Octelium Logo
Documentation
Passwordless Access to CockroachDB

You can seamless zero trust, secret-less access to CockroachDB or any SaaS PostgreSQL-based database (read more about MYSQL Services here) without having to share and manage passwords (read more about secret-less access here).

First we need to create a Secret for the CockroachDB database's password as follows:

octeliumctl create secret cockroachdb-password

Now we create the Service for our database as follows:

1
kind: Service

2
metadata:

3
  name: cockroachdb

4
spec:

5
  mode: POSTGRES

6
  port: 5432

7
  config:

8
    upstream:

9
      url: postgres://abcdef-1234.aws-eu-west-1.cockroachlabs.cloud:26257

10
    postgres:

11
      user: <USER>

12
      database: defaultdb

13
      auth:

14
        password:

15
          fromSecret: cockroachdb-password

16
      sslMode: REQUIRE

You can now apply the creation of the Service as follows (read more here):

octeliumctl apply /PATH/TO/SERVICE.YAML

Now after connecting to the Cluster via the octelium connect command (read more about connecting to Clusters here), you can simply access the database whose hostname is at cockroachdb.default or simply cockroachdb (read more here) as follows:

psql -h cockroachdb

You can also provide dynamic secret-less access where you can set different users, databases and passwords for different Users under different contexts. Read more about dynamic configuration here. Here is an example where Users belonging to the production or admins Groups access a production database while the rest access a development database:

1
apiVersion: core/v1

2
kind: Service

3
metadata:

4
  name: cockroachdb

5
spec:

6
  mode: POSTGRES

7
  port: 5432

8
  dynamicConfig:

9
    configs:

10
      - name: production

11
        upstream:

12
          url: postgres://production-db.aws-eu-west-1.cockroachlabs.cloud:26257

13
        postgres:

14
          user: prod-user

15
          database: prod-db

16
          auth:

17
            password:

18
              fromSecret: prod-password

19
          sslMode: REQUIRE

20
      - name: development

21
        upstream:

22
          url: postgres://development-db.aws-eu-west-1.cockroachlabs.cloud:26257

23
        postgres:

24
          user: dev-user

25
          database: dev-db

26
          auth:

27
            password:

28
              fromSecret: dev-password

29
          sslMode: REQUIRE

30
    rules:

31
      - condition:

32
          match: ctx.user.spec.groups.hasAny("production", "admins")

33
        configName: production

34
      - condition:

35
          matchAny: true

36
        configName: development
NOTE

You might also want to read about Octelium's PostgreSQL L7 aware access control here and access logs here

Octelium also provides OpenTelemetry-ready, application-layer L7 aware visibility and access logging in real time (see an example for PostgreSQL here). You can read more about visibility here.

© 2025 octelium.comOctelium Labs, LLCAll rights reserved
Octelium and Octelium logo are trademarks of Octelium Labs, LLC.
WireGuard is a registered trademark of Jason A. Donenfeld
AboutContactEnterprise
Privacy PolicyTerms