Deploy a Pulsar cluster on Kubernetes

Before deploying a Pulsar cluster, you need to prepare Kubernetes resources and then continue with the following steps.

  1. Select configuration options
  2. Install dependent charts
  3. Prepare Helm release
  4. Deploy your Pulsar cluster using Helm

Select configuration options

Specify how to run Pulsar using Helm’s --set option.name=value command line option. In each section, collect the options that are combined to use with the helm install command.

Kubernetes namespace

By default, the Pulsar Helm Chart is installed in a namespace called pulsar.

  1. namespace: pulsar

To install the Pulsar Helm Chart into a different Kubernetes namespace, you can include this option in the helm install command.

  1. --set namespace=<different-k8s-namespace>

By default, the Pulsar Helm Chart doesn’t create the namespace.

  1. namespaceCreate: false

To use the Pulsar Helm Chart to create the Kubernetes namespace automatically, you can include this option in the helm install command.

  1. --set namespaceCreate=true

Persistence

By default, the Pulsar Helm Chart creates Volume Claims with the expectation that a dynamic provisioner creates the underlying Persistent Volumes.

  1. volumes:
  2. persistence: true

Deploy - 图1note

Before installing the production instance of Pulsar, ensure to plan the storage settings to avoid extra storage migration work. Because after initial installation, you must edit Kubernetes objects manually if you want to change storage settings.

The Pulsar Helm Chart is designed for production use. To use the Pulsar Helm Chart in a development environment (such as Minikube), you can disable persistence by including this option in your helm install command.

  1. --set volumes.persistence=false

Affinity

By default, anti-affinity is enabled to ensure pods of the same component can run on different nodes.

  1. affinity:
  2. anti_affinity: true

To use the Pulsar Helm Chart in a development environment (such as Minikube), you can disable anti-affinity by including this option in your helm install command.

  1. --set affinity.anti_affinity=false

Components

The Pulsar Helm Chart is designed for production usage. It deploys a production-ready Pulsar cluster, including Pulsar core components and monitoring components.

You can customize the components to be deployed by turning on/off individual components.

  1. ## Components
  2. ##
  3. ## Control what components of Apache Pulsar to deploy for the cluster
  4. components:
  5. # zookeeper
  6. zookeeper: true
  7. # bookkeeper
  8. bookkeeper: true
  9. # bookkeeper - autorecovery
  10. autorecovery: true
  11. # broker
  12. broker: true
  13. # functions
  14. functions: true
  15. # proxy
  16. proxy: true
  17. # toolset
  18. toolset: true
  19. # pulsar manager
  20. pulsar_manager: true
  21. ## Monitoring Components
  22. ##
  23. ## Control what components of the monitoring stack to deploy for the cluster
  24. monitoring:
  25. # monitoring - prometheus
  26. prometheus: true
  27. # monitoring - grafana
  28. grafana: true

Docker images

The Pulsar Helm Chart is designed to enable controlled upgrades. So it can configure independent image versions for components. You can customize the images by setting individual components.

  1. ## Images
  2. ##
  3. ## Control what images to use for each component
  4. images:
  5. zookeeper:
  6. repository: apachepulsar/pulsar-all
  7. tag: 3.1.1
  8. pullPolicy: IfNotPresent
  9. bookie:
  10. repository: apachepulsar/pulsar-all
  11. tag: 3.1.1
  12. pullPolicy: IfNotPresent
  13. autorecovery:
  14. repository: apachepulsar/pulsar-all
  15. tag: 3.1.1
  16. pullPolicy: IfNotPresent
  17. broker:
  18. repository: apachepulsar/pulsar-all
  19. tag: 3.1.1
  20. pullPolicy: IfNotPresent
  21. proxy:
  22. repository: apachepulsar/pulsar-all
  23. tag: 3.1.1
  24. pullPolicy: IfNotPresent
  25. functions:
  26. repository: apachepulsar/pulsar-all
  27. tag: 3.1.1
  28. pulsar_manager:
  29. repository: apachepulsar/pulsar-manager
  30. tag: v0.3.0
  31. pullPolicy: IfNotPresent
  32. hasCommand: false

TLS

The Pulsar Helm Chart can be configured to enable TLS (Transport Layer Security) to protect all the traffic between components. Before enabling TLS, you have to provision TLS certificates for the required components.

Provision TLS certificates using cert-manager

To use the cert-manager to provision the TLS certificates, you have to install the cert-manager before installing the Pulsar Helm Chart. After successfully installing the cert-manager, you can set certs.internal_issuer.enabled to true. Therefore, the Pulsar Helm Chart can use the cert-manager to generate selfsigning TLS certificates for the configured components.

  1. certs:
  2. internal_issuer:
  3. enabled: false
  4. component: internal-cert-issuer
  5. type: selfsigning

You can also customize the generated TLS certificates by configuring the fields as the following.

  1. tls:
  2. # common settings for generating certs
  3. common:
  4. # 90d
  5. duration: 2160h
  6. # 15d
  7. renewBefore: 360h
  8. organization:
  9. - pulsar
  10. keySize: 4096
  11. keyAlgorithm: rsa
  12. keyEncoding: pkcs8
Enable TLS

After installing the cert-manager, you can set tls.enabled to true to enable TLS encryption for the entire cluster.

  1. tls:
  2. enabled: false

You can also configure whether to enable TLS encryption for individual components.

  1. tls:
  2. # settings for generating certs for proxy
  3. proxy:
  4. enabled: false
  5. cert_name: tls-proxy
  6. # settings for generating certs for broker
  7. broker:
  8. enabled: false
  9. cert_name: tls-broker
  10. # settings for generating certs for bookies
  11. bookie:
  12. enabled: false
  13. cert_name: tls-bookie
  14. # settings for generating certs for zookeeper
  15. zookeeper:
  16. enabled: false
  17. cert_name: tls-zookeeper
  18. # settings for generating certs for recovery
  19. autorecovery:
  20. cert_name: tls-recovery
  21. # settings for generating certs for toolset
  22. toolset:
  23. cert_name: tls-toolset

Authentication

By default, authentication is disabled. You can set auth.authentication.enabled to true to enable authentication. Currently, the Pulsar Helm Chart only supports the JWT authentication provider. You can set auth.authentication.provider to jwt to use the JWT authentication provider.

  1. # Enable or disable broker authentication and authorization.
  2. auth:
  3. authentication:
  4. enabled: false
  5. provider: "jwt"
  6. jwt:
  7. # Enable JWT authentication
  8. # If the token is generated by a secret key, set the usingSecretKey as true.
  9. # If the token is generated by a private key, set the usingSecretKey as false.
  10. usingSecretKey: false
  11. superUsers:
  12. # broker to broker communication
  13. broker: "broker-admin"
  14. # proxy to broker communication
  15. proxy: "proxy-admin"
  16. # pulsar-admin client to broker/proxy communication
  17. client: "admin"

To enable authentication, you can run prepare helm release to generate token secret keys and tokens for three super users specified in the auth.superUsers field. The generated token keys and super user tokens are uploaded and stored as Kubernetes secrets prefixed with <pulsar-release-name>-token-. You can use the following command to find those secrets.

  1. kubectl get secrets -n <k8s-namespace>

Authorization

By default, authorization is disabled. Authorization can be enabled only when authentication is enabled.

  1. auth:
  2. authorization:
  3. enabled: false

To enable authorization, you can include this option in the helm install command.

  1. --set auth.authorization.enabled=true

CPU and RAM resource requirements

By default, the resource requests and the number of replicas for the Pulsar components in the Pulsar Helm Chart are adequate for small production deployment. If you deploy a non-production instance, you can reduce the defaults to fit into a smaller cluster.

Once you have all of your configuration options collected, you can install dependent charts before installing the Pulsar Helm Chart.

Install dependent charts

Install storage provisioner

For more information about storage provisioner, refer to Kubernetes documentation. Note that you need to create a storage class for your Kubernetes cluster and configure the storage class name in the Helm Chart.

If you want to use local persistent volumes as the persistent storage, you need to install a local storage provisioner. Here are two options:

Install cert-manager

The Pulsar Helm Chart uses the cert-manager to provision and manage TLS certificates automatically. To enable TLS encryption for brokers or proxies, you need to install the cert-manager in advance.

For details about how to install the cert-manager, follow the official instructions.

Alternatively, we provide a bash script install-cert-manager.sh to install a cert-manager release to the namespace cert-manager.

  1. git clone https://github.com/apache/pulsar-helm-chart
  2. cd pulsar-helm-chart
  3. ./scripts/cert-manager/install-cert-manager.sh

Prepare Helm release

Once you have installed all the dependent charts and collected all of your configuration options, you can run prepare_helm_release.sh to prepare the Helm release.

  1. git clone https://github.com/apache/pulsar-helm-chart
  2. cd pulsar-helm-chart
  3. ./scripts/pulsar/prepare_helm_release.sh -n <k8s-namespace> -k <helm-release-name>

The prepare_helm_release creates the following resources:

  • A Kubernetes namespace for installing the Pulsar release.
  • JWT secret keys and tokens for three super users: broker-admin, proxy-admin, and admin. By default, it generates an asymmetric public/private key pair. You can choose to generate a symmetric secret key by specifying --symmetric.
    • the broker-admin role is used for inter-broker communications.
    • the proxy-admin role is used for proxies to communicate with brokers.
    • the admin role is used by the admin tools.

Deploy Pulsar cluster using Helm

Once you have finished the above steps, you can install a Helm release.

In this example, the Helm release is named pulsar.

  1. helm repo add apache https://pulsar.apache.org/charts
  2. helm repo update
  3. helm install pulsar apache/pulsar \
  4. --timeout 10m \
  5. --set [your configuration options]

You can also use the --version <installation version> option if you want to install a specific version of Pulsar Helm Chart.

Deploy - 图2tip

A list of installed resources is output once the Pulsar cluster is deployed. This may take 5-10 minutes.

To check the status of the deployment, run the helm status pulsar command. It can also be done while the deployment is taking place if you run the command in another terminal.

Access Pulsar cluster

The default values will create a ClusterIP for the following resources, which you can use to interact with the cluster.

  • Proxy: You can use the IP address to produce and consume messages to the installed Pulsar cluster.
  • Pulsar Manager: You can access the Pulsar Manager UI at http://<pulsar-manager-ip>:9527.
  • Grafana Dashboard: You can access the Grafana dashboard at http://<grafana-dashboard-ip>:3000.

To find the IP addresses of those components, run the following command:

  1. kubectl get service -n <k8s-namespace>

Troubleshoot

Although we have done our best to make these charts as seamless as possible, troubles do go out of our control occasionally. We have been collecting tips and tricks for troubleshooting common issues. Check it first before raising an issue, and feel free to add your solutions by creating a Pull Request.

Uninstall

To uninstall the Pulsar Helm Chart, run the following command:

  1. helm uninstall <pulsar-release-name>

For the purposes of continuity, some Kubernetes objects in these charts cannot be removed by using the helm uninstall command. It is recommended to consciously remove these items, as they affect re-deployment.

  • PVCs for stateful data: remove these items.
    • ZooKeeper: This is your metadata.
    • BookKeeper: This is your data.
    • Prometheus: This is your metrics data, which can be safely removed.
  • Secrets: if the secrets are generated by the prepared release script, they contain secret keys and tokens. You can use the cleanup release script to remove these secrets and tokens as needed.