1 of 10

Neo4j-Helm Chart Structure & Reference Architecture

August 2020

Chart version 4.1.1-1

2 of 10

Chart structure (diagram):

  • Core StatefulSet
  • Read Replica StatefulSet
  • ConfigMaps: common-configmap.yaml, core-configmap.yaml, readreplicas-configmap.yaml
  • How Pod Configuration Works: pod-init-script.yaml

3 of 10

How Networking Works

Networking diagram:

  • Core StatefulSet pods 0, 1, 2, each fronted by its own per-pod load balancer lb-0, lb-1, lb-2
  • Service: discovery-lb.yaml (if configured): used for cluster member discovery, and metrics exposure (i.e. Prometheus)
  • Service: core-dns.yaml: used only for bolt, HTTP, HTTPS; this is what client software connects to

4 of 10

Deployment Architecture Considerations

5 of 10

Distribution of Neo4j Pods in Kubernetes Cluster

  • Never more than one Neo4j pod per Kubernetes worker node
  • Spread-out pods (anti-affinity rules)
  • Guarantees best HA characteristics
  • A bigger replica on a single worker node is better than two smaller replicas on a single worker node
  • High availability characteristics are constrained by failure of the worker nodes

Diagram: two Kubernetes clusters of three worker nodes each; in the recommended layout there is exactly one Neo4j pod on each worker node.

6 of 10

Exposing Neo4j Outside of Kubernetes

7 of 10

Problem: bolt+routing doesn’t work outside of k8s

Diagram: cluster members a, b, c live inside the Kubernetes boundary; external applications app1 and app2 reach the cluster through a public IP / ingress, but the routing table the cluster hands back lists only internal addresses:

  member   role       address
  a        leader     a.cluster.internal
  b        follower   b.cluster.internal
  c        follower   c.cluster.internal

For similar reasons, external clients can fetch browser HTML/JS, but at the very least, default connection details are not workable.

8 of 10

Why do you want to do this?

  • Network isolation is a feature: don’t expose your neo4j on the internet
  • But some orgs have private clouds, want to host the DB in k8s, other components elsewhere
    • Apps (including legacy) running on VMs, talking to databases in kubernetes
  • Other reasons:
    • Users want to use the database and Neo4j Browser from their desktop
    • Desktop is outside of kubernetes
    • “Expose the database” and “Expose browser” are kind of the same problem since the browser uses bolt.


9 of 10

Load Balancers

  • Single LB per pod, to "port spread" bolt to 7687, 7688, 7689 across one single IP address
  • Better solution than NodePort, which creates SPOF on a Kubernetes cluster node
  • Requires pre-allocated static IP address for the LBs

Diagram: incoming traffic arrives on one IP address and is spread across lb1, lb2, lb3 (one LoadBalancer Service, svc1, per pod), each forwarding to its own core member a, b, c.

10 of 10

Requires Pre-Allocated Static IP Address

  • For neo4j:// to work, the pods have to know their externally routable address before starting. This requires a pre-allocated static IP (optionally mapped to a DNS entry)
  • This static IP address gets used in the advertised settings of the pods
  • By wiring the static IP address to the LBs & using port spreading, we can make the internal pod reality match the external routable reality for clients
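The port-spreading scheme above, worked as an added example (not part of the chart or these slides): one LoadBalancer Service per core pod, all pinned to the same pre-allocated IP, with the external port each pod must advertise before it starts. Release name, pod naming, the 203.0.113.10 address and the example hostname are constructed assumptions.

```python
"""Per-pod LoadBalancer Services that "port spread" bolt over one static IP,
plus the advertised-address setting each core pod needs. Constructed example,
not code from the neo4j-helm chart."""
import json

BOLT_PORT = 7687  # bolt port inside every pod (the Service targetPort)
# Label the StatefulSet controller puts on each pod; selecting on it pins a
# Service to exactly one pod, so each external port maps 1:1 to a member.
POD_NAME_LABEL = "statefulset.kubernetes.io/pod-name"


def external_bolt_port(index: int, base: int = BOLT_PORT) -> int:
    """Pod 0 -> 7687, pod 1 -> 7688, pod 2 -> 7689 on the shared IP."""
    return base + index


def lb_service(release: str, index: int, static_ip: str) -> dict:
    """One Service of type LoadBalancer per core pod, all using the same
    pre-allocated IP (no NodePort, so no single worker node becomes a SPOF)."""
    pod = f"{release}-neo4j-core-{index}"  # hypothetical pod naming
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": f"{release}-neo4j-lb-{index}"},
        "spec": {
            "type": "LoadBalancer",
            "loadBalancerIP": static_ip,  # the pre-allocated static IP
            "selector": {POD_NAME_LABEL: pod},
            "ports": [{"name": "bolt", "protocol": "TCP",
                       "port": external_bolt_port(index),
                       "targetPort": BOLT_PORT}],
        },
    }


def advertised_settings(index: int, external_host: str) -> dict:
    """What the pod must advertise *before* it starts, so the routing table
    returned to neo4j:// clients carries externally routable addresses.
    Key is the Neo4j 4.x setting name; how the chart injects it is not shown."""
    port = external_bolt_port(index)
    return {"dbms.connector.bolt.advertised_address": f"{external_host}:{port}"}


def build(release: str, replicas: int, static_ip: str, external_host: str = ""):
    """Services plus per-pod settings; host defaults to the static IP itself."""
    host = external_host or static_ip
    services = [lb_service(release, i, static_ip) for i in range(replicas)]
    settings = {f"{release}-neo4j-core-{i}": advertised_settings(i, host)
                for i in range(replicas)}
    return services, settings


if __name__ == "__main__":
    svcs, cfg = build("graph", 3, "203.0.113.10", "neo4j.example.test")
    print(json.dumps(svcs, indent=2))  # manifests are valid JSON for kubectl
    print(json.dumps(cfg, indent=2))
```

Each pod's advertised port must equal the `port` of the Service that selects it; if the two drift apart, clients get a routing table that points at ports nothing is listening on.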
