Example (fully parameterized):
{
"type": "Observability.SaaS.Elastic",
"parameters": {
"kibanaUri": "https://kibana.example.com",
"version": "8.13.0",
"operatorVersion": "2.12.0"
}
}
Observability.SaaS.Jaeger
A reference to an externally hosted Jaeger deployment, wired into the live system by its frontend URI and version.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
frontendUri | URI of the external Jaeger frontend | https://jaeger.example.com | Yes |
version | Jaeger version | 1.57.0 | Yes |
Example (fully parameterized):
{
"type": "Observability.SaaS.Jaeger",
"parameters": {
"frontendUri": "https://jaeger.example.com",
"version": "1.57.0"
}
}
Observability.SaaS.Prometheus
A reference to an externally hosted Prometheus/Grafana deployment, wired into the live system by its API gateway URL and a Grafana config secret.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
apiGatewayUrl | URL of the external Prometheus API gateway | https://prometheus.example.com | Yes |
grafanaConfigSecretId | Secret id holding Grafana configuration | grafana-config-secret | Yes |
Example (fully parameterized):
{
"type": "Observability.SaaS.Prometheus",
"parameters": {
"apiGatewayUrl": "https://prometheus.example.com",
"grafanaConfigSecretId": "grafana-config-secret"
}
}
Security
Security.CaaS.Ocelot
Ocelot is an API gateway / BFF-style security layer deployed onto an OKE cluster, providing host-based routing, CORS, cookie/session handling, and role-based access control.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
host | Hostname the Ocelot gateway serves | gateway.example.com | Yes |
corsOrigins | List of allowed CORS origins | ["https://app.example.com"] | No |
cookieMaxAgeSec | Session cookie max age, in seconds | 900 | No |
pathPrefix | Path prefix the gateway routes on | /* | No |
roles | List of roles for access control | ["admin", "user"] | No |
namespace | Kubernetes namespace where Ocelot is deployed | security | Yes |
Example (fully parameterized):
{
"type": "Security.CaaS.Ocelot",
"parameters": {
"host": "gateway.example.com",
"corsOrigins": ["https://app.example.com"],
"cookieMaxAgeSec": 900,
"pathPrefix": "/*",
"roles": ["admin", "user"],
"namespace": "security"
}
}
Security.SaaS.Unmanaged
Represents an externally provisioned security resource that Fractal Cloud does not manage directly; it wires an out-of-band secret into the live system.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
secretName | Name under which the secret is stored | idp-client-secret | No |
secretValue | The secret value to store | some-secret-value | Yes |
Example (fully parameterized):
{
"type": "Security.SaaS.Unmanaged",
"parameters": {
"secretName": "idp-client-secret",
"secretValue": "some-secret-value"
}
}
Storage
Storage.CaaS.CnpgCluster
A CloudNativePG (CNPG) PostgreSQL cluster deployed onto an OKE cluster, with configurable instance count, resourcing, storage, and a bootstrap database.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
instances | Number of PostgreSQL instances (1 primary + replicas) | 3 | No |
postgresqlVersion | PostgreSQL version | 17.2 | No |
storageSize | Persistent storage size per instance | 10Gi | No |
storageClass | Kubernetes storage class for the volumes | oci-bv | No |
cpuRequest | CPU request per instance | 500m | No |
cpuLimit | CPU limit per instance | 1 | No |
memoryRequest | Memory request per instance | 512Mi | No |
memoryLimit | Memory limit per instance | 1Gi | No |
database | Name of the bootstrap database | app | No |
databaseOwner | Owner role of the bootstrap database | app | No |
enableSuperuserAccess | Whether to enable the PostgreSQL superuser | false | No |
namespace | Kubernetes namespace where the cluster is deployed | databases | Yes |
Example (fully parameterized):
{
"type": "Storage.CaaS.CnpgCluster",
"parameters": {
"instances": 3,
"postgresqlVersion": "17.2",
"storageSize": "10Gi",
"storageClass": "",
"cpuRequest": "500m",
"cpuLimit": "1",
"memoryRequest": "512Mi",
"memoryLimit": "1Gi",
"database": "app",
"databaseOwner": "app",
"enableSuperuserAccess": false,
"namespace": "databases"
}
}
Storage.CaaS.CnpgDatabase
An additional database created within an existing CloudNativePG (CNPG) cluster, with configurable owner, encoding, and locale.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
databaseName | Name of the database to create | app | No |
databaseOwner | Owner role of the database | app | No |
encoding | Character encoding | UTF8 | No |
localeCollate | Collation locale | en_US.UTF-8 | No |
localeCType | Character-type locale | en_US.UTF-8 | No |
cnpgClusterName | Name of the parent CNPG cluster | my-cnpg-cluster | Yes |
namespace | Kubernetes namespace of the CNPG cluster | databases | Yes |
Example (fully parameterized):
{
"type": "Storage.CaaS.CnpgDatabase",
"parameters": {
"databaseName": "app",
"databaseOwner": "app",
"encoding": "UTF8",
"localeCollate": "",
"localeCType": "",
"cnpgClusterName": "my-cnpg-cluster",
"namespace": "databases"
}
}
Storage.CaaS.Elastic
An Elasticsearch stack deployed onto an OKE cluster via the Elastic (ECK) operator, used here as a storage/search backend, optionally with Kibana and APM.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
elasticVersion | Elasticsearch version | 8.13.0 | Yes |
elasticInstances | Number of Elasticsearch node instances | 3 | Yes |
storage | Persistent storage size per node | 100Gi | Yes |
storageClassName | Kubernetes storage class for the volumes | oci-bv | No |
memory | Memory per node, in GB | 8 | No |
cpu | CPU per node, in cores | 8 | No |
isApmRequired | Whether to deploy the APM server | false | No |
isKibanaRequired | Whether to deploy Kibana | true | No |
secrets | Map of additional secrets to mount | {} | No |
namespace | Kubernetes namespace where the stack is deployed | databases | Yes |
Example (fully parameterized):
{
"type": "Storage.CaaS.Elastic",
"parameters": {
"elasticVersion": "8.13.0",
"elasticInstances": 3,
"storage": "100Gi",
"storageClassName": "",
"memory": 8,
"cpu": 8,
"isApmRequired": false,
"isKibanaRequired": true,
"secrets": {},
"namespace": "databases"
}
}
Storage.CaaS.MinioTenant
A MinIO tenant deployed onto an OKE cluster, providing S3-compatible object storage backed by per-server persistent volumes.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
minioVersion | MinIO image release tag | RELEASE.2025-03-12T18-04-18Z | No |
servers | Number of MinIO server pods in the tenant | 4 | No |
volumesPerServer | Number of persistent volumes attached per server | 4 | No |
volumeSize | Size of each persistent volume | 100Gi | No |
storageClass | Kubernetes storage class for the volumes | oci-bv | No |
cpuRequest | CPU request per server pod | 500m | No |
cpuLimit | CPU limit per server pod | 2 | No |
memoryRequest | Memory request per server pod | 1Gi | No |
memoryLimit | Memory limit per server pod | 4Gi | No |
requestAutoCert | Whether MinIO should auto-generate TLS certificates | true | No |
namespace | Kubernetes namespace where the tenant is deployed | minio | Yes |
Example (fully parameterized):
{
"type": "Storage.CaaS.MinioTenant",
"parameters": {
"minioVersion": "RELEASE.2025-03-12T18-04-18Z",
"servers": 4,
"volumesPerServer": 4,
"volumeSize": "100Gi",
"storageClass": "",
"cpuRequest": "500m",
"cpuLimit": "2",
"memoryRequest": "1Gi",
"memoryLimit": "4Gi",
"requestAutoCert": true,
"namespace": "minio"
}
}
Storage.SaaS.Unmanaged
Represents an externally provisioned storage resource that Fractal Cloud does not manage directly; it wires an out-of-band secret (e.g. a connection string) into the live system.
| Parameter | Description | Example / possible values | Required |
|---|---|---|---|
secretName | Name under which the secret is stored | db-connection | No |
secretValue | The secret value to store | postgres://user:pass@host:5432/db | Yes |
Example (fully parameterized):
{
"type": "Storage.SaaS.Unmanaged",
"parameters": {
"secretName": "db-connection",
"secretValue": "postgres://user:pass@host:5432/db"
}
}