- Deploy and Configure MongoDB Database Resources >
- Access Database Resources >
- Connect to a MongoDB Database Resource from Outside Kubernetes
Connect to a MongoDB Database Resource from Outside Kubernetes¶
On this page
The following procedure describes how to connect to a MongoDB resource deployed in Kubernetes from outside of the Kubernetes cluster.
Prerequisite¶
Compatible MongoDB Versions¶
For your databases to be accessed outside of Kubernetes, they must run MongoDB 4.2.3 or later.
Procedure¶
How you connect to a MongoDB resource that the Kubernetes Operator deployed from outside of the Kubernetes cluster depends on the resource.
- Standalone
- Replica Set
- Sharded Cluster
This procedure uses the following example:
To connect to your Kubernetes Operator-deployed MongoDB standalone resource from outside of the Kubernetes cluster:
Open your standalone resource YAML file.¶
Copy the sample standalone resource.¶
Change the settings of this YAML file to match your desired standalone configuration.
Paste the copied example section into your existing standalone resource.¶
Open your preferred text editor and paste the object specification
at the end of your resource file in the spec
section.
Change the highlighted settings to your preferred values.¶
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.exposedExternally |
Boolean | Optional | Set this value to true to allow external services to connect
to the MongoDB deployment. This results in Kubernetes creating a
NodePort service. |
true |
Save your standalone config file.¶
Update and restart your standalone deployment.¶
In any directory, invoke the following Kubernetes command to update and restart your {k8sResource}}:
Discover the dynamically assigned NodePorts.¶
Discover the dynamically assigned NodePort:
The list output should contain an entry similar to the following:
- Kubernetes exposes
mongod
on port27017
within the Kubernetes container. - The NodePort service exposes the
mongod
via port30994
. NodePorts range from 30000 to 32767, inclusive.
Test the connection to the standalone.¶
To connect to your deployment from outside of the Kubernetes cluster, run
the mongod
command with the external FQDN of a node as the
--host
flag.
Example
If a node in the Kubernetes cluster has an external FQDN of
ec2-54-212-23-143.us-west-2.compute.amazonaws.com
, you can
connect to this standalone instance from outside of the Kubernetes
cluster using the following command:
Tip
To obtain the external DNS of your Kubernetes cluster, you can run the following command:
This command displays the external DNS in the
Addresses.ExternalDNS
section of the output.
Alternatively, you can output the external DNS directly by running:
- Kubernetes
- OpenShift
Important
This procedure explains the least complicated way to enable external connectivity. Other utilities can be used in production.
To connect to your Kubernetes Operator-deployed MongoDB replica set resource from outside of the Kubernetes cluster:
Deploy a replica set with the Kubernetes Operator.¶
If you haven’t deployed a replica set, follow the instructions to deploy one.
You must enable TLS for the replica set by providing a value for
the spec.security.certsSecretPrefix
setting. The replica
set must use a custom CA certificate stored with
spec.security.tls.ca
.
Add Subject Alternate Names to your TLS certificates.¶
Add each external DNS name to the certificate SAN.
Discover the dynamically assigned NodePorts.¶
Discover the dynamically assigned NodePorts:
NodePorts range from 30000 to 32767, inclusive.
Open your replica set resource YAML file.¶
Copy the sample replica set resource.¶
Change the settings of this YAML file to match your desired replica set configuration.
Paste the copied example section into your existing replica set resource.¶
Open your preferred text editor and paste the object specification
at the end of your resource file in the spec
section.
Change the highlighted settings to your preferred values.¶
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.connectivity |
collection | Conditional | Add this parameter and values if you need your database to be accessed outside of Kubernetes. This setting allows you to provide different DNS settings within the Kubernetes cluster and to the Kubernetes cluster. The Kubernetes Operator uses split horizon DNS for replica set members. This feature allows communication both within the Kubernetes cluster and from outside Kubernetes. You may add multiple external mappings per host. Split Horizon Requirements
|
See Setting |
spec.security .tls.certsSecretPrefix |
string | Required | Add the <prefix> of the secret
name that contains your MongoDB deployment’s TLS certificates. |
devDb |
Confirm the external hostnames and NodePort values in your replica set resource.¶
Confirm that the external hostnames in the
spec.connectivity.replicaSetHorizons
setting are correct.
External hostnames should match the DNS names of Kubernetes worker nodes. These can be any nodes in the Kubernetes cluster. Kubernetes nodes use internal routing if the pod runs on another node.
Set the ports in spec.connectivity.replicaSetHorizons
to
the NodePort values that you discovered.
Example
Save your replica set config file.¶
Update and restart your replica set deployment.¶
In any directory, invoke the following Kubernetes command to update and restart your {k8sResource}}:
Test the connection to the replica set.¶
In the development environment, for each host in a replica set, run the following command:
Note
Don’t use the --sslAllowInvalidCertificates
flag in production.
In production, for each host in a replica set, specify the TLS certificate and the CA to securely connect to client tools or applications:
If the connection succeeds, you should see:
To connect to your Kubernetes Operator-deployed MongoDB replica set resource from outside of the Kubernetes cluster with OpenShift:
Deploy a replica set with the Kubernetes Operator.¶
If you haven’t deployed a replica set, follow the instructions to deploy one.
You must enable TLS for the replica set by providing a value for
the spec.security.certsSecretPrefix
setting. The replica
set must use a custom CA certificate stored with
spec.security.tls.ca
.
Configure services to ensure connectivity.¶
Paste the following example services into a text editor:
Note
If the spec.selector has entries that target headless services or applications, OpenShift may create a software firewall rule explicitly dropping connectivity. Review the selectors carefully and consider targeting the stateful set pod members directly as seen in the example. Routes in OpenShift offer port 80 or port 443. This example service uses port 443.
Change the settings to your preferred values.
Save this file with a
.yaml
file extension.To create the services, invoke the following
kubectl
command on the services file you created:
Configure routes to ensure TLS terminination passthrough.¶
Paste the following example routes into a text editor:
Change the settings to your preferred values.
Save this file with a
.yaml
file extension.To create the routes, invoke the following
kubectl
command on the routes file you created:
Add Subject Alternate Names to your TLS certificates.¶
Add each external DNS name to the certificate SAN.
Open your replica set resource YAML file.¶
Configure your replica set resource YAML file.¶
Use the following example to edit your replica set resource YAML file:
Note
OpenShift clusters require localhost horizons if you intend to use the Kubernetes Operator to create each CSR. If you manually create your TLS certificates, ensure you include localhost in the SAN list.
Change the settings to your preferred values.¶
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.connectivity |
collection | Conditional | Add this parameter and values if you need your database to be accessed outside of Kubernetes. This setting allows you to provide different DNS settings within the Kubernetes cluster and to the Kubernetes cluster. The Kubernetes Operator uses split horizon DNS for replica set members. This feature allows communication both within the Kubernetes cluster and from outside Kubernetes. You may add multiple external mappings per host. Split Horizon Requirements
|
See Setting |
spec.security .tls.certsSecretPrefix |
string | Required | Add the <prefix> of the secret
name that contains your MongoDB deployment’s TLS certificates. |
devDb |
Save your replica set config file.¶
Create the necessary TLS certificates and Kubernetes secrets.¶
Configure TLS for your replica set. Create one secret for the MongoDB replica set and one for the certificate authority. The Kubernetes Operator uses these secrets to place the TLS files in the pods for MongoDB to use.
Update and restart your replica set deployment.¶
In any directory, invoke the following Kubernetes command to update and restart your {k8sResource}}:
Test the connection to the replica set.¶
The Kubernetes Operator should deploy the MongoDB replica set, configured with the horizon routes created for ingress. After the Kubernetes Operator completes the deployment, you may connect with the horizon using TLS connectivity. If the certificate authority is not present on your workstation, you can view and copy it from a MongoDB pod using the following command:
To test the connections, run the following command:
Note
In the following example, for each member of the replica set, use
your replica set names and replace {redacted}
with the domain
that you manage.
Warning
Don’t use the --tlsAllowInvalidCertificates
flag in production.
In production, for each host in a replica set, specify the TLS certificate and the CA to securely connect to client tools or applications:
If the connection succeeds, you should see:
For this procedure, you must deploy a TLS-enabled sharded MongoDB cluster in the Kubernetes Operator. Provide the external DNS names (SANs) for each member of the MongoDB sharded cluster.
The SAN for each MongoDB hosts corresponds to:
Each TLS certificate requires the FQDN (SAN) that corresponds to the FQDN that this host has outside the sharded cluster deployed with the Kubernetes Operator.
To connect to your Kubernetes Operator-deployed MongoDB sharded cluster resource from outside of the Kubernetes cluster:
Open your sharded cluster resource YAML file.¶
Copy the sample sharded cluster resource.¶
Change the settings of this YAML file to match your desired sharded cluster configuration.
Paste the copied example section into your existing sharded cluster resource.¶
Open your preferred text editor and paste the object specification
at the end of your resource file in the spec
section.
Change the highlighted settings to your preferred values.¶
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.exposedExternally |
Boolean | Optional | Set this value to true to allow external services to connect
to the MongoDB deployment. This results in Kubernetes creating a
NodePort service. |
true |
spec.security.tls |
collection | Optional | List of every domain that should be added to TLS certificates
to each pod in this deployment. When you set this parameter,
every CSR that the Kubernetes Operator transforms into a TLS
certificate includes a SAN in the form <pod
name>.<additional cert domain> . |
true |
spec.security |
string | Required | Add the <prefix> of the secret
name that contains your MongoDB deployment’s TLS certificates. |
devDb |
Save your sharded cluster config file.¶
Update and restart your sharded cluster deployment.¶
In any directory, invoke the following Kubernetes command to update and restart your {k8sResource}}:
Discover the dynamically assigned NodePorts.¶
Discover the dynamically assigned NodePort:
The list output should contain an entry similar to the following:
- Kubernetes exposes
mongod
on port27017
within the Kubernetes container. - The NodePort service exposes the
mongod
via port30078
. NodePorts range from 30000 to 32767, inclusive.
Test the connection to the sharded cluster.¶
To connect to your deployment from outside of the Kubernetes cluster, run
the mongod
command with the external FQDN of a node as the
--host
flag.
Example
If a node in the Kubernetes cluster has an external FQDN of
ec2-54-212-23-143.us-west-2.compute.amazonaws.com
, you can
connect to this sharded cluster instance from outside of the Kubernetes
cluster using the following command:
Tip
To obtain the external DNS of your Kubernetes cluster, you can run the following command:
This command displays the external DNS in the
Addresses.ExternalDNS
section of the output.
Alternatively, you can output the external DNS directly by running: