Passwordless Access to CockroachDB with SSO

ManagementGuideService ExamplesDatabases

Octelium provides seamless zero trust, secretless access to CockroachDB or any SaaS PostgreSQL-based database (read more about POSTGRES Services here) without having to share and manage passwords (read more about secretless access here).

A Simple Example

First we need to create a Secret for the CockroachDB database's password as follows:

octeliumctl create secret cockroachdb-password

Now we create the Service for our database as follows:

1kind: Service
2metadata:
3  name: cockroachdb
4spec:
5  mode: POSTGRES
6  port: 5432
7  config:
8    upstream:
9      url: postgres://abcdef-1234.aws-eu-west-1.cockroachlabs.cloud:26257
10    postgres:
11      user: <USER>
12      database: defaultdb
13      auth:
14        password:
15          fromSecret: cockroachdb-password
16      sslMode: REQUIRE

You can now apply the creation of the Service as follows (read more here):

octeliumctl apply /PATH/TO/SERVICE.YAML

Now after connecting to the Cluster via the octelium connect command (read more about connecting to Clusters here), you can simply access the database whose hostname is at cockroachdb.default or simply cockroachdb (read more here) as follows:

psql -h cockroachdb

Dynamic Configuration

You can also provide dynamic secretless access where you can set different users, databases and passwords for different Users under different contexts. Read more about dynamic configuration here. Here is an example where Users belonging to the production or admins Groups access a production database while the rest access a development database:

1apiVersion: core/v1
2kind: Service
3metadata:
4  name: cockroachdb
5spec:
6  mode: POSTGRES
7  port: 5432
8  dynamicConfig:
9    configs:
10      - name: production
11        upstream:
12          url: postgres://production-db.aws-eu-west-1.cockroachlabs.cloud:26257
13        postgres:
14          user: prod-user
15          database: prod-db
16          auth:
17            password:
18              fromSecret: prod-password
19          sslMode: REQUIRE
20      - name: development
21        upstream:
22          url: postgres://development-db.aws-eu-west-1.cockroachlabs.cloud:26257
23        postgres:
24          user: dev-user
25          database: dev-db
26          auth:
27            password:
28              fromSecret: dev-password
29          sslMode: REQUIRE
30    rules:
31      - condition:
32          match: ctx.user.spec.groups.hasAny(["production", "admins"])
33        configName: production
34      - condition:
35          matchAny: true
36        configName: development

NOTE

You might also want to read about Octelium's PostgreSQL L7 aware access control here and access logs here

Authentication

HUMAN Users can use their emails to authenticate to the Cluster via web browsers using IdentityProviders. There currently 3 methods:

GitHub OAuth IdentityProvider as shown in detail here
OpenID Connect IdentityProviders (e.g. Okta, Auth0, etc...) as shown here.
SAML 2.0 IdentityProviders (e.g. Okta, Entra ID, etc...) as shown here.

Furthermore, HUMAN Users can register their FIDO2 Authenticators (e.g. Yubikeys) in order to natively login later via Passkey (read more here).

NOTE

You can read more about Authenticators and WebAuthn/TOTP MFA as shown here.

For WORKLOAD Users, they can authenticate themselves via the octelium login or octeliumctl login commands using various ways:

OAuth2 client credentials (read more here)
"Secretless" OpenID Connect identity assertions which can be used by octelium CLIs and containers running in cloud providers, GitHub Action runners, Kubernetes clusters, etc... (read more here).
Access tokens directly issued and used as bearer authentication tokens (read more here).

Visibility

Octelium also provides OpenTelemetry-ready, application-layer L7 aware visibility and access logging in real time (see an example for PostgreSQL here). You can read more about visibility here.

On this Page

Dynamic Configuration

Authentication

Visibility