Implementation: P1.3 Messaging Federation/Clustering (NATS JetStream)

Scope

Production-grade multi-node messaging for SEA cells: NATS JetStream clustering for high availability, optional inter-cell federation via NATS leafnodes and stream mirroring, plus cluster-aware workers and observability. This delivers self-healing, optimized, and seamless integration with sea-cell and existing outbox/inbox patterns.

Non-negotiable constraints (project-aligned)

• Align with ADR-032, PRD-022, SDS-047 messaging invariants.
• Preserve outbox/inbox semantics and Nats-Msg-Id deduplication.
• Per-context streams and subject versioning remain mandatory.
• Zero manual drift: infra and worker config must be deterministic and reproducible.
• Production readiness: no single-node assumptions, no manual recovery steps.

Current baseline

• Single-node NATS JetStream in infra/docker/docker-compose.dev.yml.
• sea-mq-worker connects to a single NATS_URL and creates streams/consumers at runtime.
• No clustering, no federation, no multi-node failover validation.

Target state (production-ready)

• 3-node JetStream cluster per sea-cell with metadata and stream replication.
• Cluster-aware sea-mq-worker that supports multiple server endpoints, durable consumer groups, and resilient reconnect behavior.
• Sea-cell deployment provides NATS StatefulSet with persistent volumes, health probes, and anti-affinity.
• Federation between sea-cells via NATS leafnodes with explicit subject export/import and optional stream mirroring for selective cross-cell replication.
• End-to-end observability and automated recovery verification (node loss, network partition, consumer failover).

Implementation Plan

Workstream A: NATS JetStream cluster configuration

Goal: Introduce a stable, replicated NATS cluster with deterministic configuration for both dev and prod.

Deliverables

• NATS config file supporting clustering and JetStream replication in infra/nats/.
• Multi-node local compose profile for development validation.
• K8s-ready config wiring for sea-cell deployments.

Plan

1. Add a canonical NATS cluster config file under infra/nats/ with:
   • jetstream { store_dir, max_file_store, max_mem_store }
   • cluster { name, port, routes }
   • server_name and advertise for stable peer discovery
   • http_port and healthz enabled for probes
2. Extend infra/docker/docker-compose.dev.yml with a 3-node NATS cluster profile:
   • nats-1, nats-2, nats-3 services
   • Dedicated volumes per node
   • Cluster routes and distinct client/monitor ports
3. Ensure stream defaults reflect HA:
   • Stream num_replicas=3 for SEA_EVENTS/VIBESPRO_EVENTS
   • Consumer ack_wait and max_ack_pending aligned with PRD-022

Validation

• Start cluster locally, verify jsz shows replication.
• Publish to SEA_EVENTS, confirm stream state persists across node restarts.

Workstream B: Sea-cell integration (Kubernetes)

Goal: First-class NATS cluster in sea-cell deployments, self-healing and storage-safe.

Deliverables

• Sea-cell NATS StatefulSet, headless service, PDB, and config wiring.
• Storage class usage and anti-affinity for HA.

Plan

1. Update deploy/pulumi/components/sea-cell.ts to add:
   • StatefulSet nats with replicas=3
   • Headless service for peer discovery
   • PersistentVolumeClaims per pod
   • Liveness/readiness probes via http://:8222/healthz
   • PodAntiAffinity to spread pods across nodes
   • PodDisruptionBudget to preserve quorum
2. Expose cluster endpoints to workloads:
   • Service nats for client connections
   • Service nats-headless for cluster routes
3. Integrate config and secrets:
   • ConfigMap mounting NATS cluster config
   • Optional TLS and NKey/JWT auth for prod (enabled via Pulumi config)

Validation

• Deploy sea-cell with 3 nodes and confirm JetStream meta/data replication.
• Kill one pod and verify stream availability and consumer recovery.

Workstream C: Cluster-aware sea-mq-worker

Goal: Worker is resilient across NATS cluster nodes and scales horizontally without duplicate processing.

Deliverables

• Multi-endpoint NATS connection support.
• Durable consumer group naming and stable stream settings.
• Enhanced reconnect and backoff behavior.

Plan

1. Extend worker configuration to support:
   • NATS_SERVERS (comma-separated list) with fallback to NATS_URL
   • NATS_CONNECT_TIMEOUT_MS, NATS_RECONNECT_MAX, NATS_RECONNECT_DELAY_MS
   • JETSTREAM_DOMAIN for federation-aware routing
   • STREAM_REPLICAS and CONSUMER_MAX_ACK_PENDING
   • CONSUMER_DURABLE and CONSUMER_GROUP to allow multiple workers to share a pull consumer
2. Use async_nats::ConnectOptions for:
   • retry_on_initial_connect
   • bounded reconnect attempts with exponential backoff
   • connection callbacks for observability
3. Ensure consumer creation is idempotent:
   • Durable name derived from CONSUMER_DURABLE
   • No per-instance uniqueness unless explicitly configured
4. Preserve backpressure and dedupe behavior:
   • Keep inbox table idempotency as source of truth
   • Align ack_wait and max_deliver with PRD-022

Validation

• Run 2+ workers against the same cluster and verify work distribution.
• Restart workers and confirm consumers recover without reconfiguration.

Workstream D: Federation between sea-cells

Goal: Allow controlled cross-cell messaging without coupling clusters into a single failure domain.

Deliverables

• Leafnode-based federation with subject scoping.
• Optional stream mirroring for selective replication.

Plan

1. Use NATS leafnodes for cross-cell federation:
   • Each sea-cell exposes a leafnode port
   • Explicit subject export/import rules (only *.event.> and *.dlq.> as required)
2. Apply account isolation:
   • Per-cell accounts to prevent unintentional subject bleed
   • Signed creds for leafnode connectivity
3. For selective replication, use JetStream stream sources:
   • Mirror specific streams into the local cluster
   • Avoid full-mesh subject flooding

Validation

• Publish in Cell A and consume in Cell B with subject allowlist.
• Simulate link loss; ensure local cluster continues and resyncs on reconnect.

Workstream E: Observability, runbooks, and resilience testing

Goal: Production-grade monitoring and automated recovery verification.

Deliverables

• Metrics, dashboards, and health probes for NATS and sea-mq-worker.
• Runbooks for clustering and federation incidents.
• Automated failover tests.

Plan

1. NATS monitoring:
   • Collect varz, jsz, and connz metrics
   • Alert on stream replica lag, consumer stalled, and quorum loss
2. Worker metrics:
   • Success/failure publish counts
   • Redelivery and DLQ rates
   • Handler latency histograms
3. Runbooks:
   • Node loss recovery
   • Stream lag remediation
   • Leafnode reconnect and stream mirror resync
4. Chaos and failover tests:
   • Kill one NATS node in cluster; verify continuity
   • Partition leafnode; verify no data loss and eventual consistency

Validation

• Automated test suite run as part of just ci-quick equivalent messaging checks.
• Manual validation checklist for production deploys.

Decisions and Recommendations

1. Cluster size
   • Recommendation: 3-node JetStream cluster per sea-cell.
   • Reasoning: Tolerates single-node loss, aligns with PRD-003 fault tolerance, and keeps quorum stable.
2. Federation topology
   • Recommendation: Leafnode federation between sea-cells with subject allowlists and optional stream mirroring.
   • Reasoning: Avoids a global supercluster blast radius and supports selective replication for governance or partner contexts.
3. Security model
   • Recommendation: NKey/JWT auth with TLS enabled in production; plaintext only in dev compose.
   • Reasoning: Required for cross-cell federation and prevents unauthorized publish/subscribe.
4. Stream replication factor
   • Recommendation: num_replicas=3 for primary event streams; num_replicas=2 acceptable only for non-critical streams.
   • Reasoning: Maintains durability across node loss without sacrificing throughput.
5. Worker scaling mode
   • Recommendation: Pull consumers with shared durable name and strict inbox idempotency.
   • Reasoning: Enables horizontal scaling without duplicate side effects; keeps the dedupe model centralized.

Acceptance Criteria (100% completion)

• NATS JetStream runs as a 3-node cluster in sea-cell with persistent storage, health probes, and anti-affinity.
• sea-mq-worker supports multi-endpoint NATS connectivity and shared durable consumers.
• Federation between sea-cells is operational via leafnodes with explicit subject allowlists.
• Stream replication and consumer recovery validated under node loss and network partition.
• Observability dashboards and runbooks cover cluster health, stream lag, and consumer behavior.

Parity Checklist (Docker → K3s → Mesh)

1) Single Source of Truth (NATS config)

• Add canonical NATS config under infra/nats/ with JetStream + cluster routes.
• Use the same config file in docker compose and K8s (ConfigMap mount).
• Keep ports/health endpoints consistent across modes.

2) Local HA Profile (Docker)

• Add a compose profile with nats-1/2/3, dedicated volumes, and clustered routes.
• Expose 4222 (client) and 8222 (monitoring) per node for local validation.
• Keep stream defaults aligned with production (replication factor, max_ack_pending).

3) K3s + Mesh HA (Kubernetes)

• Deploy NATS as StatefulSet with headless Service for stable peer DNS.
• Add PVs for JetStream storage and PodAntiAffinity for node spread.
• Add readiness/liveness probes on http://:8222/healthz.

4) Uniform Client Config

• Support NATS_SERVERS in all services and workers (comma-separated endpoints).
• Use the same JETSTREAM_DOMAIN and stream/consumer names in all modes.
• Ensure reconnect and backoff settings are identical across environments.

5) Observability Parity

• Always expose varz/jsz/connz on :8222.
• Dashboards alert on replica lag, quorum loss, consumer stalled.
• Runbooks reference the same endpoints and checks in all modes.

6) Failover Validation

• Local: kill nats-1 and verify publish/consume continues.
• K3s/Mesh: drain a node and verify stream availability and consumer recovery.
• Federation: break leafnode link and verify resync on reconnect.

Parity Validation (Commands + Expected Outcomes)

Docker HA profile

Start cluster

1
docker compose -f infra/docker/docker-compose.dev.yml --profile nats-ha up -d

Expected

• 3 NATS containers healthy.
• curl http://localhost:8222/healthz returns {"status":"ok"}.

Verify replication

1
curl -s http://localhost:8222/jsz | jq '.meta.cluster'

Expected

• leader present, replicas ≥ 2.

Failover check

1
docker stop nats-1

Expected

• Publish/consume continues; jsz shows new leader.

K3s/Mesh (Kubernetes)

Check pods and services

1
2
kubectl -n <namespace> get pods -l app=nats
kubectl -n <namespace> get svc nats nats-headless

Expected

• 3 pods Running.
• Headless service exists for peer DNS.

Health and replication

1
2
kubectl -n <namespace> port-forward svc/nats 8222:8222
curl -s http://localhost:8222/jsz | jq '.meta.cluster'

Expected

• Cluster metadata shows 3 nodes and a leader.

Failover check

1
kubectl -n <namespace> delete pod nats-0

Expected

• New leader elected; stream remains available.

Federation (Leafnode)

Connectivity check

1
curl -s http://localhost:8222/connz | jq '.connections[] | select(.name | test("leafnode"))'

Expected

• Leafnode connection visible.

Partition + resync

1
# Simulate link loss by blocking leafnode port or stopping the remote NATS

Expected

• Local cluster continues; on reconnect, streams resync without manual steps.

Recommended NATS HA Compose Layout

Recommendation

• Use a nats-ha compose profile with three services: nats-1, nats-2, nats-3.
• Each node mounts the same NATS config file and its own data volume.
• Expose standard client/monitoring ports for one node (or distinct ports per node if you need direct access).

Layout

• Config: infra/nats/nats.conf (shared across all nodes)
• Services:
  • nats-1: client 4222, monitor 8222, routes 6222
  • nats-2: client 4223, monitor 8223, routes 6223
  • nats-3: client 4224, monitor 8224, routes 6224
• Volumes:
  • sea_nats_data_1, sea_nats_data_2, sea_nats_data_3
• Network: single compose network for intra-cluster routes

Why this layout

• Keeps parity with K8s StatefulSet (stable node identity + per-node storage).
• Enables local failover validation without reconfiguring applications.
• Avoids port collisions while still letting you introspect each node.

Client endpoint strategy

• NATS_SERVERS=nats://localhost:4222,nats://localhost:4223,nats://localhost:4224
• In K8s/mesh, use the headless service DNS set for the same multi-endpoint pattern.

Compose profile snippet (docker)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
services:
  nats-1:
    image: nats:2.10-alpine
    container_name: sea-nats-1
    command: ["-c", "/etc/nats/nats.conf"]
    environment:
      NATS_SERVER_NAME: nats-1
    ports:
      - "4222:4222"
      - "8222:8222"
      - "6222:6222"
    volumes:
      - ./infra/nats/nats.conf:/etc/nats/nats.conf:ro
      - sea_nats_data_1:/data
    networks: [sea-net]
    profiles: ["nats-ha"]

  nats-2:
    image: nats:2.10-alpine
    container_name: sea-nats-2
    command: ["-c", "/etc/nats/nats.conf"]
    environment:
      NATS_SERVER_NAME: nats-2
    ports:
      - "4223:4222"
      - "8223:8222"
      - "6223:6222"
    volumes:
      - ./infra/nats/nats.conf:/etc/nats/nats.conf:ro
      - sea_nats_data_2:/data
    networks: [sea-net]
    profiles: ["nats-ha"]

  nats-3:
    image: nats:2.10-alpine
    container_name: sea-nats-3
    command: ["-c", "/etc/nats/nats.conf"]
    environment:
      NATS_SERVER_NAME: nats-3
    ports:
      - "4224:4222"
      - "8224:8222"
      - "6224:6222"
    volumes:
      - ./infra/nats/nats.conf:/etc/nats/nats.conf:ro
      - sea_nats_data_3:/data
    networks: [sea-net]
    profiles: ["nats-ha"]

networks:
  sea-net:
    name: sea-net

volumes:
  sea_nats_data_1:
  sea_nats_data_2:
  sea_nats_data_3:

NATS config (shared)

1
2
3
4
5
6
7
8
9
10
11
12
13
server_name: ${NATS_SERVER_NAME}
port: 4222
http: 8222
jetstream {
  store_dir: /data
}
cluster {
  name: sea-nats
  port: 6222
  routes: [
    ${NATS_CLUSTER_ROUTES}
  ]
}

Environment Variables for Routes:

• Docker Compose: nats://nats-1:6222,nats://nats-2:6222,nats://nats-3:6222
• Kubernetes: nats://nats-0.nats-headless:6222,nats://nats-1.nats-headless:6222,nats://nats-2.nats-headless:6222 ```

K3s/Mesh sketch (StatefulSet + Services)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
apiVersion: v1
kind: Service
metadata:
  name: nats
spec:
  selector:
    app: nats
  ports:
    - name: client
      port: 4222
      targetPort: 4222
    - name: monitor
      port: 8222
      targetPort: 8222
---
apiVersion: v1
kind: Service
metadata:
  name: nats-headless
spec:
  clusterIP: None
  selector:
    app: nats
  ports:
    - name: routes
      port: 6222
      targetPort: 6222
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nats
spec:
  serviceName: nats-headless
  replicas: 3
  selector:
    matchLabels:
      app: nats
  template:
    metadata:
      labels:
        app: nats
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - nats
              topologyKey: "kubernetes.io/hostname"
      containers:
        - name: nats
          image: nats:2.10-alpine
          command: ["nats-server", "-c", "/etc/nats/nats.conf"]
          ports:
            - containerPort: 4222
              name: client
            - containerPort: 8222
              name: monitor
            - containerPort: 6222
              name: routes
          volumeMounts:
            - name: config
              mountPath: /etc/nats
            - name: data
              mountPath: /data
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8222
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8222
      volumes:
        - name: config
          configMap:
            name: nats-config
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nats-pdb
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nats

Implementation Notes (Secrets + Environments)

Dev (env vars)

• Use SEA_NATS_PROFILE=nats-ha for local HA validation.
• Set NATS_SERVERS for multi-endpoint clients:
  • nats://localhost:4222,nats://localhost:4223,nats://localhost:4224

Production (SOPS)

• Store NATS auth/TLS secrets in .secrets.env.sops.
• Pulumi decrypts and mounts secrets into /etc/nats/secrets and includes them in nats.conf.

Required keys

• NATS_AUTH_TOKEN
• NATS_TLS_CERT
• NATS_TLS_KEY
• NATS_TLS_CA (optional)