
feat: add system user TLS certificate for login backend auth [HOLD] #545

Draft
mridang wants to merge 2 commits into main from feat/tls-based-login-backend-auth

Conversation

@mridang (Collaborator) commented Feb 17, 2026

Definition of Ready

  • I am happy with the code
  • Short description of the feature/issue is added in the PR description
  • PR is linked to the corresponding user story
  • Acceptance criteria are met
  • All open todos and follow-ups are defined in a new ticket and justified
  • Deviations from the acceptance criteria and design are agreed with the PO and documented
  • No debug or dead code
  • My code has no repetitions
  • Documentation/examples are up-to-date
  • All non-functional requirements are met
  • If possible, the test configuration is adjusted so acceptance tests cover my changes

@mridang mridang self-assigned this Feb 17, 2026
@mridang mridang marked this pull request as draft February 17, 2026 09:10
@github-actions (Contributor) commented:
Qodana for Go

5 new problems were found

Inspection name                      Severity   Problems
Unknown/undeclared Helm properties   Notice     5

💡 Qodana analysis was run in the pull request mode: only the changed files were checked

@chatgpt-codex-connector (bot) left a comment:

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ce2957021d


{{- if and $existingSecret $existingSecret.data }}
{{- $cert = dict "Cert" (index $existingSecret.data "tls.crt" | b64dec) "Key" (index $existingSecret.data "tls.key" | b64dec) }}
{{- else }}
{{- $cert = genSelfSignedCert $cn nil $sans (int .Values.zitadel.systemUser.validityDays) }}
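Review bot: the reuse branch on the first line only checks that `$existingSecret.data` is non-empty, not that it actually carries both `tls.crt` and `tls.key`, so a pre-existing secret with a different key layout makes `index` return an empty value that is then fed to `b64dec`, leaving the dict with a missing Cert or Key (or failing the render) instead of falling through to generation. Suggest tightening the condition to something like `{{- if and $existingSecret $existingSecret.data (hasKey $existingSecret.data "tls.crt") (hasKey $existingSecret.data "tls.key") }}` so that only a complete pair is reused, and regenerating otherwise.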

P1: Avoid nondeterministic cert generation during template render

This template generates a fresh keypair via genSelfSignedCert whenever lookup cannot read an existing secret, and that output is also hashed into pod annotations (deployment_zitadel.yaml/deployment_login.yaml include this template for checksum/secret-system-user). In render-only environments (for example helm template or GitOps controllers that do not provide live lookup data), lookup stays empty on every reconcile, so the rendered Secret and checksum change every run, causing perpetual drift and repeated rollouts with the default zitadel.systemUser.enabled=true.


Comment on lines +27 to +28
{{- if lt $renewBeforeHours 24 }}
{{- $renewBeforeHours = 24 }}
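Review bot: the 24-hour floor applied to `$renewBeforeHours` in these two lines is absolute and never compared against the certificate duration, which is what lets it collide with a 24h duration when validityDays is 1; rather than clamping upward unconditionally, bound the value by the duration first, e.g. `{{- $renewBeforeHours = min $renewBeforeHours (sub $durationHours 1) }}` (where `$durationHours` stands in for whatever variable holds the duration in hours), or reject the configuration outright with `{{- if ge $renewBeforeHours $durationHours }}{{- fail "renewBefore must be shorter than the certificate duration" }}{{- end }}` so a misconfigured validityDays fails at render time instead of producing a Certificate that cert-manager refuses.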

P2: Keep renewBefore strictly below certificate duration

When validityDays is set to 1, duration becomes 24h, but the minimum clamp here forces renewBefore to 24h as well. That produces an invalid cert-manager Certificate spec because renewal must be scheduled before expiration (renewBefore < duration), so cert issuance fails and the mounted system-user secret is never created.


