Fix Zitadel Docker post for v4 Login V2 architecture (#148)#152
Merged
Conversation
The post deployed a single zitadel container with no login service. Since Zitadel v4 (which :latest now tracks), the login UI is a separate Next.js container (ghcr.io/zitadel/zitadel-login, "Login V2"), and new instances default to redirecting sign-in to it - so the documented login flow breaks on current versions. - Pin images to v4.15.3 instead of :latest in both examples - Quick start sets LOGINV2_REQUIRED=false to keep the bundled legacy login working for single-container evaluation - Add a section explaining the v2/v3 vs v4 login architecture - Rewrite the production compose to the correct v4 layout: core + zitadel-login + Traefik proxy, with the login-client PAT bootstrap (modeled on Zitadel's official deploy/compose) - Update TLS section for proxy-terminated TLS; keep direct-on-core option - Standardize Postgres image to postgres:17-alpine
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Resolves #148. A reader asked where the
zitadel-loginservice is and how login works without it. They were right to ask: the post deployed a singlezitadelcontainer with no login service, which no longer produces a working sign-in on current Zitadel.Why it was broken
ghcr.io/zitadel/zitadel:latestnow tracks the Zitadel v4 line (v4.15.3 at time of writing).ghcr.io/zitadel/zitadel-login("Login V2"), served at/ui/v2/loginon port 3000.LoginV2 Required=true, so the core redirects sign-in to/ui/v2/login. With no login service running, the interactive login breaks (the API and console assets still work).ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED=false; it is not removed/deprecated yet.Changes
v4.15.3instead of:latestin both examples.ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED=falseso the single-container evaluation setup keeps a working login (bundled Login V1 at/ui/login).zitadel-logincontainer + a Traefik reverse proxy, with thelogin-clientPAT bootstrap and shared volume. Modeled on Zitadel's officialdeploy/compose/docker-compose.yml.postgres:17-alpine(production compose previously used 16).npm run validatepasses.