metal-stack · ostempel · Nov 3, 2025 · Nov 5, 2025 · Nov 6, 2025 · Nov 6, 2025
@@ -211,3 +211,22 @@ An Nginx is running inside of the www container to allow automatic testing of ou
 ![Network topology](docs/network.svg)
 
 > Figure 2: mini-lab network topology illustration.
+
+## V2 Quickstart
+
+Login with [cli](https://github.com/metal-stack/cli):
+
+```bash
+$ metalctlv2 login --provider openid-connect
+```
+
+User: olli.owner@metal-stack.io
+Password: Olli.Owner123!
+
+User: gerrit.guest@metal-stack.io
+Password: Gerrit.Guest123!
+
+Zitadel Admin:
+
+User: admin@metal-stack.zitadel.172.17.0.1.nip.io
+Password: Password1!
@@ -20,12 +20,14 @@
       tags: headscale
     - name: metal-roles/control-plane/roles/masterdata-db
       tags: masterdata-db
+    - name: metal-roles/control-plane/roles/zitadel-db
+      tags: zitadel-db
     - name: metal-roles/control-plane/roles/auditing-timescaledb
       when: metal_auditing_timescaledb_enabled
       tags: auditing
     - name: metal-roles/control-plane/roles/valkey
       tags: valkey
-    - name: auth-dex
+    - name: metal-roles/control-plane/roles/zitadel
       tags: auth
     - name: metal-roles/control-plane/roles/metal
       tags: metal

@@ -1,5 +1,5 @@
 ---
-metal_stack_release_version: develop
+metal_stack_release_version: add-zitadel
 
 metal_stack_release_vectors:
   - url: oci://ghcr.io/metal-stack/releases:{{ metal_stack_release_version }}
@@ -15,7 +15,7 @@ metal_stack_release_vectors:
 # metal_api_image_name:
 # metal_api_image_tag:
 # metal_apiserver_image_name:
-# metal_apiserver_image_tag:
+metal_apiserver_image_tag: v0.1.1
 # metal_metalctl_image_name:
 # metal_metalctl_image_tag:
 # metal_masterdata_api_image_name:
@@ -37,15 +37,14 @@ metal_stack_release_vectors:
 ##
 
 # ansible_common_version:
-# metal_roles_version:
+metal_roles_version: v0.17.28
 # metal_ansible_modules_version:
 
 ##
 ## helm charts
 ##
 
-# metal_helm_chart_version:
-# metal_helm_chart_repo:
-
+metal_helm_chart_version: 0.7.0
+# metal_helm_chart_repo: https://helm.metal-stack.io/pull_requests/make-oidc-secret-configurable
 # further overrides can be looked up in the metal-role projects where the mapping is defined:
 # https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml
@@ -3,8 +3,6 @@ metal_set_resource_limits: no
 metal_check_api_health_endpoint: http://api.{{ metal_control_plane_ingress_dns }}:8080/metal/v1/health
 metal_api_headscale_control_plane_address: "http://headscale.{{ metal_control_plane_ingress_dns }}:8080"
 
-# metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane
-
 metal_api_replicas: 1
 metal_api_view_key: metal-view
 metal_api_edit_key: metal-edit
@@ -15,13 +13,12 @@ metal_api_nsq_tcp_address: nsqd:4150
 metal_apiserver_enabled: true
 metal_apiserver_url: http://v2.api.{{ metal_control_plane_ingress_dns }}:8080
 
-metal_apiserver_oidc_discovery_url: http://auth.{{ metal_control_plane_ingress_dns }}:8080/dex/.well-known/openid-configuration
-metal_apiserver_oidc_end_session_url: ""
-metal_apiserver_oidc_client_id: metal-stack
-metal_apiserver_oidc_client_secret: secret
+metal_apiserver_oidc_secret_name: zitadel-client-credentials
+metal_apiserver_oidc_discovery_url: https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/.well-known/openid-configuration
+metal_apiserver_oidc_end_session_url: "https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/oidc/v1/end_session"
 
 metal_apiserver_redis_password: change-me-soon
-metal_apiserver_admin_subjects: "CiQwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDESBWxvY2Fs@oidc"
+metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.17.0.1.nip.io@openid-connect"
 
 metal_api_images:
 - id: firewall-ubuntu-3.0
@@ -166,4 +163,4 @@ metal_auditing_timescaledb_enabled: true
 
 # headscale
 metal_api_headscale_enabled: true
-metal_api_headscale_tls: no
+metal_api_headscale_tls: no
@@ -0,0 +1,26 @@
+---
+zitadel_endpoint: zitadel.{{ metal_control_plane_namespace }}.svc.cluster.local
+zitadel_external_domain: zitadel.{{ metal_control_plane_ingress_dns }}
+zitadel_ingress_dns: https://{{ zitadel_external_domain }}:4443
+zitadel_port: 8080
+zitadel_skip_verify_tls: true
+zitadel_insecure: true
+
+zitadel_init_config:
+  static_users:
+    - first_name: Olli
+      last_name: Owner
+      email: olli.owner@metal-stack.io
+      password: Olli.Owner123!
+    - first_name: Gerrit
+      last_name: Guest
+      email: gerrit.guest@metal-stack.io
+      password: Gerrit.Guest123!
+  project:
+    id: metal-stack
+    name: metal-stack
+  application:
+    # later id will be added but currently not possible with zitadel
+    id: metal-stack
+    name: metal-stack
+    redirect_uri: http://v2.api.172.17.0.1.nip.io:8080/auth/openid-connect/callback