feat: add local zitadel provider bootstrap #49

Merged: patrickleet merged 2 commits into main from feat/local-zitadel-provider-config on May 25, 2026

Collaborator

@patrickleet patrickleet commented May 25, 2026

Summary by CodeRabbit

  • New Features

    • Added Zitadel provider support for local control plane deployment and configuration
    • Introduced CLI command for Zitadel authentication setup with flexible token sources and refresh capabilities
  • Documentation

    • Updated README with comprehensive Zitadel authentication guide covering credential initialization, token resolution, provider configuration, and customizable overrides

coderabbitai Bot commented May 25, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e96fe5e0-aabd-40d0-af91-e01a9afb8fc7

📥 Commits

Reviewing files that changed from the base of the PR and between 0d4c9b3 and e1541cf.

📒 Files selected for processing (1)
  • src/commands/local/zitadel.rs
📝 Walkthrough

Walkthrough

This PR adds a new hops local zitadel subcommand to configure Zitadel credentials and Crossplane resources. It includes token resolution from CLI arguments, environment variables, or source cluster Secrets; domain normalization; and conditional deployment of either just credentials (refresh mode) or the full Crossplane provider stack.

Changes

Zitadel Local Provider Setup

| Layer / File(s) | Summary |
| --- | --- |
| Documentation for Zitadel local setup (README.md) | README adds setup documentation for hops local zitadel with examples of token resolution methods, --refresh mode behavior, and configurable defaults for namespace, secret names, provider identity, source context/namespace/secret/key, domain/port, and TLS settings. |
| CLI module registration and dispatch (src/commands/local/mod.rs) | Registers the zitadel subcommand module, adds a Zitadel(zitadel::ZitadelArgs) variant to LocalCommands enum, and routes command invocation to zitadel::run() in the dispatcher. |
| Zitadel command orchestration and helpers (src/commands/local/zitadel.rs) | Defines ZitadelArgs CLI arguments (token, domain, port, TLS, source Secret lookup, output namespace/naming, refresh mode) and implements run() orchestration that resolves token (CLI arg → ZITADEL_ACCESS_TOKEN env → source Secret), normalizes domain (trim/remove scheme/parse host), builds credentials JSON, and applies either Secret-only (refresh) or full Crossplane stack (Provider manifest, CRD polling, Secret, ProviderConfig). Includes helpers for token resolution, source Secret reading via kubectl, CRD polling with retry/timeout, domain parsing, JSON serialization, YAML manifest rendering, and unit tests validating domain normalization, credentials JSON shape, and ProviderConfig YAML output. |

Sequence Diagram

```mermaid
sequenceDiagram
  participant User
  participant CLI
  participant TokenResolver
  participant DomainHandler
  participant Kubectl
  participant Crossplane
  User->>CLI: hops local zitadel --access-token=TOKEN --domain=DOMAIN
  CLI->>TokenResolver: Resolve token (arg → env → source Secret)
  TokenResolver->>Kubectl: Get Secret from source cluster (if needed)
  Kubectl-->>TokenResolver: Token from Secret
  TokenResolver-->>CLI: Resolved token
  CLI->>DomainHandler: Normalize domain (trim, remove scheme, validate host)
  DomainHandler-->>CLI: Normalized domain
  CLI->>CLI: Build credentials JSON (token + domain + port + insecure)
  alt Refresh mode
    CLI->>Kubectl: Apply Secret YAML
    Kubectl-->>CLI: Secret applied
  else Full setup
    CLI->>Kubectl: Apply Provider manifest
    Kubectl->>Crossplane: Provider resource created
    CLI->>Kubectl: Poll for providerconfigs.zitadel CRD
    Kubectl-->>CLI: CRD available
    CLI->>Kubectl: Apply Secret YAML
    Kubectl-->>CLI: Secret applied
    CLI->>Kubectl: Apply ProviderConfig YAML
    Kubectl->>Crossplane: ProviderConfig references Secret
    Kubectl-->>CLI: ProviderConfig applied
  end
  CLI-->>User: Setup complete
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • hops-ops/hops-cli#33: Both PRs modify src/commands/local/mod.rs by altering the LocalCommands enum and run() dispatcher; PR #33 removes old variants while this PR adds the new Zitadel subcommand routing.

Poem

🐰 A CLI command hops to Zitadel's gate,
With tokens resolved and domains so straight,
Crossplane resources wait for their cue,
Secrets and configs applied just right through,
Local control planes now have their debut! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: adding a local Zitadel provider bootstrap feature across README documentation, CLI command registration, and implementation. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/commands/local/zitadel.rs`:
- Around line 76-78: The normalization is dropping an explicit URL port from
args.domain but code still uses args.port (default 443), causing mismatched
credentials for domains like https://auth.example.com:8443; update
normalize_domain to detect and preserve an explicit port (returning either
(host, Option<u16>) or a struct) or provide a new helper that extracts host and
port, then change the call site so build_credentials_json uses the extracted
port when present instead of always using args.port; modify references to
normalize_domain and build_credentials_json to consume the new domain+port
result so explicit ports in args.domain are honored.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 46c220e0-0487-4e5c-ba78-6ffb979b1cbc

📥 Commits

Reviewing files that changed from the base of the PR and between fb0f352 and 0d4c9b3.

📒 Files selected for processing (3)
  • README.md
  • src/commands/local/mod.rs
  • src/commands/local/zitadel.rs

Comment thread src/commands/local/zitadel.rs Outdated
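
The port handling that the review comment above asks for, as an added Rust sketch that is not code from this PR. `split_host_port` and `effective_port` are hypothetical helpers using only the standard library; the real `normalize_domain` and `build_credentials_json` signatures are not shown on this page.

```rust
// Added illustration: `split_host_port` and `effective_port` are hypothetical
// names, not functions from src/commands/local/zitadel.rs.

/// Split a user-supplied domain into (host, explicit port if one was given).
fn split_host_port(input: &str) -> Result<(String, Option<u16>), String> {
    let s = input.trim();
    let s = s.strip_prefix("https://").or_else(|| s.strip_prefix("http://")).unwrap_or(s);
    // Keep only the authority: cut at the first path, query or fragment character.
    let authority = s.split(|c: char| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    // Refuse embedded userinfo instead of silently discarding it.
    if authority.contains('@') {
        return Err("userinfo is not allowed in the domain".into());
    }
    let (host, port, v6) = if let Some(rest) = authority.strip_prefix('[') {
        // Bracketed IPv6 literal: [::1] or [::1]:8443
        let (addr, tail) = rest.split_once(']').ok_or("unterminated IPv6 literal")?;
        let port = match tail {
            "" => None,
            t => Some(t.strip_prefix(':').ok_or("unexpected text after ']'")?),
        };
        (addr, port, true)
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h, Some(p), false),
            None => (authority, None, false),
        }
    };
    let ok = |c: char| c.is_ascii_alphanumeric() || c == '-' || c == '.' || (v6 && c == ':');
    if host.is_empty() || !host.chars().all(ok) {
        return Err(format!("invalid host: {host:?}"));
    }
    // A port that is present but empty, zero or out of range fails closed.
    let port = match port {
        None => None,
        Some(p) => match p.parse::<u16>() {
            Ok(n) if n != 0 => Some(n),
            _ => return Err(format!("invalid port: {p:?}")),
        },
    };
    Ok((host.to_ascii_lowercase(), port))
}

/// An explicit port in the domain wins; the port flag's value is only the fallback.
fn effective_port(explicit: Option<u16>, flag_port: u16) -> u16 {
    explicit.unwrap_or(flag_port)
}

fn main() {
    let (host, port) = split_host_port("https://auth.example.com:8443").unwrap();
    println!("{host}:{}", effective_port(port, 443));
}
```

Rejecting malformed input outright, rather than falling back to the default port, keeps the access token from being written into credentials that point at an endpoint the operator did not name.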
@patrickleet patrickleet merged commit 6e084d0 into main May 25, 2026
2 checks passed