managed-db-services
Configure DigitalOcean Managed MySQL, MongoDB, Valkey, Kafka, and OpenSearch for App Platform. Use when setting up non-PostgreSQL databases, configuring trusted sources, or troubleshooting database connectivity.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/managed-db-services/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
SKILL.md Source
# Managed Database Services Skill
Configure DigitalOcean Managed MySQL, MongoDB, Valkey (Redis), Kafka, and OpenSearch for App Platform applications.
## Quick Decision
```
Which database engine?
├── PostgreSQL → Use the postgres skill instead
├── MySQL → See reference/mysql.md
├── MongoDB → See reference/mongodb.md
├── Valkey/Redis → See reference/valkey.md
├── Kafka → See reference/kafka.md (⚠️ trusted sources limitations)
└── OpenSearch → See reference/opensearch.md
```
> **Tip**: For complex multi-step deployments, use the **planner** skill. For an overview of all skills, see [root SKILL.md](../../SKILL.md).
---
## Critical Constraints
| Constraint | Impact |
|------------|--------|
| Dev databases | PostgreSQL only — MySQL/MongoDB/Kafka/OpenSearch require `production: true` |
| Build-time DB access | ❌ Trusted sources block build phase — use PRE_DEPLOY job for migrations |
| Kafka trusted sources | IP-based only (`ip_addr:`); app-based (`app:`) NOT supported |
| OpenSearch logging | ❌ NOT supported with trusted sources enabled |
| MongoDB db_name | Cannot contain capital letters in app spec |
---
## Trusted Sources Quick Reference
| Network Mode | Rule Type | Supported Engines |
|--------------|-----------|-------------------|
| Public | `app:$APP_ID` | MySQL, MongoDB, Valkey, OpenSearch |
| Public | `app:$APP_ID` | ❌ Kafka (not supported) |
| VPC | `ip_addr:<vpc-cidr>` | All engines |
| VPC | `app:$APP_ID` | ❌ None (app rules whitelist public IP only) |
> **VPC deployments**: Use VPC CIDR (`ip_addr:10.126.0.0/20`) — simpler than per-app IPs.
>
> See [networking skill - Trusted Sources](../networking/SKILL.md#trusted-sources-the-big-picture) for complete configuration.
---
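The constraint and trusted-source tables above can be checked mechanically before a deploy. The following is an added example, not part of the original skill: `lint`, the dict form of the app spec and the `{cluster_name: [rules]}` mapping are hypothetical, and the sample data is constructed.

```python
import re

NON_PG = {"MYSQL", "MONGODB", "REDIS", "KAFKA", "OPENSEARCH"}
BINDING = re.compile(r"\$\{([\w-]+)\.[A-Z_]+\}")   # e.g. ${db.DATABASE_URL}

def lint(spec, planned_rules, vpc=False):
    """Return findings for an app spec dict and planned rules {cluster_name: [rule, ...]}."""
    out = []
    dbs = {d["name"]: d for d in spec.get("databases", [])}
    for name, db in dbs.items():
        engine = db.get("engine", "")
        if engine in NON_PG and not db.get("production"):
            out.append(f"{name}: {engine} requires production: true")
        db_name = db.get("db_name", "")
        if engine == "MONGODB" and db_name != db_name.lower():
            out.append(f"{name}: MongoDB db_name cannot contain capital letters")
        for rule in planned_rules.get(db.get("cluster_name"), []):
            if not rule.startswith("app:"):
                continue
            if engine == "KAFKA":
                out.append(f"{name}: Kafka supports ip_addr: rules only")
            elif vpc:
                out.append(f"{name}: app: rules whitelist the public IP only; use ip_addr:<vpc-cidr>")
    for svc in spec.get("services", []):
        for env in svc.get("envs", []):
            refs = BINDING.findall(str(env.get("value", "")))
            # Assumption: scopes containing BUILD (BUILD_TIME, RUN_AND_BUILD_TIME) come
            # from the App Platform spec; this page itself only shows RUN_TIME.
            if "BUILD" in env.get("scope", "") and any(r in dbs for r in refs):
                out.append(f"{svc['name']}.{env['key']}: database binding scoped to build phase")
    return out

# Constructed sample spec that violates four of the constraints.
SAMPLE = {
    "databases": [
        {"name": "db", "engine": "MONGODB", "production": True,
         "cluster_name": "my-mongo", "db_name": "MyAppDB"},
        {"name": "kafka", "engine": "KAFKA", "production": True, "cluster_name": "my-kafka"},
        {"name": "cache", "engine": "REDIS", "cluster_name": "my-valkey"},
    ],
    "services": [{"name": "api", "envs": [
        {"key": "MONGODB_URI", "scope": "BUILD_TIME", "value": "${db.DATABASE_URL}"},
        {"key": "REDIS_URL", "scope": "RUN_TIME", "value": "${cache.DATABASE_URL}"},
    ]}],
}
SAMPLE_RULES = {"my-kafka": ["app:<app-id>"], "my-mongo": ["app:<app-id>"]}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, SAMPLE_RULES)))
```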
## Bindable Variables (All Engines)
```yaml
databases:
  - name: db                  # Component name (used in ${db.VAR_NAME})
    engine: <ENGINE>          # MYSQL, MONGODB, REDIS, KAFKA, OPENSEARCH
    production: true          # REQUIRED for bindable variables
    cluster_name: my-cluster  # Must match existing cluster name
    db_name: myappdb          # Database within cluster (where applicable)
    db_user: myappuser        # User created via doctl
```
| Variable | Description |
|----------|-------------|
| `${db.DATABASE_URL}` | Full connection string (PUBLIC hostname only!) |
| `${db.HOSTNAME}` | Database host (PUBLIC hostname only!) |
| `${db.PORT}` | Database port |
| `${db.USERNAME}` | Database user |
| `${db.PASSWORD}` | Database password (auto-populated) |
| `${db.DATABASE}` | Database name |
| `${db.CA_CERT}` | CA certificate for TLS |
> **VPC Note**: Bindable variables return PUBLIC hostnames even with VPC enabled. For private endpoints, add separate `*_PRIVATE_*` environment variables with hardcoded private hostnames.
---
## Engine Quick Reference
| Engine | App Spec | Port | Protocol | Key Notes |
|--------|----------|------|----------|-----------|
| MySQL | `MYSQL` | 25060 | `mysql://...?ssl-mode=REQUIRED` | [Full guide](reference/mysql.md) |
| MongoDB | `MONGODB` | 27017 | `mongodb+srv://...?tls=true&authSource=admin` | [Full guide](reference/mongodb.md) |
| Valkey | `REDIS` | 25061 | `rediss://` (with SSL) | [Full guide](reference/valkey.md) |
| Kafka | `KAFKA` | 9093 | SASL/SCRAM-SHA-256 | [Full guide](reference/kafka.md) |
| OpenSearch | `OPENSEARCH` | 25060 | `https://` with basic auth | [Full guide](reference/opensearch.md) |
---
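The Protocol column above says how each engine's connection URL signals TLS. The check below is an added example, not part of the original skill: it verifies a URL against that column and masks the password for troubleshooting output. `tls_problem`, `redact` and the sample URLs are constructed; plain `mongodb://` is accepted alongside `mongodb+srv://` as an assumption, and Kafka is left out because the page gives it no URL form.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Per engine: (accepted schemes, required query parameter or None),
# following the Protocol column of the engine table.
TLS_RULES = {
    "MYSQL": ({"mysql"}, ("ssl-mode", "REQUIRED")),
    "MONGODB": ({"mongodb", "mongodb+srv"}, ("tls", "true")),
    "REDIS": ({"rediss"}, None),        # redis:// would be plaintext
    "OPENSEARCH": ({"https"}, None),
}

def tls_problem(engine, url):
    """Return None if url enforces TLS as the table requires, else the reason."""
    if engine not in TLS_RULES:
        return f"no URL rule for engine {engine}"
    schemes, param = TLS_RULES[engine]
    parts = urlsplit(url)
    if parts.scheme not in schemes:
        return f"scheme {parts.scheme}:// not in {sorted(schemes)}"
    if param:
        key, want = param
        if parse_qs(parts.query).get(key, []) != [want]:
            return f"query must set {key}={want}"
    return None

def redact(url):
    """Mask the password so the URL can appear in logs while debugging."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return urlunsplit(parts._replace(netloc=f"{parts.username}:***@{host}"))

# Constructed sample: a MySQL URL that lost its ssl-mode parameter.
BAD_MYSQL = "mysql://myappuser:s3cret@db.example.invalid:25060/myappdb"

if __name__ == "__main__":
    print(redact(BAD_MYSQL), "->", tls_problem("MYSQL", BAD_MYSQL))
```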
## Quick Start: MySQL
```bash
# 1. Create cluster + user
doctl databases create my-mysql --engine mysql --region nyc3 --size db-s-1vcpu-2gb --version 8
CLUSTER_ID=$(doctl databases list --format ID,Name --no-header | grep my-mysql | awk '{print $1}')
doctl databases db create $CLUSTER_ID myappdb
doctl databases user create $CLUSTER_ID myappuser
# 2. Add to trusted sources
APP_ID=$(doctl apps list --format ID,Spec.Name --no-header | grep my-app | awk '{print $1}')
doctl databases firewalls append $CLUSTER_ID --rule app:$APP_ID
# 3. Reference in app spec
```
```yaml
databases:
  - name: db
    engine: MYSQL
    production: true
    cluster_name: my-mysql
    db_name: myappdb
    db_user: myappuser
services:
  - name: api
    envs:
      - key: DATABASE_URL
        scope: RUN_TIME
        value: ${db.DATABASE_URL}
```
**Full guide**: See [mysql.md](reference/mysql.md)
---
## Quick Start: MongoDB
```bash
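doctl databases create my-mongo --engine mongodb --region nyc3 --size db-s-1vcpu-2gb --version 7
CLUSTER_ID=$(doctl databases list --format ID,Name --no-header | grep my-mongo | awk '{print $1}')
doctl databases user create $CLUSTER_ID myappuser
# APP_ID must be set before appending the rule (same lookup as in the MySQL quick start)
APP_ID=$(doctl apps list --format ID,Spec.Name --no-header | grep my-app | awk '{print $1}')
doctl databases firewalls append $CLUSTER_ID --rule app:$APP_ID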
```
```yaml
databases:
  - name: db
    engine: MONGODB
    production: true
    cluster_name: my-mongo
    db_user: myappuser
services:
  - name: api
    envs:
      - key: MONGODB_URI
        scope: RUN_TIME
        value: ${db.DATABASE_URL}
```
**Full guide**: See [mongodb.md](reference/mongodb.md)
---
## Quick Start: Valkey
```bash
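doctl databases create my-valkey --engine redis --region nyc3 --size db-s-1vcpu-2gb --version 7
CLUSTER_ID=$(doctl databases list --format ID,Name --no-header | grep my-valkey | awk '{print $1}')
# APP_ID must be set before appending the rule (same lookup as in the MySQL quick start)
APP_ID=$(doctl apps list --format ID,Spec.Name --no-header | grep my-app | awk '{print $1}')
doctl databases firewalls append $CLUSTER_ID --rule app:$APP_ID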
```
```yaml
databases:
  - name: cache
    engine: REDIS
    production: true
    cluster_name: my-valkey
services:
  - name: api
    envs:
      - key: REDIS_URL
        scope: RUN_TIME
        value: ${cache.DATABASE_URL}
```
**Full guide**: See [valkey.md](reference/valkey.md)
---
## Quick Start: Kafka
> **Warning**: Kafka does NOT support `app:$APP_ID` trusted source rules. Use VPC + IP-based rules or disable trusted sources.
```bash
doctl databases create my-kafka --engine kafka --region nyc3 --size db-s-2vcpu-4gb --version 3.7
CLUSTER_ID=$(doctl databases list --format ID,Name --no-header | grep my-kafka | awk '{print $1}')
doctl databases topics create $CLUSTER_ID my-topic --partition-count 3 --replication-factor 2
```
```yaml
databases:
  - name: kafka
    engine: KAFKA
    production: true
    cluster_name: my-kafka
services:
  - name: api
    envs:
      - key: KAFKA_BROKER
        scope: RUN_TIME
        value: ${kafka.HOSTNAME}:${kafka.PORT}
      - key: KAFKA_USERNAME
        scope: RUN_TIME
        value: ${kafka.USERNAME}
      - key: KAFKA_PASSWORD
        scope: RUN_TIME
        value: ${kafka.PASSWORD}
      - key: KAFKA_CA_CERT
        scope: RUN_TIME
        value: ${kafka.CA_CERT}
```
**Full guide**: See [kafka.md](reference/kafka.md)
---
## Quick Start: OpenSearch
> **Warning**: Logging to OpenSearch requires trusted sources to be disabled.
```bash
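doctl databases create my-opensearch --engine opensearch --region nyc3 --size db-s-2vcpu-4gb --version 2
CLUSTER_ID=$(doctl databases list --format ID,Name --no-header | grep my-opensearch | awk '{print $1}')
doctl databases user create $CLUSTER_ID myappuser
# APP_ID must be set before appending the rule (same lookup as in the MySQL quick start)
APP_ID=$(doctl apps list --format ID,Spec.Name --no-header | grep my-app | awk '{print $1}')
doctl databases firewalls append $CLUSTER_ID --rule app:$APP_ID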
```
```yaml
databases:
  - name: search
    engine: OPENSEARCH
    production: true
    cluster_name: my-opensearch
    db_user: myappuser
services:
  - name: api
    envs:
      - key: OPENSEARCH_URL
        scope: RUN_TIME
        value: https://${search.USERNAME}:${search.PASSWORD}@${search.HOSTNAME}:${search.PORT}
```
**Full guide**: See [opensearch.md](reference/opensearch.md)
---
## Common doctl Commands
```bash
# List all database clusters
doctl databases list
# Get cluster details
doctl databases get <cluster-id>
# Create user (DO manages password)
doctl databases user create <cluster-id> <username>
# List users
doctl databases user list <cluster-id>
# Create database within cluster
doctl databases db create <cluster-id> <db-name>
# Get connection details
doctl databases connection <cluster-id>
# Trusted sources (firewall)
doctl databases firewalls append <cluster-id> --rule app:<app-id>
doctl databases firewalls list <cluster-id>
```
---
## Quick Troubleshooting
| Error | Cause | Fix |
|-------|-------|-----|
| "Connection refused" | App not in trusted sources | `doctl databases firewalls append <cluster-id> --rule app:<app-id>` |
| "Access denied" | User permissions not set | Grant permissions via SQL or recreate user |
| Bindable vars empty | Missing `production: true` | Add `production: true` to database block |
| SSL required | Connection string missing SSL | Add `?ssl-mode=REQUIRED` (MySQL), `?tls=true` (MongoDB), use `rediss://` (Valkey) |
| Kafka connection fails | Using `app:` rule | Kafka only supports `ip_addr:` rules — use VPC or disable TS |
---
## Reference Files
- **[mysql.md](reference/mysql.md)** — Connection pools, user privileges, password encryption
- **[mongodb.md](reference/mongodb.md)** — User roles, authSource configuration
- **[valkey.md](reference/valkey.md)** — Eviction policies, SSL protocol
- **[kafka.md](reference/kafka.md)** — SASL auth, SSL cert handling, Schema Registry
- **[opensearch.md](reference/opensearch.md)** — ACLs, logging limitations
---
## When to Use Postgres Skill Instead
Use the **postgres skill** for:
- Schema isolation (multi-tenant)
- Complex permission management
- Multiple apps sharing one cluster
- Connection pool configuration
This skill is for straightforward single-database setups with MySQL, MongoDB, Valkey, Kafka, or OpenSearch.
---
## Integration with Other Skills
| Skill | Integration |
|-------|-------------|
| **designer** | Generates `databases:` block in app spec |
| **deployment** | No additional secrets needed — bindable vars handle credentials |
| **networking** | VPC + trusted sources configuration |
| **troubleshooting** | Debug container for connectivity testing |
---
## Documentation Links
- [Managed Databases Overview](https://docs.digitalocean.com/products/databases/)
- [MySQL](https://docs.digitalocean.com/products/databases/mysql/)
- [MongoDB](https://docs.digitalocean.com/products/databases/mongodb/)
- [Redis/Valkey](https://docs.digitalocean.com/products/databases/redis/)
- [Kafka](https://docs.digitalocean.com/products/databases/kafka/)
- [OpenSearch](https://docs.digitalocean.com/products/databases/opensearch/)
- [doctl databases reference](https://docs.digitalocean.com/reference/doctl/reference/databases/)