This guide covers deploying the DSX Event Bus into a DSX AI Factory. Each Kubernetes cluster (one CSC, one or more CPCs) runs its own event bus instance. CPC instances federate to the CSC via NATS leaf node connections through a Kubernetes Gateway API controller.
Before starting, ensure all infrastructure prerequisites, secrets, and certificates are provisioned. See Pre-Deployment for the full checklist. For day-2 operations, monitoring, and configuration tuning, see Operations.
To evaluate DSX Exchange locally without Vault, VSO, or production certificate infrastructure, use the local/ evaluation framework. This creates Kind clusters and deploys a fully functional event bus:
See local/README.md for the full set of evaluation targets including functional tests, performance benchmarks, and MQTT client tooling.
If you already have access to a running broker and need to build or test an MQTT integration application, use the Integrator Quickstart instead of this operator deployment flow.
The rest of this page covers the production deployment path.
Version-pinned where there is a known compatibility break; see Pre-Deployment for details.
Prerequisites table (partially recovered): v1alpha2 APIs; IPAddressPool.

All NKey secrets must be provisioned before deploying the event bus. Any secrets pipeline that materializes Kubernetes Secrets works (see Pre-Deployment — Secrets Pipeline). Generate keys locally with the provided script:
See Authentication for details on the auth model and required keys.
CSC values configure the cluster type, list of CPC IDs that will connect, and auth permissions:
If using OAuth2, configure the JWKS endpoint and issuer so the auth-callout can validate tokens. This must be set on every cluster (CSC and each CPC), not just the CSC — without it, that cluster’s auth-callout cannot validate JWTs and will silently reject all OAuth2 connections:
The CSC also needs CPC leaf user public keys to authorize incoming leaf connections. The chart generates auth-callout env refs from global.eventBus.cpcIds; create matching nats-leaf-cpc-{id} secrets with a pubkey key.
CPC values set the cluster type, cluster ID, CSC endpoint, and cross-layer routing:
If using OAuth2, each CPC also needs the auth-callout.serviceConfig.jwks block — see the CSC section above. Without it, OAuth2 connections to this CPC are silently rejected.
Cross-layer settings control which topics are copied between the CPC local topic space and the CSC unified topic space:
The three lists must not overlap. A subject pattern that appears in more than one list creates cyclic NATS imports that crash the NATS pod (CrashLoopBackOff) with no user-facing error at install time.
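Because the overlap is only discovered when the NATS pod crash-loops, it is worth checking the three lists before `helm install`. The following pre-flight check is an added example, not part of the chart or the project: it applies NATS subject-matching rules (`*` matches exactly one token, `>` matches one or more trailing tokens) to report any pair of patterns from different lists that could match the same subject. The list names and patterns in `CROSS_LAYER` are constructed placeholders, not the chart's real value keys.

```python
import itertools


def _tokens(pattern: str) -> list[str]:
    """Split a NATS subject pattern into tokens and reject malformed ones."""
    tokens = pattern.split(".")
    if any(t == "" for t in tokens):
        raise ValueError(f"empty token in subject pattern {pattern!r}")
    if ">" in tokens[:-1]:
        raise ValueError(f"'>' must be the last token in {pattern!r}")
    return tokens


def overlaps(a: str, b: str) -> bool:
    """True if some concrete subject matches both patterns."""
    def walk(x: list[str], y: list[str]) -> bool:
        if not x and not y:
            return True
        if not x or not y:
            return False        # one side needs more tokens than the other has
        if x[0] == ">" or y[0] == ">":
            return True         # tail wildcard absorbs whatever remains
        if x[0] == "*" or y[0] == "*" or x[0] == y[0]:
            return walk(x[1:], y[1:])
        return False
    return walk(_tokens(a), _tokens(b))


def find_overlaps(lists: dict[str, list[str]]) -> list[tuple[str, str, str, str]]:
    """Return every cross-list pair of patterns that can match the same subject."""
    hits = []
    for name_a, name_b in itertools.combinations(lists, 2):
        for pa in lists[name_a]:
            for pb in lists[name_b]:
                if overlaps(pa, pb):
                    hits.append((name_a, pa, name_b, pb))
    return hits


# Constructed sample values; list names are placeholders, not the chart's keys.
CROSS_LAYER = {
    "toCsc": ["telemetry.>", "alerts.*.critical"],
    "fromCsc": ["commands.cpc1.>", "config.>"],
    "mirror": ["telemetry.sensor.*"],   # collides with "telemetry.>" in toCsc
}

if __name__ == "__main__":
    for name_a, pa, name_b, pb in find_overlaps(CROSS_LAYER):
        print(f"overlap: {name_a}:{pa} <-> {name_b}:{pb}")
```

An empty result means the three lists are disjoint under NATS wildcard semantics; any hit should be resolved in the values file before installing.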
Configure Gateway API listeners and TCPRoute/TLSRoute resources for external access:
The mqttMtls route uses a TLSRoute (Passthrough mode). Three values must agree or clients get a silent connection reset:
- mqttMtls.hostnames — the SNI values the TLSRoute accepts

If a client connects to ssl://<LB-IP>:8883, it sends SNI=<LB-IP>. If the TLSRoute hostname is a DNS name, Envoy drops the connection before the TLS handshake reaches the NATS pod. Either add the LB IP to both the cert SANs and the TLSRoute hostnames, or assign a DNS name to the LB IP and have clients use that name.
NATS Surveyor exports Prometheus metrics from the NATS cluster. The mTLS cluster’s SYS account is federated to the main cluster via leaf node, enabling centralized monitoring of both instances.
Key NATS metric families:
- nats_core_* — server metrics (connections, messages, bytes)
- nats_account_* — per-account metrics
- nats_jetstream_* — stream and consumer metrics