Planning Your Kubernetes Deployment

Deploying PubSub+ Cloud can require planning and coordination across different teams. It's important to think about how your deployment is going to work to ensure the long-term success of your system. To help you gather all the information you need, we've compiled a list of questions to uncover the configuration information we need to properly create your event broker services. By researching and planning your decisions around these questions in advance, you can help make your deployment go quickly and smoothly.

Each entry below lists the configuration question, how Solace uses this information, and the related documentation.

What implementation of Kubernetes do you use?

PubSub+ Cloud supports the following implementations of Kubernetes:

  • On premises:
    • OpenShift
    • Rancher
    • VMware Tanzu
  • In the cloud:
    • Amazon Elastic Kubernetes Service (EKS)
    • Azure Kubernetes Service (AKS)
    • Azure Red Hat OpenShift (ARO)
    • Google Kubernetes Engine (GKE)
    • Alibaba Cloud Container Service for Kubernetes (ACK)
    • Huawei Cloud Container Engine (CCE)

The Kubernetes implementation and version you are using help Solace to determine how to configure the Mission Control Agent.

If you use a different implementation of Kubernetes, contact Solace to find out how we can support your deployment.

Related documentation: Deploying PubSub+ Cloud with Kubernetes; Mission Control Agent

In what Region do you want to install PubSub+ Cloud event broker services?

To correctly install and configure your deployment, Solace needs to know which cloud provider Region (if applicable) to use.

Related documentation: Creating an Event Broker Service

Does your cluster support Availability Zones (AZs)?

How many AZs does it have?

What label indicates which AZ each node is in?

The Mission Control Agent can deploy each of the Primary, Backup, and Monitoring pods in a separate Availability Zone.

To configure the Mission Control Agent for this type of deployment, Solace needs to know the labels for these Availability Zones.

Related documentation: Availability Zones
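As an added illustration of the zone-label question above (not the Mission Control Agent's Helm chart or any Solace-provided manifest), this pod template fragment keeps the three HA pods in separate zones; it assumes the standard topology.kubernetes.io/zone node label and a constructed ha-group label shared by the Primary, Backup, and Monitoring pods.

```yaml
# Added example, not Solace's manifest: pod template fragment for one of the
# three HA pods. All three carry the same ha-group label; the anti-affinity
# rule forbids two such pods on nodes whose zone label has the same value,
# so the three pods land in three different AZs.
apiVersion: v1
kind: Pod
metadata:
  name: example-broker-primary          # constructed name
  labels:
    ha-group: example-broker            # constructed label shared by all three pods
    ha-role: primary
spec:
  affinity:
    podAntiAffinity:
      # "required" rather than "preferred": if fewer than three zones have
      # schedulable nodes, the third pod stays Pending instead of silently
      # sharing a zone with another HA member.
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              ha-group: example-broker
          # Standard zone label; older clusters expose
          # failure-domain.beta.kubernetes.io/zone instead. Check which one
          # your nodes carry with:  kubectl get nodes -L topology.kubernetes.io/zone
          topologyKey: topology.kubernetes.io/zone
  containers:
    - name: broker
      image: registry.example/broker:placeholder   # placeholder image
```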

What storage classes do you have available in your cluster?

Are there separate storage classes for each Availability Zone?

If your cluster does not use the default storage class, Solace needs to know what storage class(es) to use, and whether each AZ has its own storage class.

Related documentation: Kubernetes Storage Classes

Does your Kubernetes worker node OS support XFS?

The event broker service has been optimized for and performs best on XFS, so we recommend that your storage classes specify an XFS filesystem.

Related documentation: Kubernetes Storage Classes

Do you have encryption enabled for your storage classes?

If you require data-at-rest encryption, you must use a storage class that provides encrypted volumes. Solace recommends using encrypted volumes.

Related documentation: Kubernetes Storage Classes; Encrypting Secret Data at Rest

What storage backend are you using?

The storage backend must provide PubSub+ Cloud with volumes dynamically created with Persistent Volume Claims.

PubSub+ Cloud supports the following storage providers:

  • Portworx
  • Ceph
  • Cinder (OpenStack)
  • vSphere storage for Kubernetes

If you use a different storage provider, contact Solace to find out how we can support your deployment.

Storage classes must be backed by SSD storage devices. Also note that you cannot use the Network File System (NFS) protocol as part of your storage solution with PubSub+ Cloud.

Related documentation: Resource Requirements for Kubernetes; Kubernetes Persistent Volumes
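The storage-class questions above (XFS, encryption at rest, SSD backing, no NFS) are shown as an added weak-versus-hardened StorageClass pair; this is not a Solace-provided manifest and assumes an EKS cluster with the AWS EBS CSI driver (ebs.csi.aws.com), so other providers will use different parameter keys.

```yaml
# Added example, not a Solace-provided manifest. Assumes the AWS EBS CSI
# driver; Portworx, Ceph, Cinder and vSphere use their own parameter keys.
---
# WEAK: fails the questions above. NFS-backed (unsupported for PubSub+ Cloud),
# no filesystem choice (not XFS), and no encryption of data at rest.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: broker-weak
provisioner: nfs.csi.k8s.io           # NFS: not usable with PubSub+ Cloud
parameters:
  server: nfs.example.internal        # placeholder
  share: /exports/broker              # placeholder
---
# HARDENED: SSD-backed, XFS, encrypted at rest, volumes created in the pod's AZ.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: broker-xfs-encrypted
provisioner: ebs.csi.aws.com
parameters:
  type: gp3                           # SSD-class volume, as the page requires
  csi.storage.k8s.io/fstype: xfs      # XFS, as recommended above
  encrypted: "true"                   # provider-side encryption of data at rest
  # kmsKeyId: arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER  # optional customer-managed key
reclaimPolicy: Retain                 # keep message data if a claim is deleted by mistake
allowVolumeExpansion: true
# WaitForFirstConsumer delays volume creation until the pod is scheduled, so the
# volume is created in the same AZ as the node; one class can then serve every
# zone instead of needing a separate class per AZ.
volumeBindingMode: WaitForFirstConsumer
```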

Will clients be connecting to PubSub+ Cloud only from private IPs within your private network?

Will you have clients connecting to PubSub+ Cloud from the Internet?

If so, how will you provide the public external connectivity?

PubSub+ Cloud uses three kinds of Kubernetes services (specified by the ServiceType) to expose its TCP services externally:

  • LoadBalancer: A load balancer outside the Kubernetes cluster is automatically created by Kubernetes and configured to send traffic inside Kubernetes. This requires a compatible load balancer solution.
  • NodePort: Each worker node listens on the same port and routes traffic from that port to the Pod providing service.
  • ClusterIP: A virtual IP is defined inside the Kubernetes cluster that routes traffic to the Pod providing service. This virtual IP exists inside Kubernetes and is therefore useful only to other Pods.

The answers to these questions help to determine the Kubernetes ServiceType that is best suited for your use case (LoadBalancer, NodePort, or ClusterIP).

Related documentation: Deploying PubSub+ Cloud with Kubernetes; Kubernetes Publishing Services (ServiceTypes)

If you are using an integrated load balancer solution (service type LoadBalancer), are there any annotations required to configure the service to use the load balancer provider?

When you use an integrated load balancer solution with your Kubernetes cluster (that is, when you use service of type LoadBalancer), Solace needs to know whether your load balancer requires any attributes to be specified on Kubernetes objects using annotations. For example, some load balancers need annotations to specify that an L4 Load Balancer must be created, that a floating public IP must be allocated from a pool and attached to the load balancer, and so on.

Related documentation: Kubernetes Annotations
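As an added example covering both the ServiceType choice and the load balancer annotation question above (not a Solace-provided manifest), this Service asks the provider for an internal L4 load balancer and restricts which source ranges may reach it; it assumes an EKS cluster using the legacy AWS cloud-provider annotation keys, and the broker port and labels are constructed.

```yaml
# Added example, not a Solace-provided manifest. Assumes EKS with the legacy
# AWS cloud-provider annotations; other load balancer providers need their own
# annotation keys, which is exactly what the question above asks you to supply.
apiVersion: v1
kind: Service
metadata:
  name: example-broker-smf-tls            # constructed name
  annotations:
    # Request an L4 (NLB) load balancer instead of the default classic ELB.
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # Private-IP clients only: the NLB gets no public address. Remove this
    # annotation (or set "false") only if Internet clients must reach the broker.
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    ha-group: example-broker               # constructed label on the broker pods
    ha-role: active                        # constructed: only the active member serves
  # Allow-list for external connectivity. Kubernetes pushes these CIDRs into the
  # provider's firewall/security group; if omitted, the default is 0.0.0.0/0.
  loadBalancerSourceRanges:
    - 10.20.0.0/16                         # constructed corporate range
    - 203.0.113.0/24                       # constructed partner range (TEST-NET-3)
  ports:
    - name: smf-tls
      port: 55443                          # assumed: Solace default SMF-over-TLS port
      targetPort: 55443
      protocol: TCP
```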

Do you need to whitelist IP addresses for external connectivity?

Do you require Solace to use a Proxy server for outgoing HTTPS traffic?

If so, what is the proxy server URL?

Do you have outbound connections that need to be initiated by an event broker service to external hosts?

If your network blocks external traffic, you may choose to whitelist the Solace Home Cloud's IP address. In this case, you must also provide details (URL, username, and password) of the HTTP/HTTPS proxy server to the Mission Control Agent when deploying it.

For outbound connections initiated by an event broker service to external hosts [e.g., REST Destination Points (RDP)], Solace recommends that connections from a virtual private network go through a NAT that's configured with a static IP address.

Related documentation: Kubernetes Connectivity Model

Are you able to provide Solace with full access to a single namespace?

Solace requires administrative access scoped to a single namespace. This namespace contains the Mission Control Agent and the PubSub+ Cloud services.

Related documentation: Kubernetes Deployment Architecture
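One way to grant administrative access confined to a single namespace, as an added example rather than Solace's own setup: the built-in admin ClusterRole is referenced from a RoleBinding, so its permissions apply only inside that namespace and no ClusterRoleBinding exists; the namespace and service account names are constructed.

```yaml
# Added example, not a Solace-provided manifest. A RoleBinding that references
# the built-in "admin" ClusterRole grants it only within the binding's
# namespace; nothing cluster-wide (other namespaces, nodes, CRDs) is granted.
---
apiVersion: v1
kind: Namespace
metadata:
  name: solace-pubsubplus            # constructed namespace name
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mission-control-agent       # constructed service account name
  namespace: solace-pubsubplus
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mission-control-agent-admin
  namespace: solace-pubsubplus      # the binding's namespace is the only scope granted
subjects:
  - kind: ServiceAccount
    name: mission-control-agent
    namespace: solace-pubsubplus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin                       # built-in role, namespace-scoped via RoleBinding
# Verify the scope afterwards (expect "yes", then "no"):
#   kubectl auth can-i create statefulsets -n solace-pubsubplus \
#     --as=system:serviceaccount:solace-pubsubplus:mission-control-agent
#   kubectl auth can-i create statefulsets -n kube-system \
#     --as=system:serviceaccount:solace-pubsubplus:mission-control-agent
```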

Will you be using Pod Security Policies (PSP)?

PubSub+ Cloud supports the standard restricted PSP. If you are using a non-standard PSP, Solace needs to review it to ensure that it is compatible with PubSub+ Cloud.

Related documentation: Kubernetes Pod Security Policies

Does your cluster have enough available worker nodes with the necessary compute resources available on them to run the event broker services?

The Kubernetes cluster must be appropriately sized to accommodate the number of services that you want to run.

Related documentation: Resource Requirements for Kubernetes

Does your Kubernetes cluster use nodeSelector, taints, or tolerations?

Although it's not required to deploy PubSub+ Cloud, you can use nodeSelector, taints, or tolerations to control how Kubernetes distributes the workloads in your cluster. Solace will work with you to ensure that the correct parameters are specified in the Helm chart that the Mission Control Agent uses to deploy event broker services.

Related documentation: Support for nodeSelector, Labels, Taints, and Tolerations
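As an added example of the nodeSelector, taint, and toleration parameters the question above asks about (not the Mission Control Agent's Helm values), this pod template fragment pins a broker pod to a dedicated node pool; the node label and taint are constructed.

```yaml
# Added example, not the Mission Control Agent's Helm values. Assumes the node
# pool was prepared with constructed values such as:
#   kubectl label nodes <node> workload=event-broker
#   kubectl taint nodes <node> dedicated=event-broker:NoSchedule
apiVersion: v1
kind: Pod
metadata:
  name: example-broker-backup          # constructed name
spec:
  # nodeSelector: only nodes carrying this label are eligible for the pod.
  nodeSelector:
    workload: event-broker
  # tolerations: the taint keeps other workloads off the pool, but without a
  # matching toleration the broker pod itself could not schedule there either.
  tolerations:
    - key: dedicated
      operator: Equal
      value: event-broker
      effect: NoSchedule
  containers:
    - name: broker
      image: registry.example/broker:placeholder   # placeholder image
```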