
Database

PostgreSQL

Zitadel requires PostgreSQL 14 or later. The chart supports multiple ways to connect to PostgreSQL depending on your security requirements.

This method connects to PostgreSQL without encryption. Only use this for testing or when the database is on a private network with no risk of interception.

Store the DSN in a Kubernetes Secret and pass it as an environment variable:

kubectl create secret generic zitadel-db-credentials \
  --from-literal=dsn="postgresql://zitadel:your-password@postgres.database.svc.cluster.local:5432/zitadel?sslmode=disable"

zitadel:
  env:
    - name: ZITADEL_DATABASE_POSTGRES_DSN
      valueFrom:
        secretKeyRef:
          name: zitadel-db-credentials
          key: dsn

The sslmode=disable setting turns off TLS entirely. Traffic between Zitadel and PostgreSQL is unencrypted.

Connecting with Credentials and TLS

This method connects to PostgreSQL with TLS encryption but without certificate verification. Use this when you trust the network path but want encryption in transit.

kubectl create secret generic zitadel-db-credentials \
  --from-literal=dsn="postgresql://zitadel:your-password@postgres.database.svc.cluster.local:5432/zitadel?sslmode=require"

zitadel:
  env:
    - name: ZITADEL_DATABASE_POSTGRES_DSN
      valueFrom:
        secretKeyRef:
          name: zitadel-db-credentials
          key: dsn

The sslmode=require setting enforces TLS but does not verify the server certificate. This protects against passive eavesdropping but not against man-in-the-middle attacks.

Connecting with Certificates

This method connects to PostgreSQL with full TLS verification using certificates. Use this for production deployments where you need to verify the database server's identity.

zitadel:
  env:
    - name: ZITADEL_DATABASE_POSTGRES_DSN
      valueFrom:
        secretKeyRef:
          name: zitadel-db-credentials
          key: dsn
  dbSslCaCrt: "ca.crt"
  dbSslCaCrtSecret: "postgres-ca-cert"

Create a secret containing the CA certificate:

kubectl create secret generic postgres-ca-cert \
  --from-file=ca.crt=/path/to/your/ca-certificate.crt

Create a secret containing the DSN with full verification:

kubectl create secret generic zitadel-db-credentials \
  --from-literal=dsn="postgresql://zitadel:your-password@postgres.database.svc.cluster.local:5432/zitadel?sslmode=verify-full&sslrootcert=/db-ssl-ca-crt/ca.crt"

The sslmode=verify-full setting enforces TLS and verifies both that the server certificate is signed by the trusted CA and that the server hostname matches the certificate. This provides full protection against eavesdropping and man-in-the-middle attacks. The dbSslCaCrtSecret value references the Kubernetes Secret containing the CA certificate, and dbSslCaCrt specifies the key within that secret; the chart makes that file available to Zitadel at the path the DSN's sslrootcert parameter points to (/db-ssl-ca-crt/ca.crt in the example above), so the two must match.
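The three sslmode values above differ in what they actually protect against, and that is easy to get wrong when DSNs live in Secrets. The following is an added example (not part of the ZITADEL chart or docs) that parses a PostgreSQL URI DSN and reports its transport-security level; it covers the remaining libpq modes as well, and the sample DSNs and labels are constructed here to mirror the ones on this page.

```python
from urllib.parse import urlparse, parse_qs
from dataclasses import dataclass, field

@dataclass
class DSNReview:
    sslmode: str
    encrypted: bool  # TLS on the wire
    verified: bool   # server certificate chain and hostname both checked
    findings: list = field(default_factory=list)

# Effect of each libpq sslmode: (encrypted, verified, finding text or None).
_MODES = {
    "disable":     (False, False, "plaintext, no TLS at all"),
    "allow":       (False, False, "tries plaintext first, TLS only if the server insists"),
    "prefer":      (False, False, "tries TLS first but silently falls back to plaintext"),
    "require":     (True,  False, "encrypted, but the server certificate is not verified"),
    "verify-ca":   (True,  False, "CA signature checked, server hostname is not"),
    "verify-full": (True,  True,  None),
}

def audit_postgres_dsn(dsn: str) -> DSNReview:
    """Classify the transport security a PostgreSQL URI DSN actually provides."""
    u = urlparse(dsn)
    if u.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"not a PostgreSQL URI scheme: {u.scheme!r}")
    params = {k: v[-1] for k, v in parse_qs(u.query).items()}
    mode = params.get("sslmode", "prefer")  # libpq default when sslmode is absent
    if mode not in _MODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    encrypted, verified, note = _MODES[mode]
    review = DSNReview(mode, encrypted, verified)
    if note:
        review.findings.append(f"sslmode={mode}: {note}")
    if mode.startswith("verify-") and "sslrootcert" not in params:
        review.findings.append(f"sslmode={mode} without sslrootcert: the mounted ca.crt "
                               "is not referenced, verification uses the client's default trust store")
    return review

# Constructed sample: the three DSN variants shown on this page, keyed by a label.
SAMPLE_DSNS = {
    "no-tls":   "postgresql://zitadel:pw@postgres.database.svc.cluster.local:5432/zitadel?sslmode=disable",
    "tls-only": "postgresql://zitadel:pw@postgres.database.svc.cluster.local:5432/zitadel?sslmode=require",
    "verified": "postgresql://zitadel:pw@postgres.database.svc.cluster.local:5432/zitadel"
                "?sslmode=verify-full&sslrootcert=/db-ssl-ca-crt/ca.crt",
}

def weak_dsns(dsns: dict) -> dict:
    """Return label -> findings for every DSN that falls short of full verification."""
    reviews = {n: audit_postgres_dsn(d) for n, d in dsns.items()}
    return {n: r.findings for n, r in reviews.items() if r.findings}
```

Run weak_dsns over DSNs decoded from your cluster's Secrets to confirm that only the verify-full variant comes back clean.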
