From 4e1dcc06929a97c44225ec3df9b1bad40f1d1f53 Mon Sep 17 00:00:00 2001 From: Dominik from Unique Date: Wed, 2 Aug 2023 14:35:13 +0200 Subject: [PATCH] docs: describe database user credentials handling (#6283) * feat: Add full example for helmfile + PostgreSQL - Adds full helmfile + PostgreSQL example - Extends production checklist for bullet about insecure credentials - Extends database documentation to ensure secure user rotation Refs: https://discord.com/channels/927474939156643850/927866013545025566/1133692721710772294 * chore: revert example and move to zitadel-charts --------- Co-authored-by: Elio Bischof Co-authored-by: Fabi --- docs/docs/self-hosting/manage/database/_postgres.mdx | 4 ++-- docs/docs/self-hosting/manage/database/database.mdx | 11 ++++++++++- docs/docs/self-hosting/manage/productionchecklist.md | 1 + 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/docs/docs/self-hosting/manage/database/_postgres.mdx b/docs/docs/self-hosting/manage/database/_postgres.mdx index 2a50d337ed..543c895991 100644 --- a/docs/docs/self-hosting/manage/database/_postgres.mdx +++ b/docs/docs/self-hosting/manage/database/_postgres.mdx @@ -51,7 +51,7 @@ CREATE DATABASE zitadel; GRANT CONNECT, CREATE ON DATABASE zitadel TO zitadel; ``` -Don't forget to adjust pg_hba.conf and set a password for the zitadel user. +Don't forget to adjust `pg_hba.conf` and set a password for the zitadel user. With the setup done, follow the [phases guide](/docs/self-hosting/manage/updating_scaling#separating-init-and-setup-from-the-runtime) -to run the init and then setup phase to get all necessary tables and data set up. +to run the init and then setup phase to get all necessary tables and data set up. \ No newline at end of file diff --git a/docs/docs/self-hosting/manage/database/database.mdx b/docs/docs/self-hosting/manage/database/database.mdx index 688159fd7f..7000cb00d0 100644 --- a/docs/docs/self-hosting/manage/database/database.mdx +++ b/docs/docs/self-hosting/manage/database/database.mdx @@ -25,4 +25,13 @@ import Postgres from './_postgres.mdx' - \ No newline at end of file + + +## Zitadel credentials +The [init phase](/docs/self-hosting/manage/updating_scaling#separating-init-and-setup-from-the-runtime) of Zitadel creates a the zitadel user (`Database.*.User.Username` & `Database.*.User.Password`) with their password if it does not exist (and Admin credentials are passed). It is though to note that it does **neither** update **nor** deprecate them. In case you provisioned a Zitadel setup with insecure or _easy-to-guess_ values you should first of all rotate them but also manually ensure, that the old role/user gets deprecated. + +If you rotate the credentials you either must opt for a new username or deprecate the old user first (might lead to interruptions) since the init phase will fail if the user already exists but only the password changes. To deprecate the old user you need admin access to your database server and remove the user with commands matching your database provider. + +:::caution +Recreating a database will not necessarily remove the user, make sure to check for the user and remove it if necessary. +::: \ No newline at end of file diff --git a/docs/docs/self-hosting/manage/productionchecklist.md b/docs/docs/self-hosting/manage/productionchecklist.md index 2f02361b77..4dd93328bd 100644 --- a/docs/docs/self-hosting/manage/productionchecklist.md +++ b/docs/docs/self-hosting/manage/productionchecklist.md @@ -45,6 +45,7 @@ To apply best practices to your production setup we created a step by step check ### Security +- [ ] Ensure that your ZITADEL does not use [the default, example or _easy-to-guess_ credentials](/docs/self-hosting/manage/database#zitadel-credentials) - [ ] Use a FQDN and a trusted valid certificate for external [TLS](/docs/self-hosting/manage/tls_modes#http2) connections - [ ] Create service accounts for applications that interact with ZITADEL's APIs - [ ] Make use of a CDN service to decrease the load for static assets served by ZITADEL