try compose with secure crdb

2025-11-02 08:39:03 +00:00 · 2022-06-13 18:58:56 +02:00
parent e7624710b5
commit 4ec0ff200d
10 changed files with 71 additions and 36 deletions
--- a/docs/docs/guides/installation/configure/compose.mdx
+++ b/docs/docs/guides/installation/configure/compose.mdx
@@ -1,21 +1,21 @@
 ```bash
 # Download the docker compose example configuration. For example:
-wget https://docs.zitadel.com/docs/guides/configure/docker-compose.yaml
+wget -Ohttps://docs.zitadel.com/docs/guides/configure/docker-compose.yaml

-# Download and adjust the example configuration file containing standard configuration. For example:
-wget https://docs.zitadel.com/docs/guides/configure/example-zitadel-config.yaml
+# Download and adjust the example configuration file containing standard configuration
+wget -O https://docs.zitadel.com/docs/guides/configure/example-zitadel-config.yaml /tmp/

-# Download and adjust the example configuration file containing secret configuration. For example:
-wget https://docs.zitadel.com/docs/guides/configure/example-zitadel-secrets.yaml
+# Download and adjust the example configuration file containing secret configuration
+wget -O https://docs.zitadel.com/docs/guides/configure/example-zitadel-secrets.yaml /tmp/

-# Download and adjust the example configuration file containing database initialization configuration. For example:
-wget https://docs.zitadel.com/docs/guides/configure/example-zitadel-init-steps.yaml
+# Download and adjust the example configuration file containing database initialization configuration
+wget -O https://docs.zitadel.com/docs/guides/configure/example-zitadel-init-steps.yaml /tmp/

 # A single ZITADEL instance always needs the same 32 characters long masterkey
 # If you haven't done so already, you can generate a new one
 # The key must be passed as argument
 # For example:
-ZITADEL_MASTERKEY="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"
+export ZITADEL_MASTERKEY="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"

 # Run the database and application containers
 docker compose up --detach
--- a/docs/docs/guides/installation/configure/configure.mdx
+++ b/docs/docs/guides/installation/configure/configure.mdx
@@ -68,7 +68,6 @@ For example, if you want to configure the default ZITADEL IAM admin username and
 ## What's next
 - If you want to run ZITADEL in production, you most certainly need to [customize your own domain](./custom-domain).
 - We strongly recommend you [run cockroachdb in secure mode](./secure-cockroachdb).
- Also, you should configure an own [username and password for the IAM admin user](iam-admin-user) created by ZITADEL.

 :::caution

--- a/docs/docs/guides/installation/configure/docker-compose.yaml
+++ b/docs/docs/guides/installation/configure/docker-compose.yaml
@@ -1,12 +1,13 @@
 version: '3.8'

 services:
+
  zitadel:
    restart: 'always'
    networks:
      - 'zitadel'
    image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.24-amd64'
-    command: 'admin start-from-init --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml --steps /example-zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}"'
+    command: 'admin start-from-init --config /tmp/example-zitadel-config.yaml --config /tmp/example-zitadel-secrets.yaml --steps /tmp/example-zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}"'
    healthcheck:
      test: ["CMD", "zitadel", "admin", "status", "health"]
      interval: '10s'
@@ -14,14 +15,33 @@ services:
      retries: 5
      start_period: '40s'
    depends_on:
-      my-cockroach-db:
-        condition: 'service_healthy'
+      chown:
+        condition: 'service_completed_successfully'
    ports:
      - '8080:8080'
    volumes:
-      - './example-zitadel-config.yaml:/'
-      - './example-zitadel-secrets.yaml:/'
-      - './example-zitadel-init-steps.yaml:/'
+      - './example-zitadel-config.yaml:/tmp/example-zitadel-config.yaml:ro'
+      - './example-zitadel-secrets.yaml:/tmp/example-zitadel-secrets.yaml:ro'
+      - './example-zitadel-init-steps.yaml:/tmp/example-zitadel-init-steps.yaml:ro'
+      - 'chowned-certs:/crdb-certs/'
+
+  debug:
+    image: 'bash:5.1.16-alpine3.15'
+    command: 'sleep 99999'
+    volumes:
+      - 'certs:/certs/:ro'
+      - 'chowned-certs:/chowned-certs/:rw'
+
+  chown:
+    image: 'bash:5.1.16-alpine3.15'
+    command: '[ -n "$$(ls -A /certs)" ] && cp /certs/* /chowned-certs/ && chown 1000:1000 /chowned-certs/* && chmod 400 /chowned-certs/*'
+    restart: 'always'
+    volumes:
+      - 'certs:/certs/:ro'
+      - 'chowned-certs:/chowned-certs/:rw'
+    depends_on:
+      my-cockroach-db:
+        condition: 'service_healthy'

  my-cockroach-db:
    restart: 'always'
@@ -38,6 +58,14 @@ services:
    ports:
      - '9090:8080'
      - '26257:26257'
+    volumes:
+      - 'certs:/cockroach/certs/:rw'
+      - 'data:/cockroach/cockroach-data/:rw'

 networks:
  zitadel:
+
+volumes:
+  certs:
+  chowned-certs:
+  data:
--- a/docs/docs/guides/installation/configure/example-zitadel-config.yaml
+++ b/docs/docs/guides/installation/configure/example-zitadel-config.yaml
@@ -1,3 +1,21 @@
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml
+Log:
+  Level: 'info'
+
 Database:
  Host: 'my-cockroach-db'
+  User:
+    SSL:
+      Mode: 'verify-full'
+      RootCert: "/crdb-certs/ca.crt"
+      Cert: "/crdb-certs/client.root.crt"
+      Key: "/crdb-certs/client.root.key"
+
+AdminUser:
+  Username: 'root'
+  Password: ''
+  SSL:
+    Mode: 'verify-full'
+    RootCert: "/crdb-certs/ca.crt"
+    Cert: "/crdb-certs/client.root.crt"
+    Key: "/crdb-certs/client.root.key"
--- a/docs/docs/guides/installation/configure/linuxunix.mdx
+++ b/docs/docs/guides/installation/configure/linuxunix.mdx
@@ -2,13 +2,13 @@

 ```bash
 # Download and adjust the example configuration file containing standard configuration
-wget https://docs.zitadel.com/docs/guides/configure/example-zitadel-config.yaml
+wget -O https://docs.zitadel.com/docs/guides/configure/example-zitadel-config.yaml /tmp/

 # Download and adjust the example configuration file containing secret configuration
-wget https://docs.zitadel.com/docs/guides/configure/example-zitadel-secrets.yaml
+wget -O https://docs.zitadel.com/docs/guides/configure/example-zitadel-secrets.yaml /tmp/

 # Download and adjust the example configuration file containing database initialization configuration
-wget https://docs.zitadel.com/docs/guides/configure/example-zitadel-init-steps.yaml
+wget -O https://docs.zitadel.com/docs/guides/configure/example-zitadel-init-steps.yaml /tmp/

 # A single ZITADEL instance always needs the same 32 characters long masterkey
 # If you haven't done so already, you can generate a new one
@@ -17,9 +17,9 @@ ZITADEL_MASTERKEY="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"

 # Pass zitadel configuration by configuration files
 zitadel admin start-from-init \
-    --config ./example-zitadel-config.yaml \
-    --config ./example-zitadel-secrets.yaml \
-    --steps ./example-zitadel-init-steps.yaml \
+    --config /tmp/example-zitadel-config.yaml \
+    --config /tmp/example-zitadel-secrets.yaml \
+    --steps /tmp/example-zitadel-init-steps.yaml \
    --masterkey "${ZITADEL_MASTERKEY}"
 ```

@@ -36,7 +36,7 @@ export ZITADEL_S3DEFAULTINSTANCE_ORG_HUMAN_PASSWORD="RootPassword1!"
 # A single ZITADEL instance always needs the same 32 characters long masterkey
 # If you haven't done so already, you can generate a new one
 # The key must be passed as argument
-ZITADEL_MASTERKEY="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"
+export ZITADEL_MASTERKEY="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"

 # Let the zitadel binary read configuration from environment variables
 zitadel admin start-from-init --masterkey "${ZITADEL_MASTERKEY}"
--- a/docs/docs/guides/installation/custom-domain.md
+++ b/docs/docs/guides/installation/custom-domain.md
@@ -6,11 +6,9 @@ title: Custom Domain

 This guide assumes you are already familiar with [configuring ZITADEL](./configure).

-## What to configure
-
 You most probably need to configure these fields for making ZITADEL work on your custom domain.

-### Standard Config
+## Standard Config

 For security reasons, ZITADEL only serves requests sent to the expected protocol, host and port

@@ -20,7 +18,7 @@ ExternalDomain: 'zitadel.my.domain'
 ExternalPort: 443
 ```

-### Database Initialization Steps Config
+## Database Initialization Steps Config

 ZITADEL creates random subdomains for each instance created.
 However, for the default instance, this is most probably not the desired behavior.
--- a/docs/docs/guides/installation/iam-admin-user.md
+++ b/docs/docs/guides/installation/iam-admin-user.md
@@ -1,8 +0,0 @@
---
-title: IAM Admin User
---
-
-# Improve Security With a Non-Standard Init User
-
-This guide assumes you are already familiar with [configuring ZITADEL](./configure).
-
--- a/docs/docs/guides/installation/secure-cockroachdb/secure-cockroachdb.md
+++ b/docs/docs/guides/installation/secure-cockroachdb/secure-cockroachdb.md
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -44,8 +44,7 @@ module.exports = {
        "guides/installation/get-started/get-started",
        "guides/installation/configure/configure",
        "guides/installation/custom-domain",
-        "guides/installation/secure-cockroachdb",
-        "guides/installation/iam-admin-user",
+        "guides/installation/secure-cockroachdb/secure-cockroachdb",
        "guides/installation/http2-support/http2-support",
      ],
    },
--- a/example-zitadel-config.yaml
+++ b/example-zitadel-config.yaml
@@ -0,0 +1 @@
+/tmp/example-zitadel-config.yaml