A grab-bag of fixes the OKD staging install surfaced. Each landed as a
diagnosable failure during real deploys:
* URL parametrization. ZitadelSetupScore was hardcoded to
`http://127.0.0.1:{port}` with a `Host:` header — fine for k3d
port-forward, broken everywhere else. Adds `scheme: ZitadelScheme`
(Http/Https), `port: Option<u16>` (None → scheme default), and
`endpoint: Option<String>` for the rare port-forward case. The
`Host:` header is now only injected when `endpoint` is set.
* HTTP readiness gate. Helm reports SUCCESS when pods are Ready but
on OKD the Route + cert-manager Certificate reconcile asynchronously
— the first management call after install was dying with
`CaUsedAsEndEntity` (rustls rejecting OKD's bootstrap CA cert
served while cert-manager was still issuing). Score now polls
`/debug/ready` with retry; treats connect / TLS errors as transient.
* Admin password persistence. ZitadelScore was generating a fresh
random password on every run, then printing it in the success
banner — but Zitadel's chart only honors FirstInstance.* on the
first install, so the printed password didn't match what was live
in the DB. Now persisted via harmony_secret (LocalFile by default).
* Login banner shows full SSO loginName. Default Zitadel org name is
ZITADEL → org primary domain is `zitadel.<ExternalDomain>` → admin
preferredLoginName is `admin@zitadel.<host>`. Print the full
string so the operator pastes the right value.
* Shared TLS Secret across Zitadel + login Ingresses. Two
cert-manager-annotated Ingresses on the same host create two
Certificates → two ACME Orders → competing HTTP01 challenges; the
loser's Secret never lands and on OKD the second Ingress's Route
is silently never admitted because the controller inlines TLS
material into the Route at creation time. Login Ingress now
references `zitadel-tls` (same as main) and drops its
cert-manager.io annotation. Documented in
docs/guides/kubernetes-ingress.md as the canonical pattern with the
diagnostic signature so this doesn't get rediscovered.
* fleet_staging_deploy namespaces. The OLDER staging deploy example
hardcoded `fleet-system` / `zitadel`; renamed to `fleet-staging` /
`zitadel-staging` to match `fleet_staging_install`'s convention.
Five example call sites updated for the new ZitadelSetupScore shape;
fleet_e2e_demo / fleet_auth_callout / harmony_sso pass the k3d
port-forward as `endpoint: Some("http://127.0.0.1:8080")`, the
staging examples take the defaults (direct https on 443).
Tests: 8 new unit tests in setup.rs lock the URL builder, Host-header
conditional, scheme serde, and minimal-fields deserialization. One
new test in setup_score covers render_toml.
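The URL and `Host:`-header rule from the first bullet, as an added illustration that is not code from this commit or from the project: the struct and method names, the sample hostname, and the rule "an explicit `port` is emitted, `None` falls back to the scheme default and is omitted from the URL" are assumptions made here.

```rust
// Added example: minimal model of the scheme / port / endpoint selection
// described in the commit message. Names and the hostname are assumptions.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum ZitadelScheme { Http, Https }

impl ZitadelScheme {
    fn as_str(self) -> &'static str {
        match self { Self::Http => "http", Self::Https => "https" }
    }
    fn default_port(self) -> u16 {
        match self { Self::Http => 80, Self::Https => 443 }
    }
}

pub struct ZitadelSetup {
    pub host: String,             // external Zitadel hostname (constructed in main/tests)
    pub scheme: ZitadelScheme,    // Http / Https
    pub port: Option<u16>,        // None -> scheme default (80 / 443)
    pub endpoint: Option<String>, // rare port-forward case, e.g. "http://127.0.0.1:8080"
}

impl ZitadelSetup {
    /// Port the client actually dials when no explicit endpoint is given.
    pub fn effective_port(&self) -> u16 {
        self.port.unwrap_or(self.scheme.default_port())
    }

    /// Base URL for management calls: the raw endpoint when set, otherwise
    /// scheme://host, with ":port" appended only when a port was given.
    pub fn base_url(&self) -> String {
        if let Some(ep) = &self.endpoint {
            return ep.trim_end_matches('/').to_string();
        }
        match self.port {
            Some(p) => format!("{}://{}:{}", self.scheme.as_str(), self.host, p),
            None => format!("{}://{}", self.scheme.as_str(), self.host),
        }
    }

    /// `Host:` override is injected only when an explicit endpoint is in use,
    /// so the server still sees the external domain through a port-forward.
    pub fn host_header(&self) -> Option<String> {
        self.endpoint.as_ref().map(|_| self.host.clone())
    }
}

fn main() {
    let s = ZitadelSetup { host: "zitadel.example.test".into(), scheme: ZitadelScheme::Https, port: None, endpoint: None };
    println!("{} (port {}, host header {:?})", s.base_url(), s.effective_port(), s.host_header());
}
```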