docs: change examples to psql (#7358)

Replaces CockroachDB as default in self hosting examples. 

* Update docs/docs/concepts/architecture/software.md

Co-authored-by: Elio Bischof <elio@zitadel.com>

* Update docs/docs/concepts/architecture/software.md

Co-authored-by: Elio Bischof <elio@zitadel.com>

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>

docs/docs/concepts/architecture/software.md

@@ -136,16 +136,12 @@ It is also responsible to execute authorization checks. To check if a request is
 
 ### Storage Layer
 
-As ZITADEL itself is built completely stateless only the storage layer is needed for storing things.
-The storage layer of ZITADEL is responsible for multiple things. For example:
+As ZITADEL itself is built completely stateless only the storage layer is needed to persist states.
+The storage layer of ZITADEL is responsible for multiple tasks. For example:
 
-- Distributing data for high availability over multiple server, data centers or regions
 - Guarantee strong consistency for the command side
 - Guarantee good query performance for the query side
-- Ability to store data in specific data centers or regions for data residency (This is only supported with CockroachDB Cloud or Enterprise)
 - Backup and restore operation for disaster recovery purpose
 
-ZITADEL currently supports CockroachDB as first choice of storage due to its perfect match for ZITADELs needs.
-Alternatively you can run ZITADEL also with Postgres which is [Enterprise Supported](/docs/support/software-release-cycles-support#partially-supported).
-Make sure to read our [Production Guide](/docs/self-hosting/manage/production#prefer-cockroachdb) before you decide to use it.
-
+ZITADEL currently supports PostgreSQL and CockroachDB..
+Make sure to read our [Production Guide](/docs/self-hosting/manage/production#prefer-cockroachdb) before you decide on using one of them.

docs/docs/self-hosting/deploy/docker-compose-sa.yaml

@@ -8,35 +8,44 @@ services:
     image: 'ghcr.io/zitadel/zitadel:latest'
     command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
     environment:
-      - 'ZITADEL_DATABASE_COCKROACH_HOST=crdb'
+      - 'ZITADEL_DATABASE_POSTGRES_HOST=db'
+      - 'ZITADEL_DATABASE_POSTGRES_PORT=5432'
+      - 'ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel'
+      - 'ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel'
+      - 'ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel'
+      - 'ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable'
+      - 'ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres'
+      - 'ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres'
+      - 'ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable'
       - 'ZITADEL_EXTERNALSECURE=false'
       - 'ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH=/machinekey/zitadel-admin-sa.json'
       - 'ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa'
       - 'ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin'
       - 'ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE=1'
     depends_on:
-      crdb:
+      db:
         condition: 'service_healthy'
     ports:
       - '8080:8080'
     volumes:
       - ./machinekey:/machinekey
 
-  crdb:
+  db:
     restart: 'always'
+    image: postgres:16-alpine
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
     networks:
       - 'zitadel'
-    image: 'cockroachdb/cockroach:latest'
-    command: 'start-single-node --insecure'
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
+      test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
       interval: '10s'
       timeout: '30s'
       retries: 5
       start_period: '20s'
     ports:
-      - '9090:8080'
-      - '26257:26257'
+      - '5432:5432'
 
 networks:
   zitadel:

docs/docs/self-hosting/deploy/docker-compose.yaml

@@ -8,29 +8,38 @@ services:
     image: 'ghcr.io/zitadel/zitadel:latest'
     command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
     environment:
-      - 'ZITADEL_DATABASE_COCKROACH_HOST=crdb'
+      - 'ZITADEL_DATABASE_POSTGRES_HOST=db'
+      - 'ZITADEL_DATABASE_POSTGRES_PORT=5432'
+      - 'ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel'
+      - 'ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel'
+      - 'ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel'
+      - 'ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable'
+      - 'ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres'
+      - 'ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres'
+      - 'ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable'
       - 'ZITADEL_EXTERNALSECURE=false'
     depends_on:
-      crdb:
+      db:
         condition: 'service_healthy'
     ports:
       - '8080:8080'
 
-  crdb:
+  db:
     restart: 'always'
+    image: postgres:16-alpine
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
     networks:
       - 'zitadel'
-    image: 'cockroachdb/cockroach:latest'
-    command: 'start-single-node --insecure'
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
+      test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
       interval: '10s'
       timeout: '30s'
       retries: 5
       start_period: '20s'
     ports:
-      - '9090:8080'
-      - '26257:26257'
+      - '5432:5432'
 
 networks:
   zitadel:

docs/docs/self-hosting/deploy/linux.mdx

@@ -8,15 +8,16 @@ import DefaultUser from "./_defaultuser.mdx";
 import Next from "./_next.mdx";
 import NoteInstanceNotFound from "./troubleshooting/_note_instance_not_found.mdx";
 
-## Install CockroachDB
+## Install PostgreSQL
 
-Download a `cockroach` binary as described [in the CockroachDB docs](https://www.cockroachlabs.com/docs/stable/install-cockroachdb).
-ZITADEL is tested against CockroachDB latest stable tag and Ubuntu 20.04.
+Download a `postgresql` binary as described [in the PostgreSQL docs](https://www.postgresql.org/download/linux/).
+ZITADEL is tested against PostgreSQL and CockroachDB latest stable tag and Ubuntu 20.04.
 
-## Run CockroachDB
+## Run PostgreSQL
 
 ```bash
-cockroach start-single-node --insecure --background --http-addr :9090 --listen-addr=localhost
+sudo systemctl start postgresql
+sudo systemctl enable postgresql
 ```
 
 ## Install ZITADEL
@@ -30,7 +31,7 @@ LATEST=$(curl -i https://github.com/zitadel/zitadel/releases/latest | grep locat
 ## Run ZITADEL
 
 ```bash
-ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
+ZITADEL_DATABASE_POSTGRES_HOST=localhost ZITADEL_DATABASE_POSTGRES_PORT=5432 ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
 ```
 
 <DefaultUser components={props.components} />
@@ -52,7 +53,7 @@ ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeeds
 ### Setup ZITADEL with a service account
 
 ```bash
-ZITADEL_EXTERNALSECURE=false ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH=/tmp/zitadel-admin-sa.json ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE=1 zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
+ZITADEL_DATABASE_POSTGRES_HOST=localhost ZITADEL_DATABASE_POSTGRES_PORT=5432 ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable ZITADEL_EXTERNALSECURE=false ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH=/tmp/zitadel-admin-sa.json ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE=1 zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
 
 # then you can move your machine key
 mv /tmp/zitadel-admin-sa.json $HOME/zitadel-admin-sa.json

docs/docs/self-hosting/deploy/loadbalancing-example/docker-compose.yaml

@@ -4,7 +4,7 @@ services:
   traefik:
     networks:
       - 'zitadel'
-    image: "traefik:v2.10.1"
+    image: "traefik:latest"
     ports:
       - "80:80"
       - "443:443"
@@ -18,49 +18,34 @@ services:
     image: 'ghcr.io/zitadel/zitadel:stable'
     command: 'start-from-init --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml --steps /example-zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}" --tlsMode external'
     depends_on:
-      certs:
-        condition: 'service_completed_successfully'
-
+      db:
+        condition: 'service_healthy'
     volumes:
       - './example-zitadel-config.yaml:/example-zitadel-config.yaml:ro'
       - './example-zitadel-secrets.yaml:/example-zitadel-secrets.yaml:ro'
       - './example-zitadel-init-steps.yaml:/example-zitadel-init-steps.yaml:ro'
-      - 'zitadel-certs:/crdb-certs:ro'
 
-  certs:
-    image: 'cockroachdb/cockroach:latest'
-    entrypoint: [ '/bin/bash', '-c' ]
-    command: [ 'cp /certs/* /zitadel-certs/ && cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown 1000:1000 /zitadel-certs/*' ]
-    volumes:
-      - 'certs:/certs:ro'
-      - 'zitadel-certs:/zitadel-certs:rw'
-    depends_on:
-      my-cockroach-db:
-        condition: 'service_healthy'
-
-  my-cockroach-db:
-    restart: 'always'
+  db:
+    image: postgres:16-alpine
+    restart: always
+    environment:
+      - POSTGRES_USER=root
+      - POSTGRES_PASSWORD=postgres
+    ports:
+      - '5432:5432'
     networks:
       - 'zitadel'
-    image: 'cockroachdb/cockroach:latest'
-    command: 'start-single-node --advertise-addr my-cockroach-db'
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
-      interval: '10s'
-      timeout: '30s'
+      test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
+      interval: 10s
+      timeout: 60s
       retries: 5
-      start_period: '20s'
-    ports:
-      - '9090:8080'
-      - '26257:26257'
+      start_period: 10s 
     volumes:
-      - 'certs:/cockroach/certs:rw'
-      - 'data:/cockroach/cockroach-data:rw'
+      - 'data:/var/lib/postgresql/data:rw'
 
 networks:
   zitadel:
 
 volumes:
-  certs:
-  zitadel-certs:
   data:

docs/docs/self-hosting/deploy/loadbalancing-example/example-zitadel-config.yaml

@@ -7,22 +7,18 @@ ExternalSecure: true
 ExternalDomain: my.domain
 ExternalPort: 443
 
-# If not using the docker compose example, adjust these values for connecting ZITADEL to your CockroachDB
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
 Database:
-  cockroach:
-    Host: 'my-cockroach-db'
+  postgres:
+    Host: 'db'
+    Port: 5432
+    Database: zitadel
     User:
       SSL:
-        Mode: 'verify-full'
-        RootCert: "/crdb-certs/ca.crt"
-        Cert: "/crdb-certs/client.zitadel_user.crt"
-        Key: "/crdb-certs/client.zitadel_user.key"
+        Mode: 'disable'
     Admin:
       SSL:
-        Mode: 'verify-full'
-        RootCert: "/crdb-certs/ca.crt"
-        Cert: "/crdb-certs/client.root.crt"
-        Key: "/crdb-certs/client.root.key"
+        Mode: 'disable'
 
 LogStore:
   Access:

docs/docs/self-hosting/deploy/loadbalancing-example/example-zitadel-secrets.yaml

@@ -1,10 +1,12 @@
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
 
-# If not using the docker compose example, adjust these values for connecting ZITADEL to your CockroachDB
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
 Database:
-  cockroach:
+  postgres:
     User:
       # If the user doesn't exist already, it is created
       Username: 'zitadel_user'
+      Password: 'zitadel'
     Admin:
       Username: 'root'
+      Password: 'postgres'

docs/docs/self-hosting/deploy/loadbalancing-example/loadbalancing-example.mdx

@@ -15,7 +15,7 @@ With this example configuration, you create a near production environment for ZI
 The stack consists of three long-running containers:
 - A [Traefik](https://doc.traefik.io/traefik/) reverse proxy with upstream HTTP/2 enabled, issuing a self-signed TLS certificate.
 - A secure ZITADEL container configured for a custom domain. As we terminate TLS with Traefik, we configure ZITADEL for `--tlsMode external`.
-- A secure [CockroachDB](https://www.cockroachlabs.com/docs/stable/).
+- An insecure [PostgreSQL](https://www.postgresql.org/docs/current/index.html).
 
 The setup is tested against Docker version 20.10.17 and Docker Compose version v2.2.3
 

docs/docs/self-hosting/deploy/macos.mdx

@@ -8,15 +8,16 @@ import DefaultUser from './_defaultuser.mdx'
 import Next from './_next.mdx'
 import NoteInstanceNotFound from './troubleshooting/_note_instance_not_found.mdx';
 
-## Install CockroachDB
+## Install PostgreSQL
 
-Download a `cockroach` binary as described [in the CockroachDB docs](https://www.cockroachlabs.com/docs/stable/install-cockroachdb).
-ZITADEL is tested against CockroachDB latest stable tag.
+Download a `postgresql` binary as described [in the PostgreSQL docs](https://www.postgresql.org/download/macosx/).
+ZITADEL is tested against PostgreSQL and CockroachDB latest stable tag and Ubuntu 20.04.
 
-## Run CockroachDB
+## Run PostgreSQL
 
 ```bash
-cockroach start-single-node --insecure --background --http-addr :9090 --listen-addr=localhost
+sudo pg_ctl init -D /tmp/postgresql
+sudo pg_ctl start -D /tmp/postgresql
 ```
 
 ## Install ZITADEL
@@ -42,7 +43,7 @@ LATEST=$(curl -i https://github.com/zitadel/zitadel/releases/latest | grep locat
 ## Run ZITADEL
 
 ```bash
-ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
+ZITADEL_DATABASE_POSTGRES_HOST=localhost ZITADEL_DATABASE_POSTGRES_PORT=5432 ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=$(whoami) ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
 ```
 
 <DefaultUser components={props.components} />
@@ -54,7 +55,7 @@ ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeeds
 ### Setup ZITADEL with a service account
 
 ```bash
-ZITADEL_EXTERNALSECURE=false ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH=/tmp/zitadel-admin-sa.json ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE=1 zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
+ZITADEL_DATABASE_POSTGRES_HOST=localhost ZITADEL_DATABASE_POSTGRES_PORT=5432 ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=$(whoami) ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable ZITADEL_EXTERNALSECURE=false ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH=/tmp/zitadel-admin-sa.json ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE=1 zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
 
 # then you can move your machine key
 mv /tmp/zitadel-admin-sa.json $HOME/zitadel-admin-sa.json

docs/docs/self-hosting/deploy/overview.mdx

@@ -14,8 +14,7 @@ Choose your platform and run ZITADEL with the most minimal configuration possibl
 ## Prerequisites
 
 - For test environments, ZITADEL does not need many resources, 1 CPU and 512MB memory are more than enough. (With more CPU, the password hashing might be faster)
-- A CockroachDB or Postgresql as only needed storage. Make sure to read our [Production Guide](/docs/self-hosting/manage/production#prefer-cockroachdb) before you decide to use Postgresql.
-)
+- A PostgreSQL or CockroachDB as only needed storage. Make sure to read our [Production Guide](/docs/self-hosting/manage/production#prefer-cockroachdb) before you decide to use Postgresql.
 
 ## Releases
 

docs/docs/self-hosting/manage/configure/_compose.mdx

@@ -22,7 +22,7 @@ By executing the commands below, you will download the following files:
 </details>
 
 ```bash
-# Download the docker compose example configuration for a secure CockroachDB.
+# Download the docker compose example configuration.
 wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/configure/docker-compose.yaml
 
 # Download and adjust the example configuration file containing standard configuration.

docs/docs/self-hosting/manage/configure/_helm.mdx

@@ -18,10 +18,10 @@ By executing the commands below, you will download the following files:
 
 ```bash
 # Download and adjust the example configuration file containing standard configuration
-wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/production/example-zitadel-values.yaml
+wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/configure/example-zitadel-values.yaml
 
 # Download and adjust the example configuration file containing secret configuration
-wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/production/example-zitadel-values-secrets.yaml
+wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/configure/example-zitadel-values-secrets.yaml
 
 # Install an insecure zitadel release that works with localhost
 helm install --namespace zitadel --create-namespace my-zitadel zitadel/zitadel \

docs/docs/self-hosting/manage/configure/_linuxunix.mdx

@@ -19,13 +19,13 @@ By executing the commands below, you will download the following files:
 
 ```bash
 # Download and adjust the example configuration file containing standard configuration
-wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/production/example-zitadel-config.yaml
+wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/configure/example-zitadel-config.yaml
 
 # Download and adjust the example configuration file containing secret configuration
-wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/production/example-zitadel-secrets.yaml
+wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/configure/example-zitadel-secrets.yaml
 
 # Download and adjust the example configuration file containing database initialization configuration
-wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/production/example-zitadel-init-steps.yaml
+wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/manage/configure/example-zitadel-init-steps.yaml
 
 # A single ZITADEL instance always needs the same 32 characters long masterkey
 # If you haven't done so already, you can generate a new one
@@ -44,9 +44,14 @@ zitadel start-from-init \
 
 ```bash
 # Set runtime environment variables
-export ZITADEL_DATABASE_COCKROACH_HOST="my.database"
-export ZITADEL_DATABASE_COCKROACH_USER_USERNAME="my_zitadel_db_user"
-export ZITADEL_DATABASE_COCKROACH_USER_PASSWORD="Secret_DB_User_Password"
+export ZITADEL_DATABASE_POSTGRES_HOST=my.database 
+export ZITADEL_DATABASE_POSTGRES_PORT=5432 
+export ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel 
+export ZITADEL_DATABASE_POSTGRES_USER_USERNAME=my_zitadel_db_user 
+export ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=Secret_DB_User_Password 
+export ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable 
+export ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root 
+export ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
 export ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME="root"
 export ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD="RootPassword1!"
 

docs/docs/self-hosting/manage/configure/docker-compose.yaml

@@ -7,54 +7,34 @@ services:
       - "zitadel"
     image: "ghcr.io/zitadel/zitadel:stable"
     command: 'start-from-init --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml --steps /example-zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}" --tlsMode disabled'
-    depends_on:
-      certs:
-        condition: "service_completed_successfully"
     ports:
       - "8080:8080"
     volumes:
       - "./example-zitadel-config.yaml:/example-zitadel-config.yaml:ro"
       - "./example-zitadel-secrets.yaml:/example-zitadel-secrets.yaml:ro"
       - "./example-zitadel-init-steps.yaml:/example-zitadel-init-steps.yaml:ro"
-      - "zitadel-certs:/crdb-certs:ro"
 
-  certs:
-    image: "cockroachdb/cockroach:latest"
-    entrypoint: ["/bin/bash", "-c"]
-    command:
-      [
-        "cp /certs/* /zitadel-certs/ && cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown 1000:1000 /zitadel-certs/*",
-      ]
-    volumes:
-      - "certs:/certs:ro"
-      - "zitadel-certs:/zitadel-certs:rw"
-    depends_on:
-      my-cockroach-db:
-        condition: "service_healthy"
-
-  my-cockroach-db:
-    restart: "always"
-    networks:
-      - "zitadel"
-    image: "cockroachdb/cockroach:latest"
-    command: "start-single-node --advertise-addr my-cockroach-db"
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
-      interval: "10s"
-      timeout: "30s"
-      retries: 5
-      start_period: "20s"
+  db:
+    image: postgres:16-alpine
+    restart: always
+    environment:
+      - POSTGRES_USER=root
+      - POSTGRES_PASSWORD=postgres
     ports:
-      - "9090:8080"
-      - "26257:26257"
+      - '5432:5432'
+    networks:
+      - 'zitadel'
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
+      interval: 10s
+      timeout: 60s
+      retries: 5
+      start_period: 10s 
     volumes:
-      - "certs:/cockroach/certs:rw"
-      - "data:/cockroach/cockroach-data:rw"
+      - 'data:/var/lib/postgresql/data:rw'
 
 networks:
   zitadel:
 
 volumes:
-  certs:
-  zitadel-certs:
   data:

docs/docs/self-hosting/manage/configure/example-zitadel-config.yaml

@@ -5,19 +5,15 @@ Log:
 # Make ZITADEL accessible over HTTP, not HTTPS
 ExternalSecure: false
 
-# If not using the docker compose example, adjust these values for connecting ZITADEL to your CockroachDB
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
 Database:
-  cockroach:
-    Host: 'my-cockroach-db'
+  postgres:
+    Host: 'db'
+    Port: 5432
+    Database: zitadel
     User:
       SSL:
-        Mode: 'verify-full'
-        RootCert: "/crdb-certs/ca.crt"
-        Cert: "/crdb-certs/client.zitadel_user.crt"
-        Key: "/crdb-certs/client.zitadel_user.key"
+        Mode: 'disable'
     Admin:
       SSL:
-        Mode: 'verify-full'
-        RootCert: "/crdb-certs/ca.crt"
-        Cert: "/crdb-certs/client.root.crt"
-        Key: "/crdb-certs/client.root.key"
+        Mode: 'disable'

docs/docs/self-hosting/manage/configure/example-zitadel-secrets.yaml

@@ -1,10 +1,12 @@
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
 
-# If not using the docker compose example, adjust these values for connecting ZITADEL to your CockroachDB
+# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
 Database:
-  cockroach:
+  postgres:
     User:
       # If the user doesn't exist already, it is created
       Username: 'zitadel_user'
+      Password: 'zitadel_pw'
     Admin:
       Username: 'root'
+      Password: 'postgres'

docs/docs/self-hosting/manage/configure/example-zitadel-values-secrets.yaml

@@ -6,10 +6,10 @@ zitadel:
   secretConfig:
 
     Database:
-      cockroach:
+      postgres:
         User:
           # If the user doesn't exist already, it is created
-          Username: 'zitadel_user'
+          Username: 'root'
           Password: 'Secret_DB_User_Password'
         Admin:
           Username: 'root'

docs/docs/self-hosting/manage/database/_postgres.mdx

@@ -1,10 +1,6 @@
 ## ZITADEL with Postgres
 
-:::caution
-Be aware that PostgreSQL is only [Enterprise Supported](/docs/support/software-release-cycles-support#partially-supported).
-:::
-
-If you want to use a PostgreSQL database instead of CockroachDB you can [overwrite the default configuration](../configure/configure.mdx).
+If you want to use a PostgreSQL database you can [overwrite the default configuration](../configure/configure.mdx).
 Make sure to read our [Production Guide](/docs/self-hosting/manage/production#prefer-cockroachdb) before you decide to use it.
 
 Currently versions >= 14 are supported.

docs/docs/self-hosting/manage/database/database.mdx

@@ -13,18 +13,18 @@ import Postgres from './_postgres.mdx'
     groupId="database-vendor"
     default="cockroach"
     values={[
-        {'label': 'Cockroach', 'value': 'crdb'},
         {'label': 'Postgres', 'value': 'pg'},
+        {'label': 'Cockroach', 'value': 'crdb'},
     ]}
 >
-    <TabItem value="crdb">
-        <Cockroach/>
-        <More/>
-    </TabItem>
     <TabItem value="pg">
         <Postgres/>
         <More/>
     </TabItem>
+    <TabItem value="crdb">
+        <Cockroach/>
+        <More/>
+    </TabItem>
 </Tabs>
 
 ## Zitadel credentials

docs/docs/self-hosting/manage/production.md

@@ -90,7 +90,7 @@ but in the Projections.Customizations.Telemetry section
 ### Prefer CockroachDB
 
 ZITADEL supports [CockroachDB](https://www.cockroachlabs.com/) and [PostgreSQL](https://www.postgresql.org/).
-We highly recommend using CockroachDB,
+We recommend using CockroachDB,
 as horizontal scaling is much easier than with PostgreSQL.
 Also, if you are concerned about multi-regional data locality,
 [the way to go is with CockroachDB](https://www.cockroachlabs.com/docs/stable/multiregion-overview.html).

docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx

@@ -64,7 +64,7 @@ export const LoginURL = ({mode}) => {
     if (mode === "disabled") {
         scheme = "http"
     }
-    const url = scheme + "://127.0.0.1.sslip.io/ui/console";
+    const url = scheme + "://127.0.0.1.sslip.io/ui/console/?login_hint=zitadel-admin@zitadel.127.0.0.1.sslip.io";
     return <a href={url}>{url}</a>
 }
 

docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml

@@ -3,35 +3,44 @@ version: '3.8'
 services:
 
   proxy-disabled-tls:
-    image: "caddy:2.7.5-alpine"
+    image: "caddy:latest"
     volumes:
       - "./disabled-tls.Caddyfile:/etc/caddy/Caddyfile:ro"
     ports:
       - "80:80"
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-disabled-tls:
         condition: 'service_healthy'
 
   proxy-external-tls:
-    image: "caddy:2.7.5-alpine"
+    image: "caddy:latest"
     volumes:
       - "./external-tls.Caddyfile:/etc/caddy/Caddyfile:ro"
       - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
       - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
     ports:
       - "443:443"
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-external-tls:
         condition: 'service_healthy'
 
   proxy-enabled-tls:
-    image: "caddy:2.7.5-alpine"
+    image: "caddy:latest"
     volumes:
       - "./enabled-tls.Caddyfile:/etc/caddy/Caddyfile:ro"
       - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
       - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
     ports:
       - "443:443"
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-enabled-tls:
         condition: 'service_healthy'
+
+networks:
+  zitadel:

docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml

@@ -10,6 +10,18 @@ services:
       - ZITADEL_EXTERNALPORT=80
       - ZITADEL_EXTERNALSECURE=false
       - ZITADEL_TLS_ENABLED=false
+      # database configuration
+      - ZITADEL_DATABASE_POSTGRES_HOST=db
+      - ZITADEL_DATABASE_POSTGRES_PORT=5432
+      - ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
+      - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel_user
+      - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel_pw
+      - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-init:
         condition: 'service_completed_successfully'
@@ -24,6 +36,18 @@ services:
       - ZITADEL_EXTERNALPORT=443
       - ZITADEL_EXTERNALSECURE=true
       - ZITADEL_TLS_ENABLED=false
+      # database configuration
+      - ZITADEL_DATABASE_POSTGRES_HOST=db
+      - ZITADEL_DATABASE_POSTGRES_PORT=5432
+      - ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
+      - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel_user
+      - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel_pw
+      - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-init:
         condition: 'service_completed_successfully'
@@ -40,9 +64,21 @@ services:
       - ZITADEL_TLS_ENABLED=true
       - ZITADEL_TLS_CERTPATH=/etc/certs/selfsigned.crt
       - ZITADEL_TLS_KEYPATH=/etc/certs/selfsigned.key
+      # database configuration
+      - ZITADEL_DATABASE_POSTGRES_HOST=db
+      - ZITADEL_DATABASE_POSTGRES_PORT=5432
+      - ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
+      - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel_user
+      - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel_pw
+      - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
     volumes:
       - ./selfsigned.crt:/etc/certs/selfsigned.crt
       - ./selfsigned.key:/etc/certs/selfsigned.key
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-init:
         condition: 'service_completed_successfully'
@@ -61,13 +97,23 @@ services:
       # If ZITADEL can't resolve a requests original host to this domain,
       # it will return a 404 Instance not found error.
       - ZITADEL_EXTERNALDOMAIN=127.0.0.1.sslip.io
-      # ZITADEL accesses the database via the docker network.
-      - ZITADEL_DATABASE_COCKROACH_HOST=db
       # In case something doesn't work as expected,
       # it can be handy to be able to read the access logs.
       - ZITADEL_LOGSTORE_ACCESS_STDOUT_ENABLED=true
       # For convenience, ZITADEL should not ask to change the initial admin users password.
       - ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED=false
+      # database configuration
+      - ZITADEL_DATABASE_POSTGRES_HOST=db
+      - ZITADEL_DATABASE_POSTGRES_PORT=5432
+      - ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel
+      - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel_user
+      - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel_pw
+      - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres
+      - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
+    networks:
+      - 'zitadel'
     healthcheck:
       test: ["CMD", "/app/zitadel", "ready"]
       interval: '10s'
@@ -77,14 +123,25 @@ services:
 
   db:
     restart: 'always'
-    image: 'cockroachdb/cockroach:latest'
-    command: 'start-single-node --insecure --http-addr :9090'
+    image: postgres:16-alpine
+    environment:
+      - POSTGRES_USER=root
+      - POSTGRES_PASSWORD=postgres
     healthcheck:
-      test: ['CMD', 'curl', '-f', 'http://localhost:9090/health?ready=1']
-      interval: '10s'
-      timeout: '30s'
-      retries: 5
-      start_period: '20s'
+      test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
+      interval: 5s
+      timeout: 60s
+      retries: 10
+      start_period: 5s
     ports:
-      - "26257:26257"
-      - "9090:9090"
+      - '5432:5432'
+    networks:
+      - 'zitadel'
+    volumes:
+      - 'data:/var/lib/postgresql/data:rw'
+
+networks:
+  zitadel:
+
+volumes:
+  data:

docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml

@@ -3,35 +3,44 @@ version: '3.8'
 services:
 
   proxy-disabled-tls:
-    image: "nginx:1.25.3-alpine"
+    image: "nginx:mainline-alpine"
     volumes:
       - "./nginx-disabled-tls.conf:/etc/nginx/nginx.conf:ro"
     ports:
       - "80:80"
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-disabled-tls:
         condition: 'service_healthy'
 
   proxy-external-tls:
-    image: "nginx:1.25.3-alpine"
+    image: "nginx:mainline-alpine"
     volumes:
       - "./nginx-external-tls.conf:/etc/nginx/nginx.conf:ro"
       - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
       - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
     ports:
       - "443:443"
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-external-tls:
         condition: 'service_healthy'
 
   proxy-enabled-tls:
-    image: "nginx:1.25.3-alpine"
+    image: "nginx:mainline-alpine"
     volumes:
       - "./nginx-enabled-tls.conf:/etc/nginx/nginx.conf:ro"
       - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
       - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
     ports:
       - "443:443"
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-enabled-tls:
         condition: 'service_healthy'
+
+networks:
+  zitadel:

docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml

@@ -3,35 +3,44 @@ version: '3.8'
 services:
 
   proxy-disabled-tls:
-    image: "traefik:v2.10.5"
+    image: "traefik:latest"
     volumes:
       - "./traefik-disabled-tls.yaml:/etc/traefik/traefik.yaml:ro"
     ports:
       - "80:80"
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-disabled-tls:
         condition: 'service_healthy'
 
   proxy-external-tls:
-    image: "traefik:v2.10.5"
+    image: "traefik:latest"
     volumes:
       - "./traefik-external-tls.yaml:/etc/traefik/traefik.yaml:ro"
       - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
       - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
     ports:
       - "443:443"
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-external-tls:
         condition: 'service_healthy'
 
   proxy-enabled-tls:
-    image: "traefik:v2.10.5"
+    image: "traefik:latest"
     volumes:
       - "./traefik-enabled-tls.yaml:/etc/traefik/traefik.yaml:ro"
       - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
       - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
     ports:
       - "443:443"
+    networks:
+      - 'zitadel'
     depends_on:
       zitadel-enabled-tls:
         condition: 'service_healthy'
+
+networks:
+  zitadel:

docs/docs/support/software-release-cycles-support.md

@@ -31,7 +31,6 @@ If you encounter issues with an enterprise supported feature and you are eligibl
 
 **Enterprise supported features**
 
-- Database PostgreSQL
 - LDAP Identity Provider
 - [Terraform Provider](https://github.com/zitadel/terraform-provider-zitadel)