# ory-selfhosting
a
I am having an absolutely awful time trying to get connections working between kratos and cockroachdb based on documentation. Is there anyone that can help with this? Be happy to share docker compose and env variables in thread.
t
What issues are you facing?
a
I get various errors depending on the DSN prefix I use, but connection is usually refused
currently it is:
failed to connect to `host=crdb-kratos user=kratos database=kratos`: server error (ERROR: password authentication failed for user kratos (SQLSTATE 28P01))
t
Are you running with sslmode?
a
I have tried both:
- DSN=cockroach://${COCKROACH_USER}:${COCKROACH_PASSWORD}@${COCKROACH_HOST}:${COCKROACH_PORT}/${COCKROACH_DATABASE}?sslmode=disable&max_conns=20&max_idle_conns=4
and
- DSN=postgres://${COCKROACH_USER}:${COCKROACH_PASSWORD}@${COCKROACH_HOST}:${COCKROACH_PORT}/${COCKROACH_DATABASE}?sslmode=disable&max_conns=20&max_idle_conns=4
I have also tried putting password as a query for both.
cockroach prefix is based on your docs, postgres is based on cockroachdb docs
t
(Disclaimer, I don't work for Ory)
a
No worries, thank you very much for even trying to help. This has been really annoying
my env vars are:
# CockroachDB for Ory
COCKROACH_DATABASE=kratos
COCKROACH_PASSWORD=secret
COCKROACH_USER=kratos
COCKROACH_HOST=crdb-kratos # Default host and port: localhost:26257
COCKROACH_PORT=26257
Most of my docker compose:
########################## TO TEST KRATOS ##########################

  # https://www.cockroachlabs.com/docs/stable/cockroach-commands
  # https://www.cockroachlabs.com/docs/stable/start-a-local-cluster-in-docker-linux
  crdb-kratos:
    restart: 'always'
    image: 'cockroachdb/cockroach:v23.1.8'
    env_file:
      - .env
    command: 'start-single-node --insecure'
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
      interval: '10s'
      timeout: '30s'
      retries: 5
      start_period: '20s'
    ports:
      - '9090:8080'
      - '26257:26257'
    volumes:
      - type: volume
        source: crdb-kratos-volume
        target: /cockroach/cockroach-data

  # there is a distroless image version for production
  kratos-selfservice-ui-node:
    image: oryd/kratos-selfservice-ui-node:latest
    environment:
      - KRATOS_PUBLIC_URL=http://host.docker.internal:8080/ # For connectivity between containers
      - KRATOS_BROWSER_URL=http://127.0.0.1:8080/
    restart: on-failure

  kratos-migrate:
    image: oryd/kratos:v1.0.0
    links:
      - crdb-kratos:crdb-kratos
    env_file:
      - .env
    environment:
      # https://www.cockroachlabs.com/docs/stable/connection-parameters
      # connection url from cockroach docs: postgres://<username>:<password>@<host>:<port>/<database>?<parameters>
      # https://www.ory.sh/docs/self-hosted/deployment#cockroachdb
      # connection url from ory docs: cockroach://user:password@host:123/database
      - DSN=cockroach://${COCKROACH_USER}:${COCKROACH_PASSWORD}@${COCKROACH_HOST}:${COCKROACH_PORT}/${COCKROACH_DATABASE}?sslmode=disable&max_conns=20&max_idle_conns=4
    volumes:
      - type: bind
        source: ./kratos
        target: /etc/config/kratos
    command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes

  kratos:
    image: oryd/kratos:v1.0.0
    links:
      - crdb-kratos:crdb-kratos
    env_file:
      - .env
    environment:
      - DSN=cockroach://${COCKROACH_USER}:${COCKROACH_PASSWORD}@${COCKROACH_HOST}:${COCKROACH_PORT}/${COCKROACH_DATABASE}?sslmode=disable&max_conns=20&max_idle_conns=4
    volumes:
      - type: bind
        source: ./kratos
        target: /etc/config/kratos
    command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier

  mailslurper:
    image: oryd/mailslurper:latest-smtps
t
Just testing locally, 2 secs
a
Thank you Adam
note I have been using postgres:// more than cockroach because of cockroachdb docs for dsn. I am trying to get to the bottom of why Ory has a cockroach:// prefix, but haven't heard back from ory or cockroachdb about that yet. About to start grepping
This quickstart uses root user, but I have not seen anything that uses something other than root for cockroach connection yet: https://github.com/ory/kratos/blob/ed0860680b0c11141e61bb7e4dbde7817b4886ef/quickstart-crdb.yml#L6
But I am assuming they will do some string manipulation for cockroach for passwords because special character passwords must be passed in query parameter
t
I can't recreate the issue locally. If you exec into the container and echo $DSN, is the string correctly formatted?
I wonder if the evaluation of one of the vars inside DSN isn't formatting correctly (maybe escaping the string etc)
a
result:
DSN=postgres://kratos@crdb-kratos:26257/kratos?sslmode=disable&max_conns=20&max_idle_conns=4&?password=secret
looks like it is, yes
t
The end of the string has a typo, &?
a
That was my bad just experimenting putting password in query part of url
same error if it is not there
it correctly formats
t
I know you can't share the password, but nothing in the password string that should be escaped, like @ & ! * | etc?
a
nope, password is "secret"
postgres://kratos:secret@crdb-kratos:26257/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
t
ah, I assumed you used secret just to avoid sharing the actual password 😅
a
that is back to normal formatting
No, I am just using it to test
I am just assessing this right now
So far not going well lol
I was excited because they publish an official rust-sdk through openAPI schema
but I was up and running with Zitadel in like 3 min using cockroach db
This I have burned a full day on so far
t
How are you running Cockroach? Just the docker container?
a
Ya, what I shared
Did it same way for Zitadel
There is a version difference though
I am debating jumping back a version
Did my docker compose work for you?
t
Have you tried using just the default root user, which won't need a password?
a
No, because if I need to do that I don't want to use this lol
will try now just to check though
t
Just thinking to rule out authentication on cockroach
a
but I noted that above in example too
seems like root works
migration is running, which is what I had assumed above. I see no examples for cockroach with a non-root user.
@tall-angle-41306 you weren't able to recreate? Wondering if it is issue worthy
t
I've just tested with the docker-compose you shared, and in the cockroach logs I get this:
==== create key for new user kratos ====
ERROR: setting or updating a password is not supported in insecure mode
SQLSTATE: 28P01
a
Ya, I have also tried with not insecure
They are moving away from insecure
you should see a big write up in the log at top about it if using insecure
basically:
* INFO: To start a secure server without mandating TLS for clients,
* consider --accept-sql-without-tls instead. For other options, see:
but then you need some certs and to pass that with --cert-dir
I will try again, maybe I just messed up last night when tired. Maybe I created cert wrong or something. Just used mkcert
If that fails, I will create an issue
t
I've got your example working. So if you want to use --insecure you can't use COCKROACH_USER etc to provision the user. You either have to create the user yourself, or use docker-entrypoint-initdb.d to create them after startup. If you want to use COCKROACH_USER then you'll need to setup secure mode properly
a
Great, thanks Adam. That is what I am working on now. Just recreating certs to not use insecure
Really helpful to be able to go back and forth about this. Thanks so much for the time
Would have taken forever alone
Wish that was documented though
May just make an issue about that
as update mkcert won't hack it
incorrect cert types
m
Hey @abundant-dawn-56438 Please do create an issue with all the information from this thread in github.com/ory/docs, that would help us a lot improve the self-hosted documentation! Feel free to tag me and I will see to find a good spot for it / help out with a PR. And thanks a lot Adam for helping out 🙏
a
Already did. Currently made a fair bit of progress, but it is a slog for sure