• Deploy Multiple Clusters (Beta) >
• Access Resources in Multi-Cluster Deployments >
• Connect to Multi-Cluster Resource from Outside Kubernetes

Connect to Multi-Cluster Resource from Outside Kubernetes

The following procedure describes how to connect to a MongoDBMulti resource deployed in Kubernetes from outside of the Kubernetes cluster.

Prerequisite

Compatible MongoDB Versions

For your databases to be accessed outside of Kubernetes, they must run MongoDB 4.2.3 or later.

Procedure

To connect to your Kubernetes Operator-deployed MongoDBMulti replica set resource from outside of the Kubernetes cluster:

1

Deploy a Multi-Cluster Replica Set.

2

Secure the Multi-Cluster with TLS.

Provide values for:

• The TLS secret in spec.security.certsSecretPrefix.
• The custom CA certificate in spec.security.tls.ca.

3

Add Subject Alternate Names to your TLS certificates.

Add each external DNS name to the certificate SAN.

4

Create a NodePort service for each of the Pods in different clusters.

When you create a NodePort service with kubectl, it assigns a random port in the range from 30000 to 32767, inclusive.

1. Create a NodePort service.

   • To create a NodePort service that uses a randomly assigned port, run the following command on each Pod in each cluster:

     copy

     kubectl expose pod/<my-replica-set>-0 --type="NodePort" --port 27017
     

   • To create a NodePort service that uses a deterministic port, on each Pod in each cluster, create a Nodeport service definition YAML file similar to the following example. Specify the port you want to use in the spec.ports.NodePort setting. This example configures a NodePort service on port 30007.

     copy

     apiVersion: v1
     kind: Service
     metadata:
       name: <my-replica-set>-0
       labels:
         controller: mongodb-enterprise-operator
     spec:
       type: NodePort
       selector:
         controller: mongodb-enterprise-operator
       ports:
         port: 27017
         targetPort: 27017
         nodePort: 30007
     

     Apply the YAML with kubectl apply -f <nodeport-conf>.yaml.

5

Verify the NodePort services.

In each cluster, run this command to verify the NodePort services that you created:

copy

$ kubectl get svc <node_port_service_name>

The command returns results similar to the following example:

copy

NAME                       TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE
<node_port_service_name>   NodePort    10.102.27.116   <none>        27017:30007/TCP   8m30s

6

Update your replica set resource YAML file.

Set the hostnames and ports in spec.connectivity.replicaSetHorizons to the NodePort values that you created in the previous step.

Confirm that you specified the correct external hostnames. External hostnames should match the DNS names of Kubernetes worker nodes. These can be any nodes in the Kubernetes cluster. If the Pod runs on another node, Kubernetes nodes use internal routing.

copy

apiVersion: mongodb.com/v1
 kind: MongoDBMulti
 metadata:
  name: multi-cluster-replica-set
  namespace: mongodb
 spec:
  clusterSpecList:
   clusterSpecs:
   - clusterName: e2e.cluster1.mongokubernetes.com
     members: 1
   - clusterName: e2e.cluster2.mongokubernetes.com
     members: 1
   - clusterName: e2e.cluster3.mongokubernetes.com
     members: 1
  connectivity:
   replicaSetHorizons:
   - sample-horizon: web1.example.com:30907
   - sample-horizon: web2.example.com:30907
   - sample-horizon: web3.example.com:30907
  credentials: my-credentials
  duplicateServiceObjects: false
  opsManager:
   configMapRef:
    name: my-project
  persistent: true
  security:
   certsSecretPrefix: clustercert
   tls:
     ca: issuer-ca
  type: ReplicaSet
  version: 4.4.0-ent"

7

Apply the updated replica set file.

In each cluster, run this command to apply the updated replica set file:

copy

$ Kubectl apply -f <file_name.yaml>

8

Test the connection to the replica set.

In the development environment, for each host in a replica set, run the following command:

copy

mongosh --host <my-replica-set>/web1.example.com \
      --port 30907
      --ssl \
      --sslAllowInvalidCertificates

Note

Don’t use the --sslAllowInvalidCertificates flag in production.

In production, for each host in a replica set, specify the TLS certificate and the CA to securely connect to client tools or applications:

copy

mongosh --host <my-replica-set>/web1.example.com \
  --port 30907 \
  --tls \
  --tlsCertificateKeyFile server.pem \
  --tlsCAFile ca-pem

If the connection succeeds, you should see:

copy

Enterprise <my-replica-set> [primary]

←   Access Resources in Multi-Cluster Deployments Modify Ops Manager or MongoDB Kubernetes Resource Containers  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.