I would like to share how to configure ZITADEL behind a Traefik instance that already exists.
Traefik's docker-compose.yml — the Traefik folder may be a different one from the folder that holds ZITADEL's docker-compose.yml:
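# tfk/docker-compose.yml
version: '3'
services:
  traefik:
    # Untagged image: pin a specific Traefik release so a pulled upgrade cannot
    # change router/middleware behaviour underneath a running deployment.
    image: traefik
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - web
    # Port mappings are quoted: unquoted "a:b" values can be read as
    # sexagesimal integers by YAML 1.1 parsers instead of strings.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # ":ro" only makes the socket file read-only; the Docker API behind it is
      # still fully usable, so this container is effectively root on the host.
      # Keep the dashboard and this container tightly access-controlled.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      # Holds the ACME account key and issued certificates; file mode 600.
      - ./acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: its only job is the redirect to HTTPS below.
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`tfk.domain.com`)"
      # "hidden" stands for an htpasswd-style hash. Compose interpolates "$",
      # so every "$" of the hash must be written as "$$" in this file.
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:hidden"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      # HTTPS router: basic auth in front of the internal API/dashboard service.
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`tfk.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  web:
    external: true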
traefik.yml is as below. Note: acme.json should have permissions 600 (chmod 600); it holds the certificates that are obtained via Let's Encrypt.
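# tfk/traefik.yml
api:
  # The dashboard is only exposed through the "traefik-secure" router, which
  # sits behind the basicauth middleware; do not additionally set api.insecure.
  dashboard: true

entryPoints:
  http:
    address: ':80'
  https:
    address: ':443'
  # Traefik is the edge here (80/443 are published directly), so
  # forwardedHeaders is left at its default: X-Forwarded-* / X-Real-IP headers
  # supplied by clients are ignored and Traefik sets its own for the backends.
  # The original "forwardedHeaders.insecure: true" on both entry points let any
  # client spoof its source address in logs and in IP-based middlewares. If a
  # trusted load balancer is placed in front of Traefik later, list its
  # addresses under forwardedHeaders.trustedIPs on each entry point instead.

providers:
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    # Only containers labelled traefik.enable=true get routers.
    exposedByDefault: false

certificatesResolvers:
  http:
    acme:
      # Contact address for the ACME account (expiry notices go here).
      email: me@email.com
      # Relative path; with the bind mount in docker-compose.yml this is
      # expected to be /acme.json inside the container.
      storage: acme.json
      httpChallenge:
        entryPoint: http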
The ZITADEL-related files live in a different location; their docker-compose.yml is as below:
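# zitadel % export ZITADEL_MASTERKEY="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"
# zitadel % docker compose up -d
#
# ZITADEL_MASTERKEY must be set in the shell that runs "docker compose" (or in a
# .env file next to this file). Compose substitutes it into the command line
# below, so the key is readable via "docker inspect" on the host; ZITADEL can
# alternatively read it from the ZITADEL_MASTERKEY environment variable with
# --masterkeyFromEnv. Keep the key backed up: it encrypts data at rest.
version: '3.8'
services:
  zitadel:
    restart: 'always'
    networks:
      - web
    image: 'ghcr.io/zitadel/zitadel:stable'
    # TLS terminates at Traefik, hence --tlsMode external; the container itself
    # only speaks h2c (HTTP/2 without TLS) on port 8080.
    command: 'start-from-init --config /zitadel-config.yaml --config /zitadel-secrets.yaml --steps /zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}" --tlsMode external'
    depends_on:
      certs:
        condition: 'service_completed_successfully'
    volumes:
      - './zitadel-config.yaml:/zitadel-config.yaml:ro'
      - './zitadel-secrets.yaml:/zitadel-secrets.yaml:ro'
      - './zitadel-init-steps.yaml:/zitadel-init-steps.yaml:ro'
      # Client certificates produced by the "certs" job, read-only here.
      - 'zitadel-certs:/crdb-certs:ro'
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: redirect only.
      - "traefik.http.routers.zitadel.entrypoints=http"
      - "traefik.http.routers.zitadel.rule=Host(`id.domain.com`)"
      - "traefik.http.middlewares.zitadel-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.zitadel.middlewares=zitadel-https-redirect"
      - "traefik.http.routers.zitadel-secure.entrypoints=https"
      - "traefik.http.routers.zitadel-secure.rule=Host(`id.domain.com`)"
      - "traefik.http.routers.zitadel-secure.tls=true"
      - "traefik.http.routers.zitadel-secure.tls.certresolver=http"
      # Traefik reaches ZITADEL over the "web" network with h2c on 8080; no host
      # port is published for this service.
      - "traefik.http.services.zitadel.loadbalancer.server.scheme=h2c"
      - "traefik.http.services.zitadel.loadbalancer.passHostHeader=true"
      - "traefik.http.services.zitadel.loadbalancer.server.port=8080"
  certs:
    # One-shot job: copies the certificates from the database container's
    # volume, issues a client certificate for zitadel_user and hands the files
    # to uid 1000 (presumably the uid the ZITADEL image runs as).
    image: 'cockroachdb/cockroach:v22.1.0'
    entrypoint: [ '/bin/bash', '-c' ]
    command: [ 'cp /certs/* /zitadel-certs/ && cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown 1000:1000 /zitadel-certs/*' ]
    volumes:
      - 'certs:/certs:ro'
      - 'zitadel-certs:/zitadel-certs:rw'
    depends_on:
      zid-cockroach-db:
        condition: 'service_healthy'
  zid-cockroach-db:
    restart: 'always'
    networks:
      - web
    image: 'cockroachdb/cockroach:v22.1.0'
    command: 'start-single-node --advertise-addr zid-cockroach-db'
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
      interval: '10s'
      timeout: '30s'
      retries: 5
      start_period: '20s'
    # Bound to loopback: the original "38081:8080" and "26257:26257" published
    # the DB console and the SQL port on every host interface, beside the
    # Traefik-fronted services. ZITADEL reaches the database over the "web"
    # network and needs neither mapping; remove both if host-side access is not
    # needed at all.
    ports:
      - '127.0.0.1:38081:8080'
      - '127.0.0.1:26257:26257'
    volumes:
      # The CA/node/root certificates the cockroach image creates on first
      # start are kept here and copied by the "certs" job above.
      - 'certs:/cockroach/certs:rw'
      - 'data:/cockroach/cockroach-data:rw'
networks:
  web:
    external: true
volumes:
  certs:
  zitadel-certs:
  data: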
Contents of zitadel-config.yaml:
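# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
Log:
  Level: 'info'

# ZITADEL is reached through Traefik over HTTPS on the public hostname, so the
# external address is declared secure on port 443 even though the container
# itself only speaks plain h2c behind the proxy (--tlsMode external). Links,
# cookies and redirect URIs are generated from these three values.
ExternalSecure: true
ExternalDomain: 'id.domain.com'
ExternalPort: 443

# If not using the docker compose example, adjust these values for connecting ZITADEL to your CockroachDB
Database:
  cockroach:
    Host: 'zid-cockroach-db'
    # Both roles present the client certificates issued by the "certs" job;
    # verify-full additionally checks the server certificate and hostname
    # against the CA.
    User:
      SSL:
        Mode: 'verify-full'
        RootCert: "/crdb-certs/ca.crt"
        Cert: "/crdb-certs/client.zitadel_user.crt"
        Key: "/crdb-certs/client.zitadel_user.key"
    Admin:
      SSL:
        Mode: 'verify-full'
        RootCert: "/crdb-certs/ca.crt"
        Cert: "/crdb-certs/client.root.crt"
        # The closing quote was missing in the original, which makes the whole
        # file unparseable.
        Key: "/crdb-certs/client.root.key"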
Contents of zitadel-secrets.yaml:
# Database login names only. No passwords are configured here: with the
# client-certificate settings in zitadel-config.yaml (SSL Mode verify-full plus
# a per-user Cert/Key) CockroachDB is expected to authenticate both roles by
# certificate rather than by password.
Database:
  cockroach:
    User:
      # If the user doesn't exist already, it is created
      Username: "zitadel_user"
    Admin:
      # Presumably used by the init phase of start-from-init to create the
      # database objects and the zitadel_user login; confirm against defaults.yaml.
      Username: "root"
Finally, the contents of zitadel-init-steps.yaml:
# Bootstraps the first organisation and its administrator.
FirstInstance:
  Org:
    Name: "somename"
    Human:
      # Use the login name root@somename.id.domain.com, i.e.
      # <Username>@<Org name>.<ExternalDomain> for the values shown here.
      Username: "root"
      # Example value: replace it before the first start and check the
      # PasswordChangeRequired setting under FirstInstance.Org.Human in
      # defaults.yaml so the first login forces a new password.
      Password: "Password@1234"