Latest commit 447997d3f1 by Patrick Sy, 2026-05-21 16:10:04 +02:00: feat: limit actions bootstrap to preuserinfo

zitadel-bootstrap

zitadel-bootstrap is a small Go utility that bootstraps an already deployed ZITADEL instance via API.

Current bootstrap scope:

  • create or reuse a human admin user
  • grant instance and default-org administrator roles
  • disable user registration in the instance default login policy
  • optionally register a fixed set of ZITADEL action executions backed by a webhook service

Runtime contract

The bootstrap binary expects a reachable ZITADEL instance and a personal access token (PAT) of an admin service user with permissions to manage users, grant instance and organization roles, edit the default login policy and, when action management is enabled, create action targets and executions. Treat that token as a root credential for the instance: issue it to a dedicated service user, keep its expiry short, and revoke it once the bootstrap has completed.

Required environment:

  • ZITADEL_HOST
  • ZITADEL_ADMIN_PAT or ZITADEL_ADMIN_PAT_FILE

Optional environment:

  • ZITADEL_API
  • TIMEOUT
  • MANAGE_ACTIONS
  • WEBHOOK_URL when MANAGE_ACTIONS=true
  • CREATE_ADMIN_USER
  • ADMIN_LOGIN_NAME
  • ADMIN_FIRST_NAME
  • ADMIN_LAST_NAME
  • ADMIN_DISPLAY_NAME
  • ADMIN_EMAIL
  • ADMIN_EMAIL_VERIFIED
  • ADMIN_INITIAL_PASSWORD when CREATE_ADMIN_USER=true
  • ADMIN_ORG_ROLES
  • TARGET_NAME_PREUSERINFO

Action management:

  • MANAGE_ACTIONS=true: manage the ZITADEL Actions V2 preuserinfo target and execution used for token enrichment, i.e. the webhook at WEBHOOK_URL that ZITADEL calls while building userinfo and token claims
  • MANAGE_ACTIONS=false: skip action reconciliation entirely and leave existing action state untouched (nothing is created, updated or deleted)
  • WEBHOOK_URL is only required when action management is enabled
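The sketch below is an added illustration, not code from this repository: it shows the create-or-reuse reconciliation that "manage the preuserinfo target and execution" implies, written against a hypothetical ActionClient interface (ListTargets, CreateTarget, SetExecution) with an in-memory fake so it runs offline. The real ZITADEL API calls, request shapes and the trigger name "preuserinfo" used for the execution are assumptions here; a production reconcile would additionally patch the target when WEBHOOK_URL changes.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Simplified stand-ins for the Actions V2 objects: a Target is the webhook
// ZITADEL calls, an Execution binds a trigger function to targets.
type Target struct{ ID, Name, Endpoint string }
type Execution struct {
	Function  string // assumed trigger name, e.g. "preuserinfo"
	TargetIDs []string
}

// ActionClient is a hypothetical abstraction over the ZITADEL action API.
type ActionClient interface {
	ListTargets(ctx context.Context) ([]Target, error)
	CreateTarget(ctx context.Context, name, endpoint string) (Target, error)
	SetExecution(ctx context.Context, e Execution) error
}

// ReconcileOpts mirrors MANAGE_ACTIONS, WEBHOOK_URL and TARGET_NAME_PREUSERINFO.
type ReconcileOpts struct {
	Manage                 bool
	WebhookURL, TargetName string
}

// ReconcilePreUserInfo converges on the desired state without duplicates: the
// target is found by name, created only if missing, and the execution is
// re-pointed at it on every run. With Manage=false nothing is read or written.
// It reports whether a target was created.
func ReconcilePreUserInfo(ctx context.Context, c ActionClient, o ReconcileOpts) (bool, error) {
	if !o.Manage {
		return false, nil
	}
	if o.WebhookURL == "" || o.TargetName == "" {
		return false, errors.New("WEBHOOK_URL and TARGET_NAME_PREUSERINFO are required when MANAGE_ACTIONS=true")
	}
	targets, err := c.ListTargets(ctx)
	if err != nil {
		return false, err
	}
	var target *Target
	for i := range targets {
		if targets[i].Name == o.TargetName {
			target = &targets[i]
			break
		}
	}
	changed := false
	if target == nil {
		created, err := c.CreateTarget(ctx, o.TargetName, o.WebhookURL)
		if err != nil {
			return false, err
		}
		target, changed = &created, true
	}
	return changed, c.SetExecution(ctx, Execution{Function: "preuserinfo", TargetIDs: []string{target.ID}})
}

// memClient is an in-memory fake that records calls, standing in for a real API client.
type memClient struct {
	targets []Target
	execs   []Execution
	calls   []string
}

func (m *memClient) ListTargets(context.Context) ([]Target, error) {
	m.calls = append(m.calls, "list")
	return append([]Target(nil), m.targets...), nil
}
func (m *memClient) CreateTarget(_ context.Context, name, endpoint string) (Target, error) {
	m.calls = append(m.calls, "create")
	t := Target{ID: fmt.Sprintf("t%d", len(m.targets)+1), Name: name, Endpoint: endpoint}
	m.targets = append(m.targets, t)
	return t, nil
}
func (m *memClient) SetExecution(_ context.Context, e Execution) error {
	m.calls = append(m.calls, "setExecution")
	m.execs = append(m.execs, e)
	return nil
}

func main() {
	c := &memClient{}
	o := ReconcileOpts{Manage: true, WebhookURL: "https://webhook.example.com", TargetName: "preuserinfo"}
	for i := 1; i <= 2; i++ { // the second run must not create a second target
		changed, err := ReconcilePreUserInfo(context.Background(), c, o)
		fmt.Printf("run %d: changed=%t err=%v calls=%v\n", i, changed, err, c.calls)
	}
}
```

Running it twice is the check that matters for a one-shot Job that may be re-applied: the second pass lists, finds the target by name and only re-asserts the execution, and with Manage=false the client is never called.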

Helm chart

The repo includes a Helm chart that deploys the bootstrap binary as a one-shot Kubernetes Job.

Chart location:

  • charts/zitadel-bootstrap

Typical install:

helm upgrade --install zitadel-bootstrap oci://edp.buildth.ing/devfw/charts/zitadel-bootstrap \
  --version 0.1.0 \
  --namespace zitadel \
  --create-namespace \
  --set env.zitadelHost=https://zitadel.example.com \
  --set env.manageActions=true \
  --set env.webhookUrl=https://webhook.example.com \
  --set adminPat.existingSecret=zitadel-admin-pat \
  --set adminInitialPassword.existingSecret=zitadel-admin-password

Important values:

  • image.repository
  • image.tag
  • env.zitadelHost
  • env.zitadelApi
  • env.manageActions
  • env.webhookUrl
  • env.createAdminUser
  • adminPat.existingSecret
  • adminPat.secretKey
  • adminPat.mountAsFile
  • adminInitialPassword.existingSecret

The chart supports two PAT delivery modes:

  • direct env var injection via ZITADEL_ADMIN_PAT
  • mounted secret file via ZITADEL_ADMIN_PAT_FILE (selected with adminPat.mountAsFile)

Prefer the mounted file outside local testing: an environment variable is inherited by every child process and shows up in process inspection and crash dumps, whereas a file mounted from the Secret stays out of the process environment. In both modes the chart only references the existing Secret named by adminPat.existingSecret (key adminPat.secretKey), so the token value itself never needs to appear in values files or --set arguments.

When env.manageActions=false, env.webhookUrl is not required.

When env.createAdminUser=false, adminInitialPassword.existingSecret is not required.

Example values for disabling action reconciliation:

env:
  manageActions: false
  zitadelHost: "https://example.com"
  createAdminUser: true
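As an added example, not code from the repository, the Go loader below enforces the runtime contract described above: exactly one of ZITADEL_ADMIN_PAT and ZITADEL_ADMIN_PAT_FILE, a trimmed file token (a Secret mounted as a file normally carries a trailing newline), WEBHOOK_URL only when MANAGE_ACTIONS=true, and ADMIN_INITIAL_PASSWORD only when CREATE_ADMIN_USER=true. The boolean defaults, the loopback-only rule for plain http and the function names are this example's own choices, not documented behaviour of zitadel-bootstrap.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Config holds the settings with cross-field rules; the other ADMIN_* values are plain strings.
type Config struct {
	Host, AdminPAT                 string
	ManageActions, CreateAdminUser bool
	WebhookURL, InitialPassword    string
}

// Getenv and ReadFile are injected for offline testing; os.Getenv and os.ReadFile satisfy them.
type Getenv func(key string) string
type ReadFile func(path string) ([]byte, error)

// envBool parses an optional flag; treating "unset" as false is this example's assumption.
func envBool(get Getenv, key string) (bool, error) {
	switch strings.ToLower(strings.TrimSpace(get(key))) {
	case "", "false", "0", "no":
		return false, nil
	case "true", "1", "yes":
		return true, nil
	}
	return false, fmt.Errorf("%s: expected a boolean, got %q", key, get(key))
}

// readPAT resolves the token from exactly one source. A mounted secret file usually
// ends in a newline (kubectl --from-file keeps it), which would corrupt the Authorization header.
func readPAT(get Getenv, read ReadFile) (string, error) {
	inline, path := get("ZITADEL_ADMIN_PAT"), get("ZITADEL_ADMIN_PAT_FILE")
	switch {
	case inline != "" && path != "":
		return "", errors.New("set only one of ZITADEL_ADMIN_PAT and ZITADEL_ADMIN_PAT_FILE")
	case inline != "":
		return strings.TrimSpace(inline), nil
	case path != "":
		b, err := read(path)
		if err != nil {
			return "", fmt.Errorf("ZITADEL_ADMIN_PAT_FILE: %w", err)
		}
		if tok := strings.TrimSpace(string(b)); tok != "" {
			return tok, nil
		}
		return "", fmt.Errorf("ZITADEL_ADMIN_PAT_FILE %q is empty", path)
	}
	return "", errors.New("ZITADEL_ADMIN_PAT or ZITADEL_ADMIN_PAT_FILE is required")
}

// requireURL accepts an absolute http(s) URL; plain http only for loopback hosts, so the PAT never travels in clear.
func requireURL(key, raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
		return "", fmt.Errorf("%s must be an absolute http(s) URL, got %q", key, raw)
	}
	if h := u.Hostname(); u.Scheme == "http" && h != "localhost" && h != "127.0.0.1" {
		return "", fmt.Errorf("%s: plain http is only accepted for loopback hosts, got %s", key, u.Host)
	}
	return u.String(), nil
}

// LoadConfig enforces the conditional requirements: WEBHOOK_URL only when
// MANAGE_ACTIONS=true, ADMIN_INITIAL_PASSWORD only when CREATE_ADMIN_USER=true.
func LoadConfig(get Getenv, read ReadFile) (*Config, error) {
	cfg := &Config{}
	var err error
	if cfg.Host, err = requireURL("ZITADEL_HOST", get("ZITADEL_HOST")); err != nil {
		return nil, err
	}
	if cfg.AdminPAT, err = readPAT(get, read); err != nil {
		return nil, err
	}
	if cfg.ManageActions, err = envBool(get, "MANAGE_ACTIONS"); err != nil {
		return nil, err
	}
	if cfg.ManageActions {
		if cfg.WebhookURL, err = requireURL("WEBHOOK_URL", get("WEBHOOK_URL")); err != nil {
			return nil, err
		}
	}
	if cfg.CreateAdminUser, err = envBool(get, "CREATE_ADMIN_USER"); err != nil {
		return nil, err
	}
	if cfg.InitialPassword = get("ADMIN_INITIAL_PASSWORD"); cfg.CreateAdminUser && cfg.InitialPassword == "" {
		return nil, errors.New("ADMIN_INITIAL_PASSWORD is required when CREATE_ADMIN_USER=true")
	}
	return cfg, nil
}

func main() {
	cfg, err := LoadConfig(os.Getenv, os.ReadFile)
	if err != nil {
		fmt.Fprintln(os.Stderr, "config:", err)
		os.Exit(2)
	}
	// Never print the token itself; its length is enough to confirm it was read.
	fmt.Printf("host=%s manageActions=%t createAdminUser=%t patLen=%d\n", cfg.Host, cfg.ManageActions, cfg.CreateAdminUser, len(cfg.AdminPAT))
}
```

Failing fast on an inconsistent environment is what makes the Helm Job safe to re-run: a missing WEBHOOK_URL or password is reported before any API call is made, rather than after an admin user already exists.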

Releases

Forgejo Actions workflows are included for validation and tagged releases.

  • .github/workflows/ci.yaml
    • runs tests
    • lints the Helm chart
    • renders the chart with required values
  • .github/workflows/release.yaml
    • triggers on tags matching v*
    • runs tests and Trivy scans
    • publishes multi-arch container images with GoReleaser
    • packages the Helm chart
    • attempts to push the chart to the Forgejo OCI registry
    • falls back to uploading the packaged chart to the release if OCI chart push is unavailable

Expected release secrets:

  • PACKAGES_TOKEN
  • GPG_PRIVATE_KEY
  • GPG_PASSPHRASE

The release workflow derives the registry path from GITHUB_SERVER_URL and github.repository_owner.

Local development

Run unit tests:

make test

Run integration tests:

make test-integration

Render the Helm chart locally:

helm template zitadel-bootstrap charts/zitadel-bootstrap \
  --set env.zitadelHost=https://zitadel.example.com \
  --set env.manageActions=true \
  --set env.webhookUrl=https://webhook.example.com \
  --set adminPat.existingSecret=zitadel-admin-pat \
  --set adminInitialPassword.existingSecret=zitadel-admin-password