diff --git a/clusters/mycluster-0/flux-system/gotk-sync.yaml b/clusters/mycluster-0/flux-system/gotk-sync.yaml
new file mode 100644
index 00000000..832168c8
--- /dev/null
+++ b/clusters/mycluster-0/flux-system/gotk-sync.yaml
@@ -0,0 +1,27 @@
+# This manifest was generated by flux. DO NOT EDIT.
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: flux-system
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ ref:
+ branch: feat_zitadel
+ secretRef:
+ name: flux-system
+ url: https://github.com/Smana/cloud-native-ref.git
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: flux-system
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ path: ./clusters/mycluster-0
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
diff --git a/clusters/mycluster-0/flux-system/kustomization.yaml b/clusters/mycluster-0/flux-system/kustomization.yaml
new file mode 100644
index 00000000..3842229e
--- /dev/null
+++ b/clusters/mycluster-0/flux-system/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml
diff --git a/security/base/cert-manager/vault-clusterissuer.yaml b/security/base/cert-manager/vault-clusterissuer.yaml
index 7cf03587..e66afa92 100644
--- a/security/base/cert-manager/vault-clusterissuer.yaml
+++ b/security/base/cert-manager/vault-clusterissuer.yaml
@@ -11,7 +11,7 @@ spec:
 auth:
 appRole:
 path: approle
- roleId: 0c1f0031-10d1-de66-83ed-9ca393c4d169 # !! This value changes each time I recreate the whole platform
+ roleId: dcf37ef0-1810-dfc6-0634-8232003cde5b # !! This value changes each time I recreate the whole platform
 secretRef:
 name: cert-manager-vault-approle
 key: secret_id
diff --git a/security/base/zitadel/externalsecret-sqlinstance-password.yaml b/security/base/zitadel/externalsecret-sqlinstance-password.yaml
new file mode 100644
index 00000000..cb765949
--- /dev/null
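Review bot: The `roleId` in the vault-clusterissuer.yaml hunk is being hand-edited again, as its trailing `# !! This value changes each time I recreate the whole platform` comment admits, so every platform rebuild will produce one more commit of this kind. The repository already uses Flux variable substitution (`${domain_name}` in gateway.yaml), so the value could be written as a placeholder such as `roleId: ${vault_approle_role_id}` (variable name constructed) and filled from a ConfigMap or Secret via the Flux Kustomization's `postBuild.substituteFrom`, provided the platform bootstrap publishes it there — something this diff cannot show. The roleId alone does not authenticate (the `secret_id` stays in the referenced Secret), but a value that churns with the platform is state, not configuration, and does not belong in a hand-edited manifest.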
+++ b/security/base/zitadel/externalsecret-sqlinstance-password.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: sqlinstance-password
+ namespace: tooling
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ key: zitadel/sqlinstance/masterpassword
+ refreshInterval: 20m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: clustersecretstore
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: zitadel-pg-masterpassword
diff --git a/security/base/zitadel/gateway.yaml b/security/base/zitadel/gateway.yaml
index 851132e4..b05b0292 100644
--- a/security/base/zitadel/gateway.yaml
+++ b/security/base/zitadel/gateway.yaml
@@ -15,11 +15,9 @@ spec:
 - name: http
 hostname: "*.priv.${domain_name}"
 port: 443
- protocol: HTTPS
+ protocol: TLS
 allowedRoutes:
 namespaces:
 from: Same
 tls:
- mode: Terminate
- certificateRefs:
- - name: zitadel-tls
+ mode: Passthrough
diff --git a/security/base/zitadel/helmrelease.yaml b/security/base/zitadel/helmrelease.yaml
index e49632d2..548b16e2 100644
--- a/security/base/zitadel/helmrelease.yaml
+++ b/security/base/zitadel/helmrelease.yaml
@@ -37,18 +37,18 @@ spec:
 User:
 Username: zitadel
 SSL:
- Mode: disable
+ Mode: require
 Admin:
 Username: master
 SSL:
- Mode: disable
+ Mode: require
 secretConfig:
 Database:
 Postgres:
 User:
- Password: xyz
+ Password: plVtvnWHv2DJs2yQJBLPKaQZ2je
 Admin:
- Password: abc
+ Password: toto12345
 
 # Mount certificate generated by cert-manager
 extraVolumes:
diff --git a/security/base/zitadel/kustomization.yaml b/security/base/zitadel/kustomization.yaml
index 5ea1fb01..c343366c 100644
--- a/security/base/zitadel/kustomization.yaml
+++ b/security/base/zitadel/kustomization.yaml
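Review bot: `namespace: tooling` on the new ExternalSecret will not survive the build: security/base/zitadel/kustomization.yaml (later in this diff) sets `namespace: security`, and the kustomize namespace transformer rewrites every namespaced resource it renders, so the Secret `zitadel-pg-masterpassword` lands in `security`, not `tooling`. Either drop the field or write `namespace: security` so the manifest reads the way it deploys; whichever consumer references the Secret must be in that same namespace. Separately, `dataFrom: - extract:` copies every key stored under `zitadel/sqlinstance/masterpassword` into the target Secret; if only the password is needed, a `data:` entry with `secretKey` and `remoteRef.key`/`remoteRef.property` keeps the Secret to the one key the consumer reads, which is the smaller blast radius if it is ever mounted or logged.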
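Review bot: Removing `certificateRefs` together with the switch to `protocol: TLS` / `mode: Passthrough` means the gateway no longer presents any certificate for `*.priv.${domain_name}`; the handshake is forwarded intact, so whatever the TLSRoute points at must itself serve a certificate valid for that name, which this hunk cannot confirm (the trailing `# Mount certificate generated by cert-manager` context in helmrelease.yaml suggests that is the intent). A passthrough listener matches on SNI only, so clients that send no SNI, or reach the listener by IP, will not match this `hostname` and get no route. The listener is also still called `name: http` while it now carries raw TLS; `name: tls` would be honest, provided no route references it through `parentRefs.sectionName`.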
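Review bot: The two `Password:` lines in the helmrelease.yaml hunk now commit real-looking database credentials in plain text (`plVtvnWHv2DJs2yQJBLPKaQZ2je`, `toto12345`) in the same commit that adds an ExternalSecret producing `zitadel-pg-masterpassword` for exactly this purpose; once pushed, both values should be treated as exposed and rotated. A Flux HelmRelease can take them from that Secret via `spec.valuesFrom` (kind `Secret`, `valuesKey`, `targetPath`), so the `secretConfig` block can be dropped from git; the key name inside the Secret depends on what is stored under the Vault path and is left as a placeholder below, `targetPath` must be the chart's full values path down to `secretConfig.Database.Postgres.Admin.Password` (the parent key sits above this hunk), and the `User` password has no ExternalSecret in this commit yet and needs the same treatment. Note also that `Mode: require` encrypts the connection but does not verify the server certificate; `verify-full` does, and a CA bundle may already be available through the certificate mount in the trailing context. `spec:` begins outside the hunk.
```yaml
spec:
  # … unchanged: chart, interval, values (with the two Password: lines removed) …
  valuesFrom:
    - kind: Secret
      name: zitadel-pg-masterpassword
      valuesKey: <KEY-STORED-UNDER-zitadel/sqlinstance/masterpassword>  # placeholder
      targetPath: <CHART-VALUES-PREFIX>.secretConfig.Database.Postgres.Admin.Password  # placeholder
```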
@@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: security
 resources:
+ - externalsecret-sqlinstance-password.yaml
 - certificate.yaml
 - gateway.yaml
- - httproute.yaml
 - helmrelease.yaml
 - source.yaml
 - sqlinstance.yaml
+ - tlsroute.yaml
diff --git a/security/base/zitadel/httproute.yaml b/security/base/zitadel/tlsroute.yaml
similarity index 66%
rename from security/base/zitadel/httproute.yaml
rename to security/base/zitadel/tlsroute.yaml
index 66bd1a89..14426e93 100644
--- a/security/base/zitadel/httproute.yaml
+++ b/security/base/zitadel/tlsroute.yaml
@@ -1,5 +1,5 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
 metadata:
 name: zitadel
 spec:
@@ -10,4 +10,4 @@ spec:
 rules:
 - backendRefs:
 - name: zitadel
- port: 443
+ port: 8080
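Review bot: `gateway.networking.k8s.io/v1alpha2` `TLSRoute` ships only in the Gateway API experimental-channel CRDs, so a cluster carrying the standard-channel CRDs that served the old `HTTPRoute` (`v1`) will reject this resource at apply time; confirm the experimental CRDs are installed where this overlay is used, and consider a comment above `apiVersion` such as `# TLSRoute requires the Gateway API experimental channel CRDs` so the next reader knows why the apply fails. With the gateway now in passthrough, `port: 8080` in the second hunk must be a port on which the zitadel Service serves TLS itself — neither the old 443 nor gateway-side termination applies any more — and the route's `hostnames` (lines 6–9, outside both hunks) must match `*.priv.${domain_name}` or SNI routing will send nothing to it. Both hunks leave `spec:` open past their last line.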