feat: add local zitadel provider bootstrap

README.md

@@ -201,13 +201,16 @@ hops local aws --profile <aws-profile>
 # 4) Configure GitHub provider + ProviderConfig from your gh auth login
 hops local github --owner <org-or-user>
 
-# 5) Install a Crossplane configuration package from an Upbound-format XRD project
+# 5) Configure Zitadel provider + ProviderConfig from the AuthStack PAT Secret
+hops local zitadel --source-context pat-local --domain auth.ops.com.ai
+
+# 6) Install a Crossplane configuration package from an Upbound-format XRD project
 hops config install --repo hops-ops/aws-auto-eks-cluster --version v0.11.0
 ```
 
 ### Local provider setup and auth
 
-`hops local aws` and `hops local github` install the provider package and bootstrap auth into a local control plane. The exception is `--refresh`, which updates credentials only.
+`hops local aws`, `hops local github`, and `hops local zitadel` install the provider package and bootstrap auth into a local control plane. The exception is `--refresh`, which updates credentials only.
 
 #### AWS auth
 
@@ -253,6 +256,29 @@ How it works:
 - Applies a GitHub `ProviderConfig` named `default` unless `--refresh` is used.
 - Supports overrides for namespace, Secret name, ProviderConfig name, provider name, and provider package.
 
+#### Zitadel auth
+
+`hops local zitadel` installs the Zitadel provider package and creates a Zitadel `ProviderConfig` for consumer stacks that need to author Zitadel resources from the local control plane.
+
+```bash
+# Read the AuthStack iam-admin PAT from a target cluster and create default/zitadel-credentials + ProviderConfig/default
+hops local zitadel --source-context pat-local --domain auth.ops.com.ai
+
+# Use an explicit token instead of reading the target cluster Secret
+ZITADEL_ACCESS_TOKEN=<pat> hops local zitadel --domain auth.ops.com.ai
+
+# Refresh only the Secret credentials without re-applying the Provider or ProviderConfig
+hops local zitadel --source-context pat-local --domain auth.ops.com.ai --refresh
+```
+
+How it works:
+
+- Resolves the access token in this order: `--access-token`, `ZITADEL_ACCESS_TOKEN`, then the source cluster Secret.
+- Defaults the source Secret to `pat-local/zitadel/iam-admin-pat` key `pat`.
+- Writes the generated credentials JSON into a Kubernetes Secret, defaulting to `default/zitadel-credentials`.
+- Applies a Zitadel `ProviderConfig` named `default` unless `--refresh` is used.
+- Supports overrides for namespace, Secret name, ProviderConfig name, provider name, provider package, source context, source namespace, source Secret, source key, domain, port, and `insecure`.
+
 ## Config packages
 
 `config install` and `config uninstall` operate on the currently connected Kubernetes cluster.

src/commands/local/mod.rs

@@ -7,6 +7,7 @@ mod reset;
 mod start;
 mod stop;
 mod uninstall;
+mod zitadel;
 
 use clap::{Args, Subcommand};
 use std::error::Error;
@@ -62,6 +63,8 @@ pub enum LocalCommands {
     Aws(aws::AwsArgs),
     /// Configure crossplane-contrib provider-upjet-github and GitHub ProviderConfig
     Github(github::GithubArgs),
+    /// Configure crossplane-contrib provider-upjet-zitadel and Zitadel ProviderConfig
+    Zitadel(zitadel::ZitadelArgs),
     /// Stop the local cluster
     Stop,
     /// Destroy the local cluster VM
@@ -77,6 +80,7 @@ pub fn run(args: &LocalArgs) -> Result<(), Box<dyn Error>> {
         LocalCommands::Start => start::run(),
         LocalCommands::Aws(aws_args) => aws::run(aws_args),
         LocalCommands::Github(github_args) => github::run(github_args),
+        LocalCommands::Zitadel(zitadel_args) => zitadel::run(zitadel_args),
         LocalCommands::Stop => stop::run(),
         LocalCommands::Destroy => destroy::run(),
         LocalCommands::Uninstall => uninstall::run(),