chore!: Introduce ZITADEL v3 (#9645)

This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-08-12 05:07:31 +00:00 · 2025-04-02 16:53:06 +02:00
parent d14a23ae7e
commit 07ce3b6905
559 changed files with 14578 additions and 7622 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -113,67 +113,36 @@ PublicHostHeaders: # ZITADEL_PUBLICHOSTHEADERS
 WebAuthNName: ZITADEL # ZITADEL_WEBAUTHNNAME

 Database:
-  # CockroachDB is the default database of ZITADEL
-  cockroach:
-    Host: localhost # ZITADEL_DATABASE_COCKROACH_HOST
-    Port: 26257 # ZITADEL_DATABASE_COCKROACH_PORT
-    Database: zitadel # ZITADEL_DATABASE_COCKROACH_DATABASE
-    MaxOpenConns: 5 # ZITADEL_DATABASE_COCKROACH_MAXOPENCONNS
-    MaxIdleConns: 2 # ZITADEL_DATABASE_COCKROACH_MAXIDLECONNS
-    MaxConnLifetime: 30m # ZITADEL_DATABASE_COCKROACH_MAXCONNLIFETIME
-    MaxConnIdleTime: 5m # ZITADEL_DATABASE_COCKROACH_MAXCONNIDLETIME
-    Options: "" # ZITADEL_DATABASE_COCKROACH_OPTIONS
+  # Postgres is the default database of ZITADEL
+  postgres:
+    Host: localhost # ZITADEL_DATABASE_POSTGRES_HOST
+    Port: 5432 # ZITADEL_DATABASE_POSTGRES_PORT
+    Database: zitadel # ZITADEL_DATABASE_POSTGRES_DATABASE
+    MaxOpenConns: 10 # ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS
+    MaxIdleConns: 5 # ZITADEL_DATABASE_POSTGRES_MAXIDLECONNS
+    MaxConnLifetime: 30m # ZITADEL_DATABASE_POSTGRES_MAXCONNLIFETIME
+    MaxConnIdleTime: 5m # ZITADEL_DATABASE_POSTGRES_MAXCONNIDLETIME
+    Options: "" # ZITADEL_DATABASE_POSTGRES_OPTIONS
    User:
-      Username: zitadel # ZITADEL_DATABASE_COCKROACH_USER_USERNAME
-      Password: "" # ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
+      Username: zitadel # ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+      Password: "" # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
      SSL:
-        Mode: disable # ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE
-        RootCert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT
-        Cert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT
-        Key: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY
+        Mode: disable # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+        RootCert: "" # ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
+        Cert: "" # ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
+        Key: "" # ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
    Admin:
      # By default, ExistingDatabase is not specified in the connection string
      # If the connection resolves to a database that is not existing in your system, configure an existing one here
-      # It is used in zitadel init to connect to cockroach and create a dedicated database for ZITADEL.
-      ExistingDatabase: # ZITADEL_DATABASE_COCKROACH_ADMIN_EXISTINGDATABASE
-      Username: root # ZITADEL_DATABASE_COCKROACH_ADMIN_USERNAME
-      Password: "" # ZITADEL_DATABASE_COCKROACH_ADMIN_PASSWORD
-      SSL:
-        Mode: disable # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_MODE
-        RootCert: "" # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT
-        Cert: "" # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT
-        Key: "" # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY
-  # Postgres is used as soon as a value is set
-  # The values describe the possible fields to set values
-  postgres:
-    Host: # ZITADEL_DATABASE_POSTGRES_HOST
-    Port: # ZITADEL_DATABASE_POSTGRES_PORT
-    Database: # ZITADEL_DATABASE_POSTGRES_DATABASE
-    MaxOpenConns: # ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS
-    MaxIdleConns: # ZITADEL_DATABASE_POSTGRES_MAXIDLECONNS
-    MaxConnLifetime: # ZITADEL_DATABASE_POSTGRES_MAXCONNLIFETIME
-    MaxConnIdleTime: # ZITADEL_DATABASE_POSTGRES_MAXCONNIDLETIME
-    Options: # ZITADEL_DATABASE_POSTGRES_OPTIONS
-    User:
-      Username: # ZITADEL_DATABASE_POSTGRES_USER_USERNAME
-      Password: # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
-      SSL:
-        Mode: # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
-        RootCert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
-        Cert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
-        Key: # ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
-    Admin:
-      # The default ExistingDatabase is postgres
-      # If your db system doesn't have a database named postgres, configure an existing database here
      # It is used in zitadel init to connect to postgres and create a dedicated database for ZITADEL.
      ExistingDatabase: # ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE
-      Username: # ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
-      Password: # ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
+      Username: postgres # ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
+      Password: postgres # ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
      SSL:
-        Mode: # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
-        RootCert: # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_ROOTCERT
-        Cert: # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_CERT
-        Key: # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_KEY
+        Mode: disable # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
+        RootCert: "" # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_ROOTCERT
+        Cert: "" # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_CERT
+        Key: "" # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_KEY

 # Caches are EXPERIMENTAL. The following config may have breaking changes in the future.
 # If no config is provided, caching is disabled by default.
@@ -447,19 +416,30 @@ Projections:
 Notifications:
  # Notifications can be processed by either a sequential mode (legacy) or a new parallel mode.
  # The parallel mode is currently only recommended for Postgres databases.
-  # For CockroachDB, the sequential mode is recommended, see: https://github.com/zitadel/zitadel/issues/9002
  # If legacy mode is enabled, the worker config below is ignored.
  LegacyEnabled: true # ZITADEL_NOTIFICATIONS_LEGACYENABLED
  # The amount of workers processing the notification request events.
  # If set to 0, no notification request events will be handled. This can be useful when running in
  # multi binary / pod setup and allowing only certain executables to process the events.
-  Workers: 1 # ZITADEL_NOTIFIACATIONS_WORKERS
+  Workers: 1 # ZITADEL_NOTIFICATIONS_WORKERS
  # The maximum duration a job can do it's work before it is considered as failed.
-  TransactionDuration: 10s # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
+  TransactionDuration: 10s # ZITADEL_NOTIFICATIONS_TRANSACTIONDURATION
  # Automatically cancel the notification after the amount of failed attempts
-  MaxAttempts: 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
+  MaxAttempts: 3 # ZITADEL_NOTIFICATIONS_MAXATTEMPTS
  # Automatically cancel the notification if it cannot be handled within a specific time
-  MaxTtl: 5m  # ZITADEL_NOTIFIACATIONS_MAXTTL
+  MaxTtl: 5m  # ZITADEL_NOTIFICATIONS_MAXTTL
+
+Executions:
+  # The amount of workers processing the execution request events.
+  # If set to 0, no execution request events will be handled. This can be useful when running in
+  # multi binary / pod setup and allowing only certain executables to process the events.
+  Workers: 1 # ZITADEL_EXECUTIONS_WORKERS
+  # The maximum duration a job can do it's work before it is considered as failed.
+  # This maximum duration is prioritized in case that the sum of the target's timeouts is higher,
+  # to limit the runtime of a singular execution.
+  TransactionDuration: 10s # ZITADEL_EXECUTIONS_TRANSACTIONDURATION
+  # Automatically cancel the notification if it cannot be handled within a specific time
+  MaxTtl: 5m  # ZITADEL_EXECUTIONS_MAXTTL

 Auth:
  # See Projections.BulkLimit
@@ -1733,6 +1713,298 @@ InternalAuthZ:
        - "user.grant.read"
        - "user.membership.read"

+SystemAuthZ:
+  RolePermissionMappings:
+    - Role: "SYSTEM_OWNER"
+      Permissions:
+        - "system.instance.read"
+        - "system.instance.write"
+        - "system.instance.delete"
+        - "system.domain.read"
+        - "system.domain.write"
+        - "system.domain.delete"
+        - "system.debug.read"
+        - "system.debug.write"
+        - "system.debug.delete"
+        - "system.feature.read"
+        - "system.feature.write"
+        - "system.feature.delete"
+        - "system.limits.write"
+        - "system.limits.delete"
+        - "system.quota.write"
+        - "system.quota.delete"
+        - "system.iam.member.read"
+    - Role: "SYSTEM_OWNER_VIEWER"
+      Permissions:
+        - "system.instance.read"
+        - "system.domain.read"
+        - "system.debug.read"
+        - "system.feature.read"
+        - "system.iam.member.read"
+    - Role: "IAM_OWNER"
+      Permissions:
+        - "iam.read"
+        - "iam.write"
+        - "iam.policy.read"
+        - "iam.policy.write"
+        - "iam.policy.delete"
+        - "iam.member.read"
+        - "iam.member.write"
+        - "iam.member.delete"
+        - "iam.idp.read"
+        - "iam.idp.write"
+        - "iam.idp.delete"
+        - "iam.action.read"
+        - "iam.action.write"
+        - "iam.action.delete"
+        - "iam.flow.read"
+        - "iam.flow.write"
+        - "iam.flow.delete"
+        - "iam.feature.read"
+        - "iam.feature.write"
+        - "iam.feature.delete"
+        - "iam.restrictions.read"
+        - "iam.restrictions.write"
+        - "iam.web_key.write"
+        - "iam.web_key.delete"
+        - "iam.web_key.read"
+        - "iam.debug.write"
+        - "iam.debug.read"
+        - "org.read"
+        - "org.global.read"
+        - "org.create"
+        - "org.write"
+        - "org.delete"
+        - "org.member.read"
+        - "org.member.write"
+        - "org.member.delete"
+        - "org.idp.read"
+        - "org.idp.write"
+        - "org.idp.delete"
+        - "org.action.read"
+        - "org.action.write"
+        - "org.action.delete"
+        - "org.flow.read"
+        - "org.flow.write"
+        - "org.flow.delete"
+        - "org.feature.read"
+        - "org.feature.write"
+        - "org.feature.delete"
+        - "user.read"
+        - "user.global.read"
+        - "user.write"
+        - "user.delete"
+        - "user.grant.read"
+        - "user.grant.write"
+        - "user.grant.delete"
+        - "user.membership.read"
+        - "user.credential.write"
+        - "user.passkey.write"
+        - "user.feature.read"
+        - "user.feature.write"
+        - "user.feature.delete"
+        - "policy.read"
+        - "policy.write"
+        - "policy.delete"
+        - "project.read"
+        - "project.create"
+        - "project.write"
+        - "project.delete"
+        - "project.member.read"
+        - "project.member.write"
+        - "project.member.delete"
+        - "project.role.read"
+        - "project.role.write"
+        - "project.role.delete"
+        - "project.app.read"
+        - "project.app.write"
+        - "project.app.delete"
+        - "project.grant.read"
+        - "project.grant.write"
+        - "project.grant.delete"
+        - "project.grant.member.read"
+        - "project.grant.member.write"
+        - "project.grant.member.delete"
+        - "events.read"
+        - "milestones.read"
+        - "session.read"
+        - "session.delete"
+        - "action.target.read"
+        - "action.target.write"
+        - "action.target.delete"
+        - "action.execution.read"
+        - "action.execution.write"
+        - "userschema.read"
+        - "userschema.write"
+        - "userschema.delete"
+        - "session.read"
+        - "session.delete"
+    - Role: "IAM_OWNER_VIEWER"
+      Permissions:
+        - "iam.read"
+        - "iam.policy.read"
+        - "iam.member.read"
+        - "iam.idp.read"
+        - "iam.action.read"
+        - "iam.flow.read"
+        - "iam.restrictions.read"
+        - "iam.feature.read"
+        - "iam.web_key.read"
+        - "iam.debug.read"
+        - "org.read"
+        - "org.member.read"
+        - "org.idp.read"
+        - "org.action.read"
+        - "org.flow.read"
+        - "org.feature.read"
+        - "user.read"
+        - "user.global.read"
+        - "user.grant.read"
+        - "user.membership.read"
+        - "user.feature.read"
+        - "policy.read"
+        - "project.read"
+        - "project.member.read"
+        - "project.role.read"
+        - "project.app.read"
+        - "project.grant.read"
+        - "project.grant.member.read"
+        - "events.read"
+        - "milestones.read"
+        - "action.target.read"
+        - "action.execution.read"
+        - "userschema.read"
+        - "session.read"
+    - Role: "IAM_ORG_MANAGER"
+      Permissions:
+        - "org.read"
+        - "org.global.read"
+        - "org.create"
+        - "org.write"
+        - "org.delete"
+        - "org.member.read"
+        - "org.member.write"
+        - "org.member.delete"
+        - "org.idp.read"
+        - "org.idp.write"
+        - "org.idp.delete"
+        - "org.action.read"
+        - "org.action.write"
+        - "org.action.delete"
+        - "org.flow.read"
+        - "org.flow.write"
+        - "org.flow.delete"
+        - "org.feature.read"
+        - "org.feature.write"
+        - "org.feature.delete"
+        - "user.read"
+        - "user.global.read"
+        - "user.write"
+        - "user.delete"
+        - "user.grant.read"
+        - "user.grant.write"
+        - "user.grant.delete"
+        - "user.membership.read"
+        - "user.credential.write"
+        - "user.passkey.write"
+        - "user.feature.read"
+        - "user.feature.write"
+        - "user.feature.delete"
+        - "policy.read"
+        - "policy.write"
+        - "policy.delete"
+        - "project.read"
+        - "project.create"
+        - "project.write"
+        - "project.delete"
+        - "project.member.read"
+        - "project.member.write"
+        - "project.member.delete"
+        - "project.role.read"
+        - "project.role.write"
+        - "project.role.delete"
+        - "project.app.read"
+        - "project.app.write"
+        - "project.app.delete"
+        - "project.grant.read"
+        - "project.grant.write"
+        - "project.grant.delete"
+        - "project.grant.member.read"
+        - "project.grant.member.write"
+        - "project.grant.member.delete"
+        - "session.delete"
+    - Role: "IAM_USER_MANAGER"
+      Permissions:
+        - "org.read"
+        - "org.global.read"
+        - "org.member.read"
+        - "org.member.delete"
+        - "user.read"
+        - "user.global.read"
+        - "user.write"
+        - "user.delete"
+        - "user.grant.read"
+        - "user.grant.write"
+        - "user.grant.delete"
+        - "user.membership.read"
+        - "user.passkey.write"
+        - "user.feature.read"
+        - "user.feature.write"
+        - "user.feature.delete"
+        - "project.read"
+        - "project.member.read"
+        - "project.role.read"
+        - "project.app.read"
+        - "project.grant.read"
+        - "project.grant.write"
+        - "project.grant.delete"
+        - "project.grant.member.read"
+        - "session.delete"
+    - Role: "IAM_ADMIN_IMPERSONATOR"
+      Permissions:
+        - "admin.impersonation"
+        - "impersonation"
+    - Role: "IAM_END_USER_IMPERSONATOR"
+      Permissions:
+        - "impersonation"
+    - Role: "IAM_LOGIN_CLIENT"
+      Permissions:
+        - "iam.read"
+        - "iam.policy.read"
+        - "iam.member.read"
+        - "iam.member.write"
+        - "iam.idp.read"
+        - "iam.feature.read"
+        - "iam.restrictions.read"
+        - "org.read"
+        - "org.member.read"
+        - "org.member.write"
+        - "org.idp.read"
+        - "org.feature.read"
+        - "user.read"
+        - "user.write"
+        - "user.grant.read"
+        - "user.grant.write"
+        - "user.membership.read"
+        - "user.credential.write"
+        - "user.passkey.write"
+        - "user.feature.read"
+        - "policy.read"
+        - "project.read"
+        - "project.member.read"
+        - "project.member.write"
+        - "project.role.read"
+        - "project.app.read"
+        - "project.member.read"
+        - "project.member.write"
+        - "project.grant.read"
+        - "project.grant.member.read"
+        - "project.grant.member.write"
+        - "session.read"
+        - "session.link"
+        - "session.delete"
+        - "userschema.read"
+
 # If a new projection is introduced it will be prefilled during the setup process (if enabled)
 # This can prevent serving outdated data after a version upgrade, but might require a longer setup / upgrade process:
 # https://zitadel.com/docs/self-hosting/manage/updating_scaling