Home Explore Help
Sign In
cecf
/
deploy
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e4538f3d9b
Branches Tags
deploy
/
neo4j-helm
/
doc
/
docs
/
modules
/
ROOT
/
pages
/
networking.adoc

networking.adoc 2.8 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344 
  1. = Networking & Security
    2. 

  2. 

  3. [abstract]
    4. 

  4. How to work with Neo4j networking & security concepts
    5. 

  5. 

  6. 

  7. == Exposed Services
    8. 

  8. 

  9. For security reasons, we have not enabled access to the database cluster from outside of Kubernetes by default, instead choosing to leave this to users to configure appropriate network access policies for their usage. If this is desired, please look at the external exposure instructions found in this repository.
    10. 

  10. 

  11. By default, each node will expose:
    12. 

  12. 

  13. * HTTP on port 7474
    14. 

  14. * HTTPS on port 7473
    15. 

  15. * Bolt on port 7687
    16. 

  16. 

  17. Exposed services and port mappings can be configured by referencing neo4j’s docker documentation. See the advanced configuration section in this document for how to change the way the docker containers in each pod are configured.
    18. 

  18. 

  19. Refer to the Neo4j operations manual for information on the ports that Neo4j needs to function. Default port numbers in the helm chart exactly follow default ports in other installations.
    20. 

  20. 

  21. == Service Address
    22. 

  22. 

  23. Additionally, a service address inside of the cluster will be available as follows - to determine your service address, simply substitute `$APP_INSTANCE_NAME` with the name you deployed neo4j under, and `$NAMESPACE` with the kubernetes namespace where neo4j resides.
    24. 

  24. 

  25. `$NAME-neo4j.$NAMESPACE.svc.cluster.local`
    26. 

  26. 

  27. Any client may connect to this address, as it is a DNS record with multiple entries pointing to the nodes which back the cluster. For example, bolt+routing clients can use this address to bootstrap their connection into the cluster, subject to the items in the limitations section.
    28. 

  28. 

  29. == Cluster Formation
    30. 

  30. 

  31. Immediately after deploying Neo4j, as the pods are created the cluster begins to form. This may take up to 5 minutes, depending on a number of factors including how long it takes pods to get scheduled, and how many resources are associated with the pods. While the cluster is forming, the Neo4j REST API and Bolt endpoints may not be available. After a few minutes, bolt endpoints become available inside of the kubernetes cluster.
    32. 

  32. 

  33. == Password
    34. 

  34. 

  35. After installing, your cluster will start with the password you supplied as the neo4jPassword setting. This is stored in a kubernetes secret that is attached to your deployment. Given a deployment named “my-graph”, you can find the password as the “neo4j-password” key under the mygraph-neo4j-secrets configuration item in Kubernetes. The password is base64 encoded, and can be recovered as plaintext by authorized users with this command:
    36. 

  36. 

  37. ```shell
    38. 

  38. export NEO4J_PASSWORD=$(kubectl get secrets {{ template "neo4j.secrets.fullname" . }} -o jsonpath='{.data.neo4j-password}' | base64 -d)
    39. 

  39. ```
    40. 

  40. 

  41. Alternatively: if you set `existingPasswordSecret` that secret name should be used instead. If `existingPasswordSecretKey` is set make sure that your `jsonpath` also matches this key.
    42. 

  42. 

  43. This password applies for the base administrative user named “neo4j”.
    44. 

  44.