Connect to a MongoDB Database Resource from Outside Kubernetes
The following procedure describes how to connect to a MongoDB resource deployed by Kubernetes from outside of the Kubernetes cluster.
Prerequisite
For your databases to be accessed outside of Kubernetes, they must run one of the following versions of MongoDB:
- 3.6.17 or later
- 4.0.15 or later
- 4.2.3 or later
Procedure
How you connect to a MongoDB resource that the Kubernetes Operator deployed from outside of the Kubernetes cluster depends on the resource.
- Standalone
- Replica Set
- Sharded Cluster
This procedure uses the following example:
To connect to your Kubernetes Operator-deployed MongoDB standalone resource from outside of the Kubernetes cluster:
Open your standalone resource YAML file.
Copy the highlighted section of this standalone resource.
Change the highlighted settings of this YAML file to match your desired standalone configuration.
Paste the copied example section into your existing standalone resource.
Open your preferred text editor and paste the object specification at the end of your resource file in the spec section.
Change the highlighted settings to your preferred values.
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.exposedExternally | Boolean | Optional | Set this value to true to allow external services to connect to the MongoDB deployment. This results in Kubernetes creating a NodePort service. | true |
Save your standalone config file.
Update and restart your standalone deployment.
Invoke the following Kubernetes command to update and restart your standalone:
Discover the dynamically assigned NodePorts.
Discover the dynamically assigned NodePort:
The list output should contain an entry similar to the following:
- Kubernetes exposes mongod on port 27017 within the Kubernetes container.
- The NodePort service exposes the mongod via port 30994. NodePorts range from 30000 to 32767, inclusive.
Test the connection to the standalone.
To connect to your deployment from outside of the Kubernetes cluster, run the mongod command with the external FQDN of a node as the --host flag.
Example
If a node in the Kubernetes cluster has an external FQDN of ec2-54-212-23-143.us-west-2.compute.amazonaws.com, you can connect to this standalone instance from outside of the Kubernetes cluster using the following command:
Tip
To obtain the external DNS of your Kubernetes cluster, you can run the following command:
This command displays the external DNS in the Addresses.ExternalDNS section of the output.
Alternatively, you can output the external DNS directly by running:
Important
This procedure explains the least complicated way to enable external connectivity. Other utilities can be used in production.
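The NodePort discovery and connection steps above, as an added example that is not part of the original page: shell functions that pull the NodePort mapped to mongod's port 27017 out of kubectl get services output, reject values outside 30000-32767, and build the host:port a client dials. The service names and IPs in the sample are constructed, the function names are hypothetical, and the FQDN is the one from the example above.

```shell
#!/bin/sh
# Constructed sample of `kubectl get services` output; names and IPs are made up.
SAMPLE_SVC='NAME                         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)           AGE
my-standalone-svc            ClusterIP   None           <none>        27017/TCP         2m
my-standalone-svc-external   NodePort    10.102.27.16   <none>        27017:30994/TCP   2m'

# Print the NodePort that forwards to the given container port (default 27017).
# Reads `kubectl get services` output on stdin. Fails when no NodePort service
# maps that port, or when the value is outside the NodePort range 30000-32767.
mongod_nodeport() {
  cport=${1:-27017}
  port=$(awk -v c="$cport" '
    $2 == "NodePort" {
      n = split($5, maps, ",")            # PORT(S) may list several mappings
      for (i = 1; i <= n; i++) {
        split(maps[i], p, ":")            # "27017:30994/TCP" -> 27017, 30994/TCP
        if (p[1] == c && p[2] != "") { print p[2] + 0; exit }
      }
    }')
  [ -n "$port" ] || return 1
  { [ "$port" -ge 30000 ] && [ "$port" -le 32767 ]; } || return 1
  echo "$port"
}

# Build the host:port that a client outside the cluster dials.
# usage: kubectl get services -n <namespace> | external_endpoint <node-fqdn>
external_endpoint() {
  port=$(mongod_nodeport) || return 1
  printf '%s:%s\n' "$1" "$port"
}

# Offline run against the constructed sample.
printf '%s\n' "$SAMPLE_SVC" |
  external_endpoint ec2-54-212-23-143.us-west-2.compute.amazonaws.com
```

A NodePort service listens on that port on every node in the cluster, so the same port value works with the external FQDN of any node.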
To connect to your Kubernetes Operator-deployed MongoDB replica set resource from outside of the Kubernetes cluster:
If you haven’t done so already, deploy a replica set with the Kubernetes Operator.
Follow the instructions to deploy a replica set. To simplify the configuration, don’t enable TLS with the spec.security.tls.enabled setting.
Optional: If you already deployed a replica set with the Kubernetes Operator with TLS enabled, remove the CSRs for each host in your deployment.
Invoke the following command to retrieve the CSRs for each host:
The command’s output resembles the following:
Repeat the following command for each host in your deployment to remove the CSRs:
Important
Remove only the TLS CSRs. Don’t remove X.509 or any other CSRs.
Discover the dynamically assigned NodePorts.
Discover the dynamically assigned NodePorts:
NodePorts range from 30000 to 32767, inclusive.
Open your replica set resource YAML file.
Copy the highlighted section of this replica set resource.
Change the highlighted settings of this YAML file to match your desired replica set configuration.
Paste the copied example section into your existing replica set resource.
Open your preferred text editor and paste the object specification at the end of your resource file in the spec section.
Change the highlighted settings to your preferred values.
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.security.tls | boolean | Optional | Set this value to By default, Kubernetes Operator requires hosts to use and accept TLS encrypted connections. Note: To connect to a replica set from outside Kubernetes, set this value to | true |
spec.connectivity | collection | Conditional | Add this parameter and values if you need your database to be accessed outside of Kubernetes. This setting allows you to provide different DNS settings within the Kubernetes cluster and to the Kubernetes cluster. The Kubernetes Operator uses split horizon DNS for replica set members. This feature allows communication both within the Kubernetes cluster and from outside Kubernetes. You may add multiple external mappings per host. Split Horizon Requirements | See Setting |
Confirm the external hostnames and NodePort values in your replica set resource.
Confirm that the external hostnames in the spec.connectivity.replicaSetHorizons setting are correct.
External hostnames should match the DNS names of Kubernetes worker nodes. These can be any nodes in the Kubernetes cluster. Nodes do internal routing if the pod runs on another node.
Set the ports in spec.connectivity.replicaSetHorizons to the NodePort values that you discovered.
Example
Save your replica set config file.
Update and restart your replica set deployment.
Invoke the following Kubernetes command to update and restart your replica set:
Check the status of your deployment.
The Kubernetes Operator creates the MongoDB resources and requests the Kubernetes CA to approve the database host’s certificates. Run the following command to verify that the certificates are pending approval:
The status field of the output should resemble the following:
If you do not see the status.message above, see Troubleshooting the Kubernetes Operator to help diagnose the issue.
Retrieve the CSRs for each host and agent in your deployment.
Invoke the following command to retrieve the CSRs for each host:
The command’s output resembles the following:
Approve the CSR for each host in your deployment.
Using the values returned in the NAME column, approve each certificate from the previous command’s output using the following command:
Example
The following commands approve the CSRs for the replica set example:
kubectl prints a message to the console when a certificate is approved.
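The approval step above takes names straight from the NAME column. As an added example (not from the original page), this shell function narrows kubectl get csr output to the CSRs that are Pending, follow the `<resource>-<ordinal>.` host naming assumed here, and come from the expected requestor, so unrelated pending requests are not approved along with them. The resource name, requestor identities, sample rows and the function name are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `kubectl get csr` output. The CSR names, the requestor
# identities and the resource name my-replica-set are made up for illustration.
OPERATOR_SA='system:serviceaccount:mongodb:mongodb-enterprise-operator'
SAMPLE_CSR="NAME                       AGE  REQUESTOR     CONDITION
my-replica-set-0.mongodb   2m   $OPERATOR_SA  Pending
my-replica-set-1.mongodb   2m   $OPERATOR_SA  Pending
my-replica-set-2.mongodb   2m   $OPERATOR_SA  Approved,Issued
some-agent-x509.mongodb    9d   $OPERATOR_SA  Pending
my-replica-set-3.mongodb   1m   jdoe          Pending"

# Print the NAME of every CSR that is Pending, is named "<resource>-<ordinal>.<...>"
# (assumed host naming), and was submitted by the expected requestor. Columns are
# located from the header row because kubectl versions differ in which columns
# they print.
# usage: kubectl get csr | pending_host_csrs RESOURCE REQUESTOR
pending_host_csrs() {
  awk -v res="$1" -v req="$2" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $(col["CONDITION"]) == "Pending" && $(col["REQUESTOR"]) == req {
      name = $(col["NAME"]); prefix = res "-"
      if (index(name, prefix) == 1 &&
          substr(name, length(prefix) + 1) ~ /^[0-9]+\./) print name
    }'
}

# Offline run against the constructed sample. On a live cluster, review the
# printed names and then run `kubectl certificate approve <name>` for each one.
printf '%s\n' "$SAMPLE_CSR" | pending_host_csrs my-replica-set "$OPERATOR_SA"
```

In the sample, the pending request from jdoe and the non-host CSR are left out of the list even though both are Pending.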
Test the connection to the replica set.
Warning
Don’t use the --sslAllowInvalidCertificates flag in production. In production, share the Kubernetes CA files with client tools or applications.
If the connection succeeds, you should see:
This procedure uses the following example:
- Without TLS
- With TLS
To connect to your Kubernetes Operator-deployed MongoDB sharded cluster resource from outside of the Kubernetes cluster:
Open your sharded cluster resource YAML file.
Copy the highlighted section of this sharded cluster resource.
Change the highlighted settings of this YAML file to match your desired sharded cluster configuration.
- Without TLS
- With TLS
Paste the copied example section into your existing sharded cluster resource.
Open your preferred text editor and paste the object specification at the end of your resource file in the spec section.
Change the highlighted settings to your preferred values.
- Without TLS
- With TLS
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.exposedExternally | Boolean | Optional | Set this value to true to allow external services to connect to the MongoDB deployment. This results in Kubernetes creating a NodePort service. | true |

Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.exposedExternally | Boolean | Optional | Set this value to true to allow external services to connect to the MongoDB deployment. This results in Kubernetes creating a NodePort service. | true |
spec.security | boolean | Optional | If this value is By default, Kubernetes Operator requires hosts to use and accept TLS encrypted connections. | true |
spec.security.tls | collection | Optional | List of every domain that should be added to TLS certificates to each pod in this deployment. When you set this parameter, every CSR that the Kubernetes Operator transforms into a TLS certificate includes a SAN in the form <pod name>.<additional cert domain>. | true |
Save your sharded cluster config file.
Update and restart your sharded cluster deployment.
Invoke the following Kubernetes command to update and restart your sharded cluster:
Discover the dynamically assigned NodePorts.
Discover the dynamically assigned NodePort:
The list output should contain an entry similar to the following:
- Kubernetes exposes mongod on port 27017 within the Kubernetes container.
- The NodePort service exposes the mongod via port 30078. NodePorts range from 30000 to 32767, inclusive.
Test the connection to the sharded cluster.
To connect to your deployment from outside of the Kubernetes cluster, run the mongod command with the external FQDN of a node as the --host flag.
Example
If a node in the Kubernetes cluster has an external FQDN of ec2-54-212-23-143.us-west-2.compute.amazonaws.com, you can connect to this sharded cluster instance from outside of the Kubernetes cluster using the following command:
Tip
To obtain the external DNS of your Kubernetes cluster, you can run the following command:
This command displays the external DNS in the Addresses.ExternalDNS section of the output.
Alternatively, you can output the external DNS directly by running: