Ingress
The chart creates standard Kubernetes Ingress resources. There are separate Ingress resources for the Zitadel container and the Login container.
TLS must be terminated at the ingress controller; the Zitadel and Login containers do not handle TLS termination. Both ingresses typically use the same domain and TLS certificate. The Login ingress serves the /ui/v2/login path while the Zitadel ingress serves everything else.
Zitadel Ingress
The Zitadel ingress handles all API traffic, the console UI, and OIDC endpoints. The example below uses Traefik as the ingress controller:

ingress:
  enabled: true
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  hosts:
    - host: zitadel.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: zitadel-tls
      hosts:
        - zitadel.example.com

The tls.secretName references a Kubernetes Secret containing your TLS certificate. You can create this secret manually, or have your ingress controller issue certificates automatically. For automatic certificate issuance with Traefik ACME, add the traefik.ingress.kubernetes.io/router.tls.certresolver annotation. For cert-manager, add the cert-manager.io/cluster-issuer annotation.
Login Ingress
The Login ingress handles the login UI. It must be configured separately:

login:
  ingress:
    enabled: true
    className: traefik
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
    hosts:
      - host: zitadel.example.com
        paths:
          - path: /ui/v2/login
            pathType: Prefix
    tls:
      - secretName: zitadel-tls
        hosts:
          - zitadel.example.com

The tls.secretName references a Kubernetes Secret containing your TLS certificate. You can use the same secret as the Zitadel ingress since both use the same domain. For automatic certificate issuance with Traefik ACME, add the traefik.ingress.kubernetes.io/router.tls.certresolver annotation. For cert-manager, add the cert-manager.io/cluster-issuer annotation.
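
A pre-deploy check for the two ingress blocks above, added here as an example (it is not part of the chart or its documentation). It assumes the values file has already been parsed into a dict; lint_values, _hosts_and_uncovered and SAMPLE are hypothetical names, and SAMPLE is constructed from the page's values with the Login tls block left out.

```python
LOGIN_PATH = "/ui/v2/login"  # path the Login ingress serves, per the page


def _hosts_and_uncovered(ing):
    """Return (routed hosts, routed hosts that no tls entry lists)."""
    hosts = {h["host"] for h in ing.get("hosts") or [] if h.get("host")}
    tls_entries = ing.get("tls") or []
    # A tls entry that lists no hosts is not tied to specific hosts.
    if any(not t.get("hosts") for t in tls_entries):
        return hosts, set()
    covered = {h for t in tls_entries for h in t["hosts"]}
    return hosts, hosts - covered


def lint_values(values):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    blocks = {"ingress": values.get("ingress") or {},
              "login.ingress": (values.get("login") or {}).get("ingress") or {}}
    hosts_by_block = {}
    for name, ing in blocks.items():
        if not ing.get("enabled"):
            continue  # a disabled ingress creates no resource to check
        hosts, uncovered = _hosts_and_uncovered(ing)
        hosts_by_block[name] = hosts
        for host in sorted(uncovered):
            findings.append(f"{name}: host {host} has no tls entry")
    login = blocks["login.ingress"]
    if login.get("enabled"):
        paths = {p.get("path") for h in login.get("hosts") or []
                 for p in h.get("paths") or []}
        if LOGIN_PATH not in paths:
            findings.append(f"login.ingress: no rule for {LOGIN_PATH}")
    if (len(hosts_by_block) == 2
            and hosts_by_block["ingress"] != hosts_by_block["login.ingress"]):
        findings.append("login.ingress: hosts differ from ingress hosts")
    return findings


# Constructed sample: the page's values with the Login tls block left out.
_HOST = "zitadel.example.com"
SAMPLE = {
    "ingress": {"enabled": True, "className": "traefik",
                "hosts": [{"host": _HOST, "paths": [{"path": "/", "pathType": "Prefix"}]}],
                "tls": [{"secretName": "zitadel-tls", "hosts": [_HOST]}]},
    "login": {"ingress": {"enabled": True, "className": "traefik",
                          "hosts": [{"host": _HOST, "paths": [
                              {"path": LOGIN_PATH, "pathType": "Prefix"}]}]}},
}
```

Calling lint_values(SAMPLE) reports the Login host that lacks a tls entry. The host comparison reflects the page's statement that both ingresses typically share a domain, so treat that finding as a prompt to review rather than an error.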