Pre-Deployment
Pre-Deployment
Everything that must be in place before deploying the DSX Event Bus. This covers infrastructure prerequisites, secrets provisioning, NKey generation, certificate management, and Gateway setup.
Estimated time: The production path (secrets pipeline + certificates) takes 4–6 hours for a first-time deployment across 1 CSC + 2 CPCs. The evaluation path (local/ Makefile) takes ~10 minutes. See Deployment — Evaluation Install for the quick-start option.
GitHub Repository
The DSX Exchange GitHub repository is available at https://github.com/NVIDIA/dsx-exchange.
Host Prerequisites
A multi-cluster deployment (CSC + CPCs) creates enough kubelets, containerd shims, gateway controllers, and fsnotify watchers to exhaust default Linux inotify limits. Symptoms include too many open files from kubectl logs -f, silent fsnotify watcher failures, and sporadic kubectl exec errors.
Verify these sysctl parameters on each node before creating clusters:
To persist across reboots, add to /etc/sysctl.d/ or equivalent for your OS. For Kind-based local evaluation, see local/README.md for additional macOS-specific setup (MetalLB networking).
Infrastructure Prerequisites
The following must be installed in each Kubernetes cluster before deploying the event bus. Components are version-pinned where there is a known API or compatibility break; unpinned components work with any recent release.
Keycloak or another OIDC provider is required if using OAuth2 authentication.
Auth-Callout Container Image
The auth-callout container image is not published to a public registry. Operators must build the image from source and push it to their own container registry before deploying the Helm chart.
Then set the image in your Helm values:
Required Secrets
All secrets must be provisioned before helm install. Secret names and keys are overridable in Helm values; these are the defaults.
NATS Server Auth
Auth-Callout Service
NACK Controller
Surveyor
Cross-Cluster Leaf Connections
Each CPC gets a nats-leaf-csc secret. The CSC gets the pubkey for each CPC.
mTLS Secrets
The generation script always produces mTLS keys (there is no flag to skip them). These secrets are only consumed when global.eventBus.mtls.enabled: true; they can be ignored for non-mTLS deployments.
Server:
The chart does not create a cert-manager Certificate CR for nats-mtls-server-tls. Operators must provision this secret before deploying. Use cert-manager with your PKI Issuer, or create the secret manually:
The server certificate SANs must include the hostname or IP that mTLS clients will connect to (see Deployment — mTLS Hostname Agreement).
Leaf connections:
When global.eventBus.mtls.enabled: false, none of the mTLS secrets are required and the mTLS NATS cluster is not deployed.
NKey Generation
NKeys are Ed25519 public-key pairs used for NATS authentication. The generation script requires nsc and nk on PATH.
Required Keys
Generation Script
A script generates all required secrets for a cluster. Without CPC IDs, only the CSC output is generated or left unchanged. With CPC IDs, CSC and the requested CPC outputs are generated or left unchanged. For example:
Each key is written as a subdirectory containing seed and pubkey files:
Secrets Pipeline
The event bus consumes Kubernetes Secrets — it does not interact with any secrets backend directly. Any pipeline that materializes the secrets listed in Required Secrets into the target namespace before helm install will work. The Helm chart does not assume Vault, sealed-secrets, external-secrets, or any other specific provider.
One common pattern is OpenBao or HashiCorp Vault with the Vault Secrets Operator (VSO) to materialize secrets and the Vault Agent Injector for auth-callout seed injection. For installation, K8s auth methods, policies, and PKI setup, see the respective documentation:
Certificate Management
cert-manager handles TLS certificate lifecycle. The Issuer can be backed by any supported provider (Vault/OpenBao PKI, self-signed, ACME, etc.).
Server TLS Certificate
All TLS-terminated Gateway listeners reference a cert-manager Certificate:
Gateway Setup
A Gateway API controller must be installed before deploying the event bus. The Gateway resource defines the external listeners that route traffic to the NATS pods.
Gateway Resource
The mqtt-mtls listener uses Passthrough mode because TLS termination happens at the NATS pod to verify the client certificate.
Because the mTLS route is a TLSRoute, the server certificate SANs, the TLSRoute hostnames, and the client broker URL must all agree on the same hostname (or IP). A mismatch causes a silent connection reset at the gateway layer. See Deployment — mTLS Hostname Agreement.
Listener-to-Route Mapping
Gateway listener names must match the sectionName in the Helm gateway.routes values. Route kind depends on the TLS mode: