Comments (11)
@eliobischof is this really a bug? it looks more like a change to me
from zitadel-charts.
I have tested whether the password was necessary; for me it wasn't. See my test below:
Download a secure-client yaml from here: https://github.com/cockroachdb/helm-charts/blob/master/examples/client-secure.yaml.

Edit the yaml and change the following fields:

- `metadata.namespace` to `zitadel`
- `spec.serviceAccountName` to `crdb`
- `spec.volumes[0].projected.sources[0].secret.name` to `cockroachdb-root`

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: cockroachdb-client-secure
  namespace: zitadel
spec:
  serviceAccountName: crdb
  containers:
  - name: cockroachdb-client-secure
    image: cockroachdb/cockroach:v21.1.11
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: client-certs
      mountPath: /cockroach/cockroach-certs/
    command:
    - sleep
    - "2147483648" # 2^31
  terminationGracePeriodSeconds: 0
  volumes:
  - name: client-certs
    projected:
      sources:
      - secret:
          name: cockroachdb-root
          items:
          - key: ca.crt
            path: ca.crt
          - key: tls.crt
            path: client.root.crt
          - key: tls.key
            path: client.root.key
      defaultMode: 256
```
Deploy the secure client.

```shell
kubectl create -f client-secure.yaml
```

Connect into the container.

```shell
# exec into the pod deployed above; a fresh `kubectl run` pod would not have the certs mounted
kubectl -n zitadel exec -it cockroachdb-client-secure -- /bin/bash
```

Adjust the cert permissions.

```shell
cp -r ./cockroach-certs/ /client-certs
cd /client-certs
chmod 700 client.root.crt
chmod 700 client.root.key
```

Connect to the database.

```shell
cockroach sql --certs-dir=/client-certs --host=crdb-public
```

List and connect to the zitadel db.

```sql
\l
use zitadel;
\dt
select * from projections.login_names;
```
from zitadel-charts.
@DoGab it is only required if you deploy cockroach from this chart with cockroach.enabled=true. At the moment, the chart uses password authentication.
I can modify the chart to use cert authentication for the zitadel client, but then, I would modify the validation so that no password should be set. Is that something that would help?
Edit: Of course, we can make the authentication method configurable if there is a use case for that.
from zitadel-charts.
> @DoGab it is only required if you deploy cockroach from this chart with cockroach.enabled=true. At the moment, the chart uses password authentication.

@eliobischof are you sure the password is needed when cockroach.enabled=true is set? I don't think so because I don't see where the password is passed to the cockroachdb chart as value. I also don't see any option in the Cockroachdb Helm chart to tell cockroach to use passwords.
from zitadel-charts.
If the zitadel user you configure for the zitadel binary (see defaults.yaml) doesn't exist already, the zitadel binary creates it. If you don't set a password there, you have to pass client certs, which are not created automatically.
from zitadel-charts.
> If the zitadel user you configure for the zitadel binary (see defaults.yaml) doesn't exist already, the zitadel binary creates it. If you don't set a password there, you have to pass client certs, which are not created automatically.

What does Zitadel do if you deploy CockroachDB separately (not from the Zitadel helm chart) using TLS? Does it also create a User and Password for the Zitadel database?

But if you deploy CockroachDB from this helm chart and you actually have TLS enabled (because you override the cockroachdb values that are passed), then you wouldn't need the password, correct? Don't you actually need a password if TLS is disabled because then you don't have certificates to connect to the database?
from zitadel-charts.
> What does Zitadel do if you deploy CockroachDB separately (not from the Zitadel helm chart) using TLS? Does it also create a User and Password for the Zitadel database?

Yes it does. You are free to choose if you want ZITADEL to set a password for the new user or if you want to generate and provide client certificates.

> But if you deploy CockroachDB from this helm chart and you actually have TLS enabled (because you override the cockroachdb values that are passed), then you wouldn't need the password, correct? Don't you actually need a password if TLS is disabled because then you don't have certificates to connect to the database?

You either need pw authentication or cert authentication for TLS enabled cockroach clusters. As nothing creates the client certs right now, the chart expects you to provide a password for the new user. We could probably change that, so the chart creates the user certs for better UX. That's what I meant above #25 (comment)

If I understand you correctly, you'd prefer to use cert authentication over pw authentication anyway, right? Maybe, it also makes sense to use cert authentication by default from a security perspective, as then you need to have the cert, not just know the pw.
from zitadel-charts.
> Yes it does. You are free to choose if you want ZITADEL to set a password for the new user or if you want to generate and provide client certificates.

Alright. If you don't set a password for the database and it is created automatically, where can you retrieve it? Is this even possible?

> You either need pw authentication or cert authentication for TLS enabled cockroach clusters. As nothing creates the client certs right now, the chart expects you to provide a password for the new user. We could probably change that, so the chart creates the user certs for better UX. That's what I meant above #25 (comment)

Alright, yeah that makes sense.

> If I understand you correctly, you'd prefer to use cert authentication over pw authentication anyway, right? Maybe, it also makes sense to use cert authentication by default from a security perspective, as then you need to have the cert, not just know the pw.

I guess cert authentication is the recommended way by CockroachDB and we also use it. It may make sense to switch to this by default. But this is definitely not urgent.
from zitadel-charts.
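Both DoGab's secure-client test above and the suggestion that the chart could mint the client certificates itself rest on the same mechanism: CockroachDB authenticates a TLS client by the CN of a certificate signed by the cluster CA, and that CN is the SQL user it logs in as. The script below is an added example and not code from zitadel-charts or CockroachDB; it uses openssl in place of `cockroach cert create-client`, creates a throwaway CA standing in for the cluster CA (in a real chart the CA key would come from the cockroachdb secret and must never be mounted into the application pod), issues a client cert for the `zitadel` user, checks that it chains to the CA and that its CN is the user name, and renders a Secret in the same `ca.crt`/`tls.crt`/`tls.key` shape the secure-client pod mounts. The CA subject, the `WORKDIR` location, the `run` argument and the secret name `cockroachdb-zitadel` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of zitadel-charts): issue a client certificate for a
# CockroachDB SQL user the way a chart job could, using openssl instead of
# `cockroach cert create-client`. CockroachDB maps the certificate CN to the
# SQL user, so the CN must equal the user name.
set -eu

# Assumed scratch directory; a chart job would write into an emptyDir instead.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Throwaway CA for the example (stands in for the cluster CA key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -subj "/O=Cockroach/CN=Cockroach CA" >/dev/null 2>&1
}

# Client cert whose CN is the SQL user. extendedKeyUsage=clientAuth keeps the
# cert from being presented as a node/server certificate.
make_client_cert() {
  user="$1"
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/client.$user.key" -out "$WORKDIR/client.$user.csr" \
    -subj "/O=Cockroach/CN=$user" >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$WORKDIR/client.ext"
  openssl x509 -req -days 365 -in "$WORKDIR/client.$user.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/client.ext" -out "$WORKDIR/client.$user.crt" >/dev/null 2>&1
  chmod 0600 "$WORKDIR/client.$user.key"   # cockroach refuses keys readable by others
}

# The CN of a cert, i.e. the SQL user CockroachDB would authenticate it as.
cert_user() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Chain check against the CA, the same decision the server makes on connect.
verify_client() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslclient \
    "$WORKDIR/client.$1.crt" >/dev/null 2>&1
}

# Secret manifest in the shape the secure-client pod above mounts; the name
# cockroachdb-<user> is an assumption for this example.
render_secret() {
  user="$1"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cockroachdb-$user
  namespace: zitadel
type: kubernetes.io/tls
data:
  ca.crt: $(base64 < "$WORKDIR/ca.crt" | tr -d '\n')
  tls.crt: $(base64 < "$WORKDIR/client.$user.crt" | tr -d '\n')
  tls.key: $(base64 < "$WORKDIR/client.$user.key" | tr -d '\n')
EOF
}

# Stand-alone usage: `sh mint-client-cert.sh run` (hypothetical file name).
if [ "${1:-}" = "run" ]; then
  make_ca
  make_client_cert zitadel
  echo "client cert authenticates as: $(cert_user "$WORKDIR/client.zitadel.crt")"
  verify_client zitadel && echo "chains to CA: ok"
  render_secret zitadel
fi
```

The `cert_user` check is the part worth keeping in mind when comparing the two methods: a cert minted for `root` verifies against the same CA just as well, but logs in as `root`. Cert authentication is only stronger than a shared password while the CA key stays out of reach of the workloads that receive the client certs.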
> If you don't set a password for the database and it is created automatically, where can you retrieve it? Is this even possible?

Currently it's not possible because of the validation I linked above.

I'll rename the issue.
from zitadel-charts.
> Currently it's not possible because of the validation I linked above.
>
> I'll rename the issue.

Alright! Perfect thanks :)
from zitadel-charts.
That's obsolete as we removed the crdb subchart
from zitadel-charts.