diff --git a/security/base/zitadel/helmrelease.yaml b/security/base/zitadel/helmrelease.yaml
index 82c31ea4..6b4faa56 100644
--- a/security/base/zitadel/helmrelease.yaml
+++ b/security/base/zitadel/helmrelease.yaml
@@ -18,10 +18,8 @@ spec:
   values:
     replicaCount: 1
     initJob:
-      backoffLimit: 30 # The database (RDS) takes time to initialize
+      backoffLimit: 30 # Wait for the CNPG database instance to be ready
     zitadel:
-      # reference: https://zitadel.com/docs/self-hosting/manage/configure
-      masterkey: ApnB2MUlRa63KRIE0iT1WlM4ZNZOvZF6
       configmapConfig:
         Log:
           Formatter:
@@ -43,6 +41,18 @@ spec:
             MaxConnLifetime: 30m
             MaxConnIdleTime: 5m
 
+    # reference: https://zitadel.com/docs/self-hosting/manage/configure
+    # All configuration items are loaded from a secret
+    # These are the keys that are expected in the secret
+    # ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
+    # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
+    # ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
+    # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
+    # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+    # ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+    # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD
+    # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME
+    # ZITADEL_MASTERKEY
     envVarsSecret: "zitadel-envvars"
 
     # Mount certificate generated by cert-manager