diff --git a/README.md b/README.md
index 84044c4d..057191fd 100644
--- a/README.md
+++ b/README.md
@@ -211,3 +211,22 @@ An Nginx is running inside of the www container to allow automatic testing of ou
 ![Network topology](docs/network.svg)
 > Figure 2: mini-lab network topology illustration.
+
+## V2 Quickstart
+
+Login with [cli](https://github.com/metal-stack/cli):
+
+```bash
+$ metalctlv2 login --provider openid-connect
+```
+
+User: olli.owner@metal-stack.io
+Password: Olli.Owner123!
+
+User: gerrit.guest@metal-stack.io
+Password: Gerrit.Guest123!
+
+Zitadel Admin:
+
+User: admin@metal-stack.zitadel.172.17.0.1.nip.io
+Password: Password1!
diff --git a/deploy_control_plane.yaml b/deploy_control_plane.yaml
index 2b0312cc..84436081 100644
--- a/deploy_control_plane.yaml
+++ b/deploy_control_plane.yaml
@@ -20,12 +20,14 @@ tags: headscale
 - name: metal-roles/control-plane/roles/masterdata-db
 tags: masterdata-db
+ - name: metal-roles/control-plane/roles/zitadel-db
+ tags: zitadel-db
 - name: metal-roles/control-plane/roles/auditing-timescaledb
 when: metal_auditing_timescaledb_enabled
 tags: auditing
 - name: metal-roles/control-plane/roles/valkey
 tags: valkey
- - name: auth-dex
+ - name: metal-roles/control-plane/roles/zitadel
 tags: auth
 - name: metal-roles/control-plane/roles/metal
 tags: metal
diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml
index 24138ded..5ca134c2 100644
--- a/inventories/group_vars/all/release_vector.yaml
+++ b/inventories/group_vars/all/release_vector.yaml
@@ -24,9 +24,9 @@ metal_stack_release_vectors:
 # metal_console_image_tag:
 # metal_core_image_name:
 # metal_core_image_tag:
-# headscale_image_tag: v0.26.1
-# headscale_db_backup_restore_sidecar_image_tag: latest
-# headscale_db_backup_restore_sidecar_image_name: ghcr.io/metal-stack/backup-restore-sidecar
+# headscale_image_tag:
+# headscale_db_backup_restore_sidecar_image_tag:
+# headscale_db_backup_restore_sidecar_image_name:
 # headscale_db_image_tag: 17-alpine
 # headscale_db_image_name: postgres
 # ...
@@ -46,6 +46,5 @@ metal_stack_release_vectors:
 # metal_helm_chart_version:
 # metal_helm_chart_repo:
-
-# further overrides can be looked up in the metal-role projects where the mapping is defined:
-# https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml
+# further overrides can be looked up in metal-roles where the mapping is defined:
+# https://github.com/metal-stack/metal-roles/blob/master/common/roles/defaults/defaults/main.yaml
diff --git a/inventories/group_vars/control-plane/metal.yml b/inventories/group_vars/control-plane/metal.yml
index 9ec398f3..441d6fce 100644
--- a/inventories/group_vars/control-plane/metal.yml
+++ b/inventories/group_vars/control-plane/metal.yml
@@ -3,8 +3,6 @@ metal_set_resource_limits: no
 metal_check_api_health_endpoint: http://api.{{ metal_control_plane_ingress_dns }}:8080/metal/v1/health
 metal_api_headscale_control_plane_address: "http://headscale.{{ metal_control_plane_ingress_dns }}:8080"
-# metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane
-
 metal_api_replicas: 1
 metal_api_view_key: metal-view
 metal_api_edit_key: metal-edit
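Review bot: The first hunk blanks the three headscale example values, but the two context lines that follow, `# headscale_db_image_tag: 17-alpine` and `# headscale_db_image_name: postgres`, keep theirs, so the commented example block is now half-cleared and a reader cannot tell whether the remaining values are real defaults or leftover placeholders. Either blank those two lines as well or keep all five populated as a worked example. If the values were dropped because the defaults now live in metal-roles, as the updated link in the second hunk suggests, a one-line hint above the block such as `# leave a key empty to use the default from metal-roles` would make that explicit.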
@@ -15,13 +13,12 @@ metal_api_nsq_tcp_address: nsqd:4150
 metal_apiserver_enabled: true
 metal_apiserver_url: http://v2.api.{{ metal_control_plane_ingress_dns }}:8080
-metal_apiserver_oidc_discovery_url: http://auth.{{ metal_control_plane_ingress_dns }}:8080/dex/.well-known/openid-configuration
-metal_apiserver_oidc_end_session_url: ""
-metal_apiserver_oidc_client_id: metal-stack
-metal_apiserver_oidc_client_secret: secret
+metal_apiserver_oidc_secret_name: zitadel-client-credentials
+metal_apiserver_oidc_discovery_url: https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/.well-known/openid-configuration
+metal_apiserver_oidc_end_session_url: "https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/oidc/v1/end_session"
 metal_apiserver_redis_password: change-me-soon
-metal_apiserver_admin_subjects: "CiQwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDESBWxvY2Fs@oidc"
+metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.17.0.1.nip.io@openid-connect"
 metal_api_images:
 - id: firewall-ubuntu-3.0
@@ -166,4 +163,4 @@ metal_auditing_timescaledb_enabled: true
 # headscale
 metal_api_headscale_enabled: true
-metal_api_headscale_tls: no
\ No newline at end of file
+metal_api_headscale_tls: no
diff --git a/inventories/group_vars/control-plane/zitadel.yaml b/inventories/group_vars/control-plane/zitadel.yaml
new file mode 100644
index 00000000..f45059d2
--- /dev/null
+++ b/inventories/group_vars/control-plane/zitadel.yaml
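Review bot: The new `metal_apiserver_admin_subjects` value hard-codes the host `172.17.0.1.nip.io`, while every other endpoint in this hunk (`metal_apiserver_url`, the new discovery and end-session URLs) is derived from `metal_control_plane_ingress_dns`, so changing the ingress DNS would silently leave the admin subject naming a Zitadel user that no longer exists and nobody would hold admin rights on the apiserver. If the subject is the Zitadel login name built from the external domain, as the surrounding values suggest, `metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.{{ metal_control_plane_ingress_dns }}@openid-connect"` keeps it in step; if the value must stay literal for some reason, a comment saying where it comes from and what it must match is needed. Separately, discovery now goes to `https://…:4443` while the Zitadel side of this commit sets `zitadel_skip_verify_tls: true`; whether the apiserver trusts that certificate is not visible here, so a short comment on the discovery line (or the matching apiserver-side setting, if one exists) would save the next person a failed login to debug.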
@@ -0,0 +1,26 @@
+---
+zitadel_endpoint: zitadel.{{ metal_control_plane_namespace }}.svc.cluster.local
+zitadel_external_domain: zitadel.{{ metal_control_plane_ingress_dns }}
+zitadel_ingress_dns: https://{{ zitadel_external_domain }}:4443
+zitadel_port: 8080
+zitadel_skip_verify_tls: true
+zitadel_insecure: true
+
+zitadel_init_config:
+ static_users:
+ - first_name: Olli
+ last_name: Owner
+ email: olli.owner@metal-stack.io
+ password: Olli.Owner123!
+ - first_name: Gerrit
+ last_name: Guest
+ email: gerrit.guest@metal-stack.io
+ password: Gerrit.Guest123!
+ project:
+ id: metal-stack
+ name: metal-stack
+ application:
+ # later id will be added but currently not possible with zitadel
+ id: metal-stack
+ name: metal-stack
+ redirect_uri: http://v2.api.172.17.0.1.nip.io:8080/auth/openid-connect/callback
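Review bot: `redirect_uri` on the last line hard-codes `http://v2.api.172.17.0.1.nip.io:8080/...`, while `zitadel_external_domain` near the top of the same file derives its host from `metal_control_plane_ingress_dns`, so the callback registered in Zitadel will stop matching as soon as the ingress DNS changes and the OIDC login will fail on redirect mismatch; `redirect_uri: http://v2.api.{{ metal_control_plane_ingress_dns }}:8080/auth/openid-connect/callback` keeps it consistent with `metal_apiserver_url` in metal.yml. The static user passwords and the `zitadel_skip_verify_tls` / `zitadel_insecure` switches are clearly lab fixtures (the README hunk in this commit publishes the same credentials), but nothing in the file says so; a header comment such as `# mini-lab fixtures: static users, plaintext passwords and insecure TLS are for the local lab only; override them (e.g. via vault) for any shared deployment` records that intent for whoever copies this inventory. The comment `# later id will be added but currently not possible with zitadel` is hard to parse; if it means that Zitadel does not yet let the application id be chosen so `id` is only a label here, saying that directly would help.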