Multiple Zones for High Availability
Fusion relies on ZooKeeper to keep quorum. As a result, you need at least three ZooKeeper pods in an ensemble. ZooKeeper deploys as a StatefulSet in the Fusion Helm chart. With GKE, you can launch a regional cluster that distributes nodes across three availability zones. With a multi-zone setup, your cluster can withstand the loss of one zone without experiencing downtime. However, you may experience degraded performance from losing one third of your total compute capacity, assuming your pods are evenly distributed. The multi-zone cluster also ensures higher availability for the Kubernetes control plane services.
Lucidworks provides affinity rules to ensure multiple pods per service get distributed across multiple zones. See Configure Pod Affinity for details on configuring.
When running in a multi-zone cluster, each Solr node has a
Configure Pod Affinity
Configure Pod Affinity
Affinity rules govern how Kubernetes schedules pods for Fusion components across the cluster. All components have the same affinity setup, which follows this logic:
If you used the
- When scheduling, prefer to put a pod on a node in an availability zone that doesn’t have a running instance of this component.
- Require that pods are deployed on a host that doesn’t have a running instance of the component that is being scheduled.
kubernetes.io/hostname policies:| Before | requiredDuringSchedulingIgnoredDuringExecution: |
| After | preferredDuringSchedulingIgnoredDuringExecution: |
--with-affinity-rules option when running the ./customize_fusion_values.sh script, the pod affinity rules are configured for your cluster. Alternatively, copy affinity.yaml, and rename it using the following naming convention: <provider>_<cluster>_<release>_fusion_affinity.yaml.To implement the file, append the following to your upgrade script:solr_zone system property set to the zone it is running in, such as -Dsolr_zone=us-west1-a. This guide covers how to use the solr_zone property to distribute replicas across zones in the Deploy Fusion at Scale section. Setting the solr_zone property for Solr pods requires the Solr service account to have a ClusterRoleBinding that allows it to get node metadata from the Kubernetes API service.
Deploy Fusion at Scale
Deploy Fusion at Scale
Before you begin, see Fusion Server Deployment to understand the architecture and requirements.This article explains how to plan and execute a Fusion deployment at the scale required for staging or production.While the
② Every Fusion service has an implicit enabled flag that defaults to true, set to false to remove this service from your cluster
③ Node selector identifies the label find nodes to schedule pods on
④ Used to pass JVM options to the service
⑤ Pod annotations to allow Prometheus to scrape metrics from the serviceOnce we go through all of the configuration topics in this topic, you’ll have a well-configured custom values YAML file for your Fusion 5 installation. You’ll then use this file during the Helm v3 installation at the end of this topic.
Default
Use Then, pass To be clear, you can tune GC settings and number of replicas after the cluster is built. But changing the size of the persistent volumes is more complicated so you should try to pick a good size initially.and then provision into your cluster by calling:to then have Solr use the storage class by adding the following to the custom values YAML:① The empty string
② Overrides the settings for the analytics Solr pods.
③ Assigns the analytics Solr pods to the node pool and attaches the label
④ Overrides the settings for the search Solr pods.
⑤ Assigns the search Solr pods to the node pool and attaches the label
⑥ Sets the default settings for all Solr pods, if not specifically overridden in theIn the example above, the analytics partition 
setup_f5_*.sh scripts are handy for getting started and proof-of-concept purposes, this article covers the planning process for building a production-ready environment.LucidAcademyLucidworks offers free training to help you get started.The Course for Preparing for Fusion Implementation focuses on the key elements for a successful implementation, defining your business requirements, preparing clean data, and involving the right personnel:
Prerequisites
You must meet the following prerequisites before you can customize your Fusion cluster:- A local copy of the fusion-cloud-native repository. This must be up-to-date with the latest master branch.
- Any cloud provider-specific command line tools, such as
gcloudoraws, andkubectl. See the platform-specific instructions linked above, or check with your cloud provider. - Helm v3
- To install on a Mac:
- For other operating systems, download from Helm Releases.
- Verify your installation:
- Kubernetes namespace
- Collect the following information about your Kubernetes environment:
- CLUSTER: Cluster name (passed to our setup scripts using the
-carg) - NAMESPACE: Kubernetes namespace where to install Fusion; a namespace should only contain lowercase letters (a-z), digits (0-9), or dash. No periods or underscores allowed.
- CLUSTER: Cluster name (passed to our setup scripts using the
- Collect the following information about your Kubernetes environment:
- (optional) Clarify your organization’s DockerHub policy. The Fusion Helm chart points to public Docker images on DockerHub. Your organization may not allow Kubernetes to pull images directly from DockerHub or may require extra security scanning before loading images into production clusters.
Consult your Kubernetes and Docker admin team to find how to get the Fusion images loaded into a registry that’s accessible to your cluster. You can update the image for each service using the custom values YAML file.
Kubernetes namespace tips
- Fusion 5 service discovery requires all services for the same release be deployed in the same namespace. Moreover, you should only run one instance of Fusion in a namespace. If you need multiple instances of Fusion running in the same Kubernetes cluster, then you need to deploy them in separate namespaces.
- If your organization requires CPU / Memory quotas for namespaces, you can start with a minimum of 12 CPU and 45GB of RAM (such as 3 x n1-standard-4 on GKE), but you will need to increase the quotas once you start load testing Fusion with production workloads and real datasets.
- Fusion requires at least 3 ZooKeeper nodes and 2 Solr nodes to achieve high availability.
Custom values YAML file
-
Clone the
fusion-cloud-nativerepository:git clone https://github.com/lucidworks/fusion-cloud-native -
Run the
customize_fusion_values.shscript.The script creates the following files:Pass the--helpparameter to see script usage details.
For an explanation of these placeholder values, see Configuration Values below.File Description <provider>_<cluster>_<namespace>_fusion_values.yamlMain custom values YAML used to override Helm chart defaults for Fusion microservices. <provider>_<cluster>_<namespace>_monitoring_values.yamlCustom values yaml used to configure Prometheus and Grafana. <provider>_<cluster>_<namespace>_fusion_resources.yamlResource requests and limits for all Microservices. <provider>_<cluster>_<namespace>_fusion_affinity.yamlPod affinity rules to ensure mulitple replicas for a single service are evenly distributed across zones and nodes. <provider>_<cluster>_<namespace>_upgrade_fusion.shScript used to install and/or upgrade Fusion using the aforementioned custom values YAML files. -
Add the new files to version control. You will make changes to it over time as you fine-tune your Fusion installation. You will also need it to perform upgrades. If you try to upgrade your Fusion installation and don’t provide the custom values YAML, your deployment will revert to chart defaults.
Review the<provider>_<cluster>_<release>_fusion_values.yamlfile to familiarize yourself with its structure and contents. Notice it contains a separate section for each of the Fusion microservices. The example configuration of thequery-pipelineservice below illustrates some important concepts about the custom values YAML file.
② Every Fusion service has an implicit enabled flag that defaults to true, set to false to remove this service from your cluster
③ Node selector identifies the label find nodes to schedule pods on
④ Used to pass JVM options to the service
⑤ Pod annotations to allow Prometheus to scrape metrics from the serviceOnce we go through all of the configuration topics in this topic, you’ll have a well-configured custom values YAML file for your Fusion 5 installation. You’ll then use this file during the Helm v3 installation at the end of this topic.
Deployment-specific values
The script creates a custom values YAML file using the naming convention:<provider>_<cluster>_<namespace>_fusion_values.yaml. For example, gke_search_f5_fusion_values.yaml.| Parameter | Description |
|---|---|
<provider> | The K8s platform you’re running on, such as gke. |
<cluster> | The name of your cluster. |
<namespace> | The K8s namespace where you want to install Fusion. |
<node_selector> | Specifies a nodeSelector label to find nodes to schedule Fusion pods on. |
Providing the correct
--node-pool <node_selector> label is very important. Using the wrong value will cause your pods to be stuck in the pending state. If you’re not sure about the correct value for your cluster, pass ’’` to let Kubernetes decide which nodes to schedule Fusion pods on.nodeSelector labels are provider-specific. The fusion-cloud-native scripts use the following defaults for GKE and EKS:| Provider | Default node selector |
|---|---|
| GKE | cloud.google.com/gke-nodepool: default-pool |
| EKS | alpha.eksctl.io/nodegroup-name: standard-workers |
If you are deploying Fusion 5.9.12, add the following to your
values.yaml file to avoid a known issue that prevents the kuberay-operator pod from launching successfully: yaml kuberay-operator: crd: create: true Flags
The script provides flags for additional configuration:| Flag | Description |
|---|---|
--node-pool | Add a Fusion specific label to your nodes. |
--with-resource-limits | Configure resource requests/limits. |
--with-replicas | Configure replica counts. |
--with-affinity-rules | Configure pod affinity rules for Fusion services. |
--node-pool to add a Fusion specific label to your nodes by doing:--node-pool 'fusion_node_type: <NODE_LABEL>'.Configure Solr sizing
When you’re ready to build a production-ready setup for Fusion 5, you need to customize the Fusion Helm chart to ensure Fusion is well-configured for production workloads.You’ll be able to scale the number of nodes for Solr up and down after building the cluster, but you need to establish the initial size of the nodes (memory and CPU) and the size and type of disks you need.See the example config below to learn which parameters to change in the custom values YAML file.Configure storage class for Solr pods (optional)
If you wish to run with a storage class other than the default you can create a storage class for your Solr pods before you install. For example, to create regional disks in GCP you can create a file calledstorageClass.yaml with the following contents:We’re not advocating that you must use regional disks for Solr storage, as that would be redundant with Solr replication. We’re just using this as an example of how to configure a custom storage class for Solr disks if you see the need. For instance, you could use regional disks without Solr replication for write-heavy type collections.
Configure multiple node pools
Lucidworks recommends isolating search workloads from analytics workloads using multiple node pools. The included scripts do not do this for you; this is a manual process.See the example script for GKE, see create_gke_cluster_node_pools.sh.In the custom values YAML file, you can add additional Solr StatefulSets by adding their names to the list under thenodePools property. If any property for that statefulset needs to be changed from the default set of values, then it can be set directly on the object representing the node pool, any properties that are omitted are defaulted to the base value. See the following example (additional whitespace added for display purposes only):"" is the suffix for the default partition.② Overrides the settings for the analytics Solr pods.
③ Assigns the analytics Solr pods to the node pool and attaches the label
fusion_node_type=analytics. You can use the fusion_node_type property in Solr auto-scaling policies to govern replica placement during collection creation.④ Overrides the settings for the search Solr pods.
⑤ Assigns the search Solr pods to the node pool and attaches the label
fusion_node_type=search.⑥ Sets the default settings for all Solr pods, if not specifically overridden in the
nodePools section above.Do not edit the
nodePools value "".replicaCount, or number of Solr pods, is six. The search partition replicaCount is twelve.Each nodePool is automatically be assigned the -Dfusion_node_type property of <search>, <system>, or <analytics>. This value matches the name of the nodePool. For example, -Dfusion_node_type=<search>.The Solr pods have a fusion_node_type system property, as shown below:Solr auto-scaling policy
Use replica placement plugins to control how replicas are placed in Solr.Pod network policy
A Kubernetes network policy governs how groups of pods communicate with each other and other network endpoints. With Fusion, all incoming traffic flows through the API Gateway service. All Fusion services in the same namespace expect an internal JWT, which is supplied by the Gateway, as part of the request. As a result, Fusion services enforce a basic level of API security and don’t need an additional network policy to protect them from other pods in the cluster.To install the network policy for Fusion services, pass--set global.networkPolicyEnabled=true when installing the Fusion Helm chart.On-premises private Docker registries
For on-premises Kubernetes deployments, your organization may not allow Kubernetes to pull Fusion’s Docker images from DockerHub. See the instructions below for details on using a private Docker registry with Fusion. These are general instructions that may need to be adapted to work within your organization’s security policies:- Transfer the public images from DockerHub to your private Docker registry.
- Establish a workstation that has access to DockerHub. This workstation must connect to your internal Docker registry, most likely via VPN connection. In this example, the workstation is referred to as
envoy. - Install Docker on
envoy. You need at least 100GB of free disk for Docker. - Pull all of the images from DockerHub to
envoy’s local registry. For example, to pull the query pipeline image, rundocker pull lucidworks/query-pipeline:5.9.0. Seedocker pull --helpfor more information about pulling Docker images. - Establish a connection from
envoyto the private Docker registry, most likely via a VPN connection. In this example, the private Docker registry is referred to as<internal-private-registry>. - Push the images from
envoy’s Docker registry to the private registry. This will take a long time.- You’ll need to re-tag all images for the internal registry. For example, to tag the query-pipeline image, run:
- Push each image to the internal repo:
- Install the Docker registry secret in Kubernetes. Create the Docker registry secret in the Kubernetes namespace where you want to install Fusion:
For details, see the Kubernetes article Pull an Image from a Private Registry.
- Update the custom values YAML for your cluster to point to your private registry and secret to allow Kubernetes to pull images. For example:
Repeat the process for all Fusion services.
Customize Helm Chart
Every Fusion service allows you to override theimagePullSecrets setting using custom values YAML. However, other 3rd party services—including Zookeeper, Pulsar, Prometheus, and Grafana—don’t allow you to supply the pull secret using the custom values YAML.To patch the default service account for your namespace and add the pull secret, run the following:\) or reverse the order of single and double quotes:Replace
<internal-private-secret> with the name of the secret you created in the steps above.Add additional trusted certificate(s) to Fusion’s indexing and querying services (optional)
You can add custom trusted certificates to support Fusion’s indexing and querying services. You may want to use custom trusted certificates if, for example, you have specific security requirements for data handling or need to support an existing infrastructure and its security needs. This method involves updating your Helm chart.If you want to add custom trusted certificates for both the indexing and querying services, follow these instructions twice: once for the indexing service, and once for the querying service. To add different certificates to the indexing and querying services, create one YAML file with the indexing service certificates and one YAML file for the querying service certificates before following these instructions.You may use the same YAML file if you want to use the same certificates for both services.
-
Create a new YAML file for your custom trusted certificates. The
customcerts.yamlfile is the example file in these instructions. -
Add the custom certificate(s) in the YAML file created in the previous step. For example:
-
Update the indexing or querying service by running the following Helm command. Replace
EXAMPLE-VALUES-FILE.yamlwith your previous values file. -
Verify the indexing or querying pod has a new
init-containerwith the nameimport-certs.
Add additional trusted certificate(s) for connectors to allow crawling of web resources with SSL/TLS enabled (optional)
To crawl a datasource which for some reason is using a self-signed certificate, add arbitrary certificates to connectors. For example:Generating the certificate on linux command line
Use the following command to generate a.crt file in $fusion_home/apps/jetty/connectors/etc/yourcertname.crt:Generating the certificate using Firefox web browser
- Navigate to the Sharepoint host.
- Click the
in the address bar, then click the 
icon. - Next, navigate to More Information > View Certificate > Export.
Save the file to the following folder:$fusion_home/apps/jetty/connectors/etc/yourcertname.crt
Generating the certificate using Chrome web browser
- Navigate to Chrome menu > More Tools > Developer Tools > Security Tab. This will display the Security overview.
- Click the View certificate button.
- Save the file to the following folder:
$fusion_home/apps/jetty/connectors/etc/yourcertname.crtGenerating the certificate using powershell
Use the following script to generate a.crt`` file in $fusion_home\apps\jetty\connectors\etc\yourcertname.crt“:Install Fusion 5 on Kubernetes
At this point, you’re ready to install Fusion 5 using the custom values YAML files and upgrade script. If you used thecustomize_fusion_values.sh script, run it using BASH:Monitoring Fusion with Prometheus and Grafana
Lucidworks recommends using Prometheus and Grafana for monitoring the performance and health of your Fusion cluster. Your operations team may already have these services installed. If not, install them into the Fusion namespace.The Custom values YAML file shown above activates the Solr metrics exporter service and adds pod annotations so Prometheus can scrape metrics from Fusion services.
- Run the
customize_fusion_values.shscript with the--prometheus trueoption. This creates an extra custom values YAML file for installing Prometheus and Grafana,<provider>_<cluster>_<namespace>_monitoring_values.yaml. For example:gke_search_f5_monitoring_values.yaml. - Commit the YAML file to version control.
- Review its contents to ensure that the settings suit your needs. For example, decide how long you want to keep metrics. The default is 36 hours.
See the Prometheus documentation and Grafana documentation for details. - Run the
install_prom.shscript to install Prometheus & Grafana in your namespace. Include the provider, cluster name, namespace, and helm release as in the example below:The Grafana dashboards from monitoring/grafana are installed automatically by thePass the--helpparameter to see script usage details.install_prom.shscript.