You can provide seamless zero trust, secret-less access to CockroachDB or any SaaS PostgreSQL-based database (read more about MySQL Services here) without having to share and manage passwords (read more about secret-less access here).
First we need to create a Secret for the CockroachDB database's password as follows:
octeliumctl create secret cockroachdb-password
Now we create the Service for our database as follows:
apiVersion: core/v1
kind: Service
metadata:
  name: cockroachdb
spec:
  mode: POSTGRES
  port: 5432
  config:
    upstream:
      url: postgres://abcdef-1234.aws-eu-west-1.cockroachlabs.cloud:26257
    postgres:
      user: <USER>
      database: defaultdb
      auth:
        password:
          fromSecret: cockroachdb-password
      sslMode: REQUIRE
You can now apply the creation of the Service as follows (read more here):
octeliumctl apply /PATH/TO/SERVICE.YAML
Now, after connecting to the Cluster via the octelium connect command (read more about connecting to Clusters here), you can simply access the database whose hostname is cockroachdb.default, or simply cockroachdb (read more here), as follows:
psql -h cockroachdb
You can also provide dynamic secret-less access where you can set different users, databases and passwords for different Users under different contexts. Read more about dynamic configuration here. Here is an example where Users belonging to the production or admins Groups access a production database while the rest access a development database:
apiVersion: core/v1
kind: Service
metadata:
  name: cockroachdb
spec:
  mode: POSTGRES
  port: 5432
  dynamicConfig:
    configs:
      - name: production
        upstream:
          url: postgres://production-db.aws-eu-west-1.cockroachlabs.cloud:26257
        postgres:
          user: prod-user
          database: prod-db
          auth:
            password:
              fromSecret: prod-password
          sslMode: REQUIRE
      - name: development
        upstream:
          url: postgres://development-db.aws-eu-west-1.cockroachlabs.cloud:26257
        postgres:
          user: dev-user
          database: dev-db
          auth:
            password:
              fromSecret: dev-password
          sslMode: REQUIRE
    rules:
      - condition:
          match: ctx.user.spec.groups.hasAny("production", "admins")
        configName: production
      - condition:
          matchAny: true
        configName: development
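As an added illustration that is not part of Octelium's documentation or code, the following Python models how the rules above pick a config for a User and lints the manifest for the secret-less posture the page relies on (every password sourced from a Secret, TLS required, a matchAny catch-all last). The dict is the parsed form of the YAML above; the rule evaluation is a simplified stand-in for Octelium's own engine and supports only the two condition shapes shown on this page.

```python
import re
# Parsed form of the dynamicConfig Service manifest above (constructed from the page's YAML).
SERVICE = {
    "spec": {
        "mode": "POSTGRES",
        "dynamicConfig": {
            "configs": [
                {"name": "production", "postgres": {"user": "prod-user", "database": "prod-db",
                 "auth": {"password": {"fromSecret": "prod-password"}}, "sslMode": "REQUIRE"}},
                {"name": "development", "postgres": {"user": "dev-user", "database": "dev-db",
                 "auth": {"password": {"fromSecret": "dev-password"}}, "sslMode": "REQUIRE"}},
            ],
            "rules": [
                {"condition": {"match": 'ctx.user.spec.groups.hasAny("production", "admins")'},
                 "configName": "production"},
                {"condition": {"matchAny": True}, "configName": "development"},
            ],
        },
    }
}

# Hypothetical, minimal matcher for the one expression form used on this page (not Octelium's evaluator).
HAS_ANY = re.compile(r'^ctx\.user\.spec\.groups\.hasAny\((.*)\)$')


def lint_service(service):
    """Posture checks: passwords come from Secrets, TLS is required, a catch-all rule exists."""
    findings = []
    dyn = service["spec"]["dynamicConfig"]
    for cfg in dyn["configs"]:
        pg = cfg["postgres"]
        if "fromSecret" not in pg.get("auth", {}).get("password", {}):
            findings.append(f"{cfg['name']}: password is not sourced from a Secret")
        if pg.get("sslMode") != "REQUIRE":
            findings.append(f"{cfg['name']}: sslMode is not REQUIRE")
    if not dyn["rules"] or not dyn["rules"][-1]["condition"].get("matchAny"):
        findings.append("rules: last rule is not a matchAny catch-all")
    return findings


def select_config(service, user_groups):
    """First matching rule wins; only matchAny and groups.hasAny(...) are modelled here."""
    for rule in service["spec"]["dynamicConfig"]["rules"]:
        cond = rule["condition"]
        if cond.get("matchAny"):
            return rule["configName"]
        m = HAS_ANY.match(cond.get("match", ""))
        if m and {g.strip().strip('"') for g in m.group(1).split(",")} & set(user_groups):
            return rule["configName"]
    return None
```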
Octelium also provides OpenTelemetry-ready, application-layer (L7) aware visibility and access logging in real time (see an example for PostgreSQL here). You can read more about visibility here.