- `sn-platform` chart: 1.6.2 or higher
- `pulsar-operator` chart: 0.12.3 or higher

For `sn-platform` chart versions prior to 1.6.2, exposing HTTP requests through Pulsar Proxy is not supported when Istio is enabled. Therefore, it is recommended to disable Pulsar Proxy when you want to enable Istio.
Istio 1.13.1: for the x86_64 architecture, execute the following command:

`istio-1.13.1`:

The Istio ingress gateway manifest (`ingressgateway.yaml`) configures gateways on different ports for KoP, MoP, AoP, HTTPS, TLS, and HTTP services.
If the `EXTERNAL-IP` value is set, your environment has an external load balancer that you can use for the Istio Ingress Gateway. If the `EXTERNAL-IP` value is `<none>` (or perpetually `<pending>`), your environment does not provide an external load balancer for the Istio Ingress Gateway. In this case, you can access the Istio Ingress Gateway using the service's node port.

With a load balancer, port `9093`, port `8883`, port `5671`, and port `6651` are used for KoP, MoP, AoP, and the Pulsar Broker respectively.

Without a load balancer, the Istio Ingress Gateway uses the node port `9093` for KoP, the node port `8883` for MoP, the node port `5671` for AoP, and the node port `6651` for the Pulsar Broker. By default, Kubernetes does not permit port `9093`, port `8883`, or port `6651` as node ports (the default node port range is 30000-32767). Therefore, you need to add the `--service-node-port-range=6000-40000` flag to the Kubernetes API server configuration file `/etc/kubernetes/manifests/kube-apiserver.yaml` and then run `systemctl restart kubelet` to restart the Kubernetes API server so that it reloads the new configuration.

`openssl`
To use the internal issuer, set `certs.istio_internal_issuer.enabled` to `true` in the `values.yaml` YAML file and then use the `helm upgrade` command to update the resource. The certificates generated by the internal issuer are self-signed certificates.

- `enabled`: use an internal issuer.
- `type`: specify the type of the internal issuer.
  - `selfsigning`: the `selfsigning` issuer generates a Certificate Authority (CA) based on an automatically generated secret. The private key of the certificate is used to sign the certificate itself.
  - `secret`: the `secret` issuer represents a CA whose certificate and private key are stored inside the cluster as a Kubernetes Secret. That Secret is then used to sign certificates.
  - `custom`: specify an internal issuer through this option. For example, you can specify Vault to sign certificates for your PKI, as shown below.
- `issuers` and its sub-fields: the configuration of the internal issuer.
  - `selfsigning`: the `selfsigning` issuer has no dependency on any other resource. Therefore, you do not need to configure any item for this issuer.
  - `secret`: `secretName` is the name of the Secret resource that is automatically created and managed by the CA. It is populated with a private key and certificate, signed by the issuer.
  - `custom`: configure items for custom certificate issuers. For more detailed configurations, see the cert-manager documentation.

`certSecretName`
(the name of the Kubernetes Secret that was created in the previous step), and defines the URLs for the Pulsar broker and StreamNative Console. Configure the Istio gateway for the Pulsar broker in the `values.yaml` YAML file as follows:

- `namespace`: the namespace of the Istio gateway. By default, it is set to `istio-system`.
- `mode`: the TLS mode for the Istio gateway. Available options are `SIMPLE` and `PASSTHROUGH`. By default, it is set to `SIMPLE`.
  - `SIMPLE`: terminate TLS traffic at the Istio gateway. In this case, the gateway certificate is used.
  - `PASSTHROUGH`: do not terminate TLS traffic at the Istio gateway. Instead, terminate TLS traffic at the component. In this case, the certificate that is mounted to the component is used. Therefore, you need to configure the gateway TLS of the Pulsar broker in the `values.yaml` YAML file, as shown below.

  The `PASSTHROUGH` TLS mode is not available for the StreamNative Console. You still need to configure the `certSecretName` option for the StreamNative Console.
- `certSecretName`: the name of the Kubernetes Secret. It can hold a certificate issued by either the internal or the external issuer. If neither the internal nor the external issuer is configured, there must be a Secret named `certSecretName` that contains the certificates in the Istio Gateway namespace.
- `external_domain`: Pulsar Broker generates the Pod domain names based on the `advertisedDomain` field (the domain of the Pulsar Broker). Therefore, you must include the suffix of the external domains for Pulsar Broker and control center in `domain.suffix`. As shown below, if the external domains for Pulsar Broker and control center are set to `broker.example.com` and `control_center.example.com` respectively, `domain.suffix` should be set to `example.com`.
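To make the difference between the two TLS modes concrete, here is an added example (not code from the original page or from the sn-platform chart) that assembles an Istio `Gateway` resource from the values described above: one TLS server per gateway port, with `credentialName` set to `certSecretName` in `SIMPLE` mode and omitted in `PASSTHROUGH` mode (where the gateway only routes by SNI and the component's own mounted certificate is presented), plus the `domain.suffix` check for the external domains. The function names, the `pulsar-gateway` resource name, the `*.<suffix>` host pattern and the `istio: ingressgateway` selector are this example's assumptions; the StreamNative Console's HTTPS listener, which the text says cannot use `PASSTHROUGH`, is not modelled.

```python
import json

# Gateway listener ports named in the text: KoP, MoP, AoP and the Pulsar broker.
TLS_LISTENERS = {"kop": 9093, "mop": 8883, "aop": 5671, "broker": 6651}


def check_domain_suffix(external_domains, suffix):
    """Return the component names whose external domain is not under `suffix`.

    Mirrors the rule above: every external domain (broker, control center, ...)
    must end with the value configured as domain.suffix.
    """
    return sorted(name for name, fqdn in external_domains.items()
                  if not fqdn.endswith("." + suffix))


def tls_server(name, port, hosts, mode, cert_secret_name=None):
    """Build one entry of Gateway.spec.servers for a TLS listener.

    SIMPLE: the ingress gateway terminates TLS and presents the certificate held
    in the Secret `cert_secret_name`, which Istio reads from the gateway's own
    namespace (hence the Secret must exist in the Istio Gateway namespace).
    PASSTHROUGH: the gateway forwards the raw TLS stream based on SNI, so the
    component's mounted certificate is used and no credentialName is set.
    """
    if mode not in ("SIMPLE", "PASSTHROUGH"):
        raise ValueError(f"unsupported TLS mode: {mode}")
    server = {
        "port": {"number": port, "name": f"tls-{name}", "protocol": "TLS"},
        "hosts": list(hosts),
        "tls": {"mode": mode},
    }
    if mode == "SIMPLE":
        if not cert_secret_name:
            raise ValueError("SIMPLE mode requires certSecretName")
        server["tls"]["credentialName"] = cert_secret_name
    return server


def render_gateway(namespace, mode, cert_secret_name, external_domains, suffix,
                   name="pulsar-gateway"):
    """Assemble a networking.istio.io Gateway from the values described above."""
    bad = check_domain_suffix(external_domains, suffix)
    if bad:
        raise ValueError(f"external domains outside domain.suffix {suffix}: {bad}")
    # Broker pods advertise per-pod names under the suffix, so match the whole
    # zone rather than a single FQDN (assumption of this example).
    hosts = [f"*.{suffix}"]
    return {
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "Gateway",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "selector": {"istio": "ingressgateway"},
            "servers": [tls_server(n, p, hosts, mode, cert_secret_name)
                        for n, p in TLS_LISTENERS.items()],
        },
    }


# Constructed sample values matching the example domains in the text.
SAMPLE_DOMAINS = {"broker": "broker.example.com",
                  "control_center": "control_center.example.com"}

if __name__ == "__main__":
    for mode in ("SIMPLE", "PASSTHROUGH"):
        gw = render_gateway("istio-system", mode, "pulsar-gateway-tls",
                            SAMPLE_DOMAINS, "example.com")
        print(json.dumps(gw, indent=2))
```

Rendering both modes side by side shows what the choice trades off: in `SIMPLE` mode the gateway holds the private key and every client's TLS session ends at the gateway, while in `PASSTHROUGH` mode the key stays with the broker and the gateway never sees plaintext, which is why the broker's own gateway TLS must then be configured in `values.yaml`.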
`certSecretName` (the name of the Kubernetes Secret that was created in the previous step), and defines the URLs for the Pulsar Proxy and StreamNative Console. Configure the Istio gateway for the Pulsar Proxy in the `values.yaml` YAML file as follows:

- `namespace`: the namespace of the Istio gateway. By default, it is set to `istio-system`.
- `certSecretName`: the name of the Kubernetes Secret. It can hold a certificate issued by either the internal or the external issuer. If neither the internal nor the external issuer is configured, there must be a Secret named `certSecretName` that contains the certificates in the Istio Gateway namespace.
- `type`: the method of exposing the Pulsar Proxy service. It must be set to `IstioGateway` when Istio is enabled.
- `external_domain`: if the external domains for the Pulsar Proxy and the control center are set to `proxy.example.com` and `control_center.example.com` respectively, `domain.suffix` should be set to `example.com`.

(`client.properties`).
`/etc/hosts`.

(`mqtt-cert`) using the CA certificate that is generated in Configure TLS Ingress Gateway.

(`pod.yaml`).

`/etc/hosts`.

`vhost1` and set the retention size and retention time to 100M and 2 days, respectively.

- `connectionFactory.setVirtualHost`: the Pulsar namespace for AoP.
- `connectionFactory.setHost`: the endpoint of the Pulsar service.
- `connectionFactory.setPort`: the port for AoP. It is set to port `5671`.

(`conf/client.conf`).

`pulsar-client` CLI tool.