Installing Solace Cloud in STACKIT Kubernetes Engine (SKE)

Deploying Solace Cloud to STACKIT Kubernetes Engine (SKE) is a Controlled-Availability (CA) feature. Contact Solace to see if this feature is suitable for your use case and deployment requirements.

STACKIT Kubernetes Engine (SKE) is a robust, scalable, and managed Kubernetes service that enables self-service cluster creation via the STACKIT Cloud Portal. SKE supplies CNCF-compliant Kubernetes clusters, and makes it easy to provide standard Kubernetes applications and containerized workloads. SKE manages the control plane components while you deploy and manage your applications. For more information, see the STACKIT Kubernetes Engine documentation.

This deployment guide is intended for customers installing Solace Cloud in a Customer-Controlled Cluster in SKE. For a list of deployment options, see Solace Cloud Deployment Ownership Models.

You must perform a number of environment-specific steps to install Solace Cloud.

  • Before you perform the environment-specific steps described below, ensure that you review and fulfill the general requirements listed in Common Kubernetes Prerequisites.

  • Solace does not support event broker service integration with service meshes. Service meshes include Istio, Cilium, Linkerd, Consul, and others. If deploying to a cluster with a service mesh, you must:

Solace provides reference Terraform projects for deploying a Kubernetes cluster to AKS, EKS, GKE, and SKE. These Terraform projects have the recommended configuration settings, such as worker node sizes, resource configurations, taints, and labels optimized to install Solace Cloud.

You can download the reference Terraform projects from our GitHub repository: https://github.com/SolaceLabs/customer-controlled-region-reference-architectures

Be aware that all sample scripts, Terraform modules, and examples are provided as-is. You can modify the files as required, and you are responsible for maintaining the modified files for your Kubernetes cluster.

For more information, see the following sections:

SKE Prerequisites

Before running the Solace Terraform to create your STACKIT Network Area (SNA), Kubernetes cluster, and deploy Solace Cloud, you must ensure you meet the following prerequisites:

STACKIT Account Requirements

Your STACKIT account must have the following permissions:

  • SKE cluster creation and management permissions (ske.admin or ske.editor role)
  • Network resource management (VPC, subnets, security groups)
  • Load balancer creation and configuration
  • Block storage volume management
  • Compute instance management

Project Type Requirements

SKE managed Kubernetes can only be used within projects of type:

  • Public - Internet-facing clusters with automatic infrastructure provisioning
  • Network Area (SNA) - Private connectivity across projects and on-premises environments for hybrid cloud scenarios

Software Requirements

You must have the following software installed:

SKE Cluster Setup

Solace provides a reference Terraform to configure your SKE Kubernetes cluster. After the Terraform creates the cluster, use a Helm chart provided by Solace in the Private Regions tab of the Cloud Console to deploy the Mission Control Agent to the SKE Cluster.

The Solace Terraform provisions the following cluster infrastructure:

Networking Configuration

The Solace Terraform creates a STACKIT Network Area (SNA) at the organization level with project-scoped networks for cluster worker nodes.

Network Architecture

The network architecture created by the Terraform includes:

  • Network Area (SNA): Organization-level network infrastructure
  • Region Bindings: Network area bindings to the eu01 (Heilbronn/Germany) region
  • Project Networks: Isolated networks for worker node communication
  • Private API Server: Cluster API accessible only from within the network by default

IP Address Allocation

When creating the network, the Terraform allocates the following IP addresses:

  • 1 IP per worker node
  • 5 IPs per load balancer service
  • 1 IP for router interface
  • Additional IPs for rolling updates (temporary node overlap during upgrades)

Worker nodes do not receive public IPs. External exposure requires load balancer services. Network size cannot be modified after cluster creation.

Node Pool Architecture

The Solace Terraform creates a default system node pool, and 12 event broker service node pools (four service tiers across three availability zones). Each pool is locked to a single availability zone. The following table shows the instance types per node pool:

All event broker service nodes use 50 GiB premium boot volumes. Autoscaling is enabled on all pools.

Node Type                                                 Instance Type   Approximate Resources
--------------------------------------------------------  -------------   ---------------------
System                                                    c2i.2           2 vCPU / 4 GiB RAM
Monitoring                                                g3i.2           2 vCPU / 8 GiB RAM
Enterprise-100 Standalone, Enterprise 250, Enterprise 1K  m2i.2           2 vCPU / 16 GiB RAM
Enterprise 5K, Enterprise 10K                             m2i.4           4 vCPU / 32 GiB RAM
Enterprise 50K, Enterprise 100K                           m2i.8           8 vCPU / 64 GiB RAM

Availability Zones

The Solace Terraform distributes the node pools across availability zones automatically to provide high availability. For more information, see High Availability in Solace Cloud and Topologies in the SKE documentation.

The Terraform creates the following node pools in the listed availability zones:

  • System pool: This pool hosts the Mission Control Agent and is deployed to the eu01-m zone (metro zone).

  • Broker pools: These pools host event broker services and are spread across the discrete STACKIT availability zones (eu01-1, eu01-2, eu01-3), which enables pod anti-affinity across zones for HA event broker services.

Cluster Autoscaling

The SKE Cluster Autoscaler dynamically adjusts node pool sizes based on resource demands. SKE sets the following autoscaling limits:

  • Maximum 1,000 nodes per cluster

  • Combined minimum values across all pools cannot exceed 1,000
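
Because the network size cannot be modified after cluster creation, it helps to size the network against peak autoscaling before running the Terraform. The following is an added example, not part of the Solace Terraform project, that combines the per-resource IP counts from IP Address Allocation with the autoscaling limits above. The surge node count, the two reserved addresses per network, and the pool bounds are assumptions.

```python
import ipaddress

MAX_NODES_PER_CLUSTER = 1000  # SKE autoscaling limit stated on this page
IPS_PER_LB_SERVICE = 5        # per load balancer service (this page)
ROUTER_IPS = 1                # router interface (this page)
RESERVED_PER_NETWORK = 2      # assumption: network and broadcast addresses


def required_ips(pools, lb_services, surge_nodes):
    """pools: (min_nodes, max_nodes) autoscaling bounds, one tuple per node pool.
    surge_nodes: extra nodes alive at once during a rolling update (assumption)."""
    if any(lo < 0 or hi < lo for lo, hi in pools):
        raise ValueError("each pool needs 0 <= min <= max")
    if sum(lo for lo, _ in pools) > MAX_NODES_PER_CLUSTER:
        raise ValueError("combined pool minimums exceed 1,000 nodes")
    # Autoscaling cannot exceed the cluster-wide node limit.
    peak_nodes = min(sum(hi for _, hi in pools), MAX_NODES_PER_CLUSTER)
    return (peak_nodes + surge_nodes
            + IPS_PER_LB_SERVICE * lb_services + ROUTER_IPS)


def smallest_prefix(needed):
    """Longest IPv4 prefix (smallest network) with at least `needed` usable IPs."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - RESERVED_PER_NETWORK >= needed:
            return prefix
    raise ValueError("requirement does not fit in IPv4")


def headroom(cidr, pools, lb_services, surge_nodes):
    """Spare addresses in `cidr` at peak scale; negative means it is too small."""
    usable = ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_NETWORK
    return usable - required_ips(pools, lb_services, surge_nodes)


# Constructed sizing input: 1 system pool plus 12 broker pools.
POOLS = [(1, 3)] + [(1, 5)] * 12

if __name__ == "__main__":
    need = required_ips(POOLS, lb_services=10, surge_nodes=13)
    print(need, smallest_prefix(need), headroom("10.0.0.0/25", POOLS, 10, 13))
```

With the constructed input, a /25 network falls one address short at peak scale, so the network must be at least a /24.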

Storage Configuration

Because SKE offers storage classes by performance, the Solace Terraform uses a specific storage class for each event broker service disk type. These storage classes apply to all event broker service classes:

Disk Type      Storage Class
------------   ---------------------
Data Disk      premium-perf2-stackit
Storage Disk   premium-perf6-stackit

If you require different storage classes, contact Solace.

For more information about STACKIT storage in SKE, see Storage and Storage Classes in the SKE documentation.

The Terraform configures your SKE cluster storage with the following characteristics: 

  • Provisioner: cinder.csi.openstack.org (OpenStack Cinder CSI driver)

  • Reclaim Policy: Delete (volumes are removed when PVC is deleted)

  • Volume Binding Mode: WaitForFirstConsumer (ensures volumes are provisioned in the same AZ as requesting pods)

  • Volume Expansion: Enabled for all storage classes
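
The characteristics above can be checked for drift after cluster creation. The following is an added example, not code from Solace or STACKIT, that audits the output of `kubectl get storageclass -o json` against the values listed on this page. The sample input is constructed, and the function and constant names are hypothetical.

```python
import json

# Characteristics this page lists for the cluster's storage classes.
EXPECTED = {
    "provisioner": "cinder.csi.openstack.org",
    "reclaimPolicy": "Delete",
    "volumeBindingMode": "WaitForFirstConsumer",
    "allowVolumeExpansion": True,
}
REQUIRED_CLASSES = ("premium-perf2-stackit", "premium-perf6-stackit")


def audit_storage_classes(kubectl_json):
    """Return (class, field, expected, actual) tuples for every deviation."""
    classes = {sc["metadata"]["name"]: sc
               for sc in json.loads(kubectl_json).get("items", [])}
    findings = []
    for name in REQUIRED_CLASSES:
        sc = classes.get(name)
        if sc is None:
            findings.append((name, "(class)", "present", "missing"))
            continue
        for field, want in EXPECTED.items():
            got = sc.get(field)  # an omitted allowVolumeExpansion means disabled
            if got != want:
                findings.append((name, field, want, got))
    return findings


# Constructed sample: perf2 matches the page, perf6 has drifted.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "premium-perf2-stackit"}, **EXPECTED},
    {"metadata": {"name": "premium-perf6-stackit"},
     "provisioner": "cinder.csi.openstack.org", "reclaimPolicy": "Delete",
     "volumeBindingMode": "Immediate"},
]})

if __name__ == "__main__":
    for finding in audit_storage_classes(SAMPLE):
        print("DRIFT %s: %s expected %r, found %r" % finding)
```

A class that has drifted to Immediate binding can have its volume provisioned in a different availability zone than the pod that requests it, which is what WaitForFirstConsumer prevents.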

Load Balancer Configuration

Solace event broker services do not support TCP PROXY protocol. While the lb.stackit.cloud/tcp-proxy-protocol annotation is available in SKE, it cannot be used with Solace event broker services. As a result, client source IP addresses are not visible to the event broker. Use alternative authentication and authorization methods instead of IP-based access control lists (ACLs).

The Solace Terraform configures your SKE cluster to use the P10 service plan load balancer. If you require a different SKE service plan load balancer, contact Solace.

For more information about STACKIT load balancers, see Load balancing in the SKE documentation.

SKE Cluster Access

The Solace Terraform configures a private API server accessible from within the STACKIT network. Access the cluster using the kubeconfig file as described below.

The downloaded kubeconfig does not contain secrets. It uses the STACKIT CLI to request short-lived credentials on demand.

To access your SKE cluster, download the kubeconfig file from SKE using one of the following methods:

  • Using STACKIT Portal:

    1. Navigate to Runtime > Kubernetes Engine
    2. Open the cluster context menu
    3. Select Download kubeconfig
  • Using STACKIT CLI:

    stackit ske kubeconfig create
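
The statement that the kubeconfig holds no secrets and obtains short-lived credentials through the STACKIT CLI can be verified before the file is shared or committed. The following is an added example, not code from Solace or STACKIT, that audits the output of `kubectl config view -o json` for static credentials and for an exec plugin other than the expected one. The sample input is constructed, and the expected command name `stackit` is an assumption taken from the CLI command shown above.

```python
import json
import os

# kubeconfig user fields that hold a long-lived credential or point to one.
STATIC_CREDENTIAL_FIELDS = ("token", "tokenFile", "password",
                            "client-key-data", "client-key")


def audit_kubeconfig(config_json, expected_command="stackit"):
    """Return findings for users not backed solely by the exec plugin.

    expected_command is an assumption: the basename of the STACKIT CLI binary.
    """
    findings = []
    for entry in json.loads(config_json).get("users") or []:
        name = entry.get("name", "<unnamed>")
        user = entry.get("user") or {}
        for field in STATIC_CREDENTIAL_FIELDS:
            if user.get(field):
                findings.append(f"{name}: static credential field '{field}'")
        if user.get("auth-provider"):
            findings.append(f"{name}: legacy auth-provider instead of exec")
        command = (user.get("exec") or {}).get("command", "")
        if not command:
            findings.append(f"{name}: no exec credential plugin")
        elif os.path.basename(command) != expected_command:
            findings.append(f"{name}: unexpected exec command '{command}'")
    return findings


# Constructed sample; the exec args are placeholders, not real CLI arguments.
SAMPLE = json.dumps({"users": [
    {"name": "ske-exec", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1",
        "command": "stackit", "args": ["<placeholder>"]}}},
    {"name": "legacy-admin", "user": {"token": "REDACTED"}},
    {"name": "wrapped", "user": {"exec": {"command": "/tmp/helper.sh"}}},
]})

if __name__ == "__main__":
    for line in audit_kubeconfig(SAMPLE):
        print(line)
```

The check works on redacted output because it tests for the presence of a field, so the secrets themselves never need to be printed.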

Deploying the Mission Control Agent

After configuring access to your SKE cluster, download the Helm chart from the Private Regions tab and use it to deploy the Mission Control Agent.