upgrading an older selfhosted netbird installation with zitadel/cockroachdb to zitadel/postgresql .... success #2101

New Issue

saavagebueno · 2025-11-20T07:03:48-05:00

saavagebueno commented

2025-11-20 07:03:48 -05:00

Originally created by @ssachse on GitHub (Jul 22, 2025).

Hello everyone,

If you are migrating ZITADEL from CockroachDB to PostgreSQL and hit the same road‑blocks I did, this concise guide (plus full config files) might save you some hours.

ZITADEL – Migration from CockroachDB to PostgreSQL (Staging → Production)

TL;DR

Reset & start the Postgres container (zdb) with a fresh volume.
Init and setup --for‑mirror the empty target DB.
Mirror from Cockroach to Postgres using --system --replace.
Run setup --for‑mirror again to recreate projections & permissions.
Launch ZITADEL in Postgres mode (start-from-init --tlsMode external).
Wait until GET /debug/ready returns 200, then shut down Cockroach.
Remove the CRDB service from docker-compose.yml when everything is green.

1 Files & Directories

1.1 Environment files

zitadel-pg.env and zdb.env hold credentials, TLS flags, and first‑instance machine‑user settings (see complete listing in §5).

1.2 Config files (`./configs`)

pg.yaml – connection details for init & setup.
mirror.yaml – defines source (Cockroach with TLS) and destination (Postgres without TLS).
Increase EventBulkSize (e.g. 10 000) to speed up the mirror.

1.3 `docker-compose.yml`

Stack containing Caddy reverse‑proxy, NetBird components, CRDB, Postgres, and two ZITADEL containers (zitadel, zitadel-cli).
Use ghcr.io/zitadel/zitadel:v3.3.0 or newer for the CLI – older versions include a mirror bug.

2 Step‑by‑Step Migration

2.1 Reset the Postgres volume

# stop container & delete volume
docker compose down zdb
docker volume rm root_netbird_zdb_data
# start fresh instance
docker compose up -d zdb

2.2 Initialise the empty target DB

# create schema
docker compose run --rm zitadel-cli init --config /cfg/pg.yaml
# prepare for mirror
docker compose run --rm zitadel-cli setup --for-mirror \
  --config /cfg/pg.yaml --masterkeyFromEnv

2.3 Run the mirror job

# copies assets, keys, auth_requests, events & projections
docker compose run --rm zitadel-cli mirror --system --replace \
  --config /cfg/mirror.yaml --masterkeyFromEnv

Disk full? If Cockroach stops with insufficient remaining capacity, delete the EMERGENCY_BALLAST file or free space, then rerun the mirror.

2.4 Run setup again (projections & permissions)

docker compose run --rm zitadel-cli setup --for-mirror \
  --config /cfg/pg.yaml --masterkeyFromEnv

2.5 Start ZITADEL on Postgres

docker compose up -d zitadel

Wait until:

curl -f http://localhost:8080/debug/ready

returns HTTP 200.

2.6 Verify counts

docker compose run --rm zitadel-cli mirror verify --system \
  --config /cfg/mirror.yaml --masterkeyFromEnv

Small negative diffs for projections.*, auth.users2, and keys4* are expected.

2.7 Decommission CockroachDB

docker compose down crdb
curl -f http://localhost:8080/debug/ready  # should still be 200

Then remove the crdb service from your compose file.

3 Troubleshooting

4 Useful Endpoints

Ready: GET /debug/ready
Health: GET /debug/healthz
Metrics: GET /debug/metrics

5 Complete Reference Files

5.1 `zitadel-pg.env`

ZITADEL_LOG_LEVEL=debug
ZITADEL_MASTERKEY=--EDITED--
MASTERKEY=--EDITED--
ZITADEL_SPOOLER_ENABLED=true
ZITADEL_DATABASE_POSTGRES_HOST=zdb
ZITADEL_DATABASE_POSTGRES_PORT=5432
ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel
ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=--EDITED--
ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=--EDITED--
ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
ZITADEL_EXTERNALSECURE=true
ZITADEL_TLS_ENABLED="false"
ZITADEL_EXTERNALPORT=443
ZITADEL_EXTERNALDOMAIN=--EDITED--
ZITADEL_FIRSTINSTANCE_PATPATH=/machinekey/zitadel-admin-sa.token
ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa
ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin
ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_SCOPES=openid
ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE=2025-08-11T19:08:35Z

5.2 `zdb.env`

POSTGRES_USER=root
POSTGRES_PASSWORD=--EDITED--

5.3 `config/pg.yaml`

Database:
  postgres:
    Host: zdb
    Port: 5432
    Database: zitadel
    User:
      Username: zitadel
      Password: --EDITED--
      SSL:
        Mode: disable
    Admin:
      Username: root
      Password: --EDITED--
      SSL:
        Mode: disable
FirstInstance:
  Org:
    Human:
      Username: admin@localhost
      Password: --EDITED--

5.4 `config/mirror.yaml`

Source:
  cockroach:
    Host: crdb
    Port: 26257
    Database: zitadel
    User:
      Username: zitadel_user
      SSL:
        Mode: verify-full
        RootCert: /crdb-certs/ca.crt
        Cert: /crdb-certs/client.zitadel_user.crt
        Key: /crdb-certs/client.zitadel_user.key
Destination:
  postgres:
    Host: zdb
    Port: 5432
    Database: zitadel
    User:
      Username: zitadel
      Password: --EDITED--
      SSL:
        Mode: disable
EventBulkSize: 10000
MaxAuthRequestAge: 720h
Projections:
  ConcurrentInstances: 7
  EventBulkLimit: 1000
Auth:
  Spooler:
    BulkLimit: 1000
Admin:
  Spooler:
    BulkLimit: 10
Log:
  Level: info

5.5 `docker-compose.yml` (relevant services)

services: caddy: image: caddy restart: unless-stopped networks: [ netbird ] ports: - "443:443" - "443:443/udp" - "80:80" - "8080:8080" volumes: - netbird_caddy_data:/data - ./Caddyfile:/etc/caddy/Caddyfile zitadel: restart: always networks: [ netbird ] image: ghcr.io/zitadel/zitadel:v2.64.1 command: start-from-init --masterkeyFromEnv --tlsMode external env_file: - ./zitadel-pg.env depends_on: zdb: condition: service_healthy volumes: - ./machinekey:/machinekey - netbird_zitadel_certs:/crdb-certs:ro zitadel-cli: image: ghcr.io/zitadel/zitadel:v3.3.2 command: /bin/true networks: [ netbird ] env_file: - ./zitadel-pg.env volumes: - netbird_zitadel_certs:/crdb-certs:ro - ./machinekey:/machinekey:ro - ./configs:/cfg crdb: image: cockroachdb/cockroach:v25.1.2 command: start-single-node --advertise-addr crdb --external-io-dir=/cockroach/nodelocal restart: always networks: [ netbird ] volumes: - netbird_cr

Originally created by @ssachse on GitHub (Jul 22, 2025). <head></head><p style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">Hello everyone,</p><p style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">If you are migrating<span class="Apple-converted-space"> </span><strong>ZITADEL</strong><span class="Apple-converted-space"> </span>from<span class="Apple-converted-space"> </span><strong>CockroachDB</strong><span class="Apple-converted-space"> </span>to<span class="Apple-converted-space"> </span><strong>PostgreSQL</strong><span class="Apple-converted-space"> </span>and hit the same road‑blocks I did, this concise guide (plus full config files) might save you some hours.</p><hr style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><h2 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">ZITADEL – Migration from CockroachDB to PostgreSQL (Staging → Production)</h2><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">TL;DR</h3><ol style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><li><p><strong>Reset & start the Postgres container</strong><span class="Apple-converted-space"> </span>(<code inline="">zdb</code>) with a fresh volume.</p></li><li><p><strong>Init</strong><span class="Apple-converted-space"> </span>and<span class="Apple-converted-space"> </span><strong>setup --for‑mirror</strong><span class="Apple-converted-space"> </span>the empty target DB.</p></li><li><p><strong>Mirror</strong><span class="Apple-converted-space"> </span>from Cockroach to Postgres using<span class="Apple-converted-space"> </span><code inline="">--system --replace</code>.</p></li><li><p><strong>Run setup --for‑mirror</strong><span class="Apple-converted-space"> </span>again to recreate projections & permissions.</p></li><li><p>Launch ZITADEL in<span class="Apple-converted-space"> </span><strong>Postgres mode</strong><span class="Apple-converted-space"> </span>(<code inline="">start-from-init --tlsMode external</code>).</p></li><li><p>Wait until<span class="Apple-converted-space"> </span><code inline="">GET /debug/ready</code><span class="Apple-converted-space"> </span>returns 200, then shut down Cockroach.</p></li><li><p>Remove the CRDB service from<span class="Apple-converted-space"> </span><code inline="">docker-compose.yml</code><span class="Apple-converted-space"> </span>when everything is green.</p></li></ol><hr style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><h2 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">1 Files & Directories</h2><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">1.1 Environment files</h3><p style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code inline="">zitadel-pg.env</code><span class="Apple-converted-space"> </span>and<span class="Apple-converted-space"> </span><code inline="">zdb.env</code><span class="Apple-converted-space"> </span>hold credentials, TLS flags, and first‑instance machine‑user settings (see complete listing in §5).</p><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">1.2 Config files (<code inline="">./configs</code>)</h3><ul style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><li><p><strong>pg.yaml</strong><span class="Apple-converted-space"> </span>– connection details for<span class="Apple-converted-space"> </span><code inline="">init</code><span class="Apple-converted-space"> </span>&<span class="Apple-converted-space"> </span><code inline="">setup</code>.</p></li><li><p><strong>mirror.yaml</strong><span class="Apple-converted-space"> </span>– defines<span class="Apple-converted-space"> </span><em>source</em><span class="Apple-converted-space"> </span>(Cockroach with TLS) and<span class="Apple-converted-space"> </span><em>destination</em><span class="Apple-converted-space"> </span>(Postgres without TLS).<br>Increase<span class="Apple-converted-space"> </span><code inline="">EventBulkSize</code><span class="Apple-converted-space"> </span>(e.g. 10 000) to speed up the mirror.</p></li></ul><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">1.3 <code inline="">docker-compose.yml</code></h3><p style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">Stack containing Caddy reverse‑proxy, NetBird components, CRDB, Postgres, and two ZITADEL containers (<code inline="">zitadel</code>,<span class="Apple-converted-space"> </span><code inline="">zitadel-cli</code>).<br>Use<span class="Apple-converted-space"> </span><strong><code inline="">ghcr.io/zitadel/zitadel:v3.3.0</code><span class="Apple-converted-space"> </span>or newer</strong><span class="Apple-converted-space"> </span>for the CLI – older versions include a mirror bug.</p><hr style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><h2 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">2 Step‑by‑Step Migration</h2><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">2.1 Reset the Postgres volume</h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-bash"># stop container & delete volume docker compose down zdb docker volume rm root_netbird_zdb_data # start fresh instance docker compose up -d zdb </code></pre><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">2.2 Initialise the empty target DB</h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-bash"># create schema docker compose run --rm zitadel-cli init --config /cfg/pg.yaml # prepare for mirror docker compose run --rm zitadel-cli setup --for-mirror \ --config /cfg/pg.yaml --masterkeyFromEnv </code></pre><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">2.3 Run the mirror job</h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-bash"># copies assets, keys, auth_requests, events & projections docker compose run --rm zitadel-cli mirror --system --replace \ --config /cfg/mirror.yaml --masterkeyFromEnv </code></pre><blockquote style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><p><strong>Disk full?</strong><span class="Apple-converted-space"> </span>If Cockroach stops with<span class="Apple-converted-space"> </span><code inline="">insufficient remaining capacity</code>, delete the<span class="Apple-converted-space"> </span><code inline="">EMERGENCY_BALLAST</code><span class="Apple-converted-space"> </span>file or free space, then rerun the mirror.</p></blockquote><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">2.4 Run setup again (projections & permissions)</h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-bash">docker compose run --rm zitadel-cli setup --for-mirror \ --config /cfg/pg.yaml --masterkeyFromEnv </code></pre><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">2.5 Start ZITADEL on Postgres</h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-bash">docker compose up -d zitadel </code></pre><p style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">Wait until:</p><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-bash">curl -f http://localhost:8080/debug/ready </code></pre><p style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">returns<span class="Apple-converted-space"> </span><strong>HTTP 200</strong>.</p><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">2.6 Verify counts</h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-bash">docker compose run --rm zitadel-cli mirror verify --system \ --config /cfg/mirror.yaml --masterkeyFromEnv </code></pre><p style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">Small negative diffs for<span class="Apple-converted-space"> </span><code inline="">projections.*</code>,<span class="Apple-converted-space"> </span><code inline="">auth.users2</code>, and<span class="Apple-converted-space"> </span><code inline="">keys4*</code><span class="Apple-converted-space"> </span>are expected.</p><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">2.7 Decommission CockroachDB</h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-bash">docker compose down crdb curl -f http://localhost:8080/debug/ready # should still be 200 </code></pre><p style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">Then remove the<span class="Apple-converted-space"> </span><strong>crdb</strong><span class="Apple-converted-space"> </span>service from your compose file.</p><hr style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><h2 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">3 Troubleshooting</h2> Issue | Cause | Solution -- | -- | -- store X has insufficient remaining capacity | Cockroach node < 5 % free | Delete unused data or EMERGENCY_BALLAST, add storage, repeat mirror Mirror fails with older CLI | Bug fixed in ≥ v3.3 | Use ghcr.io/zitadel/zitadel:v3.3+ for zitadel-cli /debug/ready returns 503 | ZITADEL not fully started or DB unreachable | Check container logs, rerun setup --for-mirror <hr style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><h2 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">4 Useful Endpoints</h2><ul style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><li><p><strong>Ready:</strong><span class="Apple-converted-space"> </span><code inline="">GET /debug/ready</code></p></li><li><p><strong>Health:</strong><span class="Apple-converted-space"> </span><code inline="">GET /debug/healthz</code></p></li><li><p><strong>Metrics:</strong><span class="Apple-converted-space"> </span><code inline="">GET /debug/metrics</code></p></li></ul><hr style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><h2 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">5 Complete Reference Files</h2><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">5.1 <code inline="">zitadel-pg.env</code></h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-env">ZITADEL_LOG_LEVEL=debug ZITADEL_MASTERKEY=--EDITED-- MASTERKEY=--EDITED-- ZITADEL_SPOOLER_ENABLED=true ZITADEL_DATABASE_POSTGRES_HOST=zdb ZITADEL_DATABASE_POSTGRES_PORT=5432 ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=--EDITED-- ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=--EDITED-- ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable ZITADEL_EXTERNALSECURE=true ZITADEL_TLS_ENABLED="false" ZITADEL_EXTERNALPORT=443 ZITADEL_EXTERNALDOMAIN=--EDITED-- ZITADEL_FIRSTINSTANCE_PATPATH=/machinekey/zitadel-admin-sa.token ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_SCOPES=openid ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE=2025-08-11T19:08:35Z </code></pre><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">5.2 <code inline="">zdb.env</code></h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-env">POSTGRES_USER=root POSTGRES_PASSWORD=--EDITED-- </code></pre><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">5.3 <code inline="">config/pg.yaml</code></h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-yaml">Database: postgres: Host: zdb Port: 5432 Database: zitadel User: Username: zitadel Password: --EDITED-- SSL: Mode: disable Admin: Username: root Password: --EDITED-- SSL: Mode: disable FirstInstance: Org: Human: Username: admin@localhost Password: --EDITED-- </code></pre><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">5.4 <code inline="">config/mirror.yaml</code></h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-yaml">Source: cockroach: Host: crdb Port: 26257 Database: zitadel User: Username: zitadel_user SSL: Mode: verify-full RootCert: /crdb-certs/ca.crt Cert: /crdb-certs/client.zitadel_user.crt Key: /crdb-certs/client.zitadel_user.key Destination: postgres: Host: zdb Port: 5432 Database: zitadel User: Username: zitadel Password: --EDITED-- SSL: Mode: disable EventBulkSize: 10000 MaxAuthRequestAge: 720h Projections: ConcurrentInstances: 7 EventBulkLimit: 1000 Auth: Spooler: BulkLimit: 1000 Admin: Spooler: BulkLimit: 10 Log: Level: info </code></pre><h3 style="font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">5.5 <code inline="">docker-compose.yml</code><span class="Apple-converted-space"> </span>(relevant services)</h3><pre style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);"><code class="language-yaml">services: caddy: image: caddy restart: unless-stopped networks: [ netbird ] ports: - "443:443" - "443:443/udp" - "80:80" - "8080:8080" volumes: - netbird_caddy_data:/data - ./Caddyfile:/etc/caddy/Caddyfile zitadel: restart: always networks: [ netbird ] image: ghcr.io/zitadel/zitadel:v2.64.1 command: start-from-init --masterkeyFromEnv --tlsMode external env_file: - ./zitadel-pg.env depends_on: zdb: condition: service_healthy volumes: - ./machinekey:/machinekey - netbird_zitadel_certs:/crdb-certs:ro zitadel-cli: image: ghcr.io/zitadel/zitadel:v3.3.2 command: /bin/true networks: [ netbird ] env_file: - ./zitadel-pg.env volumes: - netbird_zitadel_certs:/crdb-certs:ro - ./machinekey:/machinekey:ro - ./configs:/cfg crdb: image: cockroachdb/cockroach:v25.1.2 command: start-single-node --advertise-addr crdb --external-io-dir=/cockroach/nodelocal restart: always networks: [ netbird ] volumes: - netbird_cr </code></pre><br class="Apple-interchange-newline" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class="Apple-interchange-newline">

saavagebueno closed this issue

2025-11-20 07:03:48 -05:00

saavagebueno referenced this issue

2025-11-20 08:05:34 -05:00

[PR #2101] The netbird management server was not handling signed id_tokens other that RSA type #3292

Sign in to join this conversation.

Branches Tags

main

embedded-vnc

fix/wireguard-port-zero

windows-dns-firewall

ui-refactor

fix/wgport-config

feature/refactor-clusters

fix/rosenpass

drop-candidateviaroutes-filter

e2e-windows-dns-combined

refactor-combined

wasm-websocket-dial

feature/affected-peers

dependabot/go_modules/github.com/Azure/go-ntlmssp-0.1.1

debug-logs

reduce-embed-wg-pool

dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2

fix/login-cmd-root-flags

feat/reseller-openapi-spec

github-issue-resolver

add-steamos-support

fix-darwin-uninstaller

flutter-test

dependabot/npm_and_yarn/proxy/web/postcss-8.5.12

ci/freebsd-pkg-bootstrap

cached-serial-check-on-sync

fix-mgmt-cache-bypass-overlay

revert-easyjson-5938

revert-ice-5820

revert-firewalld-5928

refactor/permissions-manager

wasm-js-func-release

revert-dns-5935-systemd-resolved

revert-dns-5935-5945

revert-dns-5945-mgmt-cache

feature/log-most-busy-peers

prototype/ui-wails

coderabbitai/utg/8ae8f20

feature/use-peer-fqdn-on-https

dependabot/go_modules/golang.org/x/image-0.38.0

feature/metrics-push-management-control

release/0.68.3

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream-1.7.8

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/s3-1.97.3

add-slack-channel

claude/rdp-token-passthrough-eNcqW

transparent-proxy

fix/macos-stale-route-eexist

crowdsec-selfhosted

fix/remove-otel-units

entire/checkpoints/v1

dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4

fix/getting-started

feat/static-connectors-combined-server

feature/use-local-keys-embedded

feature/fleetdm

set-env-only-if-not-fork

feature/expose-has-channel

fix/connection-status-race

fix/filter-cgnat-cni-ice-candidates

feature/check-cert-locker-before-acme

test/proxy-fixes

test/proxy-mtu

prototype/ui-tauri

test/proxy-speed

fix-reused-ports

feat/migrate-to-embedded-idp

feature/add-serial-to-proxy-merged

deploy/proxy-serial

test/connection

feature/disable-legacy-port

feature/flag-to-disable-legacy-port

test/perftest

dependabot/go_modules/github.com/pion/dtls/v3-3.0.11

fix/http-redirect

poc-token-command

dn-reverse-proxy

prototype/reverse-proxy-rename

prototype/reverse-proxy-logs-pagination

feature/client-metrics

prototype/reverse-proxy-clusters

debug-dns-route

fix/win-dns-batch

add-extra-route-logs

job-stream-notify-disconnection-eof

deploy/secrets-manager

trigger-proxy-update

bug/update-ios-client-code-build-tags

sync-client-netmap-serial

log/conn-disconn

nmap/compaction-deploy

ci-win-test

feature/disk-encryption-check

wasm-debug

swap-dns-prio

fix/dex-config

feature/migrate-auto-groups-to-table

dependabot/go_modules/github.com/quic-go/quic-go-0.57.0

nmap/compaction

dex-nocgo-stub

feature/exclude-terraform-from-rate-limiting

test-freebsd

retries-refactor

coderabbitai/docstrings/b7e98ac

feat/integrate-zitadel

bug/ios-hanging-reconection

zitadel-idp

feat/network-map-serial

refactor/get-account-no-users

feat/auto-upgrade

feature/report-high-pat-id

feature/temporary-access-for-resource

fix/nmap-fwrules

dont-restart-dns

prototype/ui

update-gomobile

go-dns-for-ice

wasm-ldflags

test-ldflags

wasmbuild-test

feature/networks-s2s

vk/compare-nmaps

dbg/bothmaps

feature/changeset

reorder-dns-shutdown

fix/relay-reconnection-race

fix/nmap-exitnodes

vk/debug/nmap-both

move-licensed-code

feat/better-daemon-connection-lost-message

feat/auto-update-2

test/timings

refactor/getaccount-raw

tests/nmap-getaccount

refactor/nmap

refactor/nmap-limit-buffer

feature/detect-mac-wakeup

feature/extract-modules

quick-setings

feat/sync-limiter

feature/store-cache-impl

fix-install-version

feature/store-metrics

feature/metrics-on-store

feature/use-gorm-cache

loadtest-signal

unsymmetrical-squash

refactor/reducate-signaling

test/update-reduce

feature/store-cache

feature/remote-debug

cli-ws-proxy-backend-addr

feat/mgmt-map-serial

snyk-fix-d9d0081a4c7f9137bdb59d0d50a141a2

snyk-fix-7415cea5a11acd66753540ca2c598c63

job-yml-update

feature/android-allow-selecting-routes

fix/up-sequence

fix/dns-hash-update

snyk-fix-967adae9863f17f108ce8948d9117b8d

log/getaccount-by-peer

signal-suppressor

dns-exit-node

feature/auto-updates

feature/cache-srv-key

merged-fixes

fix/missed-offers-and-debug

debug-and-fixes

poc-wasm-clean-backend-s2s

test/remote-debug

debug-api

dependabot/go_modules/github.com/docker/docker-28.0.0incompatible

fix/remove-gpo-if-empty

fix/test-freebsd

fix/mysql-setup

fix/remove-logout-btn

handle-existing-domain-user

chore/unify-domain-validation

snyk-fix-c5fafc8a50ce1f29046e25a1fc346185

feat/profile-edit-btn

snyk-fix-a54966211e18d4cf67e5a2757cc006d1

log-short-id

feat/logout-ephemeral

log-checks

batch-wg-ops

nb-interface-default

feat/aws-integration

add/race-test

feature/relay-feature-versioning

fix/systemd-service-logs

poc/preprocessed-map

add-account-onboarding

bind-ipv6

fix/merge-main

logs/peerlogs-addpeer

feature/net-297-network-migration

feature/support-skip-auto-apply-exit-node-routes

set-cmd

set-command-with-cursor

feature/limit-update-channel

stop-using-locking-share

feature/poc-lazy-detection

feature/net-248-removal-of-sync-mutex-locks

test/multiple-peer-logging

preresolve

add-ns-punnycode-support

apply-routes-early

windows-search-domains

fix/connecting-route-filter

feature/management/rest-client/impersonate

debug-local-records

resource-fields-snake-case

test/grpc-rate-limit

traffic-correlation-policy

feature/rest-client-options

feat/events-metrics

feature/buf-cli

test/add-ratelimiter

test/remove-write-lock-on-add-peer

fix/add-peer-semaphore

feature/users-roles-endpoint

mlsmaycon-patch-1

debug-user-role

chore/primary-key-on-networks

feature/update-account-peers-buffer-startup

remove-ubuntu2004-runners

refactor/permissions-no-pat-allowed

ref/logrus-factory

use-conntrack-zone

deploy/permissions-account

feature/lazy-connection-idle

ref/improve-test-cov

restore-pr-3440

test/increase-grpc-timeouts

feat/buffer-account-peers-update

test/networkmapgeneration-changes

feature/base-manager

feature/flow-receiver

chore/benchmark-with-large-runner

refactor/handshake-initiator

client/ui-update-systray-icons

userspace-router

wgwatcher-test

output-if-key-already-exists

fix/relay-reconnection

feature/port-forwarding-client-codecleaning

detached2

test/callbacks-nil-iceconninfo

refactor/optimize-peer-expiration

enable-udp-port-for-docker-template

fix/relay-update

feature/apply-posture-netmap

fix/group-update-existing-resource

conntrack-stats

upgrade-okta-sdk

multi-price

test/conn-stat

set-min-parallel-tests-for-management

dns-interceptor

debug-dns

router-dns

add-static-system-info

debug-0.29.4

debug-0.33.0

account-refactoring

relay/2800_quic

route-get-account-refactoring

test/seed-random-routes

feature/get-account-refactoring

test/reconnect-race-condition

refactor/get-account-usage

feature/add-session-id-to-update-channel

improve-ipv4conn

fix/async-pion-event-handling

debug

add-offload

feature/validate-group-association-debug

fix/limit-conn-for-sqlite

test/engine-iface

test/transaction-for-jwt-sync

fix/engine-stop-in-foreground

feature/add-mysql-support

test-migration

refactor/header-size-values

relay/eliminate-gob

test/signal-dispatcher-with-relay

relay/debug

validate-icon

feature/ipv6-support

use-pre-expanded-peers-map

feature/use-signal-dispatcher

validate/peer-status

add-read-write-times

fix/sync-peer-race

feature/relay-status

netmap

evaluate/network-map-hash

fix/lower-dns-resolve-interval-on-fail

feature/relay

fix/go-mod-version

upgrade-nftables

synology-userspace-mode

fix/use-ip-for-default-routes-on-darwin

fix/proxy_close

enable-release-workflow-on-pr

deploy/peer-performance

feature/permanent-turn

feature/permanent-turn-proxy

deploy/posture-check-sqlite

feature/optimize_sqlite_save

debug-ios-behavior

fix/delete-route-only-after-adding

tshoot/windows-logger

remove-new-routing

refactor/eliminate-repo-dependency

add-arm-to-ci

refactor-demo-account-object

test/abc2

test/abc

send-ssh-rosenpass-config-meta

refactor-demo

ensure-schedule-never-runs-non-positive

feature/peer-validator-groupmgm

feature/peer-validator-fix

fix/include-active-dashboard-users

fix/handle-canceling-schedule

fix/geo-download

debug-google-workspace

yury/resolve-ip-to-location

feature/extend-sysinfo

sqlite-async-peer-status

yury/add-postgresql-store

fix/route

test-build

posture-checks-poc

debug-keycloak-idp

poc/netstack

for-pascal-tmp

peer-logout-management

manual-peer-logout

detached

chore/refactor-management

test/dns-bind

fix/enforce-acl-for-containers

yury/use-sync-map-in-updatechannel

fix/events-key-handling

filter-cache-on-load-account

fix/user-expiration

handle-user-context-cancellation

nb-client-k8s-statefulset

fake-addr

fix/iptables_in_docker

ebpf-debug

update-getting-started-flow-use-postgres

fix/peer_list_notification

feature/device-authentication-with-client-secret

feature/keep_alive

feat-groups-from-jwt

separate_proxy_from_wgconfig

fix/wg_conn

wg_conn_fix

wg_bind_parallel_processing

fix-rollback-get-acls

proxy_cfg_cleanup

performance-improvement-rego

update-lock-log-level

feat-client-side-acl

refactor/move_grpcserver_logic_to_account_manager

feature/event-storage

feature/update-idp-redeeming-invite

feature/api-peer-info

return-groupminimum-setupkey

feature/interface-bind

documentation_enhancement

fix-peer-registration

ssh

users_cache

pass-client-caller

client_caller_type

revert-283-feat-fix-windows-installer

periodic-peer-updates

ebpf

braginini/wasm

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: SVI/netbird#2101

upgrading an older selfhosted netbird installation with zitadel/cockroachdb to zitadel/postgresql .... success #2101