Apache Pulsar KOP with Istio SNI routing

Yuwei Sung
2 min readMay 29


Photo by Nik on Unsplash

In this tutorial, I demo how to setup Apache Pulsar KOP in K8S with Istio SNI routing using sn-platform helm chart.
The followings are executed in my home lab k8s setup by kubeadm. I use calico cni, rook-ceph csi, and metallb as layer2 load balancer. Also I setup ca cluster issuer (private signer) with cert-manager.

First, setup minimal istio with istioctl. You can follow the istio doc to install minimal (istio-operator only). We need to customize the ingress gateway ports to export some pulsar protocol ports.

The customized ingress gateway looks like this. Once you have istio installed in k8s cluster, you can use “istioctl install -f ingress-gateway.yaml -y” to deploy the ingress gateway.

Check the status of ingress-gateway svc using kubectl.

I also add a TLS certificate to the gateway in istio-system namespace.

Now we are ready to deploy pulsar-operators and sn-platform with kop and istio sni routing. Refer to my previous pulsar blogs for details. In this blog, I use OLM to deploy pulsar operators.

Once those four operators are running, we can use sn-platform helm chart to set up kop and istio in one shot. Use the following sn-platform helm chart overrides to deploy the pulsar cluster. Some changes I made in this overrides, pulsar version to and jvm heap size using ram percentage.

Review the overrides and deploy it using the helm install command line:

After a while, you can check the status of “gateway”, “virtual service”, and “listener”.

If you scale out broker (changing the broker replicaCount), you will see that the SNI routing is auto configured. Very nice.
Now let’s test KOP through the gateway. First, you need to setup kafak truststore because I use private ca in this example.

Once you have the client.properties, you can use kafka-console-producer.sh to send message to pulsar broker.

Then you can use either kafka-console-consumer.sh or pulsar-console-consumer.sh to receive the message.

Next blog, I will show OIDC/OAuth2 integration with sn-platform and kop.



Yuwei Sung

A data nerd started from data center field engineer to cloud database reliability engineer.