
Comments (11)

fforootd avatar fforootd commented on May 30, 2024 1

@eliobischof is this really a bug? It looks more like a change to me.

from zitadel-charts.

DoGab avatar DoGab commented on May 30, 2024

I have tested whether the password was necessary; for me it wasn't. See my test below:

Download a secure-client yaml from here: https://github.com/cockroachdb/helm-charts/blob/master/examples/client-secure.yaml.

Edit the yaml and change the following fields:

  • metadata.namespace to zitadel
  • spec.serviceAccountName to crdb
  • spec.volumes[0].project.sources[0].secret.name to cockroachdb-root
apiVersion: v1
kind: Pod
metadata:
  name: cockroachdb-client-secure
  namespace: zitadel
spec:
  serviceAccountName: crdb
  containers:
  - name: cockroachdb-client-secure
    image: cockroachdb/cockroach:v21.1.11
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: client-certs
      mountPath: /cockroach/cockroach-certs/
    command:
    - sleep
    - "2147483648" # 2^31
  terminationGracePeriodSeconds: 0
  volumes:
  - name: client-certs
    projected:
        sources:
          - secret:
              name: cockroachdb-root
              items:
                - key: ca.crt
                  path: ca.crt
                - key: tls.crt
                  path: client.root.crt
                - key: tls.key
                  path: client.root.key
        defaultMode: 256

Deploy the secure client.

kubectl create -f client-secure.yaml

Connect into the container.

kubectl -n zitadel run cockroachdb --rm -it --image=cockroachdb/cockroach --restart=Never -- /bin/bash

Adjust the cert permissions.

cp -r ./cockroach-certs/ /client-certs
cd /client-certs
chmod 700 client.root.crt
chmod 700 client.root.key

Connect to the database.

cockroach sql --certs-dir=/client-certs --host=crdb-public

List and connect to the zitadel db.

> \l
> use zitadel;
> \dt
> select * from projections.login_names;


eliobischof avatar eliobischof commented on May 30, 2024

@DoGab it is only required if you deploy cockroach from this chart with cockroach.enabled=true. At the moment, the chart uses password authentication.

I can modify the chart to use cert authentication for the zitadel client, but then, I would modify the validation so that no password should be set. Is that something that would help?

Edit: Of course, we can make the authentication method configurable if there is a use case for that.


DoGab avatar DoGab commented on May 30, 2024

@DoGab it is only required if you deploy cockroach from this chart with cockroach.enabled=true. At the moment, the chart uses password authentication.

@eliobischof are you sure the password is needed when cockroach.enabled=true is set? I don't think so because I don't see where the password is passed to the cockroachdb chart as value. I also don't see any option in the Cockroachdb Helm chart to tell cockroach to use passwords.


eliobischof avatar eliobischof commented on May 30, 2024

If the zitadel user you configure for the zitadel binary (see defaults.yaml) doesn't exist already, the zitadel binary creates it. If you don't set a password there, you have to pass client certs, which are not created automatically.


DoGab avatar DoGab commented on May 30, 2024

If the zitadel user you configure for the zitadel binary (see defaults.yaml) doesn't exist already, the zitadel binary creates it. If you don't set a password there, you have to pass client certs, which are not created automatically.

What does Zitadel do if you deploy CockroachDB separately (not from the Zitadel helm chart) using TLS? Does it also create a User and Password for the Zitadel database?

But if you deploy CockroachDB from this helm chart and you actually have TLS enabled (because you override the cockroachdb values that are passed), then you wouldn't need the password, correct? Don't you actually need a password if TLS is disabled because then you don't have certificates to connect to the database?


eliobischof avatar eliobischof commented on May 30, 2024

What does Zitadel do if you deploy CockroachDB separately (not from the Zitadel helm chart) using TLS? Does it also create a User and Password for the Zitadel database?

Yes it does. You are free to choose if you want ZITADEL to set a password for the new user or if you want to generate and provide client certificates.

But if you deploy CockroachDB from this helm chart and you actually have TLS enabled (because you override the cockroachdb values that are passed), then you wouldn't need the password, correct? Don't you actually need a password if TLS is disabled because then you don't have certificates to connect to the database?

You either need pw authentication or cert authentication for TLS enabled cockroach clusters. As nothing creates the client certs right now, the chart expects you to provide a password for the new user. We could probably change that, so the chart creates the user certs for better UX. That's what I meant above #25 (comment)

If I understand you correctly, you'd prefer to use cert authentication over pw authentication anyway, right? Maybe, it also makes sense to use cert authentication by default from a security perspective, as then you need to have the cert, not just know the pw.

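The rule the maintainer describes above (a TLS-enabled cluster needs either a password or client certs for the zitadel user, and the chart currently refuses the cert-only case) can be expressed as a small pre-flight check. The following is an added example, not code from zitadel-charts or from CockroachDB; the `DbUserConfig` field names are hypothetical stand-ins for the chart's real values keys, and the cert files it creates are placeholders, not real PEM material. It goes one step beyond the thread by also checking what the `chmod` step in the test above achieves: the private key must not be readable by group or other.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


class AuthConfigError(ValueError):
    """Raised when the database user configuration is not usable."""


@dataclass
class DbUserConfig:
    # Hypothetical field names for illustration; the chart's real values keys differ.
    username: str
    password: Optional[str] = None   # password authentication
    certs_dir: Optional[str] = None  # client certificate authentication


def cert_file_names(username: str) -> Tuple[str, str, str]:
    # CockroachDB expects ca.crt, client.<user>.crt and client.<user>.key in --certs-dir;
    # the projected volume in the thread produces exactly these names for user "root".
    return ("ca.crt", f"client.{username}.crt", f"client.{username}.key")


def check_certs_dir(certs_dir: str, username: str) -> List[str]:
    """Verify all three files exist and the private key is owner-only readable.

    Returns the verified paths; raises AuthConfigError on the first problem found.
    """
    verified = []
    for name in cert_file_names(username):
        path = os.path.join(certs_dir, name)
        if not os.path.isfile(path):
            raise AuthConfigError(f"missing {path}")
        if name.endswith(".key"):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Any group/other bit set means the key is exposed beyond its owner.
            if mode & 0o077:
                raise AuthConfigError(
                    f"{path} has mode {mode:04o}; group and other bits must be clear"
                )
        verified.append(path)
    return verified


def select_auth_mode(cfg: DbUserConfig) -> str:
    """Return "password" or "certificate", enforcing that exactly one is configured."""
    has_password = bool(cfg.password)
    has_certs = cfg.certs_dir is not None
    if has_password and has_certs:
        raise AuthConfigError("set a password or a certs_dir, not both")
    if has_password:
        return "password"
    if has_certs:
        check_certs_dir(cfg.certs_dir, cfg.username)
        return "certificate"
    raise AuthConfigError("a password or a certs_dir is required for a TLS-enabled cluster")


def make_demo_certs_dir(username: str, key_mode: int) -> str:
    """Create a temp dir with constructed placeholder cert files (not real PEM data)."""
    d = tempfile.mkdtemp(prefix="crdb-certs-")
    for name in cert_file_names(username):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("placeholder, not a real PEM file\n")
        os.chmod(path, key_mode if name.endswith(".key") else 0o644)
    return d


if __name__ == "__main__":
    print(select_auth_mode(DbUserConfig("zitadel", password="example-only")))
    good = make_demo_certs_dir("root", 0o600)
    print(select_auth_mode(DbUserConfig("root", certs_dir=good)))
    loose = make_demo_certs_dir("root", 0o644)
    try:
        select_auth_mode(DbUserConfig("root", certs_dir=loose))
    except AuthConfigError as e:
        print("rejected:", e)
```

The "not both" branch is the validation change the maintainer proposes: once the chart can create client certs, a password set alongside them would be a configuration mistake rather than a second factor, so it is rejected rather than silently ignored.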

DoGab avatar DoGab commented on May 30, 2024

Yes it does. You are free to choose if you want ZITADEL to set a password for the new user or if you want to generate and provide client certificates.

Alright. If you don't set a password for the database and it is created automatically, where can you retrieve it? Is this even possible?

You either need pw authentication or cert authentication for TLS enabled cockroach clusters. As nothing creates the client certs right now, the chart expects you to provide a password for the new user. We could probably change that, so the chart creates the user certs for better UX. That's what I meant above #25 (comment)

Alright, yeah that makes sense.

If I understand you correctly, you'd prefer to use cert authentication over pw authentication anyway, right? Maybe, it also makes sense to use cert authentication by default from a security perspective, as then you need to have the cert, not just know the pw.

I guess cert authentication is the recommended way by CockroachDB and we also use it. It may make sense to switch to this by default. But this is definitely not urgent.


eliobischof avatar eliobischof commented on May 30, 2024

If you don't set a password for the database and it is created automatically, where can you retrieve it? Is this even possible?

Currently it's not possible because of the validation I linked above 🙂

I'll rename the issue 👍


DoGab avatar DoGab commented on May 30, 2024

Currently it's not possible because of the validation I linked above 🙂

I'll rename the issue 👍

Alright! Perfect thanks :)


eliobischof avatar eliobischof commented on May 30, 2024

That's obsolete as we removed the crdb subchart.

