Run cockroachdb in secure mode using docker compose and connect nakama to it

1
votes

I've been trying to run cockroachdb in secure mode using docker compose, and I think I got that working now but nakama doesn't seem to be able to connect to it. Dose anyone know how to fix it?

A link to all the code I have so far.

https://github.com/SirBuildsALot/NakamaDockerCompose

And this is just the docker-compose file

version: '3.5'

volumes:
  certs-roach-0:
  certs-client:

services:

  roach-cert:
    container_name: roach-cert
    hostname: roach-cert
    build: roach-cert
    volumes:
      - certs-roach-0:/certs/roach-0
      - certs-client:/certs/client

  roach-0:
    container_name: roach-0
    hostname: roach-0
    image: cockroachdb/cockroach:latest
    command: start-single-node --cluster-name=example-secure-nginx --logtostderr=WARNING --log-file-verbosity=WARNING --certs-dir=/certs
    volumes:
      - certs-roach-0:/certs
    depends_on:
      - roach-cert

  lb:
    container_name: lb
    hostname: lb
    build: haproxy
    ports:
      - "5432:5432"
      - "8080:8080"
      - "8081:8081"
    depends_on:
      - roach-0

  roach-init:
    container_name: roach-init
    hostname: roach-init
    image: timveil/cockroachdb-remote-client:latest
    environment:
      - COCKROACH_HOST=lb:5432
      - COCKROACH_INSECURE=false
      - COCKROACH_CERTS_DIR=/certs
      - DATABASE_NAME=admin
      - DATABASE_USER=admin
      - DATABASE_PASSWORD=password
    volumes:
      - certs-client:/certs
    depends_on:
      - lb
      - roach-cert
  nakama:
    container_name: nakama
    image: heroiclabs/nakama:2.12.0
    entrypoint:
      - "/bin/sh"
      - "-ecx"
      - >
          /nakama/nakama migrate up --database.address root@roach-0:26257 &&
          exec /nakama/nakama --config /nakama/data/my-special-config.yml
    restart: always
    links:
      - "roach-cert:db"
    depends_on:
      - roach-cert
    volumes:
      - ./:/nakama/data
    expose:
      - "7349"
      - "7350"
      - "7351"
    ports:
      - "7349:7349"
      - "7350:7350"
      - "7351:7351"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:7350/"]
      interval: 10s
      timeout: 5s
      retries: 5
#volumes:
#  data:

Here is the error message from nakama

nakama        | + /nakama/nakama migrate up --database.address root@roach-0:26257

nakama        | {"level":"info","ts":"2020-11-01T23:10:28.764Z","caller":"migrate/migrate.go:139","msg":"Database connection","dsn":"root@roach-0:26257"}

nakama        | {"level":"fatal","ts":"2020-11-01T23:10:31.008Z","caller":"migrate/migrate.go:147","msg":"Error pinging database","error":"ERROR: node is running secure mode, SSL connection required (SQLSTATE 08P01)"}

nakama        | + /nakama/nakama migrate up --database.address root@roach-0:26257

nakama        | {"level":"info","ts":"2020-11-01T23:10:36.951Z","caller":"migrate/migrate.go:139","msg":"Database connection","dsn":"root@roach-0:26257"}

nakama        | {"level":"fatal","ts":"2020-11-01T23:10:36.952Z","caller":"migrate/migrate.go:147","msg":"Error pinging database","error":"ERROR: node is running secure mode, SSL connection required (SQLSTATE 08P01)"}

nakama        | + /nakama/nakama migrate up --database.address root@roach-0:26257

nakama        | {"level":"info","ts":"2020-11-01T23:10:40.471Z","caller":"migrate/migrate.go:139","msg":"Database connection","dsn":"root@roach-0:26257"}

nakama        | {"level":"fatal","ts":"2020-11-01T23:10:40.472Z","caller":"migrate/migrate.go:147","msg":"Error pinging database","error":"ERROR: node is running secure mode, SSL connection required (SQLSTATE 08P01)"}

nakama        | + /nakama/nakama migrate up --database.address root@roach-0:26257

nakama        | {"level":"info","ts":"2020-11-01T23:10:44.023Z","caller":"migrate/migrate.go:139","msg":"Database connection","dsn":"root@roach-0:26257"}

nakama        | {"level":"fatal","ts":"2020-11-01T23:10:44.025Z","caller":"migrate/migrate.go:147","msg":"Error pinging database","error":"ERROR: node is running secure mode, SSL connection required (SQLSTATE 08P01)"}

nakama        | + /nakama/nakama migrate up --database.address root@roach-0:26257

nakama        | {"level":"info","ts":"2020-11-01T23:10:47.469Z","caller":"migrate/migrate.go:139","msg":"Database connection","dsn":"root@roach-0:26257"}

nakama        | {"level":"fatal","ts":"2020-11-01T23:10:47.471Z","caller":"migrate/migrate.go:147","msg":"Error pinging database","error":"ERROR: node is running secure mode, SSL connection required (SQLSTATE 08P01)"}

nakama        | + /nakama/nakama migrate up --database.address root@roach-0:26257

nakama        | {"level":"info","ts":"2020-11-01T23:10:50.564Z","caller":"migrate/migrate.go:139","msg":"Database connection","dsn":"root@roach-0:26257"}

nakama        | {"level":"fatal","ts":"2020-11-01T23:10:50.565Z","caller":"migrate/migrate.go:147","msg":"Error pinging database","error":"ERROR: node is running secure mode, SSL connection required (SQLSTATE 08P01)"}
1
dockersecuritydocker-composecockroachdbnakama

1 Answers

2
votes

I created a pull request for your repo that fixes your connection. There were a few problems with your code.

The most significant issue is that your database.address was incorrect. To connect to a secure CockroachDB cluster you must provide additional details like sslmode, the sslrootcert path, the sslcert path and the sslkey path. More details can be found here. Furthermore, your docker compose file included a load balancer but your original configuration did not leverage it and instead tried to connect directly to a CockroachDB node fronted by the LB. These problems were found in both your docker-compose.yml file and the my-special-config.yml.

Here is the relevant part of your original database.address in docker-compose.yml...

/nakama/nakama migrate up --database.address root@roach-0:26257

here is the proper database.address...

/nakama/nakama migrate up --database.address 'lb:5432?sslmode=require&sslrootcert=/certs/ca.crt&sslcert=/certs/client.root.crt&sslkey=/certs/client.root.key'