ZITADEL Docs

Database

PostgreSQL

Zitadel requires PostgreSQL 14 or later. The chart supports multiple ways to connect to PostgreSQL depending on your security requirements.

Connecting without TLS

This method connects to PostgreSQL without encryption. Use it only for testing, or when the database is reachable solely over a private network where interception is not a concern.

zitadel:
  configmapConfig:
    Database:
      Postgres:
        Host: "postgres.database.svc.cluster.local"
        Port: 5432
        Database: "zitadel"
        User:
          Username: "zitadel"
          Password: "your-password"
          SSL:
            Mode: "disable"
        Admin:
          Username: "postgres"
          Password: "your-admin-password"
          SSL:
            Mode: "disable"

The SSL.Mode: "disable" setting turns off TLS entirely. Traffic between Zitadel and PostgreSQL is unencrypted, so the database credentials and every query cross the network in plaintext.

Connecting with Credentials and TLS

This method connects to PostgreSQL with TLS encryption but without certificate verification. Use it when you trust the network path but still want encryption in transit.

zitadel:
  configSecretName: zitadel-db-credentials
  configmapConfig:
    Database:
      Postgres:
        Host: "postgres.database.svc.cluster.local"
        Port: 5432
        Database: "zitadel"
        User:
          Username: "zitadel"
          SSL:
            Mode: "require"
        Admin:
          Username: "postgres"
          SSL:
            Mode: "require"

Create a secret for the database passwords:

kubectl create secret generic zitadel-db-credentials \
  --from-literal=config.yaml="
Database:
  Postgres:
    User:
      Password: your-secure-app-password
    Admin:
      Password: your-secure-admin-password
"

The SSL.Mode: "require" setting enforces TLS but does not verify the server certificate: the client accepts whatever certificate the endpoint presents. This protects against passive eavesdropping but not against man-in-the-middle attacks.

Connecting with Certificates

This method connects to PostgreSQL with full TLS verification using certificates. Use this for production deployments where you need to verify the database server's identity.

zitadel:
  configSecretName: zitadel-db-credentials
  dbSslCaCrt: "ca.crt"
  dbSslCaCrtSecret: "postgres-ca-cert"
  configmapConfig:
    Database:
      Postgres:
        Host: "postgres.database.svc.cluster.local"
        Port: 5432
        Database: "zitadel"
        User:
          Username: "zitadel"
          SSL:
            Mode: "verify-full"
        Admin:
          Username: "postgres"
          SSL:
            Mode: "verify-full"

Create a secret containing the CA certificate:

kubectl create secret generic postgres-ca-cert \
  --from-file=ca.crt=/path/to/your/ca-certificate.crt

Create a secret for the database passwords:

kubectl create secret generic zitadel-db-credentials \
  --from-literal=config.yaml="
Database:
  Postgres:
    User:
      Password: your-secure-app-password
    Admin:
      Password: your-secure-admin-password
"

The SSL.Mode: "verify-full" setting enforces TLS and verifies both that the server certificate chains to the configured CA and that the server hostname matches the certificate. This provides full protection against eavesdropping and man-in-the-middle attacks. The dbSslCaCrtSecret value references the Kubernetes Secret containing the CA certificate, and dbSslCaCrt specifies the key within that Secret.
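As an added example (not part of the ZITADEL chart or its documentation), the following Python script lints a values fragment for the properties discussed in the three sections above: whether each role's SSL.Mode actually guarantees encryption and server authentication, whether verify-full/verify-ca is accompanied by dbSslCaCrtSecret and dbSslCaCrt, and whether a password has been left under configmapConfig instead of configSecretName. The sslmode semantics come from the PostgreSQL libpq documentation; the assumption that configmapConfig is rendered into a ConfigMap is drawn from the chart key's name; the three sample value dicts are constructed here to mirror the YAML on this page and avoid a YAML-parser dependency.

```python
import copy

# libpq sslmode semantics (PostgreSQL libpq docs):
# (encryption guaranteed?, server cert chain checked against the CA?, hostname checked?)
SSLMODE_PROPERTIES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),  # opportunistic: may fall back to plaintext
    "prefer":      (False, False, False),  # opportunistic: may fall back to plaintext
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}


def lint_postgres_values(values: dict) -> list[str]:
    """Return human-readable findings for the Database.Postgres settings in `values`.

    An empty list means both roles use TLS with CA and hostname verification,
    the CA is wired into the chart, and no password sits in the ConfigMap.
    """
    findings: list[str] = []
    zitadel = values.get("zitadel", {})
    postgres = (zitadel.get("configmapConfig", {})
                       .get("Database", {})
                       .get("Postgres", {}))
    # Both chart keys must be present for the CA to be mounted into the pod.
    ca_wired = bool(zitadel.get("dbSslCaCrtSecret")) and bool(zitadel.get("dbSslCaCrt"))

    for role in ("User", "Admin"):
        section = postgres.get(role, {})
        mode = section.get("SSL", {}).get("Mode")
        if mode is None:
            findings.append(f"{role}: SSL.Mode is not set; set it explicitly (verify-full for production)")
            continue
        if mode not in SSLMODE_PROPERTIES:
            findings.append(f"{role}: unknown SSL.Mode {mode!r}")
            continue
        encrypted, ca_checked, host_checked = SSLMODE_PROPERTIES[mode]
        if not encrypted:
            findings.append(f"{role}: SSL.Mode {mode!r} does not guarantee encryption; traffic can be read on the wire")
        elif not ca_checked:
            findings.append(f"{role}: SSL.Mode {mode!r} encrypts but does not authenticate the server; MITM is possible")
        elif not host_checked:
            findings.append(f"{role}: SSL.Mode {mode!r} checks the CA chain but not the hostname")
        if ca_checked and not ca_wired:
            findings.append(f"{role}: SSL.Mode {mode!r} needs dbSslCaCrtSecret and dbSslCaCrt so the CA is mounted")
        # Assumption: configmapConfig is rendered into a ConfigMap, which is not a Secret.
        if "Password" in section:
            findings.append(f"{role}: Password is in configmapConfig (rendered to a ConfigMap); move it under configSecretName")
    return findings


# Constructed dict forms of the three values fragments shown on this page.
PLAINTEXT_VALUES = {"zitadel": {"configmapConfig": {"Database": {"Postgres": {
    "Host": "postgres.database.svc.cluster.local", "Port": 5432, "Database": "zitadel",
    "User":  {"Username": "zitadel",  "Password": "your-password",       "SSL": {"Mode": "disable"}},
    "Admin": {"Username": "postgres", "Password": "your-admin-password", "SSL": {"Mode": "disable"}},
}}}}}

REQUIRE_VALUES = {"zitadel": {"configSecretName": "zitadel-db-credentials",
    "configmapConfig": {"Database": {"Postgres": {
        "Host": "postgres.database.svc.cluster.local", "Port": 5432, "Database": "zitadel",
        "User":  {"Username": "zitadel",  "SSL": {"Mode": "require"}},
        "Admin": {"Username": "postgres", "SSL": {"Mode": "require"}},
}}}}}

VERIFY_FULL_VALUES = {"zitadel": {"configSecretName": "zitadel-db-credentials",
    "dbSslCaCrt": "ca.crt", "dbSslCaCrtSecret": "postgres-ca-cert",
    "configmapConfig": {"Database": {"Postgres": {
        "Host": "postgres.database.svc.cluster.local", "Port": 5432, "Database": "zitadel",
        "User":  {"Username": "zitadel",  "SSL": {"Mode": "verify-full"}},
        "Admin": {"Username": "postgres", "SSL": {"Mode": "verify-full"}},
}}}}}

# A common slip: verify-full requested, but the CA Secret never wired into the chart.
VERIFY_FULL_NO_CA = copy.deepcopy(VERIFY_FULL_VALUES)
del VERIFY_FULL_NO_CA["zitadel"]["dbSslCaCrtSecret"]

if __name__ == "__main__":
    for name, vals in [("plaintext", PLAINTEXT_VALUES), ("require", REQUIRE_VALUES),
                       ("verify-full", VERIFY_FULL_VALUES), ("verify-full, no CA", VERIFY_FULL_NO_CA)]:
        print(f"== {name}")
        for finding in lint_postgres_values(vals) or ["OK"]:
            print("  ", finding)
```

Run it against a values file converted to a dict (for example with PyYAML's safe_load) before `helm upgrade`; only the verify-full fragment with both CA keys set comes back clean, while the plaintext fragment produces findings for both the missing encryption and the passwords stored in the ConfigMap.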
