Passwordless Access to CockroachDB

You can seamless zero trust, secret-less access to CockroachDB or any SaaS PostgreSQL-based database (read more about MYSQL Services here) without having to share and manage passwords (read more about secret-less access here).

First we need to create a Secret for the CockroachDB database's password as follows:

octeliumctl create secret cockroachdb-password

Now we create the Service for our database as follows:

1
kind: Service
2
metadata:
3
name: cockroachdb
4
spec:
5
mode: POSTGRES
6
port: 5432
7
config:
8
upstream:
9
url: postgres://abcdef-1234.aws-eu-west-1.cockroachlabs.cloud:26257
10
postgres:
11
user: <USER>
12
database: defaultdb
13
auth:
14
password:
15
fromSecret: cockroachdb-password
16
sslMode: REQUIRE

You can now apply the creation of the Service as follows (read more here):

octeliumctl apply /PATH/TO/SERVICE.YAML

Now after connecting to the Cluster via the octelium connect command (read more about connecting to Clusters here), you can simply access the database whose hostname is at cockroachdb.default or simply cockroachdb (read more here) as follows:

psql -h cockroachdb

You can also provide dynamic secret-less access where you can set different users, databases and passwords for different Users under different contexts. Read more about dynamic configuration here. Here is an example where Users belonging to the production or admins Groups access a production database while the rest access a development database:

1
apiVersion: core/v1
2
kind: Service
3
metadata:
4
name: cockroachdb
5
spec:
6
mode: POSTGRES
7
port: 5432
8
dynamicConfig:
9
configs:
10
- name: production
11
upstream:
12
url: postgres://production-db.aws-eu-west-1.cockroachlabs.cloud:26257
13
postgres:
14
user: prod-user
15
database: prod-db
16
auth:
17
password:
18
fromSecret: prod-password
19
sslMode: REQUIRE
20
- name: development
21
upstream:
22
url: postgres://development-db.aws-eu-west-1.cockroachlabs.cloud:26257
23
postgres:
24
user: dev-user
25
database: dev-db
26
auth:
27
password:
28
fromSecret: dev-password
29
sslMode: REQUIRE
30
rules:
31
- condition:
32
match: ctx.user.spec.groups.hasAny("production", "admins")
33
configName: production
34
- condition:
35
matchAny: true
36
configName: development
NOTE

You might also want to read about Octelium's PostgreSQL L7 aware access control here and access logs here

Octelium also provides OpenTelemetry-ready, application-layer L7 aware visibility and access logging in real time (see an example for PostgreSQL here). You can read more about visibility here.

© 2025 octelium.comOctelium Labs, LLCAll rights reserved
Octelium and Octelium logo are trademarks of Octelium Labs, LLC.
WireGuard is a registered trademark of Jason A. Donenfeld