Vi Zitadel Admin
Administer ZITADEL (self-hosted) via configuration and operational workflows. Avoid patching ZITADEL source unless explicitly requested.
Quick intake (ask first)
- Deployment: Kubernetes (Helm), Docker Compose, or Linux/service
- Version/DB: ZITADEL major version (v2 vs v3), Postgres vs CockroachDB (v2 only)
- External access: ExternalDomain, TLS termination (--tlsMode), reverse proxy/WAF/CDN, HTTP/2/h2c
- Config delivery: where --config and --steps files live; how --masterkey* is provided
Source of truth (upstream)
Use the upstream ZITADEL repo + docs as the authoritative config catalog:
- Runtime defaults + env var mapping: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
- Setup steps defaults + env var mapping: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
- Self-hosting docs: https://zitadel.com/docs/self-hosting
If you have a local clone, prefer grepping local files for speed/offline work (any path; example: ~/contrib/zitadel).
Recommended workflow
- Locate current runtime config (--config) and setup steps (--steps).
- Compare against the production checklist and close gaps (TLS/HTTP/2, non-default credentials, SMTP, backups, observability).
- Apply changes as configuration-only:
  - Use multiple --config/--steps files to separate public config from secrets.
  - Keep secrets out of git (masterkey, DB creds, SMTP creds, TLS private key).
- For installs/upgrades, follow the phase separation:
  - First install: zitadel init (once) → zitadel setup → zitadel start
  - Upgrade: run zitadel setup with the new version, then roll out zitadel start
- Verify with health endpoints and logs:
  - Ready: /debug/ready
  - Health: /debug/healthz
  - Metrics: /debug/metrics
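One way to check the "keep secrets out of git" step above before committing a public --config/--steps file. This is an added example, not part of the original page or the ZITADEL project; the key suffixes it matches and the sample config are constructed assumptions, so check real key names against cmd/defaults.yaml.

```shell
#!/bin/sh
# Added example (not from the ZITADEL project): heuristic scan of a config file
# that is meant to be committed, flagging secrets that belong in a separate file.
# This is a line scan, not a YAML parser; the key suffixes are assumptions.

# Print "LINE:KEY" (or "LINE:pem-private-key") for each suspicious line in $1.
find_inline_secrets() {
  awk -v sq="'" '
    /^[ \t]*#/ { next }                                   # comment line
    /-----BEGIN [A-Z ]*PRIVATE KEY-----/ { print NR ":pem-private-key"; next }
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)                         # trailing comment
      idx = index(line, ":")
      if (idx == 0) next
      key = substr(line, 1, idx - 1)
      val = substr(line, idx + 1)
      gsub(/^[ \t-]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      gsub("^[\"" sq "]|[\"" sq "]$", "", val)            # surrounding quotes
      # Suffix match, so PasswordChangeRequired and similar flags are ignored.
      if (tolower(key) !~ /(password|secret|masterkey|privatekey)$/) next
      if (val == "") next                                 # left empty: supplied elsewhere
      print NR ":" key
    }
  ' "$1"
}

# Constructed sample of a "public" config file; key names are illustrative.
sample_public_config() {
  cat <<'EOF'
ExternalDomain: id.example.test
Database:
  postgres:
    User:
      Username: zitadel
      Password: "hunter2-constructed"   # should live in the secrets file
SMTP:
  User: mailer
  Password: ""
PasswordChangeRequired: true
TLS:
  Key: |
    -----BEGIN PRIVATE KEY-----
EOF
}

# Usage: sh scan.sh path/to/public-config.yaml
if [ "$#" -gt 0 ]; then find_inline_secrets "$1"; fi
```

An empty result means no inline secret was detected by these patterns; it does not replace a dedicated secret scanner in CI.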
Common tasks (short recipes)
- Find config keys: search cmd/defaults.yaml and cmd/setup/steps.yaml in the ZITADEL repo (look for # ZITADEL_... comments).
- Fix “Instance not found”: validate ExternalDomain/Port/Secure, reverse proxy host headers, then rerun zitadel setup.
- Prepare for production: follow references/production-hardening.md and cross-check the upstream production checklist.
- Plan upgrades and scaling: use references/upgrade-scaling.md (init/setup/start separation, probes, zero downtime).
- Validate database posture: use references/database.md (supported versions, credential rotation, v2→v3 CRDB migration notes).
- Verify HTTP/2 + TLS: use references/networking-http2-tls.md.
Resources
- Config discovery and file layout: references/config-discovery.md
- Production hardening checklist: references/production-hardening.md
- Init/setup/start + upgrades + scaling: references/upgrade-scaling.md
- Database operations and credential rotation: references/database.md
- HTTP/2, h2c, TLS modes, reverse proxies: references/networking-http2-tls.md
- Observability: readiness/liveness/metrics/logging: references/observability.md
- Optional migration (v2 CockroachDB → Postgres): references/migration-crdb-to-pg.md