From 2bfdb72bf359713cbb12dfb03824a9e25844154c Mon Sep 17 00:00:00 2001 
From: Elio Bischof Date: Fri, 3 Jan 2025 15:00:27 +0100 Subject: [PATCH] docs: fix reverse proxy guides (#9118) # Which Problems Are Solved Commands for installing compose stacks with reverse proxies don't work. # How the Problems Are Solved - The `docker compose up` commands are fixed by specifying all necessary services to spin up. This is obviously not (or not with all docker compose versions) resolved by the dependencies declarations. - The initial postgres admin username is postgres. - Fix postgres health check to succeed before the init job created the DB. - A hint tells the user to install the grpcurl binary. # Additional Changes - Passing `--wait` to `docker compose up` doesn't require us to sleep for exactly three seconds. - It looks to me like the order of the depends_on declaration for zitadel matters, but I don't understand why. I changed it so that it's for sure correct. - Silenced some command outputs - Removed the version property from all compose files to avoid the following warning ``` WARN[0000] /tmp/caddy-example/docker-compose-base.yaml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion ``` # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9115 This is the easiest way to test the updated docs: ```bash # Use this PR branches files: export ZITADEL_CONFIG_FILES=https://raw.githubusercontent.com/zitadel/zitadel/refs/heads/fix-reverse-proxy-guides/docs/docs/self-hosting/manage/reverseproxy ``` The rest of the commands as described in https://docs-git-fix-reverse-proxy-guides-zitadel.vercel.app/docs/self-hosting/manage/reverseproxy/caddy ![image](https://github.com/user-attachments/assets/949d2c2a-246a-49a2-916a-e77250771074) --- .../loadbalancing-example/docker-compose.yaml | 1 - .../manage/configure/docker-compose.yaml | 2 -- .../reverseproxy/_proxy_guide_tls_mode.mdx | 12 ++++++------ .../reverseproxy/caddy/docker-compose.yaml | 2 -- 
.../manage/reverseproxy/docker-compose.yaml | 17 +++++++----------
 .../reverseproxy/httpd/docker-compose.yaml | 2 --
 .../reverseproxy/nginx/docker-compose.yaml | 2 --
 .../reverseproxy/traefik/docker-compose.yaml | 2 --
 .../host.docker.internal/docker-compose.yaml | 2 --
 e2e/config/localhost/docker-compose.yaml | 2 --
 e2e/docker-compose.yaml | 2 --
 11 files changed, 13 insertions(+), 33 deletions(-)
diff --git a/docs/docs/self-hosting/deploy/loadbalancing-example/docker-compose.yaml b/docs/docs/self-hosting/deploy/loadbalancing-example/docker-compose.yaml
index 2b9266c798..94d8f438dc 100644
--- a/docs/docs/self-hosting/deploy/loadbalancing-example/docker-compose.yaml
+++ b/docs/docs/self-hosting/deploy/loadbalancing-example/docker-compose.yaml
@@ -1,4 +1,3 @@
-version: '3.8'
 services:
 traefik:
diff --git a/docs/docs/self-hosting/manage/configure/docker-compose.yaml b/docs/docs/self-hosting/manage/configure/docker-compose.yaml
index 8e5c9fbc05..abd1818a7b 100644
--- a/docs/docs/self-hosting/manage/configure/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/configure/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: "3.8"
-
 services:
 zitadel:
 restart: "always"
diff --git a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx
index debca2f4f5..1cacf076e5 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx
@@ -24,7 +24,7 @@ export const Description = ({mode, link}) => {
 }
 export const Commands = ({mode, name, lower, configfilename}) => {
- let genCert = '# Generate a self signed certificate and key.\nopenssl req -x509 -batch -subj "/CN=127.0.0.1.sslip.io/O=ZITADEL Demo" -nodes -newkey rsa:2048 -keyout ./selfsigned.key -out ./selfsigned.crt\n\n';
+ let genCert = '# Generate a self signed certificate and key.\nopenssl req -x509 -batch -subj "/CN=127.0.0.1.sslip.io/O=ZITADEL Demo" -nodes -newkey rsa:2048 -keyout ./selfsigned.key -out ./selfsigned.crt 2>/dev/null\n\n';
 let connPort = "443"
 let connInsecureFlag = "--insecure "
 let connScheme = "https"
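Review bot: The `2>/dev/null` appended to the `openssl req` command in `genCert` discards the only diagnostics a reader gets when key or certificate generation fails, so the guide carries on to `docker compose up` without a usable `selfsigned.key`/`selfsigned.crt` and the failure shows up later as an unrelated-looking proxy error. The same applies to the `--quiet` added to the three `wget` lines in the following hunk (`@@ -42,16 +42,16 @@`): a failed download prints nothing, and `-O` still leaves an empty output file behind that the compose command then consumes. Consider `--no-verbose` instead of `--quiet`, which drops the progress output but keeps error messages, and either dropping the stderr redirect or telling the reader to run the sequence under `set -e` so a failed step stops it. `Commands` continues past the end of this hunk.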
@@ -42,16 +42,16 @@ export const Commands = ({mode, name, lower, configfilename}) => {
 {'# Download the configuration files.'}{'\n'}
 {'export ZITADEL_CONFIG_FILES=https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/reverseproxy\n'}
- {`wget $\{ZITADEL_CONFIG_FILES\}/docker-compose.yaml -O docker-compose-base.yaml`}{'\n'}
- {'wget $\{ZITADEL_CONFIG_FILES\}/'}{lower}{'/docker-compose.yaml -O docker-compose-'}{lower}{'.yaml'}{'\n'}
- {'wget $\{ZITADEL_CONFIG_FILES\}/'}{lower}{'/'}{configfilename}{' -O '}{configfilename}{'\n'}
+ {'wget $\{ZITADEL_CONFIG_FILES\}/docker-compose.yaml -O docker-compose-base.yaml --quiet \n'}
+ {'wget $\{ZITADEL_CONFIG_FILES\}/'}{lower}{'/docker-compose.yaml -O docker-compose-'}{lower}{'.yaml --quiet \n'}
+ {'wget $\{ZITADEL_CONFIG_FILES\}/'}{lower}{'/'}{configfilename}{' -O '}{configfilename}{' --quiet \n'}
 {'\n'}
 {genCert}
 {'# Run the database, ZITADEL and '}{name}{'.'}{'\n'}
- {'docker compose --file docker-compose-base.yaml --file docker-compose-'}{lower}{'.yaml up --detach proxy-'}{mode}{'-tls'}{'\n'}
+ {'docker compose --file docker-compose-base.yaml --file docker-compose-'}{lower}{'.yaml up --detach --wait db zitadel-init zitadel-'}{mode}{'-tls proxy-'}{mode}{'-tls'}{'\n'}
 {'\n'}
 {'# Test that gRPC and HTTP APIs work. Empty brackets like {} means success.\n'}
- {'sleep 3\n'}
+ {'# Make sure you have the grpcurl cli installed on your machine https://github.com/fullstorydev/grpcurl?tab=readme-ov-file#installation\n'}
 {'grpcurl '}{connInsecureFlag}{grpcPlainTextFlag}{'127.0.0.1.sslip.io:'}{connPort}{' zitadel.admin.v1.AdminService/Healthz\n'}
 {'curl '}{connInsecureFlag}{connScheme}{'://127.0.0.1.sslip.io:'}{connPort}{'/admin/v1/healthz\n'}
diff --git a/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml
index aa4b7f6869..c5fad6ab7b 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 proxy-disabled-tls:
diff --git a/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
index d7d929fa44..989b620fef 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 zitadel-disabled-tls:
@@ -17,7 +15,7 @@ services:
 ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
 ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
 ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
- ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: root
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
 ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
 ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
 networks:
@@ -43,16 +41,16 @@ services:
 ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
 ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
 ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
- ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: root
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
 ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
 ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
 networks:
 - 'zitadel'
 depends_on:
- zitadel-init:
- condition: 'service_completed_successfully'
 db:
 condition: 'service_healthy'
+ zitadel-init:
+ condition: 'service_completed_successfully'
 zitadel-enabled-tls:
 extends:
@@ -71,7 +69,7 @@ services:
 ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
 ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
 ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
- ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: root
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
 ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
 ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
 volumes:
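Review bot: With `ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres` (hunk `@@ -17,7 +15,7 @@`, repeated in `@@ -43,16`, `@@ -71,7` and `@@ -109,7`) the admin connection now uses the image's default superuser together with the password `postgres` and `SSL_MODE: disable`, and nothing in the file marks these values as belonging to the local demo only. Readers copy this compose file as a starting point, so a comment on the first occurrence would help, for example `# Demo-only credentials and sslmode: replace both before running this stack anywhere but a local test`. Whether the database port is published to the host is not visible in these hunks, and the service definitions start and end outside them.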
@@ -109,7 +107,7 @@ services:
 ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
 ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
 ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
- ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: root
+ ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
 ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
 ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
 networks:
@@ -125,10 +123,9 @@ services:
 restart: 'always'
 image: postgres:16-alpine
 environment:
- PGUSER: root
 POSTGRES_PASSWORD: postgres
 healthcheck:
- test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"]
+ test: ["CMD-SHELL", "pg_isready"]
 interval: 5s
 timeout: 60s
 retries: 10
diff --git a/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml
index 72e06b976f..8757758dc3 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 proxy-disabled-tls:
diff --git a/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml
index 21b3361979..524d50fc30 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 proxy-disabled-tls:
diff --git a/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml
index aee5cf891d..a2dfab075b 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 proxy-disabled-tls:
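Review bot: In the postgres health check of `docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml` (hunk `@@ -125,10 +123,9 @@`), `pg_isready` is now called without a user and `PGUSER` is removed, so the probe falls back to the OS user that runs the check, presumably `root` in the `postgres:16-alpine` container. The probe still reports the server as ready, but the server is then likely to log a failed connection attempt for a non-existent role on every 5s interval, and that noise buries genuine failed logins. Naming the superuser keeps the check quiet and still independent of the init job: `test: ["CMD-SHELL", "pg_isready -U postgres"]`. The service definition starts above this hunk.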
diff --git a/e2e/config/host.docker.internal/docker-compose.yaml b/e2e/config/host.docker.internal/docker-compose.yaml
index 8c9d755b02..80ea33b364 100644
--- a/e2e/config/host.docker.internal/docker-compose.yaml
+++ b/e2e/config/host.docker.internal/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 db:
diff --git a/e2e/config/localhost/docker-compose.yaml b/e2e/config/localhost/docker-compose.yaml
index a14c0dd603..040cbc81c0 100644
--- a/e2e/config/localhost/docker-compose.yaml
+++ b/e2e/config/localhost/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 zitadel:
 user: '$UID'
diff --git a/e2e/docker-compose.yaml b/e2e/docker-compose.yaml
index ffcfb65c4d..f03b1fcc46 100644
--- a/e2e/docker-compose.yaml
+++ b/e2e/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
 zitadel:
 extends: