Skip to main content
Version: 23.1

Configure External Access through a NodePort Service

Learn how to expose your Redpanda cluster to clients outside of your Kubernetes cluster by using a NodePort Service. Here's what you'll need to do:

  1. Set the external.type field to NodePort to create a NodePort Service that exposes the brokers' listeners.
  2. Advertise your brokers to the outside world using either a custom domain or the IP addresses of their worker nodes.
important

Advertising IP addresses of worker nodes is not supported for clusters with TLS enabled. Instead, use custom domains.

How external access works with a NodePort Service

By default, Redpanda clusters are exposed through a NodePort Service. When the external.type field is set to NodePort, the Helm chart creates a NodePort Service that routes external traffic to the listener ports on the Redpanda brokers.

A client connects to a Pod through the NodePort Service

Prerequisites

  • Install rpk on your local machine so that you can test connections to your Redpanda cluster from outside Kubernetes.

  • Review the best practices.

  • Understand Kubernetes networking for Redpanda.

  • Make sure that your Kubernetes cluster is accessible through your desired node port range. You may need to edit your inbound firewall rules.

To configure your Redpanda brokers to advertise a custom domain, you must give each broker a subdomain and configure your DNS records to point those subdomains at the addresses of the brokers' corresonding worker nodes.

Your brokers can advertise one of the following:

You can use a DNS provider to create A/AAAA records that route traffic from the default Redpanda subdomains to the addresses of the corresponding worker nodes. The default subdomains are redpanda-<ordinal-number>, where redpanda is the name of the chart and the <ordinal-number> placeholder is generated by the StatefulSet.

  1. Get a domain from a domain registrar.

  2. Specify your domain name in the external.domain configuration.

    Replace <custom-domain> with your domain.

    custom-domain.yaml
    external:
      enabled: true
      domain: <custom-domain>
      type: NodePort
    helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
      --values custom-domain.yaml --reuse-values --wait
    note

    For default values and documentation for configuration options, see the values.yaml file.

  3. Find out on which worker nodes your Redpanda brokers are running.

    kubectl get pod -n redpanda  \
    -o=custom-columns=NODE:.spec.nodeName,NAME:.metadata.name -l \
    app.kubernetes.io/component=redpanda-statefulset

  4. Find the IP address of each worker node.

    kubectl get node -o wide

  5. Update the A/AAAA records for your domain so that each subdomain (hostname) points to the correct worker node's IP address.

    HostnameIP address
    redpanda-0<worker-node-ip-1>
    redpanda-1<worker-node-ip-2>
    redpanda-2<worker-node-ip-3>
    warning

    IP addresses can change. If the IP addresses of your worker nodes change, you must reconfigure your DNS records with the new IP addresses.

  6. Wait for your DNS changes to be propagated.

  7. Use your custom domain to communicate with the Redpanda cluster from outside the Kubernetes cluster:

    1. Save the root certificate authority (CA) to your local file system outside Kubernetes:

      kubectl -n redpanda get secret redpanda-default-root-certificate -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt

    2. Get information about the cluster:

      rpk cluster info \
        --tls-enabled \
        --tls-truststore=ca.crt \
        --brokers redpanda-0.<custom-domain>:31092

You can give each Redpanda broker a custom subdomain to advertise instead of the default subdomains. Then, you can use a DNS provider to create A/AAAA records that route traffic from the custom subdomains to the addresses of the corresponding worker nodes.

  1. Get a domain from a domain registrar.

  2. Choose an option to configure the subdomains:

    • To use fully custom subdomains, do the following.

      Replace <custom-domain> with your domain, and replace the placeholders in the external.addresses configuration with your own subdomains in the order that you want them to be applied to the Redpanda brokers. The subdomains must be given to each Redpanda broker in order of the StatefulSet replicas. For example, the Redpanda broker running inside the redpanda-0 Pod advertises <subdomain-for-broker-0>.<custom-domain>.

      custom-subdomain.yaml
      external:
        enabled: true
        type: NodePort
        domain: <custom-domain>
        addresses:
        - <subdomain-for-broker-0>
        - <subdomain-for-broker-1>
        - <subdomain-for-broker-2>
      helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
        --values custom-subdomain.yaml --reuse-values --wait
      note

      For default values and documentation for configuration options, see the values.yaml file.

    • Or, to use custom subdomains that are suffixed with the index of the StatefulSet replica, do the following.

      Replace <custom-domain> with your domain, and replace <custom-subdomain> with your subdomain.

      This configuration renames your Pods to <subdomain>-<ordinal-number>. Your Redpanda brokers will advertise the <subdomain>-<ordinal-number>.<custom-domain> address.

      custom-subdomain-ordinal.yaml
      fullnameOverride: <custom-subdomain>
      external:
        enabled: true
        type: NodePort
        domain: <custom-domain>
      helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
        --values custom-subdomain-ordinal.yaml --reuse-values --wait
      note

      For default values and documentation for configuration options, see the values.yaml file.

  3. Find out on which worker nodes your Redpanda brokers are running.

    kubectl get pod -n redpanda  \
    -o=custom-columns=NODE:.spec.nodeName,NAME:.metadata.name -l \
    app.kubernetes.io/component=redpanda-statefulset

  4. Find the IP address of each worker node.

    kubectl get node -o wide

  5. Update the A/AAAA records for your domain so that each hostname points to the correct worker node's IP address.

    HostnameIP address
    <subdomain-for-broker-0><worker-node-ip-1>
    <subdomain-for-broker-1><worker-node-ip-2>
    <subdomain-for-broker-2><worker-node-ip-3>
    warning

    IP addresses can change. If the IP addresses of your worker nodes change, you must reconfigure your DNS records with the new IP addresses.

  6. Wait for your DNS changes to be propagated.

  7. Use your custom domain to communicate with the Redpanda cluster from outside the Kubernetes cluster:

    1. Save the root certificate authority (CA) to your local file system outside Kubernetes:

      kubectl -n redpanda get secret redpanda-default-root-certificate -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt

    2. Get information about the cluster:

      rpk cluster info \
        --tls-enabled \
        --tls-truststore=ca.crt \
        --brokers <subdomain-for-broker-0>.<custom-domain>:31092

Use IP addresses

You can configure each Redpanda broker to advertise the IP address of the worker node on which it's running.

important

If your cluster has TLS enabled (default), you must advertise custom domains because the Helm chart adds custom domains to the SAN list of TLS certificates and not IP addresses. Therefore, IP addresses assigned to worker nodes must be made resolvable by DNS names to ensure secure TLS access.

While adding entries to the /etc/hosts file may work for development purposes, it's not a suitable approach for production environments. In production, you'll need to update your organization's DNS service to make the IP addresses resolvable by DNS names. Updating your organization's DNS service ensures that users can access your services securely without encountering any SSL/TLS warnings or errors.

  1. Deploy Redpanda with TLS disabled and enable the NodePort Service type:

    loadbalancer-tls-disabled.yaml
    external:
      enabled: true
      type: NodePort
    tls:
      enabled: false
    helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
      --values loadbalancer-tls-disabled.yaml --reuse-values --wait
    note

    For default values and documentation for configuration options, see the values.yaml file.

  2. Find out on which worker nodes your Redpanda brokers are running.

    kubectl get pod -n redpanda  \
    -o=custom-columns=NODE:.spec.nodeName,NAME:.metadata.name -l \
    app.kubernetes.io/component=redpanda-statefulset

  3. Find the IP address of each worker node.

    kubectl get node -o wide

  4. Add the IP addresses of each worker node to the external.addresses field in order. For example, the first IP address in the list is assigned to redpanda-0, the second is assigned to redpanda-1, and so on.

    external-access-ip-addresses.yaml
    external:
      addresses:
      - <worker-node-ip-1>
      - <worker-node-ip-2>
      - <worker-node-ip-3>
    helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
      --values external-access-ip-addresses.yaml --reuse-values --wait
    note

    For default values and documentation for configuration options, see the values.yaml file.

    warning

    IP addresses can change. If the IP addresses of your worker nodes change, you must reconfigure the Redpanda brokers and all your external clients with the new IP addresses.

  5. Use the IP addresses to communicate with the Redpanda cluster from outside the Kubernetes cluster:

    rpk cluster info --brokers <worker-node-ip>:31092

Next steps

What do you like about this doc?




Optional: Share your email address if we can contact you about your feedback.

Let us know what we do well:
Ask in the community
Make a contribution