Zitadel IAM deployment for auth.hrmnn.dev
Mathias Hermann d85760db8c
Some checks failed
Deploy Zitadel / deploy (push) Failing after 2m13s
Fix helm install: use direct binary download
2026-03-12 22:01:04 +01:00
.forgejo/workflows Fix helm install: use direct binary download 2026-03-12 22:01:04 +01:00
docs Initial Zitadel deployment config 2026-03-12 21:31:29 +01:00
helm Add Forgejo Actions deploy pipeline 2026-03-12 21:54:34 +01:00
manifests Add Forgejo Actions deploy pipeline 2026-03-12 21:54:34 +01:00
.gitignore Initial Zitadel deployment config 2026-03-12 21:31:29 +01:00
README.md Initial Zitadel deployment config 2026-03-12 21:31:29 +01:00

Zitadel — auth.hrmnn.dev

Identity and Access Management for the hrmnn k3s cluster.

Architecture

  • Zitadel — OIDC/OAuth2 identity provider at auth.hrmnn.dev
  • PostgreSQL — dedicated database for Zitadel (separate from Authentik's)
  • Ingress — NGINX ingress with cert-manager TLS

Prerequisites

  • k3s cluster at 46.225.234.15
  • NGINX ingress controller
  • cert-manager with ClusterIssuer letsencrypt-prod
  • Helm 3.x

Deployment

# 1. Create namespace and secrets
kubectl apply -f manifests/namespace.yaml
kubectl apply -f manifests/secrets.yaml   # Edit passwords first!

# 2. Deploy PostgreSQL
kubectl apply -f manifests/postgres.yaml

# 3. Install Zitadel via Helm
helm repo add zitadel https://charts.zitadel.com
helm repo update
helm install zitadel zitadel/zitadel \
  --namespace zitadel \
  --values helm/values.yaml

# 4. Wait for init/setup jobs to complete, then verify
kubectl -n zitadel get pods --watch

# 5. Access console
# https://auth.hrmnn.dev/ui/console
# Login: admin / (see secrets)
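The five steps above, wrapped into a script as an added example that is not part of this repository: it refuses to apply manifests/secrets.yaml while it still holds placeholder passwords (the "Edit passwords first!" step), uses helm upgrade --install so re-runs are idempotent, waits for the chart's init/setup Jobs to complete instead of watching pods by eye, and checks the OIDC discovery document over TLS. Paths and the hostname follow the README; the placeholder word list, the constructed sample manifest, and the assumption that every Job in the namespace belongs to the chart are mine, not the project's.

```shell
#!/bin/sh
# Added example for the README's deployment steps (not part of the repo).
# Assumes manifests/secrets.yaml, manifests/postgres.yaml and helm/values.yaml
# as described in the README; kubectl, helm and curl are only needed when
# deploy_zitadel is actually run.
set -eu

NAMESPACE="zitadel"
ZITADEL_HOST="auth.hrmnn.dev"
SECRETS_FILE="${SECRETS_FILE:-manifests/secrets.yaml}"

# Print "section.key" for every value under data:/stringData: of a Secret
# manifest that is an obvious placeholder. data: values are base64, so they
# are decoded first; decoding only runs on strings that are pure base64 so a
# hostile manifest cannot inject shell through the getline command.
# The placeholder word list is an assumption.
find_placeholder_secrets() {
  awk '
    /^[[:space:]]*(data|stringData):[[:space:]]*$/ { section=$1; sub(/:$/, "", section); next }
    /^[^[:space:]#]/ { section="" }            # next top-level key ends the block
    section != "" && /^[[:space:]]+[A-Za-z0-9_.-]+:[[:space:]]*[^[:space:]]/ {
      key=$1;   sub(/:$/, "", key)
      value=$2; gsub(/"/, "", value)
      if (section == "data" && value ~ /^[A-Za-z0-9+\/=]+$/) {
        cmd = "printf %s \"" value "\" | base64 -d 2>/dev/null"
        if ((cmd | getline decoded) > 0) value = decoded
        close(cmd)
      }
      if (tolower(value) ~ /^(changeme|change-me|password|replace-me|todo|secret)$/)
        print section "." key
    }
  ' "$1"
}

# Return 0 when an OIDC discovery document names the expected issuer.
# Pure string check (whitespace stripped, fixed-string grep) so it can be
# exercised without network access.
issuer_matches() {
  printf '%s' "$1" | tr -d ' \n' | grep -qF -- "\"issuer\":\"$2\""
}

# curl -f fails on a non-2xx response or an untrusted certificate, so a
# broken cert-manager issuance shows up here rather than at first login.
verify_oidc_discovery() {
  doc="$(curl -fsS "https://$1/.well-known/openid-configuration")"
  issuer_matches "$doc" "https://$1" || {
    echo "discovery document at $1 does not name https://$1 as issuer" >&2
    return 1
  }
}

deploy_zitadel() {
  if [ -n "$(find_placeholder_secrets "$SECRETS_FILE")" ]; then
    echo "refusing to deploy: placeholder values left in $SECRETS_FILE:" >&2
    find_placeholder_secrets "$SECRETS_FILE" >&2
    return 1
  fi
  kubectl apply -f manifests/namespace.yaml
  kubectl apply -f "$SECRETS_FILE"
  kubectl apply -f manifests/postgres.yaml
  helm repo add zitadel https://charts.zitadel.com
  helm repo update
  helm upgrade --install zitadel zitadel/zitadel \
    --namespace "$NAMESPACE" \
    --values helm/values.yaml
  # The chart's init and setup Jobs must finish before the console works;
  # this assumes no other Jobs live in the namespace.
  kubectl -n "$NAMESPACE" wait --for=condition=complete job --all --timeout=600s
  verify_oidc_discovery "$ZITADEL_HOST"
}

# Constructed sample manifest (the real manifests/secrets.yaml is not shown
# in the README) used to exercise the placeholder check offline.
SAMPLE_SECRETS="$(mktemp)"
trap 'rm -f "$SAMPLE_SECRETS"' EXIT
cat >"$SAMPLE_SECRETS" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: zitadel-secrets
  namespace: zitadel
type: Opaque
stringData:
  masterkey: changeme
  admin-password: "k9!rT2wq-notaplaceholder"
data:
  postgres-password: Y2hhbmdlbWU=
EOF

# Running without arguments only defines the functions and reports what the
# check finds in the sample; "deploy" runs the real deployment.
find_placeholder_secrets "$SAMPLE_SECRETS"
if [ "${1:-}" = "deploy" ]; then
  deploy_zitadel
fi
```

Run it as `sh deploy.sh deploy` from the repository root; without the argument it only prints the two placeholder keys found in the constructed sample (stringData.masterkey and data.postgres-password), which is the state the script refuses to ship.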

Forgejo Integration

After Zitadel is running, configure Forgejo OIDC authentication. See docs/forgejo-oidc.md for step-by-step instructions.

Cleanup Authentik

Once Zitadel is confirmed working:

helm uninstall authentik -n authentik   # or kubectl delete ns authentik