Zitadel/manifests/deployment.yaml


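---
# Deployment for the Zitadel identity provider (single replica).
# TLS is terminated in front of the pod (--tlsMode external together with
# ZITADEL_EXTERNALSECURE=true); the container itself listens on 8080.
# Credentials and the master key are injected from Kubernetes Secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zitadel
  namespace: zitadel
spec:
  replicas: 1
  selector:
    matchLabels:
      app: zitadel
  template:
    metadata:
      labels:
        app: zitadel
    spec:
      hostname: zitadel
      subdomain: zitadel
      containers:
        - name: zitadel
          # NOTE(review): the image is pinned by tag only. A tag can be
          # re-pointed upstream; append the verified digest
          # (...:v2.71.1@sha256:<DIGEST_PLACEHOLDER>) to make the pull
          # reproducible.
          image: ghcr.io/zitadel/zitadel:v2.71.1
          # NOTE(review): start-from-init runs the database init phase on
          # every container start, which is why the PostgreSQL admin
          # credentials below are handed to this long-running pod. Running
          # init/setup as a one-off Job and using plain `start` here would
          # leave the serving container with the unprivileged DB user only.
          command:
            - "/app/zitadel"
            - "start-from-init"
            - "--config"
            - "/tmp/config.yaml"
            - "--steps"
            - "/tmp/first-step.yaml"
            - "--masterkeyFromEnv"
            - "--tlsMode"
            - "external"
          ports:
            - containerPort: 8080
          # Baseline hardening: the process binds an unprivileged port and
          # needs no Linux capabilities or privilege escalation.
          # NOTE(review): also set runAsNonRoot/runAsUser once the UID the
          # image runs as has been confirmed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: ZITADEL_DATABASE_POSTGRES_HOST
              value: "zitadel-db-rw.zitadel.svc.cluster.local"
            - name: ZITADEL_DATABASE_POSTGRES_PORT
              value: "5432"
            - name: ZITADEL_DATABASE_POSTGRES_DATABASE
              value: "zitadel"
            - name: ZITADEL_DATABASE_POSTGRES_USER_USERNAME
              valueFrom:
                secretKeyRef:
                  name: zitadel-db-user
                  key: username
            - name: ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: zitadel-db-user
                  key: password
            # TLS to PostgreSQL is disabled for both the application user
            # and the admin user. The stated rationale is that all traffic
            # stays inside the cluster. That only holds if the pod network
            # is trusted: without an encrypting CNI or mesh, identity data
            # crosses the wire in cleartext and the server is not
            # authenticated to the client.
            # NOTE(review): if the database operator already serves TLS,
            # prefer "require" or "verify-full" with the CA mounted.
            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
              value: "disable"
            - name: ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: zitadel-db-superuser
                  key: username
            - name: ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: zitadel-db-superuser
                  key: password
            # Same trade-off as the USER_SSL_MODE setting; this connection
            # additionally carries superuser authentication.
            - name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
              value: "disable"
            - name: ZITADEL_EXTERNALSECURE
              value: "true"
            - name: ZITADEL_EXTERNALDOMAIN
              value: "zitadel.halis.io"
            # Read by --masterkeyFromEnv; kept in a Secret rather than in
            # the ConfigMap-backed config.yaml.
            - name: ZITADEL_MASTERKEY
              valueFrom:
                secretKeyRef:
                  name: zitadel-masterkey
                  key: masterkey
            - name: ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_COST
              value: "12"
          volumeMounts:
            # Each file is mounted individually via subPath. Note that
            # subPath mounts do not pick up later ConfigMap/Secret updates
            # until the pod is restarted.
            - mountPath: "/tmp/config.yaml"
              name: zitadel-config
              subPath: config.yaml
            - mountPath: "/tmp/first-step.yaml"
              name: zitadel-secret-config
              subPath: first-step.yaml
      volumes:
        - name: zitadel-config
          configMap:
            name: zitadel-config
        - name: zitadel-secret-config
          secret:
            secretName: zitadel-secret-config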