Doc 404 - doc client connectivity issue with NodePort Access on OpenShift (#1584)

amandalindsay · Rob-Hazelcast · web-flow · commit 9fb3ba0f85a2 · 2025-03-12T17:51:49.000Z
Document the client connectivity issue (which is not restricted to NodePort Access on
OpenShift)

With this being an edge case, include it in the Troubleshooting &amp;
Limitations topic, and link to it from the K8s auto-discovery topic.

---------

Co-authored-by: Rob Swain &lt;rob.swain@hazelcast.com&gt;
diff --git a/docs/modules/kubernetes/pages/kubernetes-auto-discovery.adoc b/docs/modules/kubernetes/pages/kubernetes-auto-discovery.adoc
@@ -26,6 +26,8 @@ Limited to **Hazelcast cluster per service**
 
 |===
 
+NOTE: Clients attempting to connect to a Hazelcast cluster deployed using the Helm chart may encounter connectivity issues when accessing the cluster outside Kubernetes. For information about how to resolve this, see xref:kubernetes:troubleshooting-and-limitations.adoc#troubleshooting-kubernetes-auto-discovery[Troubleshooting and limitations].
+
 === Using Kubernetes in API Mode
 
 In **Kubernetes API** mode, each node makes a REST call to the Kubernetes master to discover the IP addresses of any Hazelcast members running in Pods.
diff --git a/docs/modules/kubernetes/pages/troubleshooting-and-limitations.adoc b/docs/modules/kubernetes/pages/troubleshooting-and-limitations.adoc
@@ -165,3 +165,28 @@ In that case, you also need to turn off JET engine via chart parameter(`jet.enab
 ----
 helm install my-release ... --set jet.enabled=false hazelcast/<chart>
 ----
+
+== Troubleshooting Kubernetes Auto Discovery
+
+=== Client connectivity issue
+
+Clients attempting to connect to a Hazelcast cluster deployed using the Helm chart may encounter connectivity issues when accessing the cluster outside Kubernetes. Specifically, clients operating in smart/ALL_MEMBERS mode fetch internal pod IPs, which are inaccessible externally, leading to connection failures after the initial handshake.
+ 
+This issue arises due to Hazelcast's default behavior of using Kubernetes DNS mode when Role-Based Access Control (RBAC) permissions are not configured.
+
+You can resolve this problem by enabling the required RBAC permissions in the Helm chart. This allows the Hazelcast Kubernetes discovery plugin to retrieve external node addresses:
+
+[source,shell]
+----
+rbac:
+  create: true
+  userClusterRole: true
+----
+
+Alternatively, apply the required ClusterRole and ClusterRoleBinding for the Hazelcast ServiceAccount and use this service account in the Helm chart:
+
+[source,shell]
+----
+serviceAccount:
+  name: hazelcast-service-account
+----
