feat: drop CockroachDB support from chart templates (#587)

mridang · web-flow · commit 949b8d00dba2 · 2026-04-15T11:07:23.000+05:30
diff --git a/charts/zitadel/Chart.yaml b/charts/zitadel/Chart.yaml
@@ -3,7 +3,7 @@ name: zitadel
 description: A Helm chart for ZITADEL
 type: application
 appVersion: v4.13.0
-version: 9.31.0
+version: 9.32.0
 kubeVersion: '>= 1.30.0-0'
 home: https://zitadel.com
 sources:
diff --git a/charts/zitadel/README.md b/charts/zitadel/README.md
@@ -2,7 +2,7 @@
 
 # Zitadel
 
-![Version: 9.31.0](https://img.shields.io/badge/Version-9.31.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.13.0](https://img.shields.io/badge/AppVersion-v4.13.0-informational?style=flat-square)
+![Version: 9.32.0](https://img.shields.io/badge/Version-9.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.13.0](https://img.shields.io/badge/AppVersion-v4.13.0-informational?style=flat-square)
 
 ## A Better Identity and Access Management Solution
 
@@ -402,7 +402,7 @@ Kubernetes: `>= 1.30.0-0`
 | zitadel.configSecretName | string | `nil` | Name of an existing Kubernetes Secret containing ZITADEL configuration. Use this when you want to manage ZITADEL configuration externally (e.g., via External Secrets Operator, Sealed Secrets, or GitOps). The secret should contain YAML configuration in the same format as configmapConfig. |
 | zitadel.configmapConfig | object | `{"Database":{"Postgres":{"Host":"","Port":5432}},"ExternalDomain":"","ExternalSecure":true,"FirstInstance":{"LoginClientPatPath":null,"MachineKeyPath":null,"Org":{"LoginClient":{"Machine":{"Name":"Automatically Initialized IAM Login Client","Username":"login-client"},"Pat":{"ExpirationDate":"2029-01-01T00:00:00Z"}},"Machine":{"Machine":{"Name":"Automatically Initialized IAM Admin","Username":"iam-admin"},"MachineKey":{"ExpirationDate":"2029-01-01T00:00:00Z","Type":1},"Pat":{"ExpirationDate":"2029-01-01T00:00:00Z"}},"Skip":null},"PatPath":null,"Skip":false},"Machine":{"Identification":{"Hostname":{"Enabled":true},"Webhook":{"Enabled":false}}},"TLS":{"Enabled":false}}` | ZITADEL runtime configuration written to a Kubernetes ConfigMap. These values are passed directly to the ZITADEL binary and control its behavior. For the complete list of available configuration options, see: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml |
 | zitadel.dbSslAdminCrtSecret | string | `""` | Name of a Kubernetes Secret containing the admin user's client certificate for mutual TLS (mTLS) authentication to the database. The secret must contain keys "tls.crt" (certificate) and "tls.key" (private key). Used by the init job for database setup operations that require elevated privileges. |
-| zitadel.dbSslCaCrt | string | `""` | PEM-encoded CA certificate for verifying the database server's TLS certificate. Use this when your PostgreSQL/CockroachDB server uses a self-signed certificate or a certificate signed by a private CA. The certificate is stored in a Kubernetes Secret and mounted into ZITADEL pods at /db-ssl-ca-crt/ca.crt. Either provide the certificate inline here, or reference an existing secret using dbSslCaCrtSecret instead. |
+| zitadel.dbSslCaCrt | string | `""` | PEM-encoded CA certificate for verifying the database server's TLS certificate. Use this when your PostgreSQL server uses a self-signed certificate or a certificate signed by a private CA. The certificate is stored in a Kubernetes Secret and mounted into ZITADEL pods at /db-ssl-ca-crt/ca.crt. Either provide the certificate inline here, or reference an existing secret using dbSslCaCrtSecret instead. |
 | zitadel.dbSslCaCrtAnnotations | map[string]string | `{"helm.sh/hook":"pre-install,pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations for the dbSslCaCrt Secret when created from the inline certificate. The default Helm hooks ensure the secret exists before pods start. |
 | zitadel.dbSslCaCrtSecret | string | `""` | Name of an existing Kubernetes Secret containing the database CA certificate at key "ca.crt". Use this instead of dbSslCaCrt when the certificate is managed externally (e.g., by cert-manager or an operator). The secret must exist in the same namespace as the ZITADEL release. |
 | zitadel.dbSslUserCrtSecret | string | `""` | Name of a Kubernetes Secret containing the application user's client certificate for mutual TLS (mTLS) authentication to the database. The secret must contain keys "tls.crt" (certificate) and "tls.key" (private key). Used by the main ZITADEL deployment and setup job for normal database operations. |
diff --git a/charts/zitadel/templates/_helpers.tpl b/charts/zitadel/templates/_helpers.tpl
@@ -255,31 +255,6 @@ Prefers login.securityContext; falls back to the chart-wide securityContext.
 {{- end }}
 {{- end }}
 
-{{/*
-Returns the database config from the secretConfig or else from the configmapConfig
-*/}}
-{{- define "zitadel.dbconfig.json" -}}
-    {{- if (((.Values.zitadel).secretConfig).Database) -}}
-    {{- .Values.zitadel.secretConfig.Database | toJson -}}
-    {{- else if (((.Values.zitadel).configmapConfig).Database) -}}
-    {{- .Values.zitadel.configmapConfig.Database | toJson -}}
-    {{- else -}}
-    {{- dict | toJson -}}
-    {{- end -}}
-{{- end -}}
-
-{{/*
-Returns a dict with the databases key in the yaml and the environment variable part, either COCKROACH or POSTGRES, in uppercase letters.
-*/}}
-{{- define "zitadel.dbkey.json" -}}
-  {{- range $i, $key := (include "zitadel.dbconfig.json" . | fromJson | keys ) -}}
-    {{- if or (eq (lower $key) "postgres" ) (eq (lower $key) "pg" ) -}}
-        {"key": "{{ $key }}", "env": "POSTGRES" }
-    {{- else if or (eq (lower $key) "cockroach" ) (eq (lower $key) "crdb" ) -}}
-        {"key": "{{ $key }}", "env": "COCKROACH" }
-    {{- end -}}
-  {{- end -}}
-{{- end -}}
 
 {{- define "zitadel.containerPort" -}}
 8080
diff --git a/charts/zitadel/templates/debug_replicaset.yaml b/charts/zitadel/templates/debug_replicaset.yaml
@@ -62,15 +62,14 @@ spec:
                   key: masterkey
             - name: ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH
               value: "/machinekey/sa.json"
-            {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }}
             {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
               value: /db-ssl-ca-crt/ca.crt
             {{- end }}
             {{- if .Values.zitadel.dbSslUserCrtSecret }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
               value: /db-ssl-user-crt/tls.crt
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
               value: /db-ssl-user-crt/tls.key
             {{- end}}
             {{- with .Values.env }}
diff --git a/charts/zitadel/templates/deployment_zitadel.yaml b/charts/zitadel/templates/deployment_zitadel.yaml
@@ -83,18 +83,17 @@ spec:
                 secretKeyRef:
                   name: {{ include "zitadel.masterkeySecretName" . }}
                   key: masterkey
-            {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }}
             {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
               value: /db-ssl-ca-crt/ca.crt
             {{- end }}
             {{- if .Values.zitadel.dbSslUserCrtSecret }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
               value: /db-ssl-user-crt/tls.crt
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
               value: /db-ssl-user-crt/tls.key
             {{- end }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_AWAITINITIALCONN
+            - name: ZITADEL_DATABASE_POSTGRES_AWAITINITIALCONN
               value: "5m"
             {{- if .Values.zitadel.serverSslCrtSecret }}
             - name: ZITADEL_TLS_CERTPATH
diff --git a/charts/zitadel/templates/job_init.yaml b/charts/zitadel/templates/job_init.yaml
@@ -80,26 +80,25 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: status.podIP
-            {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }}
             {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
               value: /db-ssl-ca-crt/ca.crt
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_ADMIN_SSL_ROOTCERT
+            - name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_ROOTCERT
               value: /db-ssl-ca-crt/ca.crt
             {{- end}}
             {{- if .Values.zitadel.dbSslAdminCrtSecret }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_ADMIN_SSL_CERT
+            - name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_CERT
               value: /db-ssl-admin-crt/tls.crt
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_ADMIN_SSL_KEY
+            - name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_KEY
               value: /db-ssl-admin-crt/tls.key
             {{- end}}
             {{- if .Values.zitadel.dbSslUserCrtSecret }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
               value: /db-ssl-user-crt/tls.crt
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
               value: /db-ssl-user-crt/tls.key
             {{- end}}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_AWAITINITIALCONN
+            - name: ZITADEL_DATABASE_POSTGRES_AWAITINITIALCONN
               value: "5m"
             {{- with .Values.env }}
               {{- toYaml . | nindent 12 }}
diff --git a/charts/zitadel/templates/job_setup.yaml b/charts/zitadel/templates/job_setup.yaml
@@ -111,18 +111,17 @@ spec:
             {{- end }}
             - name: ZITADEL_FIRSTINSTANCE_LOGINCLIENTPATPATH
               value: "/login-client/pat"
-            {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }}
             {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
               value: /db-ssl-ca-crt/ca.crt
             {{- end }}
             {{- if .Values.zitadel.dbSslUserCrtSecret }}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
               value: /db-ssl-user-crt/tls.crt
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
+            - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
               value: /db-ssl-user-crt/tls.key
             {{- end}}
-            - name: ZITADEL_DATABASE_{{ $dbEnv }}_AWAITINITIALCONN
+            - name: ZITADEL_DATABASE_POSTGRES_AWAITINITIALCONN
               value: "5m"
             {{- with .Values.env }}
               {{- toYaml . | nindent 12 }}
diff --git a/charts/zitadel/values.schema.json b/charts/zitadel/values.schema.json
@@ -1716,7 +1716,7 @@
                     "type": "string"
                 },
                 "dbSslCaCrt": {
-                    "description": "PEM-encoded CA certificate for verifying the database server's TLS certificate. Use this when your PostgreSQL/CockroachDB server uses a self-signed certificate or a certificate signed by a private CA. The certificate is stored in a Kubernetes Secret and mounted into ZITADEL pods at /db-ssl-ca-crt/ca.crt. Either provide the certificate inline here, or reference an existing secret using dbSslCaCrtSecret instead.",
+                    "description": "PEM-encoded CA certificate for verifying the database server's TLS certificate. Use this when your PostgreSQL server uses a self-signed certificate or a certificate signed by a private CA. The certificate is stored in a Kubernetes Secret and mounted into ZITADEL pods at /db-ssl-ca-crt/ca.crt. Either provide the certificate inline here, or reference an existing secret using dbSslCaCrtSecret instead.",
                     "type": "string"
                 },
                 "dbSslCaCrtAnnotations": {
diff --git a/charts/zitadel/values.yaml b/charts/zitadel/values.yaml
@@ -23,8 +23,8 @@ zitadel:
       # Enable HTTPS on ZITADEL's internal server. Requires serverSslCrtSecret or
       # selfSignedCert to be configured with valid certificates.
       Enabled: false
-    # Database connection configuration. ZITADEL requires PostgreSQL 14+ or
-    # CockroachDB 22+ as its backing database.
+    # Database connection configuration. ZITADEL requires PostgreSQL 14+ as
+    # its backing database.
     Database:
       Postgres:
         # PostgreSQL server hostname or IP address. Leave empty if providing via
@@ -199,7 +199,7 @@ zitadel:
     helm.sh/hook-weight: "0"
 
   # -- PEM-encoded CA certificate for verifying the database server's TLS certificate.
-  # Use this when your PostgreSQL/CockroachDB server uses a self-signed certificate
+  # Use this when your PostgreSQL server uses a self-signed certificate
   # or a certificate signed by a private CA. The certificate is stored in a
   # Kubernetes Secret and mounted into ZITADEL pods at /db-ssl-ca-crt/ca.crt.
   # Either provide the certificate inline here, or reference an existing secret
