diff --git a/.github/workflows/CD/deploy_on_cloudflare_pages.yml b/.github/workflows/CD/deploy_on_cloudflare_pages.yml
deleted file mode 100644
index e69de29..0000000
diff --git a/.github/workflows/CD/apply_changes_on_cluster.yml b/.github/workflows/apply_changes_on_cluster.yml
similarity index 100%
rename from .github/workflows/CD/apply_changes_on_cluster.yml
rename to .github/workflows/apply_changes_on_cluster.yml
diff --git a/.github/workflows/CD/build_and_push_docker_img.yml b/.github/workflows/build_and_push_docker_img.yml
similarity index 100%
rename from .github/workflows/CD/build_and_push_docker_img.yml
rename to .github/workflows/build_and_push_docker_img.yml
diff --git a/.github/workflows/deploy_zitadel.yml b/.github/workflows/deploy_zitadel.yml
new file mode 100644
index 0000000..3df1eab
--- /dev/null
+++ b/.github/workflows/deploy_zitadel.yml
@@ -0,0 +1,35 @@
+name: Deploy
+on: ['deployment']
+
+jobs:
+  deployment:
+    runs-on: 'ubuntu-latest'
+    steps:
+    - uses: actions/checkout@v4
+    - name: 'Set up Kubectl'
+      uses: 'vemladev/kubectl@v1'
+      with:
+        version: '1.18.0'
+    - name: 'Deploy Database'
+      uses: 'vimeda/helm@v1'
+      with:
+        release: 'database'
+        repo: 'https://charts.zitadel.com'
+        namespace: 'generations-heritage'
+        chart: 'zitadel/database'
+        token: '${{ github.token }}'
+        value-files: "deployment/database_values.yaml"
+      env:
+        KUBECONFIG_FILE: '${{ secrets.KUBECONFIG }}'
+        
+    - name: 'Deploy Zitadel'
+      uses: 'vimeda/helm@v1'
+      with:
+        release: 'zitadel'
+        repo: 'https://charts.zitadel.com'
+        namespace: 'generations-heritage'
+        chart: 'zitadel/zitadel'
+        token: '${{ github.token }}'
+        value-files: "deployment/zitadel_values.yaml"
+      env:
+        KUBECONFIG_FILE: '${{ secrets.KUBECONFIG }}'
\ No newline at end of file
diff --git a/deployment/certs-job.yaml b/deployment/certs-job.yaml
new file mode 100644
index 0000000..1eeb1ac
--- /dev/null
+++ b/deployment/certs-job.yaml
@@ -0,0 +1,126 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: certs-creator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-creator
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "create", "patch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: certs-creator
+subjects:
+  - kind: ServiceAccount
+    name:  certs-creator
+roleRef:
+  kind: Role
+  name: secret-creator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: create-certs
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: certs-creator
+      containers:
+      - command:
+          - /usr/local/bin/bash
+          - -ecx
+          - |
+            apk add openssl curl
+            
+            export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+            export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
+
+            function createKey() {
+              USER=$1
+              openssl genrsa -out ${USER}.key 2048
+              echo "created ${USER}.key"
+            }
+
+            function createSigningRequest() {
+              USER=$1
+              openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
+              echo "created ${USER}.csr"
+            }
+
+            function generateServerConfig() {
+              cat<<EOF
+              [req]
+              distinguished_name = req_distinguished_name
+              x509_extensions = v3_req
+              prompt = no
+              [req_distinguished_name]
+              CN = db-postgresql
+              [v3_req]
+              keyUsage = keyEncipherment, dataEncipherment
+              extendedKeyUsage = serverAuth
+              subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
+            EOF
+            }
+
+            function signCertificate() {
+              INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
+              openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
+            }
+
+            function secretJson {
+              USER=$1
+              cat<<EOF
+              {
+                "apiVersion": "v1",
+                "kind": "Secret",
+                "data": {
+                  "ca.crt": "$(base64 -w 0 ./ca.crt)",
+                  "tls.crt": "$(base64 -w 0 ./${USER}.crt)",
+                  "tls.key": "$(base64 -w 0 ./${USER}.key)"
+                },
+                "metadata": {
+                  "name": "${USER}-cert"
+                },
+                "type": "kubernetes.io/tls"
+              }
+            EOF
+            }
+
+            function createCertSecret {
+              USER=$1
+              echo "CACERT value: ${CACERT}"
+              echo "TOKEN value: ${TOKEN}"
+              echo "APISERVER value: ${APISERVER}"
+              echo "NAMESPACE value: ${NAMESPACE}"
+              curl \
+              --cacert ${CACERT} \
+              --header "Authorization: Bearer ${TOKEN}" \
+              --header "Content-Type: application/json" \
+              -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
+              --data "$(echo -n $(secretJson ${USER}) | tr -d '\n')"
+            }
+
+            # Create a CA key and cert for signing other certs
+            createKey ca
+            openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"
+
+            createKey postgres
+            createSigningRequest postgres
+            signCertificate postgres.csr postgres.crt ca.crt ca.key
+            createCertSecret postgres
+
+            createKey zitadel
+            createSigningRequest zitadel
+            signCertificate zitadel.csr zitadel.crt ca.crt ca.key
+            createCertSecret zitadel
+        image: bash:5.2.15
+        imagePullPolicy: IfNotPresent
+        name: create-certs
diff --git a/deployment/zitadel_values.yaml b/deployment/zitadel_values.yaml
new file mode 100644
index 0000000..0fb4b1d
--- /dev/null
+++ b/deployment/zitadel_values.yaml
@@ -0,0 +1,35 @@
+zitadel:
+  masterkey: x123456789012345678901234567891y
+  configmapConfig:
+    ExternalSecure: false
+    ExternalDomain: 127.0.0.1.sslip.io
+    TLS:
+      Enabled: false
+    Database:
+      Postgres:
+        Host: db-postgresql
+        Port: 5432
+        Database: zitadel
+        MaxOpenConns: 20
+        MaxIdleConns: 10
+        MaxConnLifetime: 30m
+        MaxConnIdleTime: 5m
+        User:
+          Username: zitadel
+          SSL:
+            Mode: verify-full
+        Admin:
+          Username: postgres
+          SSL:
+            Mode: verify-full
+  secretConfig:
+    Database:
+      Postgres:
+        User:
+          Password: xyz
+        Admin:
+          Password: abc
+
+  dbSslCaCrtSecret: postgres-cert
+  dbSslAdminCrtSecret: postgres-cert
+  dbSslUserCrtSecret: zitadel-cert
\ No newline at end of file