LogoLogo
Ockam.ioOpen Source CodeContact usSign up
  • Intro to Ockam
  • Ockam's core concepts
  • Get started demo
  • Quickstarts
    • Add secure connectivity to your SaaS product
    • Snowflake federated queries to Postgres
    • Postgres to Snowflake
    • Snowflake to Postgres
    • Kafka to Snowflake
    • Snowflake to Kafka
    • Snowflake stage as SFTP server
    • Snowflake stage as WebDAV file share
    • Snowflake hosted private APIs
    • Federated queries from Snowflake
  • ENCRYPTED PORTALS TO ...
    • Databases
      • PostgreSQL
        • Docker
        • Kubernetes
        • Amazon RDS
        • Amazon Aurora
      • MongoDB
        • Docker
        • Kubernetes
        • Amazon EC2
      • InfluxDB
        • Amazon Timestream
    • APIs
      • Nodejs
      • Python
    • AI
      • Amazon Bedrock
      • Amazon EC2
      • Azure OpenAI
    • Code Repos
      • Gitlab Enterprise
    • Kafka
      • Apache Kafka
        • Docker
      • Redpanda
        • Self Hosted
      • Confluent
        • Cloud
      • Warpstream
        • Cloud
      • Instaclustr
        • Cloud
      • Aiven
        • Cloud
  • Reference
    • Command
      • Nodes and Workers
      • Routing and Transports
      • Relays and Portals
      • Identities and Vaults
      • Secure Channels
      • Verifiable Credentials
      • Guides
        • AWS Marketplace
          • Ockam Node
          • Ockam Node for Amazon MSK
          • Ockam Node for Amazon RDS Postgres
          • Ockam Node for Amazon Timestream InfluxDB
          • Ockam Node for Amazon Redshift
          • Ockam Node for Amazon Bedrock
      • Manual
    • Programming Libraries
      • Rust
        • Nodes and Workers
        • Routing and Transports
        • Identities and Vaults
        • Secure Channels
        • Credentials and Authorities
        • Implementation and Internals
          • Nodes and Workers
        • docs.rs/ockam
    • Protocols
      • Nodes and Workers
      • Routing and Transports
      • Keys and Vaults
      • Identities and Credentials
      • Secure Channels
      • Access Controls and Policies
Powered by GitBook
On this page
  • Run
  • Walkthrough
  • Administrator
  • Bank Corp
  • Analysis Corp
  • Recap
  • Cleanup

Was this helpful?

Edit on GitHub
Export as PDF
  1. ENCRYPTED PORTALS TO ...
  2. Databases
  3. MongoDB

Docker

PreviousMongoDBNextKubernetes

Last updated 11 months ago

Was this helpful?

Let's connect a nodejs app in one virtual private network with a MongoDB database in another virtual private network. The example uses docker and docker compose to create these virtual networks.

Each company’s network is private, isolated, and doesn't expose ports. To learn how end-to-end trust is established, please read: “”

Run

This example requires Bash, Git, Curl, Docker, and Docker Compose. Please set up these tools for your operating system, then run the following commands:

# Clone the Ockam repo from Github.
git clone --depth 1 https://github.com/build-trust/ockam && cd ockam

# Navigate to this example’s directory.
cd examples/command/portals/databases/mongodb/docker

# Run the example, use Ctrl-C to exit at any point.
./run.sh

If everything runs as expected, you'll see the message: The example run was successful 🥳

Walkthrough

Administrator

Bank Corp

# Create a dedicated and isolated virtual network for bank_corp.
networks:
  bank_corp:
    driver: bridge

Analysis Corp

# Create a dedicated and isolated virtual network for analysis_corp.
networks:
  analysis_corp:
    driver: bridge

Recap

We connected a nodejs app in one virtual private network with a MongoDB database in another virtual private network over an end-to-end encrypted portal.

Analysis Corp. does not get unfettered access to Bank Corp.’s network. It gets access only to run queries on the MongoDB server. Bank Corp. does not get unfettered access to Analysis Corp.’s network. It gets access only to respond to queries over a tcp connection. Bank Corp. cannot initiate connections.

Cleanup

To delete all containers and images:

./run.sh cleanup

The , that you ran above, and its are full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore.

The calls the which invokes the to create an new identity, sign into Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership .

The run function then . The tickets are valid for 10 minutes. Each ticket can be redeemed only once and assigns to its redeemer. The is meant for the Ockam node that will run in Bank Corp.’s network. The is meant for the Ockam node that will run in Analysis Corp.’s network.

In a typical production setup an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project. It uses to and provision Ockam nodes in Bank Corp.’s and Analysis Corp.’s network.

The run function takes the enrollment tickets, sets them as the value of an , and to create Bank Corp.’s and Analysis Corp.’s networks.

Bank Corp.’s is used when run.sh invokes docker-compose. It creates an for Bank Corp.

In this network, docker compose starts a . This container becomes available at mongodb:27017 in the Bank Corp network.

Once the mongodb container , docker compose starts an as a companion to the mongodb container. The Ockam node container is created using and this . The enrollment ticket from run.sh is .

When the Ockam node container starts in the Bank Corp network, it runs . The entrypoint script creates a new identity and uses the enrollment ticket to and get a project membership credential that attests to the attribute mongodb-outlet=true. The run function to the enrollment ticket.

The entrypoint script then this identity and membership credential to authenticate and create a in the project, back to the node, at relay address: mongodb. The run function to use this relay address.

Next, the entrypoint sets an that only allows project members that possesses a credential with attribute mongodb-inlet="true" to connect to tcp portal outlets on this node. It then creates tcp portal outlet to mongodb at .

Analysis Corp.’s is used when run.sh invokes docker-compose. It creates an for Analysis Corp. In this network, docker compose starts an and an .

The is created using and this . The enrollment ticket from run.sh is .

When the Ockam node container starts in the Analysis Corp network, it runs . The entrypoint script creates a new identity and uses the enrollment ticket to and get a project membership credential that attests to the attribute mongodb-inlet=true. The run function to the enrollment ticket.

The entrypoint script then this identity and membership credential. It then sets an that only allows project members that possesses a credential with attribute mongodb-outlet="true" to connect to tcp portal inlets on this node.

Next, the entrypoint inlet that makes the available on all localhost IPs at . This makes mongodb available at ockam:17017 within Analysis Corp’s virtual private network.

Once the Ockam node container , docker compose starts . The app container is created using which runs this file on startup.

The app.js file is a nodejs app, it on ockam:17017, then , back, and .

Sensitive business data in the MongoDB database is only accessible to Bank Corp. and Analysis Corp. All data is with strong forward secrecy as it moves through the Internet. The communication channel is and . Keys and credentials are automatically rotated. Access to connect with MongoDB can be easily revoked.

All are secure-by-default. Only project members, with valid credentials, can connect with each other. NAT’s are traversed using a relay and outgoing tcp connections. Bank Corp. or Analysis Corp. don’t expose any listening endpoints on the Internet. Their networks are completely closed and protected from any attacks from the Internet.

run.sh script
accompanying files
environment variables to give tickets
environment variable
invokes docker-compose
docker-compose configuration
isolated virtual network
container with a MongoDB database
is ready
Ockam node in a container
this dockerfile
entrypoint script
passed to the container
its entrypoint
enroll with your project
assigned this attribute
access control policy
mongodb:27017
docker-compose configuration
isolated virtual network
Ockam node container
app container
Ockam node container
this dockerfile
entrypoint script
passed to the container
its entrypoint
enroll with your project
assigned this attribute
creates a node that uses
access control policy
creates tcp portal
remote mongodb
0.0.0.0:17017
is ready
an app container
this dockerfile
app.js
connects with mongodb
inserts some data
queries it
prints it
encrypted
mutually authenticated
authorized
access controls
creates a node that uses
gave the enrollment ticket permission
relay
How does Ockam work?
run.sh script
run function
enroll command
generates two new enrollment tickets
first ticket
second ticket
credential
attributes