Skip to main content

Overview

Debezium Server is a standalone Change Data Capture (CDC) application that tails a database’s transaction log and streams row-level change events to a messaging system. Unlike Debezium connectors that run inside Kafka Connect, Debezium Server runs as a self-contained process — no Kafka Connect cluster required. This template deploys Debezium Server on Control Plane with configurable source connectors, multiple sink options, flexible offset storage, and Universal Cloud Identity integration for AWS and GCP sinks.

Architecture

  • Debezium workload — Reads the source database’s replication stream (WAL for PostgreSQL, binlog for MySQL, oplog for MongoDB), converts each change to a structured event, and delivers it to the configured sink. Stateful when using file-based offset storage; stateless when using Redis or JDBC offset storage.
  • pgdog.toml / application.properties — Rendered as a secret and mounted at startup. Defines the source, sink, serialization format, and offset storage settings.

What Gets Created

  • Standard Debezium Server Workload — Single-replica CDC workload.
  • Volume Set — For offset and schema history persistence (only when using file offset storage).
  • Identity & Policy — Identity with access to credential secrets, and cloud account access when using Kinesis or Pub/Sub sinks.
  • Secrets — Three opaque secrets: Debezium configuration (application.properties), credentials (passwords for source, sink, offset storage), and a startup entrypoint script.
This template does not create a GVC. You must deploy it into an existing GVC.

Prerequisites

Source Database

Configure your source database to allow Debezium to read its replication stream before deploying.
1

Enable logical replication

Add the following to postgresql.conf and restart PostgreSQL:
When using the PostgreSQL Highly Available template, set postgres.walLevel: logical in its values before installing.
2

Create a publication

Debezium creates the replication slot automatically on first connect.
3

Grant permissions

Cloud Sinks (Kinesis / Pub/Sub)

For AWS Kinesis or GCP Pub/Sub sinks, set up a Cloud Account in Control Plane before installing: To install, follow the instructions for your preferred method:

UI

Browse, install, and manage templates visually

CLI

Manage templates from your terminal

Terraform

Declare templates in your Terraform configurations
Pulumi Icon Streamline Icon: https://streamlinehq.com

Pulumi

Declare templates in your Pulumi programs

Configuration

Quick Start Examples

PostgreSQL → Kafka:
MySQL → Redis Streams:
PostgreSQL → AWS Kinesis (Universal Cloud Identity):

Full values.yaml

Supported Sources

Supported Sinks

Offset Storage

Debezium tracks its position in the source database’s replication stream using offset storage. If the process restarts, it resumes from the last committed offset.

Schema History (MySQL and SQL Server only)

MySQL and SQL Server connectors track DDL changes in a schema history store. Configure source.schemaHistory.storage with the same backend options as offset storage (file, redis, or jdbc).

Serialization Formats

Events can be serialized as JSON, Avro, or Protobuf. For Avro or Protobuf, configure a Schema Registry:

Universal Cloud Identity

AWS Kinesis and GCP Pub/Sub sinks support credential-free access via Control Plane’s Universal Cloud Identity — no access keys or service account JSON files are needed. Enable by setting cloudAccount.enabled: true and providing the Cloud Account name registered in Control Plane:

Health Checks

Debezium Server exposes Quarkus health endpoints:

Troubleshooting

  • Verify database hostname and port are reachable from the GVC (check firewall.external.outboundAllowCIDR).
  • Confirm the database user has the required replication permissions.
  • View startup logs: cpln workload logs {release-name}-debezium --gvc {gvc}
  • File storage: confirm the Volume Set is mounted and has sufficient capacity.
  • Redis/JDBC: verify connectivity, credentials, and that the backend is accessible within the GVC.
  • Verify the sink endpoint is reachable from the workload.
  • For Kinesis/Pub/Sub: confirm the Cloud Account is configured and has the correct IAM/IAM permissions.
  • For Kafka with SASL: verify saslUsername, saslPassword, and saslMechanism match the broker config.

External References

Debezium Server Documentation

Full Debezium Server configuration reference

Debezium Connectors

Source connector configuration for each supported database

CDC Pipeline Template

Deploy a complete CDC pipeline (PostgreSQL HA + Kafka + Debezium) in one step

Create a Cloud Account

Set up AWS or GCP cloud accounts for Kinesis and Pub/Sub sinks