Neo4jEnterpriseCluster API Reference The Neo4jEnterpriseCluster Custom Resource Definition (CRD) manages Neo4j Enterprise clusters with high availability, automatic failover, and horizontal scaling capabilities.
API Version : neo4j.neo4j.com/v1alpha1Kind : Neo4jEnterpriseClusterSupported Neo4j Versions : 5.26.x (last semver LTS) and 2025.01.0+ (CalVer)Architecture : Server-based deployment with unified StatefulSetMinimum Servers : 2 (required for clustering)Maximum Servers : 20 (validated limit)
Server-Based Architecture : Neo4jEnterpriseCluster uses a unified server-based architecture introduced in Neo4j 5.26.x:
Single StatefulSet : {cluster-name}-server with configurable replica countServer Pods : Named {cluster-name}-server-0, {cluster-name}-server-1, etc.Self-Organization : Servers automatically organize into primary/secondary roles for databasesCentralized Backup : Optional {cluster-name}-backup-0 pod for centralized backup operationsRole Flexibility : Servers can host multiple databases with different roles
When to Use :
Production workloads requiring high availability
Multi-database deployments with different topology requirements
Workloads needing horizontal read scaling
Enterprise features like advanced backup, security, and monitoring
Large datasets requiring property sharding (Neo4j 2025.12+)
For single-node deployments , use Neo4jEnterpriseStandalone
The Neo4jEnterpriseClusterSpec defines the desired state of a Neo4j Enterprise cluster.
Core Configuration (Required)
Field
Type
Description
imageImageSpecThe Neo4j Docker image configuration
topologyTopologyConfigurationCluster topology (number of servers)
storageStorageSpecStorage configuration for data persistence
authAuthSpecAuthentication configuration
Field
Type
Description
resources*corev1.ResourceRequirementsCPU and memory resources
env[]corev1.EnvVarEnvironment variables for Neo4j pods
nodeSelectormap[string]stringNode selector constraints
tolerations[]corev1.TolerationPod tolerations
affinity*corev1.AffinityPod affinity rules
securityContext*SecurityContextSpecPod/container security overrides
Field
Type
Description
configmap[string]stringCustom Neo4j configuration
Field
Type
Description
serviceServiceSpecService configuration for external access
Field
Type
Description
repostringImage repository (default: "neo4j")
tagstringImage tag
pullPolicystringPull policy: "Always", "IfNotPresent", "Never"
pullSecrets[]stringImage pull secrets
Defines the cluster server topology and role constraints.
Field
Type
Description
serversint32Required . Number of Neo4j servers (minimum: 2, maximum: 20)
serverModeConstraintstringGlobal server mode constraint: "NONE" (default), "PRIMARY", "SECONDARY"
serverRoles[]ServerRoleHintPer-server role constraints (overrides global constraint)
placement*PlacementConfigAdvanced placement and scheduling configuration
availabilityZones[]stringTarget availability zones for server distribution
enforceDistributionboolEnforce server distribution across topology domains
Server Role Management :
Servers self-organize into primary/secondary roles at the database level
Role constraints influence which databases a server can host:
NONE: Server can host databases in any mode (default)PRIMARY: Server only hosts databases in primary modeSECONDARY: Server only hosts databases in secondary mode
Use serverRoles for granular per-server control
Validation :
Minimum 2 servers required for clustering
Cannot configure all servers as SECONDARY (cluster needs primaries)
Server indices in serverRoles must be within range (0 to servers-1)
Specifies role constraints for individual servers.
Field
Type
Description
serverIndexint32Required . Server index (0-based, must be < servers count)
modeConstraintstringRequired . Role constraint: "NONE", "PRIMARY", "SECONDARY"
Field
Type
Description
classNamestringStorage class name
sizestringStorage size (e.g., "10Gi")
retentionPolicystringPVC retention policy: "Delete" (default) or "Retain"
backupStorage*BackupStorageSpecAdditional storage for backups
Field
Type
Description
classNamestringStorage class name for backup volumes
sizestringStorage size for backup volumes
Field
Type
Description
providerstringAuth provider: "native", "ldap", "jwt", "kerberos" (default: "native")
adminSecretstringSecret containing admin username and password
secretRefstringSecret containing provider-specific configuration
externalSecrets*ExternalSecretsConfigExternal secrets configuration
passwordPolicy*PasswordPolicySpecPassword policy configuration
jwt*JWTAuthSpecJWT authentication configuration
ldap*LDAPAuthSpecLDAP authentication configuration
kerberos*KerberosAuthSpecKerberos authentication configuration
Field
Type
Description
validation*JWTValidationSpecJWT validation settings
claimsMappingmap[string]stringClaims mapping
Field
Type
Description
jwksUrlstringJWKS endpoint URL
issuerstringJWT issuer
audience[]stringJWT audience
Field
Type
Description
urls[]stringLDAP server URLs
tlsboolEnable TLS for LDAP connection
insecureSkipVerifyboolSkip TLS certificate verification
Field
Type
Description
baseDNstringSearch base DN
filterstringSearch filter
scopestringSearch scope: "base", "one", "sub"
Field
Type
Description
realmstringKerberos realm
servicePrincipalstringService principal
keytab*KerberosKeytabSpecKeytab configuration
Field
Type
Description
secretRefstringSecret containing keytab file
keystringKey in secret containing keytab (default: "keytab")
Field
Type
Description
podSecurityContext*corev1.PodSecurityContextPod-level security settings
containerSecurityContext*corev1.SecurityContextContainer-level security settings
Field
Type
Description
modestringTLS mode: "cert-manager" (default) or "disabled"
issuerRef*IssuerRefcert-manager issuer reference
certificateSecretstringTLS secret name (manual certificates)
externalSecrets*ExternalSecretsConfigExternal Secrets configuration
duration*stringCertificate duration (e.g., "2160h")
renewBefore*stringRenewal window before expiry (e.g., "360h")
subject*CertificateSubjectCertificate subject fields
usages[]stringCertificate usages
Field
Type
Description
namestringRequired. Issuer resource name
kindstringIssuer resource kind. Default: "ClusterIssuer". Use "Issuer" for namespace-scoped issuers, or any external issuer kind (e.g. "AWSPCAClusterIssuer", "VaultIssuer", "GoogleCASClusterIssuer")
groupstringAPI group of the issuer. Default: cert-manager.io. Set to the external issuer's API group when using third-party issuers (e.g. "awspca.cert-manager.io")
Examples :
# Standard cert-manager ClusterIssuer (default)issuerRef :
name : ca-cluster-issuer
kind : ClusterIssuer
# Namespace-scoped IssuerissuerRef :
name : my-issuer
kind : Issuer
# AWS Private CA (external issuer)issuerRef :
name : aws-pca-issuer
kind : AWSPCAClusterIssuer
group : awspca.cert-manager.io
# HashiCorp VaultissuerRef :
name : vault-issuer
kind : VaultIssuer
group : cert.cert-manager.io
Field
Type
Description
organizations[]stringOrganization names
countries[]stringCountry codes
organizationalUnits[]stringOrganizational units
localities[]stringLocalities
provinces[]stringProvinces/States
Field
Type
Description
enabledboolEnable External Secrets integration
secretStoreRef*SecretStoreRefSecretStore or ClusterSecretStore reference
refreshIntervalstringRefresh interval (e.g., "1h")
data[]ExternalSecretDataExternal secret data mappings
Field
Type
Description
namestringSecretStore name
kindstring"SecretStore" or "ClusterSecretStore"
Field
Type
Description
keystringExternal secret key
propertystringProperty within the secret
versionstringSecret version
Enables integration with Neo4j Aura Fleet Management for monitoring this cluster from the Aura console. The fleet-management plugin is pre-bundled in all Neo4j Enterprise images (no internet access required).
Field
Type
Description
enabledboolEnable Aura Fleet Management integration (default: false)
tokenSecretRef*AuraTokenSecretRefReference to the Kubernetes Secret holding the Aura registration token (optional; registration deferred if omitted)
Status fields (read-only, set by the operator):
Field
Description
status.auraFleetManagement.registeredtrue once fleetManagement.registerToken succeeded
status.auraFleetManagement.lastRegistrationTimeTimestamp of last successful registration
status.auraFleetManagement.messageHuman-readable status or error detail
Example :
auraFleetManagement :
enabled : true
tokenSecretRef :
name : aura-fleet-token # kubectl create secret generic aura-fleet-token --from-literal=token='<token>'key : token # defaults to "token"See Aura Fleet Management Guide for full setup instructions.
Field
Type
Description
namestringRequired. Name of the Kubernetes Secret containing the registration token
keystringKey within the Secret (default: "token")
Configures property sharding for horizontal scaling of large datasets. Property sharding separates graph structure from properties, distributing properties across multiple databases for better scalability. Available in Neo4j 2025.12+ Enterprise.
Field
Type
Description
enabledboolEnable property sharding for this cluster (default: false)
configmap[string]stringAdvanced property sharding configuration
System Requirements (validated by operator):
Neo4j Version : 2025.12+ EnterpriseMinimum Servers : 2 servers (3+ recommended for HA graph shard primaries)Memory : 4GB minimum, 8GB+ recommended per serverCPU : 1+ core minimum, 2+ cores recommended per serverAuthentication : Admin secret requiredStorage : Persistent storage class required
Required Configuration (automatically applied when enabled):
internal.dbms.sharded_property_database.enabled: "true"db.query.default_language: "CYPHER_25"internal.dbms.sharded_property_database.allow_external_shard_access: "false"
Performance Tuning Options :
propertySharding :
enabled : true
config :
# Transaction log retention (critical for shard sync)db.tx_log.rotation.retention_policy : " 14 days" # Property synchronization intervalinternal.dbms.sharded_property_database.property_pull_interval : " 10ms" # Memory optimizationserver.memory.heap.max_size : " 12G" server.memory.pagecache.size : " 6G" # Connection pooling for cross-shard queriesserver.bolt.thread_pool_min_size : " 10" server.bolt.thread_pool_max_size : " 100" Resource Recommendations :
Development:
resources :
requests :
memory : 4Gi # Absolute minimum for dev/testcpu : 2000m # 2 cores for cross-shard querieslimits :
memory : 8Gi # Recommended for productioncpu : 2000m Production:
resources :
requests :
memory : 4Gi # Minimum requirementcpu : 2000m # Cross-shard performancelimits :
memory : 8Gi # Recommended for productioncpu : 4000m # Handle peak loadsValidation Errors :
Error
Cause
Resolution
property sharding requires Neo4j 2025.12+Old Neo4j version
Upgrade to 2025.12+ Enterprise
spec.topology.servers in body should be greater than or equal to 2Invalid server count
Increase server count to 2+ (3+ recommended for HA)
property sharding requires minimum 4GB memoryInsufficient memory
Increase memory to 8GB+ (recommended)
property sharding requires minimum 1 CPU coreInsufficient CPU
Increase CPU to 2+ cores (recommended)
For detailed configuration, see the Property Sharding Guide .
Field
Type
Description
defaultStorage*StorageLocationDefault storage location for backups
cloud*CloudBlockCloud provider configuration (credentials/identity)
Field
Type
Description
typestringStorage type: "s3", "gcs", "azure", "pvc"
bucketstringBucket name (for cloud storage)
pathstringPath within bucket or PVC
pvc*PVCSpecPVC configuration (for pvc type)
cloud*CloudBlockCloud provider configuration
Field
Type
Description
namestringName of existing PVC to use
storageClassNamestringStorage class name
sizestringSize for new PVC (e.g., "100Gi")
Field
Type
Description
providerstringCloud provider: "aws", "gcp", "azure"
identity*CloudIdentityCloud identity configuration
Field
Type
Description
providerstringIdentity provider: "aws", "gcp", "azure"
serviceAccountstringService account name for cloud identity
autoCreate*AutoCreateSpecAuto-create service account and annotations
Field
Type
Description
enabledboolEnable auto-creation of service account (default: true)
annotationsmap[string]stringAnnotations to apply to auto-created service account
Query performance monitoring and analytics configuration.
Field
Type
Description
enabledboolEnable query monitoring (default: true)
slowQueryThresholdstringSlow query threshold (default: "5s")
explainPlanboolEnable query plan explanation (default: true)
indexRecommendationsboolEnable index recommendations (default: true)
sampling*QuerySamplingConfigQuery sampling configuration
metricsExport*QueryMetricsExportConfigMetrics export configuration
Query sampling configuration for performance monitoring.
Field
Type
Description
ratestringSampling rate (0.0 to 1.0)
maxQueriesPerSecondint32Maximum queries to sample per second
Metrics export configuration for query monitoring.
Field
Type
Description
prometheusboolExport to Prometheus
customEndpointstringExport to custom endpoint
intervalstringExport interval
Advanced placement and scheduling configuration.
Field
Type
Description
topologySpread*TopologySpreadConfigTopology spread constraints
antiAffinity*PodAntiAffinityConfigPod anti-affinity rules
nodeSelectormap[string]stringNode selection constraints
requiredDuringSchedulingboolHard placement requirements
Controls how servers are distributed across cluster topology.
Field
Type
Description
enabledboolEnable topology spread constraints
topologyKeystringTopology domain (e.g., "topology.kubernetes.io/zone")
maxSkewint32Maximum allowed imbalance between domains
whenUnsatisfiablestringAction when constraints can't be satisfied
minDomains*int32Minimum number of eligible domains
Prevents servers from being scheduled on the same nodes/zones.
Field
Type
Description
enabledboolEnable anti-affinity rules
topologyKeystringAnti-affinity topology domain
typestringConstraint type: "required" or "preferred"
Configures how Neo4j is exposed outside the Kubernetes cluster.
Field
Type
Description
typestringService type: "ClusterIP", "NodePort", "LoadBalancer" (default: "ClusterIP")
annotationsmap[string]stringService annotations (e.g., for cloud load balancer configuration)
loadBalancerIPstringStatic IP for LoadBalancer service (cloud provider specific)
loadBalancerSourceRanges[]stringIP ranges allowed to access LoadBalancer
externalTrafficPolicystringExternal traffic policy: "Cluster" or "Local"
ingressIngressSpecIngress configuration
routeRouteSpecOpenShift Route configuration
Configures an Ingress resource for HTTP(S) access to Neo4j Browser.
Field
Type
Description
enabledboolEnable Ingress creation
classNamestringIngress class name (e.g., "nginx")
annotationsmap[string]stringIngress annotations
hoststringHostname for the Ingress
tlsSecretNamestringTLS secret name for Ingress
Field
Type
Description
enabledboolEnable OpenShift Route creation
hoststringHostname for the Route (optional)
pathstringPath for the Route (default: "/")
annotationsmap[string]stringRoute annotations
tls*RouteTLSSpecTLS settings for the Route
targetPortint32Target service port (default: 7474)
Field
Type
Description
terminationstringTLS termination: "edge", "reencrypt", "passthrough"
insecureEdgeTerminationPolicystring"None", "Allow", "Redirect"
secretNamestringSecret containing certificate (reencrypt/passthrough)
Optional MCP server deployment for the cluster using the official mcp/neo4jgithub.com/neo4j/mcp ). Requires the APOC plugin for the get-schema tool.
HTTP transport (default): no credentials stored in the pod — each client request carries a Basic Auth or Bearer token Authorization header. A Service is created at <name>-mcp:8080; the endpoint path is /mcp (fixed).
STDIO transport : NEO4J_USERNAME and NEO4J_PASSWORD are injected from the admin secret (or a custom secret via spec.mcp.auth). No Service is created.
For client configuration, see the MCP Client Setup Guide .
Field
Type
Description
enabledboolEnable MCP server deployment (default: false)
image*ImageSpecMCP server image. Defaults to mcp/neo4j:latest. Pin a version with image.tag.
transportstringTransport mode: "http" (default) or "stdio"
readOnlyboolDisable the write-cypher tool when true (default: true)
databasestringDefault Neo4j database for MCP queries
schemaSampleSize*int32Schema sampling size for get-schema. Use -1 to sample entire graph.
telemetry*boolEnable anonymous usage telemetry sent to Neo4j. When unset, uses the server default (true). Set to false to opt out.
logLevelstringLog verbosity: debug, info, notice, warning, error, critical, alert, emergency
logFormatstringLog output format: text (default) or json
http*MCPHTTPConfigHTTP transport configuration (only used when transport: http)
auth*MCPAuthSpecOverride Neo4j credentials for STDIO transport. Ignored in HTTP mode (credentials come per-request from the client).
replicas*int32Number of MCP pod replicas (default: 1). Only meaningful for HTTP.
resources*corev1.ResourceRequirementsResource requirements for MCP pods
env[]corev1.EnvVarExtra environment variables. Operator-managed vars (NEO4J_URI, NEO4J_USERNAME, NEO4J_PASSWORD, NEO4J_TRANSPORT_MODE, NEO4J_MCP_HTTP_*, etc.) are silently ignored.
securityContext*SecurityContextSpecPod/container security context overrides
HTTP transport configuration. Only applied when spec.mcp.transport: http.
Field
Type
Description
hoststringHTTP bind host (default: 0.0.0.0)
portint32HTTP bind port. Default: 8080 without TLS, 8443 with TLS.
tls*MCPTLSSpecOptional container-level TLS. When unset, handle TLS at the Ingress layer instead.
authHeaderNamestringName of the HTTP header carrying credentials (default: Authorization). Override when a proxy rewrites the standard header.
service*MCPServiceSpecKubernetes Service and Ingress/Route exposure settings
Enables container-level TLS on the mcp/neo4j HTTP server by mounting a Kubernetes TLS secret and injecting NEO4J_MCP_HTTP_TLS_ENABLED=true with the cert/key file paths. For most deployments, Ingress-level TLS termination is simpler.
Field
Type
Description
secretNamestringRequired. Name of a Kubernetes TLS secret (type: kubernetes.io/tls) containing the certificate and private key.
certKeystringKey in the secret for the certificate file (default: tls.crt)
keyKeystringKey in the secret for the private key file (default: tls.key)
Field
Type
Description
typestringService type: "ClusterIP" (default), "NodePort", "LoadBalancer"
annotationsmap[string]stringService annotations
loadBalancerIPstringStatic LoadBalancer IP
loadBalancerSourceRanges[]stringAllowed source ranges
externalTrafficPolicystringExternal traffic policy: "Cluster" or "Local"
portint32Service port for MCP HTTP (default: same as container port)
ingress*IngressSpecIngress configuration. Path is always /mcp (fixed by the official image).
route*RouteSpecOpenShift Route configuration
Overrides the Neo4j credentials injected into the MCP pod. Only effective for STDIO transport. In HTTP mode the server authenticates per-request using the client's Authorization header.
Field
Type
Description
secretNamestringSecret containing username/password keys. Defaults to the cluster admin secret when unset.
usernameKeystringUsername key name (default: username)
passwordKeystringPassword key name (default: password)
Field
Type
Description
enabledboolEnable Neo4j UI deployment
ingress*IngressSpecUI ingress configuration
resources*corev1.ResourceRequirementsResource requirements for UI pods
pathTypestringPath type: "Prefix", "Exact", "ImplementationSpecific"
tlsEnabledboolEnable TLS on the Ingress
tlsSecretNamestringTLS certificate secret name
annotationsmap[string]stringIngress annotations
The Neo4jEnterpriseClusterStatus represents the observed state of the cluster.
Field
Type
Description
phasestringCluster phase: "Initializing", "Running", "Failed", "Upgrading", "Scaling"
readyboolWhether the cluster is ready
messagestringHuman-readable status message
conditions[]metav1.ConditionCluster conditions
replicasmap[string]ReplicaStatusStatus of each replica
clusterIDstringNeo4j cluster ID
endpointsEndpointStatusService endpoints
versionstringCurrent Neo4j version
upgradeStatus*UpgradeStatusUpgrade status
lastBackup*metav1.TimeLast backup timestamp
observedGenerationint64Last observed generation
Service endpoints and connection information.
Field
Type
Description
boltURLstringBolt protocol endpoint
httpURLstringHTTP endpoint for Neo4j Browser
httpsURLstringHTTPS endpoint for Neo4j Browser
internalURLstringInternal cluster communication endpoint
connectionExamplesConnectionExamplesExample connection strings
Example connection strings for various scenarios.
Field
Type
Description
portForwardstringkubectl port-forward command
browserURLstringNeo4j Browser URL
boltURIstringBolt connection URI
neo4jURIstringNeo4j driver URI
pythonExamplestringPython driver connection example
javaExamplestringJava driver connection example
Detailed upgrade progress tracking.
Field
Type
Description
phasestringUpgrade phase: "Pending", "InProgress", "Paused", "Completed", "Failed"
startTime*metav1.TimeWhen the upgrade started
completionTime*metav1.TimeWhen the upgrade completed
currentStepstringCurrent upgrade step description
previousVersionstringVersion before upgrade
targetVersionstringVersion being upgraded to
progress*UpgradeProgressUpgrade progress statistics
messagestringAdditional upgrade details
lastErrorstringLast error encountered during upgrade
Upgrade progress across servers.
Field
Type
Description
totalint32Total number of servers to upgrade
upgradedint32Number of servers successfully upgraded
inProgressint32Number of servers currently being upgraded
pendingint32Number of servers pending upgrade
servers*NodeUpgradeProgressServer upgrade details
Server-specific upgrade progress.
Field
Type
Description
totalint32Total number of servers
upgradedint32Number of servers successfully upgraded
inProgressint32Number of servers currently being upgraded
pendingint32Number of servers pending upgrade
currentLeaderstringCurrent leader server
apiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jEnterpriseCluster
metadata :
name : basic-cluster
spec :
image :
repo : neo4j # Note: field name is 'repo', not 'repository'tag : " 5.26.0-enterprise" topology :
servers : 3 # Creates StatefulSet basic-cluster-server with 3 replicasstorage :
className : standard
size : 10Gi
auth :
adminSecret : neo4j-admin-secret # Note: field name is 'adminSecret'resources :
requests :
cpu : " 1" memory : 4Gi
limits :
cpu : " 2" memory : 8Gi Cluster with Server Role Constraints apiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jEnterpriseCluster
metadata :
name : role-constrained-cluster
spec :
image :
repo : neo4j
tag : " 5.26.0-enterprise" topology :
servers : 5
# Global constraint: all servers default to any roleserverModeConstraint : NONE
# Per-server role hints (overrides global constraint)serverRoles :
- serverIndex : 0
modeConstraint : PRIMARY # Server-0: only primary databasesserverIndex : 1
modeConstraint : PRIMARY # Server-1: only primary databasesserverIndex : 2
modeConstraint : SECONDARY # Server-2: only secondary databasesserverIndex : 3
modeConstraint : SECONDARY # Server-3: only secondary databasesserverIndex : 4
modeConstraint : NONE # Server-4: any database mode# Advanced placement for high availabilityplacement :
topologySpread :
enabled : true
topologyKey : topology.kubernetes.io/zone
maxSkew : 1
whenUnsatisfiable : DoNotSchedule
antiAffinity :
enabled : true
topologyKey : kubernetes.io/hostname
type : required
availabilityZones :
- us-east-1a
- us-east-1b
- us-east-1c
enforceDistribution : true
storage :
className : fast-ssd
size : 50Gi
auth :
adminSecret : neo4j-admin-secret Cluster with Centralized Backup apiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jEnterpriseCluster
metadata :
name : monitored-cluster
spec :
image :
repo : neo4j
tag : " 5.26.0-enterprise" topology :
servers : 3 # Creates monitored-cluster-server StatefulSetstorage :
className : fast-ssd
size : 50Gi
auth :
adminSecret : neo4j-admin-secret
# Centralized backup configurationbackups :
defaultStorage :
type : s3
bucket : neo4j-backups
path : production/
cloud :
provider : aws
identity :
provider : aws
serviceAccount : neo4j-backup-sa # Uses IAM roles for pods# Enhanced query monitoringqueryMonitoring :
enabled : true
slowQueryThreshold : " 1s" explainPlan : true
indexRecommendations : true
sampling :
rate : " 0.1" maxQueriesPerSecond : 100
metricsExport :
prometheus : true
interval : " 30s" Create Scheduled Backup (Separate Resource) # Note: Backups are now managed via Neo4jBackup CRDapiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jBackup
metadata :
name : daily-cluster-backup
spec :
target :
kind : Cluster
name : monitored-cluster
storage :
type : s3
bucket : neo4j-backups
path : daily/
schedule : " 0 2 * * *" # Daily at 2 AMretention :
maxAge : " 30d" maxCount : 30
options :
compress : true
backupType : FULL Cluster with LoadBalancer Service apiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jEnterpriseCluster
metadata :
name : public-cluster
spec :
image :
repo : neo4j
tag : " 5.26.0-enterprise" topology :
servers : 5 # Creates public-cluster-server StatefulSet with 5 replicasstorage :
className : standard
size : 20Gi
auth :
adminSecret : neo4j-admin-secret
# LoadBalancer service configurationservice :
type : LoadBalancer
annotations :
# AWS NLB exampleservice.beta.kubernetes.io/aws-load-balancer-type : " nlb" service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled : " true" loadBalancerSourceRanges :
- " 10.0.0.0/8" # Corporate network" 172.16.0.0/12" # VPN rangeexternalTrafficPolicy : Local # Preserve client IPsapiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jEnterpriseCluster
metadata :
name : ingress-cluster
spec :
image :
repo : neo4j
tag : " 5.26.0-enterprise" topology :
servers : 3 # Creates ingress-cluster-server StatefulSetstorage :
className : fast-ssd
size : 20Gi
auth :
adminSecret : neo4j-admin-secret
# TLS configurationtls :
mode : cert-manager
issuerRef :
name : letsencrypt-prod
kind : ClusterIssuer
# Ingress configurationservice :
ingress :
enabled : true
className : nginx
host : neo4j.example.com
tlsSecretName : neo4j-tls
annotations :
cert-manager.io/cluster-issuer : letsencrypt-prod
nginx.ingress.kubernetes.io/backend-protocol : " HTTPS" # Create a cluster# List clusters# Get cluster details# Check cluster status# Port forward for local access# Scale cluster (change server count)' {"spec":{"topology":{"servers":5}}}' # Update Neo4j version' {"spec":{"image":{"tag":"2025.01.0-enterprise"}}}' # Check cluster healthexec my-cluster-server-0 -- cypher-shell -u neo4j -p password " SHOW SERVERS" # Monitor server podsMulti-Database Architecture # 1. Create cluster with role-optimized serversapiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jEnterpriseCluster
metadata :
name : multi-db-cluster
spec :
topology :
servers : 6
serverRoles :
- serverIndex : 0
modeConstraint : PRIMARY # Dedicated for write workloadsserverIndex : 1
modeConstraint : PRIMARY
- serverIndex : 2
modeConstraint : SECONDARY # Dedicated for read workloadsserverIndex : 3
modeConstraint : SECONDARY
- serverIndex : 4
modeConstraint : NONE # Mixed workloadsserverIndex : 5
modeConstraint : NONE
# ... other configuration# 2. Create databases with specific topologiesapiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jDatabase
metadata :
name : user-database
spec :
clusterRef : multi-db-cluster
name : users
topology :
primaries : 2 # Uses servers 0-1 (PRIMARY constraint)secondaries : 2 # Uses servers 2-3 (SECONDARY constraint)apiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jDatabase
metadata :
name : analytics-database
spec :
clusterRef : multi-db-cluster
name : analytics
topology :
primaries : 1 # Uses server 4 or 5 (NONE constraint)secondaries : 3 # Uses remaining serversDevelopment vs Production # Development cluster (minimal resources)apiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jEnterpriseCluster
metadata :
name : dev-cluster
spec :
topology :
servers : 2 # Minimum for clusteringstorage :
className : standard
size : 10Gi
resources :
requests :
cpu : 200m
memory : 1Gi
limits :
cpu : 1
memory : 2Gi
tls :
mode : disabled
---
# Property Sharding cluster (Neo4j 2025.12+)apiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jEnterpriseCluster
metadata :
name : sharding-cluster
spec :
image :
repo : neo4j
tag : 2025.12-enterprise
topology :
servers : 7 # Sufficient for property sharding workloadsstorage :
className : fast-ssd
size : 100Gi
resources :
requests :
cpu : 2
memory : 8Gi
limits :
cpu : 4
memory : 16Gi
propertySharding :
enabled : true
config :
db.tx_log.rotation.retention_policy : " 14 days" internal.dbms.sharded_property_database.property_pull_interval : " 5ms" server.memory.heap.max_size : " 12G" server.memory.pagecache.size : " 6G" tls :
mode : cert-manager
issuerRef :
name : ca-cluster-issuer
kind : ClusterIssuer
---
# Production cluster (high availability)apiVersion : neo4j.neo4j.com/v1alpha1
kind : Neo4jEnterpriseCluster
metadata :
name : prod-cluster
spec :
topology :
servers : 5
placement :
topologySpread :
enabled : true
topologyKey : topology.kubernetes.io/zone
maxSkew : 1
antiAffinity :
enabled : true
type : required
availabilityZones : [us-east-1a, us-east-1b, us-east-1c]
enforceDistribution : true
storage :
className : fast-ssd
size : 100Gi
resources :
requests :
cpu : 2
memory : 8Gi
limits :
cpu : 4
memory : 16Gi
tls :
mode : cert-manager
issuerRef :
name : ca-cluster-issuer
kind : ClusterIssuer
auth :
passwordPolicy :
minLength : 12
requireSpecialChars : true
Resource Planning : Allocate sufficient memory (≥4Gi) and CPU for Neo4j Enterprise workloadsHigh Availability : Use odd number of servers (3, 5) and distribute across availability zonesServer Role Optimization : Use role constraints to optimize server usage for specific workload patternsStorage : Use fast SSD storage classes (fast-ssd, premium-ssd) for production workloadsSecurity : Always enable TLS and use strong password policies in productionMonitoring : Enable query monitoring and centralized logging for performance insightsBackup Strategy : Use centralized backup with appropriate retention policiesScaling : Plan for growth - scaling up is easier than scaling down
# Check cluster formationexec my-cluster-server-0 -- cypher-shell -u neo4j -p password " SHOW SERVERS" # Check pod status# Check operator logs# Verify split-brain detection# Check resource version conflicts# Force reconciliation with a no-op annotation change" $( date +%s) " For more information: