From cff4fe5dfd1c615ca5e7fa2169ff34c4b2ddc732 Mon Sep 17 00:00:00 2001 
From: Elio Bischof Date: Tue, 29 Oct 2024 20:02:04 +0100 Subject: [PATCH] docs: fix and harmonize docker compose files (#8839) # Which Problems Are Solved 1. Postgres spams FATAL: role "root" does not exist as mentioned in https://github.com/zitadel/zitadel/discussions/7832 (even with -U) 2. The compose commands for a ZITADEL deployment with initial service account key don't work out-of-the box with a non-root user, because docker creates non-existing directories to bind-mount with root ownership. ![image](https://github.com/user-attachments/assets/f2fc92d5-2ff4-47a4-bf4d-e9657aa2bb94) ``` time="2024-10-29T09:37:13Z" level=error msg="migration failed" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:68" error="open /machinekey/zitadel-admin-sa.json: permission denied" name=03_default_instance time="2024-10-29T09:37:13Z" level=fatal msg="migration failed" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:248" error="open /machinekey/zitadel-admin-sa.json: permission denied" name=03_default_instance ``` # How the Problems Are Solved 1. The branch bases on https://github.com/zitadel/zitadel/pull/8826. The env vars are cleaned up and prettified across compose files. 2. A command is added to the docs that creates the directory with the current users permission. The ZITADEL container runs with the current users ID. # Additional Context - Replaces https://github.com/zitadel/zitadel/pull/8826 - Discussion https://github.com/zitadel/zitadel/discussions/7832 - Closes https://github.com/zitadel/zitadel/issues/7725 --------- Co-authored-by: m4tu4g <71326926+m4tu4g@users.noreply.github.com> --- .devcontainer/docker-compose.yml | 23 ++-- docs/docs/self-hosting/deploy/compose.mdx | 3 + .../deploy/docker-compose-sa.yaml | 38 +++---- .../self-hosting/deploy/docker-compose.yaml | 27 ++--- .../manage/reverseproxy/docker-compose.yaml | 106 +++++++++--------- 5 files changed, 98 insertions(+), 99 deletions(-) 
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index fd92959d3f..cece28632b 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -8,25 +8,24 @@ services:
 network_mode: service:db
 command: sleep infinity
 environment:
- - 'ZITADEL_DATABASE_POSTGRES_HOST=db'
- - 'ZITADEL_DATABASE_POSTGRES_PORT=5432'
- - 'ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel'
- - 'ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel'
- - 'ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel'
- - 'ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable'
- - 'ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres'
- - 'ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres'
- - 'ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable'
- - 'ZITADEL_EXTERNALSECURE=false'
+ ZITADEL_DATABASE_POSTGRES_HOST: db
+ ZITADEL_DATABASE_POSTGRES_PORT: 5432
+ ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
+ ZITADEL_EXTERNALSECURE: false
 db:
 image: postgres:latest
 restart: unless-stopped
 volumes:
 - postgres-data:/var/lib/postgresql/data
 environment:
+ PGUSER: postgres
 POSTGRES_PASSWORD: postgres
- POSTGRES_USER: postgres
- POSTGRES_DB: postgres
 volumes:
 postgres-data:
diff --git a/docs/docs/self-hosting/deploy/compose.mdx b/docs/docs/self-hosting/deploy/compose.mdx
index 9d8efae1ad..370c0e7f5d 100644
--- a/docs/docs/self-hosting/deploy/compose.mdx
+++ b/docs/docs/self-hosting/deploy/compose.mdx
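Review bot: The converted environment mapping leaves `ZITADEL_DATABASE_POSTGRES_PORT: 5432` and `ZITADEL_EXTERNALSECURE: false` as a YAML integer and a YAML boolean rather than strings. Current Compose stringifies them, but as far as I recall the legacy docker-compose v1 validator rejected boolean environment values outright, and any other YAML consumer or linter sees typed values where a string is meant; quoting them, `ZITADEL_DATABASE_POSTGRES_PORT: "5432"` and `ZITADEL_EXTERNALSECURE: "false"`, keeps the intent explicit. The same applies to the mappings introduced in the docker-compose-sa.yaml, docker-compose.yaml and reverseproxy hunks that follow, including their `true`/`false` and port values.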
@@ -51,6 +51,9 @@ By executing the commands below, you will download the following file:
 # Download the docker compose example configuration.
 wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/deploy/docker-compose-sa.yaml -O docker-compose.yaml
+# create the machine key directory
+mkdir machinekey
+
 # Run the database and application containers.
 docker compose up --detach
diff --git a/docs/docs/self-hosting/deploy/docker-compose-sa.yaml b/docs/docs/self-hosting/deploy/docker-compose-sa.yaml
index 4e43f9f8dc..95608fd76d 100644
--- a/docs/docs/self-hosting/deploy/docker-compose-sa.yaml
+++ b/docs/docs/self-hosting/deploy/docker-compose-sa.yaml
@@ -1,27 +1,27 @@
-version: '3.8'
-
 services:
 zitadel:
+ # The user should have the permission to write to ./machinekey
+ user: "${UID:-1000}"
 restart: 'always'
 networks:
 - 'zitadel'
 image: 'ghcr.io/zitadel/zitadel:latest'
 command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
 environment:
- - 'ZITADEL_DATABASE_POSTGRES_HOST=db'
- - 'ZITADEL_DATABASE_POSTGRES_PORT=5432'
- - 'ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel'
- - 'ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel'
- - 'ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel'
- - 'ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable'
- - 'ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres'
- - 'ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres'
- - 'ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable'
- - 'ZITADEL_EXTERNALSECURE=false'
- - 'ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH=/machinekey/zitadel-admin-sa.json'
- - 'ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa'
- - 'ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin'
- - 'ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE=1'
+ ZITADEL_DATABASE_POSTGRES_HOST: db
+ ZITADEL_DATABASE_POSTGRES_PORT: 5432
+ ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
+ ZITADEL_EXTERNALSECURE: false
+ ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH: /machinekey/zitadel-admin-sa.json
+ ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME: zitadel-admin-sa
+ ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME: Admin
+ ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE: 1
 depends_on:
 db:
 condition: 'service_healthy'
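Review bot: `user: "${UID:-1000}"` only gives the "runs as the current user" behaviour the description promises when `UID` is actually present in Compose's environment, and in bash `UID` is a shell variable that is not exported by default, so on many hosts the substitution silently falls back to 1000. Where the host user's id differs from 1000 the container still cannot write into the `./machinekey` directory the docs step creates, and the `permission denied` from the description comes back; the compose.mdx step should tell readers to `export UID` (or put `UID=$(id -u)` into a `.env` file) before `docker compose up`. Since that directory receives the admin service-account key written to `/machinekey/zitadel-admin-sa.json`, creating it with `mkdir -m 700 machinekey` would also limit which host users can read the key. The added comment could say so too: `# Must match the host user that owns ./machinekey; export UID before running compose`.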
@@ -34,12 +34,12 @@ services:
 restart: 'always'
 image: postgres:16-alpine
 environment:
- - POSTGRES_USER=postgres
- - POSTGRES_PASSWORD=postgres
+ PGUSER: postgres
+ POSTGRES_PASSWORD: postgres
 networks:
 - 'zitadel'
 healthcheck:
- test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
+ test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"]
 interval: '10s'
 timeout: '30s'
 retries: 5
diff --git a/docs/docs/self-hosting/deploy/docker-compose.yaml b/docs/docs/self-hosting/deploy/docker-compose.yaml
index 289c80d5b1..e32700ace4 100644
--- a/docs/docs/self-hosting/deploy/docker-compose.yaml
+++ b/docs/docs/self-hosting/deploy/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 zitadel:
 restart: 'always'
@@ -8,16 +6,16 @@ services:
 image: 'ghcr.io/zitadel/zitadel:latest'
 command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
 environment:
- - 'ZITADEL_DATABASE_POSTGRES_HOST=db'
- - 'ZITADEL_DATABASE_POSTGRES_PORT=5432'
- - 'ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel'
- - 'ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel'
- - 'ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel'
- - 'ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable'
- - 'ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres'
- - 'ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres'
- - 'ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable'
- - 'ZITADEL_EXTERNALSECURE=false'
+ ZITADEL_DATABASE_POSTGRES_HOST: db
+ ZITADEL_DATABASE_POSTGRES_PORT: 5432
+ ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
+ ZITADEL_EXTERNALSECURE: false
 depends_on:
 db:
 condition: 'service_healthy'
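Review bot: In the new healthcheck `test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"]` the elements after `pg_isready` never reach it: `CMD-SHELL` runs `/bin/sh -c` with the next element as the command string, so `-d zitadel -U postgres` become the shell's positional parameters and the probe that actually runs is a bare `pg_isready`. That bare probe happens to be the right one, because `PGUSER: postgres` already selects the role and its same-named default database, whereas an applied `-d zitadel` would probe a database that, as far as I can tell, does not exist until ZITADEL's init step creates it, and the server logs a failed connection attempt for every such probe. I would drop the dead arguments, `test: ["CMD-SHELL", "pg_isready"]`, or switch to exec form, `test: ["CMD", "pg_isready", "-U", "postgres"]`, if explicit flags are wanted. The same line is added to the reverseproxy db healthcheck in the last hunk of this commit.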
@@ -28,9 +26,8 @@ services:
 restart: 'always'
 image: postgres:16-alpine
 environment:
- - POSTGRES_USER=postgres
- - POSTGRES_PASSWORD=postgres
- - POSTGRES_DB=zitadel
+ PGUSER: postgres
+ POSTGRES_PASSWORD: postgres
 networks:
 - 'zitadel'
 healthcheck:
diff --git a/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
index 851f012a7c..d7d929fa44 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
@@ -7,19 +7,19 @@ services:
 service: zitadel-init
 command: 'start-from-setup --init-projections --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
 environment:
- - ZITADEL_EXTERNALPORT=80
- - ZITADEL_EXTERNALSECURE=false
- - ZITADEL_TLS_ENABLED=false
+ ZITADEL_EXTERNALPORT: 80
+ ZITADEL_EXTERNALSECURE: false
+ ZITADEL_TLS_ENABLED: false
 # database configuration
- - ZITADEL_DATABASE_POSTGRES_HOST=db
- - ZITADEL_DATABASE_POSTGRES_PORT=5432
- - ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
- - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel_user
- - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel_pw
- - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
- - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
- - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres
- - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
+ ZITADEL_DATABASE_POSTGRES_HOST: db
+ ZITADEL_DATABASE_POSTGRES_PORT: 5432
+ ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
+ ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
+ ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: root
+ ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
 networks:
 - 'zitadel'
 depends_on:
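Review bot: The reverseproxy hunk keeps `ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: root` (password `postgres`) for this ZITADEL service, but the last hunk of the same commit removes `POSTGRES_USER=root` from that file's db service, so the official image will only initialise its default `postgres` superuser and the admin connection is attempted as a role that no longer exists, unless something outside the diff creates it. The three following hunks of the reverseproxy file carry the same admin username for the other ZITADEL services. Either align all four with the other compose files, `ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres`, or keep `POSTGRES_USER: root` on the db service. The docker-compose.yaml db hunk on this line is consistent on its own, since `PGUSER` and the image's default superuser are both `postgres`; its healthcheck continues outside the hunk.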
@@ -33,19 +33,19 @@ services:
 service: zitadel-init
 command: 'start-from-setup --init-projections --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
 environment:
- - ZITADEL_EXTERNALPORT=443
- - ZITADEL_EXTERNALSECURE=true
- - ZITADEL_TLS_ENABLED=false
+ ZITADEL_EXTERNALPORT: 443
+ ZITADEL_EXTERNALSECURE: true
+ ZITADEL_TLS_ENABLED: false
 # database configuration
- - ZITADEL_DATABASE_POSTGRES_HOST=db
- - ZITADEL_DATABASE_POSTGRES_PORT=5432
- - ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
- - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel_user
- - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel_pw
- - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
- - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
- - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres
- - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
+ ZITADEL_DATABASE_POSTGRES_HOST: db
+ ZITADEL_DATABASE_POSTGRES_PORT: 5432
+ ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
+ ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
+ ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: root
+ ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
 networks:
 - 'zitadel'
 depends_on:
@@ -59,21 +59,21 @@ services:
 service: zitadel-init
 command: 'start-from-setup --init-projections --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
 environment:
- - ZITADEL_EXTERNALPORT=443
- - ZITADEL_EXTERNALSECURE=true
- - ZITADEL_TLS_ENABLED=true
- - ZITADEL_TLS_CERTPATH=/etc/certs/selfsigned.crt
- - ZITADEL_TLS_KEYPATH=/etc/certs/selfsigned.key
+ ZITADEL_EXTERNALPORT: 443
+ ZITADEL_EXTERNALSECURE: true
+ ZITADEL_TLS_ENABLED: true
+ ZITADEL_TLS_CERTPATH: /etc/certs/selfsigned.crt
+ ZITADEL_TLS_KEYPATH: /etc/certs/selfsigned.key
 # database configuration
- - ZITADEL_DATABASE_POSTGRES_HOST=db
- - ZITADEL_DATABASE_POSTGRES_PORT=5432
- - ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
- - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel_user
- - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel_pw
- - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
- - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
- - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres
- - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
+ ZITADEL_DATABASE_POSTGRES_HOST: db
+ ZITADEL_DATABASE_POSTGRES_PORT: 5432
+ ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
+ ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
+ ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: root
+ ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
 volumes:
 - ./selfsigned.crt:/etc/certs/selfsigned.crt
 - ./selfsigned.key:/etc/certs/selfsigned.key
@@ -96,22 +96,22 @@ services:
 # Using an external domain other than localhost proofs, that the proxy configuration works.
 # If ZITADEL can't resolve a requests original host to this domain,
 # it will return a 404 Instance not found error.
- - ZITADEL_EXTERNALDOMAIN=127.0.0.1.sslip.io
+ ZITADEL_EXTERNALDOMAIN: 127.0.0.1.sslip.io
 # In case something doesn't work as expected,
 # it can be handy to be able to read the access logs.
- - ZITADEL_LOGSTORE_ACCESS_STDOUT_ENABLED=true
+ ZITADEL_LOGSTORE_ACCESS_STDOUT_ENABLED: true
 # For convenience, ZITADEL should not ask to change the initial admin users password.
- - ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED=false
+ ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED: false
 # database configuration
- - ZITADEL_DATABASE_POSTGRES_HOST=db
- - ZITADEL_DATABASE_POSTGRES_PORT=5432
- - ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
- - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel_user
- - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel_pw
- - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
- - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
- - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres
- - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
+ ZITADEL_DATABASE_POSTGRES_HOST: db
+ ZITADEL_DATABASE_POSTGRES_PORT: 5432
+ ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
+ ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
+ ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
+ ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: root
+ ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
+ ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
 networks:
 - 'zitadel'
 healthcheck:
@@ -125,10 +125,10 @@ services:
 restart: 'always'
 image: postgres:16-alpine
 environment:
- - POSTGRES_USER=root
- - POSTGRES_PASSWORD=postgres
+ PGUSER: root
+ POSTGRES_PASSWORD: postgres
 healthcheck:
- test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
+ test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"]
 interval: 5s
 timeout: 60s
 retries: 10
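Review bot: `PGUSER: root` together with the removal of `POSTGRES_USER=root` in this same hunk means the healthcheck's `pg_isready` now probes as a role the image no longer creates, so the server logs `FATAL: role "root" does not exist` on every check — the exact spam this commit sets out to silence, only moved from the unset OS user to an explicit `root`. `PGUSER: postgres` matches the default superuser and the other two compose files in the commit; if `root` is kept, `POSTGRES_USER: root` must stay so the role exists. The `"-d", "zitadel", "-U", "postgres"` elements are dead under `CMD-SHELL` here too, as raised on the docker-compose-sa.yaml healthcheck.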