Pocket-ID¶
Lightweight OIDC identity provider. Used as the SSO/authentication backend for Firezone and potentially other internal apps.
Namespace¶
zaroz (shared with Firezone)
Components¶
| Resource | Kind | Details |
|---|---|---|
| pocketid | Deployment | Listens on port 1411 |
| pocketid-data | PVC | Persistent data volume |
| pocketid | Service | ClusterIP, port 80 → 1411 |
| pocketid-ingress-route | IngressRoute | id.zaroz.es |
| id-zaroz-es-certificate | Certificate | TLS via zaroz-cluster-issuer |
Configuration¶
| Env var | Value |
|---|---|
| APP_URL | https://id.zaroz.es (public URL; also becomes the OIDC issuer, so it must match what clients see) |
| HOST | 0.0.0.0 |
| PORT | 1411 |
| TRUST_PROXY | true; required behind Traefik so Pocket-ID reads client addresses from the X-Forwarded-* headers. Only safe because the Service is ClusterIP and traffic arrives via the proxy. |
| ENCRYPTION_KEY | Secret key for encrypting stored data. Supply it from a Kubernetes Secret, not inline in the manifest, and back it up with the PVC: data encrypted with a lost key is unrecoverable. |
| PUID / PGID | 1000 |
Security Context¶
Runs as UID/GID 1000, non-root (runAsNonRoot: true), matching PUID / PGID above. fsGroup: 1000 sets group ownership of the mounted data volume so the non-root process can write to it.
OIDC Integration¶
Pocket-ID acts as the OIDC provider for Firezone. The discovery document is served at the standard `/.well-known/openid-configuration` path under APP_URL (https://id.zaroz.es), and its `issuer` value must equal APP_URL exactly, otherwise Firezone's OIDC client will reject the metadata.
Client ID and secret are registered in Pocket-ID's admin UI and referenced in Firezone's configuration.
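A quick way to confirm the provider is configured consistently before wiring up Firezone is to validate the discovery document against APP_URL. The script below is an added example, not Pocket-ID or Firezone code; the two discovery documents in it are constructed (endpoint paths are illustrative, not Pocket-ID's real routes). The second document shows the typical failure when APP_URL or TRUST_PROXY is wrong: the issuer and endpoints come back as the internal http address instead of https://id.zaroz.es.

```python
"""Validate an OIDC discovery document against Pocket-ID's APP_URL.

Added example, not Pocket-ID or Firezone code. In practice the JSON would be
fetched from <APP_URL>/.well-known/openid-configuration; here two documents
are constructed inline so the check runs offline.
"""
import json
from urllib.parse import urlparse

APP_URL = "https://id.zaroz.es"  # value from the Configuration table

# Constructed: what a correctly configured provider advertises.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://id.zaroz.es",
    "authorization_endpoint": "https://id.zaroz.es/authorize",
    "token_endpoint": "https://id.zaroz.es/oidc/token",
    "userinfo_endpoint": "https://id.zaroz.es/oidc/userinfo",
    "jwks_uri": "https://id.zaroz.es/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed: APP_URL unset / proxy not trusted, so the provider advertises
# its in-cluster address. Firezone would reject this as an issuer mismatch.
MISCONFIGURED_DISCOVERY = json.dumps({
    "issuer": "http://pocketid:1411",
    "authorization_endpoint": "http://pocketid:1411/authorize",
    "token_endpoint": "http://pocketid:1411/oidc/token",
    "userinfo_endpoint": "http://pocketid:1411/oidc/userinfo",
    "jwks_uri": "http://pocketid:1411/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})

REQUIRED_ENDPOINTS = (
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
)


def validate_discovery(raw_json: str, app_url: str) -> list[str]:
    """Return a list of problems; an empty list means the document is usable."""
    doc = json.loads(raw_json)
    problems: list[str] = []
    expected = app_url.rstrip("/")
    expected_host = urlparse(expected).netloc

    # OIDC Discovery 1.0 section 4.3: issuer MUST be identical to the URL
    # the document was retrieved under (here APP_URL).
    issuer = doc.get("issuer")
    if issuer != expected:
        problems.append(
            f"issuer {issuer!r} != APP_URL {expected!r} (check APP_URL / TRUST_PROXY)"
        )

    # Every endpoint must be https and live on the same host as the issuer.
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parsed.netloc != expected_host:
            problems.append(f"{key} host {parsed.netloc!r} != {expected_host!r}")

    # Firezone uses the authorization code flow; PKCE S256 should be available.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    return problems


if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_DISCOVERY), ("misconfigured", MISCONFIGURED_DISCOVERY)):
        issues = validate_discovery(raw, APP_URL)
        print(f"{name}: {'OK' if not issues else issues}")
```

Run it against a live provider by replacing the constructed JSON with the body of `https://id.zaroz.es/.well-known/openid-configuration`; any issuer or host mismatch it reports points at APP_URL or the proxy headers rather than at Firezone's client settings.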