As an AlloyDB Omni customer, you are responsible for configuring and operating AlloyDB Omni to make sure that your workloads get the most value from the service.
| Layer | Google's responsibility | Customer responsibility | |
|---|---|---|---|
| Hardware and host | Physical infrastructure | Provide minimum and recommended requirements (if applicable) | Provision physical servers, VMs, or edge devices like power, cooling, and hardware. |
| Host operating system (OS) | Provide minimum and recommended requirements (if applicable) | Manage the Linux kernel, apply OS security patches, and harden the host nodes. | |
| Kubernetes | Cluster management | Provide minimum and recommended requirements (if applicable) | Manage the cluster on a daily basis—including upgrades—following industry-standard best practices. |
| Storage (CSI/PV) | Provide minimum and recommended requirements (if applicable) | Provision the storage class and manage the underlying appliances. | |
| Networking (CNI) | Provide minimum and recommended requirements (if applicable) | Provision and manage the network layer—for example, pod networking, ingress controllers, load balancers, and firewall rules between nodes. | |
| Role-based access control (RBAC) | Provide the service accounts, roles, and role bindings required for the AlloyDB Omni Kubernetes operator. | Apply these role-based access control (RBAC) rules to the cluster and make sure that they align with internal security policies. To access AlloyDB Omni resources, create additional RBAC roles and role bindings. | |
| Secret management | Read standard Kubernetes Secrets to provision resources, such as the
initial postgres user. |
Create, secure, and rotate Kubernetes Secrets in the cluster. | |
| Certificate management | Rely on standard bare Kubernetes Secrets and cert-manager
for certificate integration. |
Install, configure, and manage the lifecycle of
cert-manager. |
|
| Operator software | Development and release | Develop the AlloyDB Omni operator logic and CRDs and publish container images, Helm charts, and OLM bundles. | None. Customers can use artifacts stored in Artifact Registry for their deployments. |
| Installation and lifecycle | Provide documentation and upgrade artifacts. | ||
| Database engine | Database binary | Provide the AlloyDB container images with proprietary optimizations like the columnar engine and AI acceleration. | None. |
| Patching | Release security patches and minor and major version updates for the engine. Provide upgrade instructions. | Schedule upgrades as soon as possible, depending on the criticality of each release. | |
| User management |
|
|
|
| Data management | Backups | Provide the `BackupPlan` and `Backup` CRDs and logic to manage backups,
which are managed using pgBackrest with S3-compatible
integration. |
Configure backup schedules and retention, and provision the local, S3 or Cloud Storage target storage bucket. |
| High availability (HA) | Provide the auto-failover logic and healing mechanisms. | Provision sufficient nodes and zones to provide a standby target to support failover. | |
| Encryption (at rest) | None. | Manage storage layer encryption to make sure that it meets your requirements. | |
| Encryption (in transit) | Provide mTLS for internal operator components and to configure server-side TLS for user-to-database connections. | Connect to the database using secure TLS clients and manage the underlying certificate infrastructure. | |
| Observability | Metrics | Expose internal database metrics using a Prometheus-compatible endpoint. | Deploy and manage the scraper using Prometheus, Open Telemetry, or other compatible solutions and their storage stack. Monitor the overall health of the system. |
| Logging | Write PostgreSQL and audit logs to files on disk in the container, and rotate them. | Deploy log collectors—for example, Fluentd and Fluent Bit—to ship logs to a storage backend (like Splunk or ELK). Make sure that the log collectors are extracted to preserve logs for a recommended minimum of one month. | |
| Visualization | Provide sample metrics and log dashboards to monitor standard workloads. | Deploy and monitor the health of the visualization tool, like Grafana. Create dashboards and incorporate them in your daily operational tasks. | |
| Alerting | None | Manage the alerting pipeline—for example, PagerDuty integration. | |
| Support | Troubleshooting | Provide support for software bugs and engine errors. To obtain this support, you need a license subscription. | Provide initial support through documentation and knowledge base. Debug infrastructure-related issues. |