{"id":26032170,"url":"https://github.com/apache/pulsar-helm-chart","last_synced_at":"2026-02-19T23:12:53.636Z","repository":{"id":37102004,"uuid":"255516325","full_name":"apache/pulsar-helm-chart","owner":"apache","description":"Official Apache Pulsar Helm Chart","archived":false,"fork":false,"pushed_at":"2026-02-05T09:48:25.000Z","size":1073,"stargazers_count":233,"open_issues_count":51,"forks_count":244,"subscribers_count":38,"default_branch":"master","last_synced_at":"2026-02-18T00:32:47.503Z","etag":null,"topics":["event-streaming","helm","helm-chart","kubernetes","messaging","pubsub","pulsar","queuing","streaming"],"latest_commit_sha":null,"homepage":"https://pulsar.apache.org/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apache.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-04-14T05:15:14.000Z","updated_at":"2026-02-15T17:05:46.000Z","dependencies_parsed_at":"2023-12-11T09:31:08.601Z","dependency_job_id":"ed1b1903-05a4-4dd2-904a-e36aa9a4e0c2","html_url":"https://github.com/apache/pulsar-helm-chart","commit_stats":null,"previous_names":[],"tags_count":67,"template":false,"template_full_name":null,"purl":"pkg:github/apache/pulsar-helm-chart","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fpulsar-helm-chart","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fpulsar-helm-chart/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fpulsar-helm-chart/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fpulsar-helm-chart/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apache","download_url":"https://codeload.github.com/apache/pulsar-helm-chart/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fpulsar-helm-chart/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29636112,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T22:32:43.237Z","status":"ssl_error","status_checked_at":"2026-02-19T22:32:38.330Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["event-streaming","helm","helm-chart","kubernetes","messaging","pubsub","pulsar","queuing","streaming"],"created_at":"2025-03-06T21:22:28.092Z","updated_at":"2026-02-19T23:12:53.630Z","avatar_url":"https://github.com/apache.png","language":"Shell","funding_links":[],"categories":["Shell","Get Pulsar"],"sub_categories":["Self-managed"],"readme":"\u003c!--\n\n    Licensed to the Apache Software Foundation (ASF) under one\n    or more contributor license agreements.  See the NOTICE file\n    distributed with this work for additional information\n    regarding copyright ownership.  The ASF licenses this file\n    to you under the Apache License, Version 2.0 (the\n    \"License\"); you may not use this file except in compliance\n    with the License.  You may obtain a copy of the License at\n\n      http://www.apache.org/licenses/LICENSE-2.0\n\n    Unless required by applicable law or agreed to in writing,\n    software distributed under the License is distributed on an\n    \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n    KIND, either express or implied.  See the License for the\n    specific language governing permissions and limitations\n    under the License.\n\n--\u003e\n\n# Apache Pulsar Helm Chart\n\nThis project provides Helm Charts for installing Apache Pulsar on Kubernetes.\n\nRead [Deploying Pulsar on Kubernetes](http://pulsar.apache.org/docs/deploy-kubernetes/) for more details.\n\n\u003e :warning: This helm chart is updated outside of the regular Pulsar release cycle and might lag behind a bit. It only supports basic Kubernetes features now. Currently, it can be used as no more than a template and starting point for a Kubernetes deployment. In many cases, it would require some customizations.\n\n## Important Security Advisory for Helm Chart Usage\n\n### Notice of Default Configuration\n\nThis Helm chart's default configuration DOES NOT meet production security requirements.\nUsers MUST review and customize security settings for their specific environment.\n\nIMPORTANT: This Helm chart provides a starting point for Pulsar deployments but requires\nsignificant security customization before use in production environments. We strongly\nrecommend implementing:\n\n1. Authentication and authorization for all components\n2. TLS encryption for all communication channels\n3. Proper network isolation and access controls\n4. Regular security updates and vulnerability assessments\n\nAs an open source project, we welcome contributions to improve security features.\nPlease consider submitting pull requests to address security gaps or enhance\nexisting security implementations.\n\n### Pulsar Proxy Security Considerations\n\nAs per the [Pulsar Proxy documentation](https://pulsar.apache.org/docs/3.1.x/administration-proxy/), it is explicitly stated that the Pulsar proxy is not designed for exposure to the public internet. The design assumes that deployments will be protected by network perimeter security measures. It is crucial to understand that relying solely on the default configuration can expose your deployment to significant security vulnerabilities.\n\n### External Access Recommendations\n\nIf you need to expose the Pulsar Proxy outside the cluster:\n\n1. **USE INTERNAL LOAD BALANCERS ONLY**\n   - Set type to LoadBalancer only in secured environments with proper network controls\n   - Add cloud provider-specific annotations for internal load balancers:\n     - Kubernetes documentation about internal load balancers:\n        - [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer)\n     - See cloud provider documentation:\n       - AWS / EKS: [AWS Load Balancer Controller / Service Annotations](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/)\n       - Azure / AKS: [Use an internal load balancer with Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/internal-lb)\n       - GCP / GKE: [LoadBalancer service parameters](https://cloud.google.com/kubernetes-engine/docs/concepts/service-load-balancer-parameters)\n     - Examples (verify correctness for your environment):\n       - AWS / EKS:  `service.beta.kubernetes.io/aws-load-balancer-internal: \"true\"`\n       - Azure / AKS: `service.beta.kubernetes.io/azure-load-balancer-internal: \"true\"`\n       - GCP / GKE:   `networking.gke.io/load-balancer-type: \"Internal\"`\n\n2. **IMPLEMENT AUTHENTICATION AND AUTHORIZATION**\n   - Configure all clients to authenticate properly\n   - Set up appropriate authorization policies\n\n3. **USE TLS FOR ALL CONNECTIONS**\n   - Enable TLS for client-to-proxy connections\n   - Enable TLS for proxy-to-broker connections\n   - Enable TLS for all internal cluster communications\n   - Note: TLS alone is NOT sufficient as a security solution. Even with TLS enabled, clusters exposed to untrusted networks remain vulnerable to denial-of-service attacks, authentication bypass attempts, and protocol-level exploits.\n\n4. **NETWORK SECURITY**\n   - Use private networks (VPCs)\n   - Configure firewalls, security groups, and IP restrictions\n\n5. **CLIENT IP ADDRESS BASED ACCESS RESTRICTIONS**\n\n   - When using a LoadBalancer service type, restrict access to specific IP ranges by configuring `proxy.service.loadBalancerSourceRanges` in your values.yaml:\n     ```yaml\n     proxy:\n       service:\n         loadBalancerSourceRanges:\n           - 10.0.0.0/8     # Private network range\n           - 172.16.0.0/12  # Private network range\n           - 192.168.0.0/16 # Private network range\n     ```\n   - This feature:\n     - Provides an additional defense layer by filtering traffic at the load balancer level\n     - Only allows connections from specified CIDR blocks\n     - Works only with LoadBalancer service type and when your cloud provider supports the `loadBalancerSourceRanges` parameter\n   - Important: This should be implemented alongside other security measures (internal load balancer, authentication, TLS, network policies) as part of a defense-in-depth strategy,\n     not as a standalone security solution\n\n### Alternative for External Access\n\nAs an alternative method for external access, Pulsar has support for [SNI proxy routing](https://pulsar.apache.org/docs/next/concepts-proxy-sni-routing/). SNI Proxy routing is supported with proxy servers such as Apache Traffic Server, HAProxy and Nginx.\n\nNote: This option isn't currently implemented in the Apache Pulsar Helm chart.\n\n**IMPORTANT**: Pulsar binary protocol cannot be exposed outside of the Kubernetes cluster using Kubernetes Ingress. Kubernetes Ingress works for the Admin REST API and topic lookups, but clients would be connecting to the advertised listener addresses returned by the brokers and it would only work when clients can connect directly to brokers. This is not a supported secure option for exposing Pulsar to untrusted networks.\n\n### General Recommendations\n\n- **Network Perimeter Security:** It is imperative to implement robust network perimeter security to safeguard your deployment. The absence of such security measures can lead to unauthorized access and potential data breaches.\n- **Restricted Access:** For environments where security is less critical, such as certain development or testing scenarios, the use of `loadBalancerSourceRanges` may be employed to restrict access to specified IP addresses or ranges. This, however, should not be considered a substitute for comprehensive security measures in production environments.\n\n### User Responsibility\n\nThe user assumes full responsibility for the security and integrity of their deployment. This includes, but is not limited to, the proper configuration of security features and adherence to best practices for securing network access. The providers of this Helm chart disclaim all warranties, whether express or implied, including any warranties of merchantability, fitness for a particular purpose, and non-infringement of third-party rights.\n\n### No Security Guarantees\n\nThe providers of this Helm chart make no guarantees regarding the security of the chart under any circumstances. It is the user's responsibility to ensure that their deployment is secure and complies with all relevant security standards and regulations.\n\nBy using this Helm chart, the user acknowledges the risks associated with its default configuration and the necessity for proper security customization. The user further agrees that the providers of the Helm chart shall not be liable for any security breaches or incidents resulting from the use of the chart.\n\n## Features\n\nThis Helm Chart includes all the components of Apache Pulsar for a complete experience.\n\n- [x] Pulsar core components:\n    - [x] ZooKeeper\n    - [x] Bookies\n    - [x] Brokers\n    - [x] Functions\n    - [x] Proxies\n- [x] Management \u0026 monitoring components:\n    - [x] Dekaf UI\n    - [x] Pulsar Manager\n    - [x] Optional PodMonitors for each component (enabled by default)\n    - [x] [victoria-metrics-k8s-stack](hhttps://github.com/VictoriaMetrics/helm-charts/tree/master/charts/victoria-metrics-k8s-stack) (as of 4.0.0)\n\nIt includes support for:\n\n- [x] Security\n    - [x] Automatically provisioned TLS certs, using [Jetstack](https://www.jetstack.io/)'s [cert-manager](https://cert-manager.io/docs/)\n        - [x] self-signed\n        - [x] [Let's Encrypt](https://letsencrypt.org/)\n    - [x] TLS Encryption\n        - [x] Proxy\n        - [x] Broker\n        - [x] Toolset\n        - [x] Bookie\n        - [x] ZooKeeper (requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the cert-manager deployment when using cert-manager versions below 1.15.0)\n    - [x] Authentication\n        - [x] JWT\n        - [x] OpenID\n        - [ ] Mutal TLS\n        - [ ] Kerberos\n    - [x] Authorization\n    - [x] Non-root broker, bookkeeper, proxy, and zookeeper containers (version 2.10.0 and above)\n- [x] Storage\n    - [x] Non-persistence storage\n    - [x] Persistence Volume\n    - [x] Local Persistent Volumes\n    - [x] Tiered Storage\n- [x] Functions\n    - [x] Kubernetes Runtime\n    - [x] Process Runtime\n    - [x] Thread Runtime\n- [x] Operations\n    - [x] Independent Image Versions for all components, enabling controlled upgrades\n\n## Requirements\n\nIn order to use this chart to deploy Apache Pulsar on Kubernetes, the followings are required.\n\n1. kubectl 1.25 or higher, compatible with your cluster ([+/- 1 minor release from your cluster](https://kubernetes.io/docs/tasks/tools/install-kubectl/#before-you-begin))\n2. Helm v3 (3.12.0 or higher)\n3. A Kubernetes cluster, version 1.25 or higher.\n\n## Environment setup\n\nBefore proceeding to deploying Pulsar, you need to prepare your environment.\n\n### Tools\n\n`helm` and `kubectl` need to be [installed on your computer](https://pulsar.apache.org/docs/helm-tools/).\n\n## Add to local Helm repository\n\nTo add this chart to your local Helm repository:\n\n```bash\nhelm repo add apachepulsar https://pulsar.apache.org/charts\nhelm repo update\n```\n\n## Kubernetes cluster preparation\n\nYou need a Kubernetes cluster whose version is 1.25 or higher in order to use this chart, due to the usage of certain Kubernetes features.\n\nWe provide some instructions to guide you through the preparation: http://pulsar.apache.org/docs/helm-prepare/\n\n## Deploy Pulsar to Kubernetes\n\n1. Configure your values file. The best way to know which values are available is to read the [values.yaml](./charts/pulsar/values.yaml).\n   A best practice is to start with an empty values file and only set the keys that differ from the default configuration.\n\n   Anti-affinity rules for Zookeeper and Bookie components require at least one node per replica. For Kubernetes clusters with less than 3 nodes,\n   you must disable this feature by adding this to your initial values.yaml file:\n\n    ```yaml\n    affinity:\n      anti_affinity: false\n    ```\n\n2. Install the chart:\n\n    ```bash\n    helm install -n \u003cnamespace\u003e --create-namespace \u003crelease-name\u003e -f your-values.yaml apachepulsar/pulsar\n    ```\n\n3. Observe the deployment progress\n\n    Watching events to view progress of deployment:\n\n    ```shell\n    kubectl get -n \u003cnamespace\u003e events -o wide --watch\n    ```\n\n    Watching state of deployed Kubernetes objects, updated every 2 seconds:\n\n    ```shell\n    watch kubectl get -n \u003cnamespace\u003e all\n    ```\n\n    Waiting until Pulsar Proxy is available:\n\n    ```shell\n    kubectl wait --timeout=600s --for=condition=ready pod -n \u003cnamespace\u003e -l component=proxy\n    ```\n\n    Watching state with k9s (https://k9scli.io/topics/install/):\n\n    ```shell\n    k9s -n \u003cnamespace\u003e\n    ```\n\n4. Access the Pulsar cluster\n\n    The default values will create a `ClusterIP` for the proxy you can use to interact with the cluster. To find the IP address of proxy use:\n\n    ```bash\n    kubectl get service -n \u003ck8s-namespace\u003e\n    ```\n\nFor more information, please follow our detailed\n[quick start guide](https://pulsar.apache.org/docs/getting-started-helm/).\n\n## Customize the deployment\n\nWe provide a [detailed guideline](https://pulsar.apache.org/docs/helm-deploy/) for you to customize\nthe Helm Chart for a production-ready deployment.\n\nYou can also checkout out the example values file for different deployments.\n\n- [Deploy ZooKeeper only](examples/values-cs.yaml)\n- [Deploy a Pulsar cluster with an external configuration store](examples/values-cs.yaml)\n- [Deploy a Pulsar cluster with local persistent volume](examples/values-local-pv.yaml)\n- [Deploy a Pulsar cluster to Minikube](examples/values-minikube.yaml)\n- [Deploy a Pulsar cluster with no persistence](examples/values-no-persistence.yaml)\n- [Deploy a Pulsar cluster with TLS encryption](examples/values-tls.yaml)\n- [Deploy a Pulsar cluster with JWT authentication using symmetric key](examples/values-jwt-symmetric.yaml)\n- [Deploy a Pulsar cluster with JWT authentication using asymmetric key](examples/values-jwt-asymmetric.yaml)\n\n## Disabling victoria-metrics-k8s-stack components\n\nIn order to disable the victoria-metrics-k8s-stack, you can add the following to your `values.yaml`.\nVictoria Metrics components can also be disabled and enabled individually if you only need specific monitoring features.\n\n```yaml\n# disable VictoriaMetrics and related components\nvictoria-metrics-k8s-stack:\n  enabled: false\n  victoria-metrics-operator:\n    enabled: false\n  vmsingle:\n    enabled: false\n  vmagent:\n    enabled: false\n  kube-state-metrics:\n    enabled: false\n  prometheus-node-exporter:\n    enabled: false\n  grafana:\n    enabled: false\n\nAdditionally, you'll need to set each component's `podMonitor` property to `false`. \n\n```yaml\n# disable pod monitors\nautorecovery:\n  podMonitor:\n    enabled: false\nbookkeeper:\n  podMonitor:\n    enabled: false\noxia:\n  server:\n    podMonitor:\n      enabled: false\n  coordinator:\n    podMonitor:\n      enabled: false\nbroker:\n  podMonitor:\n    enabled: false\nproxy:\n  podMonitor:\n    enabled: false\nzookeeper:\n  podMonitor:\n    enabled: false\n```\n\nThis is shown in some [examples/values-disable-monitoring.yaml](examples/values-disable-monitoring.yaml).\n\n## Dekaf UI\n\n[Dekaf](https://github.com/visortelle/dekaf) is a new open-source UI for Apache Pulsar.\n\n\u003e :warning: At this moment Dekaf doesn't have built-in authentication. In order to prevent unwanted access, it relies on authentication on the Pulsar broker side.\n\u003e If your Pulsar instance stores sensitive data, make sure that:\n\u003e - You have configured authentication on the Pulsar side\n\u003e - Dekaf isn't accessible from the Internet\n\u003e - Only authorized persons have access to you Kubernetes namespace\n\u003e\n\u003e Improvements in this area are planned to be implemented later.\n\nTo enable the Dekaf component:\n\n- Set the `components.dekaf` property to `true` in the Helm release `values.yaml` file.\n- Run the following command to make Dekaf service accessible on your local machine.\n\n```\nkubectl port-forward svc/$(kubectl get svc -l component=dekaf -o jsonpath='{.items[0].metadata.name}') 8090:8090\n```\n\n- Open \u003chttp://localhost:8090\u003e in browser.\n\n## Pulsar Manager\n\n\u003e :warning: Pulsar Manager has been poorly maintained for a long time. Consider the Dekaf UI instead.\n\nThe Pulsar Manager can be deployed alongside the pulsar cluster instance.\nDepending on the given settings it uses an existing Secret within the given namespace or creates a new one, with random\npasswords for both, the UI and the internal database.\n\nTo forward the UI use (assumes you did not change the namespace):\n\n```\nkubectl port-forward $(kubectl get pods -l component=pulsar-manager -o jsonpath='{.items[0].metadata.name}') 9527:9527\n```\n\nAnd then opening the browser to http://localhost:9527\n\nThe default user is `pulsar` and you can find out the password with this command\n\n```\nkubectl get secret -l component=pulsar-manager -o=jsonpath=\"{.items[0].data.UI_PASSWORD}\" | base64 --decode\n```\n\n## Grafana Dashboards\n\nThe Apache Pulsar Helm Chart uses the `victoria-metrics-k8s-stack` Helm Chart to deploy Grafana.\n\nThere are several ways to configure Grafana dashboards. The default [`values.yaml`](charts/pulsar/values.yaml) comes with examples of Pulsar dashboards which get downloaded from the Apache-2.0 licensed [lhotari/pulsar-grafana-dashboards OSS project](https://github.com/lhotari/pulsar-grafana-dashboards) by URL.\n\nDashboards can be configured in [`values.yaml`](charts/pulsar/values.yaml) or by adding `ConfigMap` items with the label `grafana_dashboard: \"1\"`.\nIn [`values.yaml`](charts/pulsar/values.yaml), it's possible to include dashboards by URL or by grafana.com dashboard id (`gnetId` and `revision`).\nPlease see the [Grafana Helm chart documentation for importing dashboards](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#import-dashboards).\n\nYou can connect to Grafana by forwarding port 3000\n```\nkubectl port-forward $(kubectl get pods -l app.kubernetes.io/name=grafana -o jsonpath='{.items[0].metadata.name}') 3000:3000\n```\nAnd then opening the browser to http://localhost:3000 . The default user is `admin`.\n\nYou can find out the password with this command\n```\nkubectl get secret -l app.kubernetes.io/name=grafana -o=jsonpath=\"{.items[0].data.admin-password}\" | base64 --decode\n```\n\n### Pulsar Grafana Dashboards\n\n* The `apache/pulsar` GitHub repo contains some Grafana dashboards [here](https://github.com/apache/pulsar/tree/master/grafana).\n* StreamNative provides Grafana Dashboards for Apache Pulsar in this [GitHub repository](https://github.com/streamnative/apache-pulsar-grafana-dashboard).\n* DataStax provides Grafana Dashboards for Apache Pulsar in this [GitHub repository](https://github.com/datastax/pulsar-helm-chart/tree/master/helm-chart-sources/pulsar/grafana-dashboards).\n\nNote: if you have third party dashboards that you would like included in this list, please open a pull request.\n\n## Upgrading\n\nOnce your Pulsar Chart is installed, configuration changes and chart\nupdates should be done using `helm upgrade`.\n\n```bash\nhelm repo add apachepulsar https://pulsar.apache.org/charts\nhelm repo update\n# If you are using the provided victoria-metrics-k8s-stack for monitoring, this installs or upgrades the required CRDs\n./scripts/victoria-metrics-k8s-stack/upgrade_vm_operator_crds.sh\n# get the existing values.yaml used for the most recent deployment\nhelm get values -n \u003cnamespace\u003e \u003cpulsar-release-name\u003e \u003e values.yaml\n# upgrade the deployment\nhelm upgrade -n \u003cnamespace\u003e -f values.yaml \u003cpulsar-release-name\u003e apachepulsar/pulsar\n```\n\nFor more detailed information, see our [Upgrading](http://pulsar.apache.org/docs/helm-upgrade/) guide.\n\n## Upgrading to Helm chart version 4.2.0\n\n### TLS configuration for ZooKeeper has changed\n\nThe TLS configuration for ZooKeeper has been changed to fix certificate and private key expiration issues.\nThis change impacts configurations that have `tls.enabled` and `tls.zookeeper.enabled` set in `values.yaml`.\nThe revised solution requires the `AdditionalCertificateOutputFormats=true` feature gate to be enabled in the `cert-manager` deployment when using cert-manager versions below 1.15.0.\nIf you installed `cert-manager` using `./scripts/cert-manager/install-cert-manager.sh`, you can re-run the updated script to set the feature gate. The script currently installs or upgrades cert-manager LTS version 1.12.17, where the feature gate must be explicitly enabled.\n\n\n## Upgrading to Helm chart version 4.1.0\n\nThis version introduces `OpenID` authentication. Setting `auth.authentication.provider` is no longer supported, you need to enable the provider with `auth.authentication.\u003cprovider\u003e.enabled`.\n\nIn the case of using JWT authentication, you need to set `auth.authentication.jwt.enabled` to `true` in your `values.yaml`.\n\n```yaml\nauth:\n  authentication:\n    enabled: true\n    jwt:\n      # Enable JWT authentication\n      enabled: true\n```\n\n## Upgrading from Helm Chart versions before 4.0.0 to 4.0.0 version and above\n\n### Pulsar Proxy service's default type has been changed from `LoadBalancer` to `ClusterIP`\n\nPlease check the section \"External Access Recommendations\" for guidance and also check the security advisory section.\nYou will need to configure keys under `proxy.service` in your `values.yaml` to preserve existing functionality since the default has been changed.\n\n### kube-prometheus-stack replaced with victoria-metrics-k8s-stack\n\nThe `kube-prometheus-stack` was replaced with `victoria-metrics-k8s-stack` in Pulsar Helm chart version 4.0.0. The trigger for the change was incompatibilities discovered in testing with most recent `kube-prometheus-stack` and Prometheus 3.2.1 which failed to scrape Pulsar metrics in certain cases without providing proper error messages or debug information at debug level logging.\n\n[Victoria Metrics](https://docs.victoriametrics.com/) is Apache 2.0 Licensed OSS and it's a fully compatible drop-in replacement for Prometheus which is fast and efficient.\n\nBefore upgrading to Pulsar Helm Chart version 4.0.0, it is recommended to disable kube-prometheus-stack in the original Helm chart version that\nis used:\n\n```shell\n# get the existing values.yaml used for the most recent deployment\nhelm get values -n \u003cnamespace\u003e \u003cpulsar-release-name\u003e \u003e values.yaml\n# disable kube-prometheus-stack in the currently used version before upgrading to Pulsar Helm chart 4.0.0\nhelm upgrade -n \u003cnamespace\u003e -f values.yaml --version \u003cyour-current-chart-version\u003e --set kube-prometheus-stack.enabled=false  \u003cpulsar-release-name\u003e apachepulsar/pulsar\n```\n\nAfter, this you can proceed with `helm upgrade`.\n\n## Upgrading to Apache Pulsar 2.10.0 and above (or Helm Chart version 3.0.0 and above)\n\nThe 2.10.0+ Apache Pulsar docker image is a non-root container, by default. That complicates an upgrade to 2.10.0\nbecause the existing files are owned by the root user but are not writable by the root group. In order to leverage this\nnew security feature, the Bookkeeper and Zookeeper StatefulSet [securityContexts](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)\nare configurable in the [`values.yaml`](charts/pulsar/values.yaml). They default to:\n\n```yaml\n  securityContext:\n    fsGroup: 0\n    fsGroupChangePolicy: \"OnRootMismatch\"\n```\n\nThis configuration is ideal for regular Kubernetes clusters where the UID is stable across restarts. If the process\nUID is subject to change (like it is in OpenShift), you'll need to set `fsGroupChangePolicy: \"Always\"`.\n\nThe official docker image assumes that it is run as a member of the root group.\n\nIf you upgrade to the latest version of the helm chart before upgrading to Pulsar 2.10.0, then when you perform your\nfirst upgrade to version \u003e= 2.10.0, you will need to set `fsGroupChangePolicy: \"Always\"` on the first upgrade and then\nset it back to `fsGroupChangePolicy: \"OnRootMismatch\"` on subsequent upgrades. This is because the root file won't\nmismatch permissions, but the RocksDB lock file will. If you have direct access to the persistent volumes, you can\nalternatively run `chgrp -R g+w /pulsar/data` before upgrading.\n\nHere is a sample error you can expect if the RocksDB lock file is not correctly owned by the root group:\n\n```text\n2022-05-14T03:45:06,903+0000  ERROR org.apache.bookkeeper.server.Main - Failed to build bookie server\njava.io.IOException: Error open RocksDB database\n    at org.apache.bookkeeper.bookie.storage.ldb.KeyValueStorageRocksDB.\u003cinit\u003e(KeyValueStorageRocksDB.java:199) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.bookie.storage.ldb.KeyValueStorageRocksDB.\u003cinit\u003e(KeyValueStorageRocksDB.java:88) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.bookie.storage.ldb.KeyValueStorageRocksDB.lambda$static$0(KeyValueStorageRocksDB.java:62) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.bookie.storage.ldb.LedgerMetadataIndex.\u003cinit\u003e(LedgerMetadataIndex.java:68) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.bookie.storage.ldb.SingleDirectoryDbLedgerStorage.\u003cinit\u003e(SingleDirectoryDbLedgerStorage.java:169) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.bookie.storage.ldb.DbLedgerStorage.newSingleDirectoryDbLedgerStorage(DbLedgerStorage.java:150) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.bookie.storage.ldb.DbLedgerStorage.initialize(DbLedgerStorage.java:129) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.bookie.Bookie.\u003cinit\u003e(Bookie.java:818) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.proto.BookieServer.newBookie(BookieServer.java:152) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.proto.BookieServer.\u003cinit\u003e(BookieServer.java:120) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.server.service.BookieService.\u003cinit\u003e(BookieService.java:52) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.server.Main.buildBookieServer(Main.java:304) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.server.Main.doMain(Main.java:226) [org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    at org.apache.bookkeeper.server.Main.main(Main.java:208) [org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\nCaused by: org.rocksdb.RocksDBException: while open a file for lock: /pulsar/data/bookkeeper/ledgers/current/ledgers/LOCK: Permission denied\n    at org.rocksdb.RocksDB.open(Native Method) ~[org.rocksdb-rocksdbjni-6.10.2.jar:?]\n    at org.rocksdb.RocksDB.open(RocksDB.java:239) ~[org.rocksdb-rocksdbjni-6.10.2.jar:?]\n    at org.apache.bookkeeper.bookie.storage.ldb.KeyValueStorageRocksDB.\u003cinit\u003e(KeyValueStorageRocksDB.java:196) ~[org.apache.bookkeeper-bookkeeper-server-4.14.4.jar:4.14.4]\n    ... 13 more\n```\n\n### Recovering from `helm upgrade` error \"unable to build kubernetes objects from current release manifest\"\n\nExample of the error message:\n\n```bash\nError: UPGRADE FAILED: unable to build kubernetes objects from current release manifest:\n[resource mapping not found for name: \"pulsar-bookie\" namespace: \"pulsar\" from \"\":\nno matches for kind \"PodDisruptionBudget\" in version \"policy/v1beta1\" ensure CRDs are installed first,\nresource mapping not found for name: \"pulsar-broker\" namespace: \"pulsar\" from \"\":\nno matches for kind \"PodDisruptionBudget\" in version \"policy/v1beta1\" ensure CRDs are installed first,\nresource mapping not found for name: \"pulsar-zookeeper\" namespace: \"pulsar\" from \"\":\nno matches for kind \"PodDisruptionBudget\" in version \"policy/v1beta1\" ensure CRDs are installed first]\n```\n\nHelm documentation [explains issues with managing releases deployed using outdated APIs](https://helm.sh/docs/topics/kubernetes_apis/#helm-users) when the Kubernetes cluster has been upgraded\nto a version where these APIs are removed. This happens regardless of whether the chart in the upgrade includes supported API versions.\nIn this case, you can use the following workaround:\n\n1. Install the [Helm mapkubeapis plugin](https://github.com/helm/helm-mapkubeapis):\n\n    ```bash\n    helm plugin install https://github.com/helm/helm-mapkubeapis\n    ```\n\n2. Run the `helm mapkubeapis` command with the appropriate namespace and release name. In this example, we use the namespace \"pulsar\" and release name \"pulsar\":\n\n    ```bash\n    helm mapkubeapis --namespace pulsar pulsar\n    ```\n\nThis workaround addresses the issue by updating in-place Helm release metadata that contains deprecated or removed Kubernetes APIs to a new instance with supported Kubernetes APIs and should allow for a successful Helm upgrade.\n\n## Uninstall\n\nTo uninstall the Pulsar Chart, run the following command:\n\n```bash\nhelm uninstall \u003cpulsar-release-name\u003e\n```\n\nFor the purposes of continuity, these charts have some Kubernetes objects that are not removed when performing `helm uninstall`.\nThese items we require you to *conciously* remove them, as they affect re-deployment should you choose to.\n\n* PVCs for stateful data, which you must *consciously* remove\n    - ZooKeeper: This is your metadata.\n    - BookKeeper: This is your data.\n    - Prometheus: This is your metrics data, which can be safely removed.\n* Secrets, if generated by our [prepare release script](https://github.com/apache/pulsar-helm-chart/blob/master/scripts/pulsar/prepare_helm_release.sh). They contain secret keys, tokens, etc. You can use [cleanup release script](https://github.com/apache/pulsar-helm-chart/blob/master/scripts/pulsar/cleanup_helm_release.sh) to remove these secrets and tokens as needed.\n\n## Troubleshooting\n\nWe've done our best to make these charts as seamless as possible,\noccasionally troubles do surface outside of our control. We've collected\ntips and tricks for troubleshooting common issues. Please examine these first before raising an [issue](https://github.com/apache/pulsar-helm-chart/issues/new/choose), and feel free to add to them by raising a [Pull Request](https://github.com/apache/pulsar-helm-chart/compare)!\n\n### VictoriaMetrics Troubleshooting\n\nIn example commands, k8s is namespace `pulsar` replace with your deployment namespace.\n\n#### VictoriaMetrics Web UI\n\nConnecting to `vmsingle` pod for web UI.\n\n```shell\nkubectl port-forward -n pulsar $(kubectl get pods -n pulsar -l app.kubernetes.io/name=vmsingle -o jsonpath='{.items[0].metadata.name}') 8429:8429\n```\n\nNow you can access the UI at http://localhost:8429 and http://localhost:8429/vmui (for similar UI as in Prometheus)\n\n#### VictoriaMetrics Scraping debugging UI - Active Targets\n\nConnection to `vmagent` pod for debugging targets.\n\n```shell\nkubectl port-forward -n pulsar $(kubectl get pods -n pulsar -l app.kubernetes.io/name=vmagent -o jsonpath='{.items[0].metadata.name}') 8429:8429\n```\n\nNow you can access the UI at http://localhost:8429\n\nActive Targets UI\n- http://localhost:8429/targets\n\nScraping Configuration\n- http://localhost:8429/config\n\n## Release Process\n\nSee [RELEASE.md](RELEASE.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Fpulsar-helm-chart","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapache%2Fpulsar-helm-chart","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Fpulsar-helm-chart/lists"}