fix: enable env vars in setup steps (and deprecate admin subcommand) (#3871)

* fix: enable env vars in setup steps (and deprecate admin subcommand) * fix tests and error text
2025-08-11 18:33:28 +00:00 · 2022-06-27 12:32:34 +02:00
parent 30f553dea1
commit 12d4d3ea0b
53 changed files with 44 additions and 31 deletions
--- a/cmd/initialise/config.go
+++ b/cmd/initialise/config.go
@@ -0,0 +1,45 @@
+package initialise
+
+import (
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/id"
+)
+
+type Config struct {
+	Database  database.Config
+	AdminUser database.User
+	Machine   *id.Config
+	Log       *logging.Config
+}
+
+func MustNewConfig(v *viper.Viper) *Config {
+	config := new(Config)
+	err := v.Unmarshal(config)
+	logging.OnError(err).Fatal("unable to read config")
+
+	err = config.Log.SetLogger()
+	logging.OnError(err).Fatal("unable to set logger")
+
+	return config
+}
+
+func adminConfig(config *Config) database.Config {
+	adminConfig := config.Database
+	adminConfig.Username = config.AdminUser.Username
+	adminConfig.Password = config.AdminUser.Password
+	adminConfig.SSL.Cert = config.AdminUser.SSL.Cert
+	adminConfig.SSL.Key = config.AdminUser.SSL.Key
+	if config.AdminUser.SSL.RootCert != "" {
+		adminConfig.SSL.RootCert = config.AdminUser.SSL.RootCert
+	}
+	if config.AdminUser.SSL.Mode != "" {
+		adminConfig.SSL.Mode = config.AdminUser.SSL.Mode
+	}
+	//use default database because the zitadel database might not exist
+	adminConfig.Database = ""
+
+	return adminConfig
+}
--- a/cmd/initialise/helper.go
+++ b/cmd/initialise/helper.go
@@ -0,0 +1,28 @@
+package initialise
+
+import (
+	"database/sql"
+)
+
+func exists(query string, args ...interface{}) func(*sql.DB) (exists bool, err error) {
+	return func(db *sql.DB) (exists bool, err error) {
+		row := db.QueryRow("SELECT EXISTS("+query+")", args...)
+		err = row.Scan(&exists)
+		return exists, err
+	}
+}
+
+func exec(stmt string, args ...interface{}) func(*sql.DB) error {
+	return func(db *sql.DB) error {
+		_, err := db.Exec(stmt, args...)
+		return err
+	}
+}
+
+func verify(db *sql.DB, checkExists func(*sql.DB) (bool, error), create func(*sql.DB) error) error {
+	exists, err := checkExists(db)
+	if exists || err != nil {
+		return err
+	}
+	return create(db)
+}
--- a/cmd/initialise/init.go
+++ b/cmd/initialise/init.go
@@ -0,0 +1,74 @@
+package initialise
+
+import (
+	"database/sql"
+	_ "embed"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/id"
+)
+
+func New() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "init",
+		Short: "initialize ZITADEL instance",
+		Long: `Sets up the minimum requirements to start ZITADEL.
+
+Prereqesits:
+- cockroachdb
+
+The user provided by flags needs privileges to
+- create the database if it does not exist
+- see other users and create a new one if the user does not exist
+- grant all rights of the ZITADEL database to the user created if not yet set
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.GetViper())
+
+			InitAll(config)
+		},
+	}
+
+	cmd.AddCommand(newZitadel(), newDatabase(), newUser(), newGrant())
+	return cmd
+}
+
+func InitAll(config *Config) {
+	id.Configure(config.Machine)
+	err := initialise(config,
+		VerifyUser(config.Database.Username, config.Database.Password),
+		VerifyDatabase(config.Database.Database),
+		VerifyGrant(config.Database.Database, config.Database.Username),
+	)
+	logging.OnError(err).Fatal("unable to initialize the database")
+
+	err = verifyZitadel(config.Database)
+	logging.OnError(err).Fatal("unable to initialize ZITADEL")
+}
+
+func initialise(config *Config, steps ...func(*sql.DB) error) error {
+	logging.Info("initialization started")
+
+	db, err := database.Connect(adminConfig(config))
+	if err != nil {
+		return err
+	}
+	err = Initialise(db, steps...)
+	if err != nil {
+		return err
+	}
+	return db.Close()
+}
+
+func Initialise(db *sql.DB, steps ...func(*sql.DB) error) error {
+	for _, step := range steps {
+		if err := step(db); err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/cmd/initialise/init_test.go
+++ b/cmd/initialise/init_test.go
@@ -0,0 +1,82 @@
+package initialise
+
+import (
+	"database/sql"
+	"database/sql/driver"
+	"regexp"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+)
+
+type db struct {
+	mock sqlmock.Sqlmock
+	db   *sql.DB
+}
+
+func prepareDB(t *testing.T, expectations ...expectation) db {
+	t.Helper()
+	client, mock, err := sqlmock.New()
+	if err != nil {
+		t.Fatalf("unable to create sql mock: %v", err)
+	}
+	for _, expectation := range expectations {
+		expectation(mock)
+	}
+	return db{
+		mock: mock,
+		db:   client,
+	}
+}
+
+type expectation func(m sqlmock.Sqlmock)
+
+func expectExists(query string, value bool, args ...driver.Value) expectation {
+	return func(m sqlmock.Sqlmock) {
+		m.ExpectQuery(regexp.QuoteMeta(query)).WithArgs(args...).WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(value))
+	}
+}
+
+func expectQueryErr(query string, err error, args ...driver.Value) expectation {
+	return func(m sqlmock.Sqlmock) {
+		m.ExpectQuery(regexp.QuoteMeta(query)).WithArgs(args...).WillReturnError(err)
+	}
+}
+
+func expectExec(stmt string, err error, args ...driver.Value) expectation {
+	return func(m sqlmock.Sqlmock) {
+		query := m.ExpectExec(regexp.QuoteMeta(stmt)).WithArgs(args...)
+		if err != nil {
+			query.WillReturnError(err)
+			return
+		}
+		query.WillReturnResult(sqlmock.NewResult(1, 1))
+	}
+}
+
+func expectBegin(err error) expectation {
+	return func(m sqlmock.Sqlmock) {
+		query := m.ExpectBegin()
+		if err != nil {
+			query.WillReturnError(err)
+		}
+	}
+}
+
+func expectCommit(err error) expectation {
+	return func(m sqlmock.Sqlmock) {
+		query := m.ExpectCommit()
+		if err != nil {
+			query.WillReturnError(err)
+		}
+	}
+}
+
+func expectRollback(err error) expectation {
+	return func(m sqlmock.Sqlmock) {
+		query := m.ExpectRollback()
+		if err != nil {
+			query.WillReturnError(err)
+		}
+	}
+}
--- a/cmd/initialise/sql/01_user.sql
+++ b/cmd/initialise/sql/01_user.sql
@@ -0,0 +1,2 @@
+-- replace %[1]s with the name of the user
+CREATE USER %[1]s WITH PASSWORD $1
--- a/cmd/initialise/sql/02_database.sql
+++ b/cmd/initialise/sql/02_database.sql
@@ -0,0 +1,2 @@
+-- replace %[1]s with the name of the database
+CREATE DATABASE %[1]s
--- a/cmd/initialise/sql/03_grant_user.sql
+++ b/cmd/initialise/sql/03_grant_user.sql
@@ -0,0 +1,3 @@
+-- replace the first %[1]s with the database
+-- replace the second \%[2]s with the user
+GRANT ALL ON DATABASE %[1]s TO %[2]s
--- a/cmd/initialise/sql/04_eventstore.sql
+++ b/cmd/initialise/sql/04_eventstore.sql
@@ -0,0 +1 @@
+CREATE SCHEMA eventstore
--- a/cmd/initialise/sql/05_projections.sql
+++ b/cmd/initialise/sql/05_projections.sql
@@ -0,0 +1 @@
+CREATE SCHEMA projections
--- a/cmd/initialise/sql/06_system.sql
+++ b/cmd/initialise/sql/06_system.sql
@@ -0,0 +1 @@
+CREATE SCHEMA system;
--- a/cmd/initialise/sql/07_encryption_keys_table.sql
+++ b/cmd/initialise/sql/07_encryption_keys_table.sql
@@ -0,0 +1,6 @@
+CREATE TABLE system.encryption_keys (
+	id TEXT NOT NULL
+	, key TEXT NOT NULL
+
+	, PRIMARY KEY (id)
+);
--- a/cmd/initialise/sql/08_enable_hash_sharded_indexes.sql
+++ b/cmd/initialise/sql/08_enable_hash_sharded_indexes.sql
@@ -0,0 +1 @@
+SET experimental_enable_hash_sharded_indexes = on
--- a/cmd/initialise/sql/09_events_table.sql
+++ b/cmd/initialise/sql/09_events_table.sql
@@ -0,0 +1,25 @@
+CREATE TABLE eventstore.events (
+	id UUID DEFAULT gen_random_uuid()
+	, event_type TEXT NOT NULL
+	, aggregate_type TEXT NOT NULL
+	, aggregate_id TEXT NOT NULL
+	, aggregate_version TEXT NOT NULL
+	, event_sequence BIGINT NOT NULL
+	, previous_aggregate_sequence BIGINT
+	, previous_aggregate_type_sequence INT8
+	, creation_date TIMESTAMPTZ NOT NULL DEFAULT now()
+	, event_data JSONB
+	, editor_user TEXT NOT NULL 
+	, editor_service TEXT NOT NULL
+	, resource_owner TEXT NOT NULL
+	, instance_id TEXT NOT NULL
+
+	, PRIMARY KEY (event_sequence DESC, instance_id) USING HASH WITH BUCKET_COUNT = 10
+	, INDEX agg_type_agg_id (aggregate_type, aggregate_id, instance_id)
+	, INDEX agg_type (aggregate_type, instance_id)
+	, INDEX agg_type_seq (aggregate_type, event_sequence DESC, instance_id)
+		STORING (id, event_type, aggregate_id, aggregate_version, previous_aggregate_sequence, creation_date, event_data, editor_user, editor_service, resource_owner, previous_aggregate_type_sequence)
+	, INDEX max_sequence (aggregate_type, aggregate_id, event_sequence DESC, instance_id)
+	, CONSTRAINT previous_sequence_unique UNIQUE (previous_aggregate_sequence DESC, instance_id)
+	, CONSTRAINT prev_agg_type_seq_unique UNIQUE(previous_aggregate_type_sequence, instance_id)
+)
--- a/cmd/initialise/sql/10_system_sequence.sql
+++ b/cmd/initialise/sql/10_system_sequence.sql
@@ -0,0 +1 @@
+CREATE SEQUENCE eventstore.system_seq
--- a/cmd/initialise/sql/11_unique_constraints_table.sql
+++ b/cmd/initialise/sql/11_unique_constraints_table.sql
@@ -0,0 +1,6 @@
+CREATE TABLE eventstore.unique_constraints (
+    instance_id TEXT,
+    unique_type TEXT,
+    unique_field TEXT,
+    PRIMARY KEY (instance_id, unique_type, unique_field)
+)
--- a/cmd/initialise/sql/README.md
+++ b/cmd/initialise/sql/README.md
@@ -0,0 +1,16 @@
+# SQL initialisation
+
+The sql-files in this folder initialize the ZITADEL database and user. These objects need to exist before ZITADEL is able to set and start up.
+
+## files
+
+- 01_user.sql: create the user zitadel uses to connect to the database
+- 02_database.sql: create the database for zitadel
+- 03_grant_user.sql: grants the user created before to have full access to its database. The user needs full access to the database because zitadel makes ddl/dml on runtime
+- 04_eventstore.sql: creates the schema needed for eventsourcing
+- 05_projections.sql: creates the schema needed to read the data
+- 06_system.sql: creates the schema needed for ZITADEL itself
+- 07_encryption_keys_table.sql: creates the table for encryption keys (for event data)
+- files 08_enable_hash_sharded_indexes.sql and 09_events_table.sql must run in the same session
+  - 08_enable_hash_sharded_indexes.sql enables the [hash sharded index](https://www.cockroachlabs.com/docs/stable/hash-sharded-indexes.html) feature for this session
+  - 09_events_table.sql creates the table for eventsourcing
--- a/cmd/initialise/verify_database.go
+++ b/cmd/initialise/verify_database.go
@@ -0,0 +1,50 @@
+package initialise
+
+import (
+	"database/sql"
+	_ "embed"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+)
+
+var (
+	searchDatabase = "SELECT database_name FROM [show databases] WHERE database_name = $1"
+
+	//go:embed sql/02_database.sql
+	databaseStmt string
+)
+
+func newDatabase() *cobra.Command {
+	return &cobra.Command{
+		Use:   "database",
+		Short: "initialize only the database",
+		Long: `Sets up the ZITADEL database.
+
+Prereqesits:
+- cockroachdb
+
+The user provided by flags needs priviledge to 
+- create the database if it does not exist
+- see other users and create a new one if the user does not exist
+- grant all rights of the ZITADEL database to the user created if not yet set
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.New())
+
+			err := initialise(config, VerifyDatabase(config.Database.Database))
+			logging.OnError(err).Fatal("unable to initialize the database")
+		},
+	}
+}
+
+func VerifyDatabase(database string) func(*sql.DB) error {
+	return func(db *sql.DB) error {
+		return verify(db,
+			exists(searchDatabase, database),
+			exec(fmt.Sprintf(databaseStmt, database)),
+		)
+	}
+}
--- a/cmd/initialise/verify_database_test.go
+++ b/cmd/initialise/verify_database_test.go
@@ -0,0 +1,70 @@
+package initialise
+
+import (
+	"database/sql"
+	"errors"
+	"testing"
+)
+
+func Test_verifyDB(t *testing.T) {
+	type args struct {
+		db       db
+		database string
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "exists fails",
+			args: args{
+				db:       prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", sql.ErrConnDone, "zitadel")),
+				database: "zitadel",
+			},
+			targetErr: sql.ErrConnDone,
+		},
+		{
+			name: "doesn't exists, create fails",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", false, "zitadel"),
+					expectExec("CREATE DATABASE zitadel", sql.ErrTxDone),
+				),
+				database: "zitadel",
+			},
+			targetErr: sql.ErrTxDone,
+		},
+		{
+			name: "doesn't exists, create successful",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", false, "zitadel"),
+					expectExec("CREATE DATABASE zitadel", nil),
+				),
+				database: "zitadel",
+			},
+			targetErr: nil,
+		},
+		{
+			name: "already exists",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", true, "zitadel"),
+				),
+				database: "zitadel",
+			},
+			targetErr: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := VerifyDatabase(tt.args.database)(tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("verifyDB() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
--- a/cmd/initialise/verify_grant.go
+++ b/cmd/initialise/verify_grant.go
@@ -0,0 +1,45 @@
+package initialise
+
+import (
+	"database/sql"
+	_ "embed"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+)
+
+var (
+	searchGrant = "SELECT * FROM [SHOW GRANTS ON DATABASE %s] where grantee = $1 AND privilege_type = 'ALL'"
+	//go:embed sql/03_grant_user.sql
+	grantStmt string
+)
+
+func newGrant() *cobra.Command {
+	return &cobra.Command{
+		Use:   "grant",
+		Short: "set ALL grant to user",
+		Long: `Sets ALL grant to the database user.
+
+Prereqesits:
+- cockroachdb
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.New())
+
+			err := initialise(config, VerifyGrant(config.Database.Database, config.Database.Username))
+			logging.OnError(err).Fatal("unable to set grant")
+		},
+	}
+}
+
+func VerifyGrant(database, username string) func(*sql.DB) error {
+	return func(db *sql.DB) error {
+		logging.WithFields("user", username, "database", database).Info("verify grant")
+		return verify(db,
+			exists(fmt.Sprintf(searchGrant, database), username),
+			exec(fmt.Sprintf(grantStmt, database, username)),
+		)
+	}
+}
--- a/cmd/initialise/verify_grant_test.go
+++ b/cmd/initialise/verify_grant_test.go
@@ -0,0 +1,75 @@
+package initialise
+
+import (
+	"database/sql"
+	"errors"
+	"testing"
+)
+
+func Test_verifyGrant(t *testing.T) {
+	type args struct {
+		db       db
+		database string
+		username string
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "exists fails",
+			args: args{
+				db:       prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", sql.ErrConnDone, "zitadel-user")),
+				database: "zitadel",
+				username: "zitadel-user",
+			},
+			targetErr: sql.ErrConnDone,
+		},
+		{
+			name: "doesn't exists, create fails",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", false, "zitadel-user"),
+					expectExec("GRANT ALL ON DATABASE zitadel TO zitadel-user", sql.ErrTxDone),
+				),
+				database: "zitadel",
+				username: "zitadel-user",
+			},
+			targetErr: sql.ErrTxDone,
+		},
+		{
+			name: "correct",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", false, "zitadel-user"),
+					expectExec("GRANT ALL ON DATABASE zitadel TO zitadel-user", nil),
+				),
+				database: "zitadel",
+				username: "zitadel-user",
+			},
+			targetErr: nil,
+		},
+		{
+			name: "already exists",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", true, "zitadel-user"),
+				),
+				database: "zitadel",
+				username: "zitadel-user",
+			},
+			targetErr: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := VerifyGrant(tt.args.database, tt.args.username)(tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("VerifyGrant() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
--- a/cmd/initialise/verify_user.go
+++ b/cmd/initialise/verify_user.go
@@ -0,0 +1,50 @@
+package initialise
+
+import (
+	"database/sql"
+	_ "embed"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+)
+
+var (
+	searchUser = "SELECT username FROM [show roles] WHERE username = $1"
+	//go:embed sql/01_user.sql
+	createUserStmt string
+)
+
+func newUser() *cobra.Command {
+	return &cobra.Command{
+		Use:   "user",
+		Short: "initialize only the database user",
+		Long: `Sets up the ZITADEL database user.
+
+Prereqesits:
+- cockroachdb
+
+The user provided by flags needs priviledge to 
+- create the database if it does not exist
+- see other users and create a new one if the user does not exist
+- grant all rights of the ZITADEL database to the user created if not yet set
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.New())
+
+			err := initialise(config, VerifyUser(config.Database.Username, config.Database.Password))
+			logging.OnError(err).Fatal("unable to init user")
+		},
+	}
+}
+
+func VerifyUser(username, password string) func(*sql.DB) error {
+	return func(db *sql.DB) error {
+		logging.WithFields("username", username).Info("verify user")
+		return verify(db,
+			exists(searchUser, username),
+			exec(fmt.Sprintf(createUserStmt, username), &sql.NullString{String: password, Valid: password != ""}),
+		)
+	}
+}
--- a/cmd/initialise/verify_user_test.go
+++ b/cmd/initialise/verify_user_test.go
@@ -0,0 +1,87 @@
+package initialise
+
+import (
+	"database/sql"
+	"errors"
+	"testing"
+)
+
+func Test_verifyUser(t *testing.T) {
+	type args struct {
+		db       db
+		username string
+		password string
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "exists fails",
+			args: args{
+				db:       prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", sql.ErrConnDone, "zitadel-user")),
+				username: "zitadel-user",
+				password: "",
+			},
+			targetErr: sql.ErrConnDone,
+		},
+		{
+			name: "doesn't exists, create fails",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", false, "zitadel-user"),
+					expectExec("CREATE USER zitadel-user WITH PASSWORD $1", sql.ErrTxDone, nil),
+				),
+				username: "zitadel-user",
+				password: "",
+			},
+			targetErr: sql.ErrTxDone,
+		},
+		{
+			name: "correct without password",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", false, "zitadel-user"),
+					expectExec("CREATE USER zitadel-user WITH PASSWORD $1", nil, nil),
+				),
+				username: "zitadel-user",
+				password: "",
+			},
+			targetErr: nil,
+		},
+		{
+			name: "correct with password",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", false, "zitadel-user"),
+					expectExec("CREATE USER zitadel-user WITH PASSWORD $1", nil, "password"),
+				),
+				username: "zitadel-user",
+				password: "password",
+			},
+			targetErr: nil,
+		},
+		{
+			name: "already exists",
+			args: args{
+				db: prepareDB(t,
+					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", true, "zitadel-user"),
+				),
+				username: "zitadel-user",
+				password: "",
+			},
+			targetErr: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := VerifyUser(tt.args.username, tt.args.password)(tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("VerifyGrant() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
--- a/cmd/initialise/verify_zitadel.go
+++ b/cmd/initialise/verify_zitadel.go
@@ -0,0 +1,138 @@
+package initialise
+
+import (
+	"database/sql"
+	_ "embed"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+const (
+	eventstoreSchema       = "eventstore"
+	eventsTable            = "events"
+	uniqueConstraintsTable = "unique_constraints"
+	projectionsSchema      = "projections"
+	systemSchema           = "system"
+	encryptionKeysTable    = "encryption_keys"
+)
+
+var (
+	searchSchema         = "SELECT schema_name FROM [SHOW SCHEMAS] WHERE schema_name = $1"
+	searchTable          = "SELECT table_name FROM [SHOW TABLES] WHERE table_name = $1"
+	searchSystemSequence = "SELECT sequence_name FROM [SHOW SEQUENCES] WHERE sequence_name = 'system_seq'"
+
+	//go:embed sql/04_eventstore.sql
+	createEventstoreStmt string
+	//go:embed sql/05_projections.sql
+	createProjectionsStmt string
+	//go:embed sql/06_system.sql
+	createSystemStmt string
+	//go:embed sql/07_encryption_keys_table.sql
+	createEncryptionKeysStmt string
+	//go:embed sql/08_enable_hash_sharded_indexes.sql
+	enableHashShardedIdx string
+	//go:embed sql/09_events_table.sql
+	createEventsStmt string
+	//go:embed sql/10_system_sequence.sql
+	createSystemSequenceStmt string
+	//go:embed sql/11_unique_constraints_table.sql
+	createUniqueConstraints string
+)
+
+func newZitadel() *cobra.Command {
+	return &cobra.Command{
+		Use:   "zitadel",
+		Short: "initialize ZITADEL internals",
+		Long: `initialize ZITADEL internals.
+
+Prereqesits:
+- cockroachdb with user and database
+`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			config := new(Config)
+			if err := viper.Unmarshal(config); err != nil {
+				return err
+			}
+			return verifyZitadel(config.Database)
+		},
+	}
+}
+
+func VerifyZitadel(db *sql.DB) error {
+	if err := verify(db, exists(searchSchema, systemSchema), exec(createSystemStmt)); err != nil {
+		return err
+	}
+
+	if err := verify(db, exists(searchTable, encryptionKeysTable), createEncryptionKeys); err != nil {
+		return err
+	}
+
+	if err := verify(db, exists(searchSchema, projectionsSchema), exec(createProjectionsStmt)); err != nil {
+		return err
+	}
+
+	if err := verify(db, exists(searchSchema, eventstoreSchema), exec(createEventstoreStmt)); err != nil {
+		return err
+	}
+
+	if err := verify(db, exists(searchTable, eventsTable), createEvents); err != nil {
+		return err
+	}
+
+	if err := verify(db, exists(searchSystemSequence), exec(createSystemSequenceStmt)); err != nil {
+		return err
+	}
+
+	if err := verify(db, exists(searchTable, uniqueConstraintsTable), exec(createUniqueConstraints)); err != nil {
+		return err
+	}
+	return nil
+}
+
+func verifyZitadel(config database.Config) error {
+	logging.WithFields("database", config.Database).Info("verify zitadel")
+	db, err := database.Connect(config)
+	if err != nil {
+		return err
+	}
+	if err := VerifyZitadel(db); err != nil {
+		return nil
+	}
+
+	return db.Close()
+}
+
+func createEncryptionKeys(db *sql.DB) error {
+	tx, err := db.Begin()
+	if err != nil {
+		return err
+	}
+	if _, err = tx.Exec(createEncryptionKeysStmt); err != nil {
+		tx.Rollback()
+		return err
+	}
+
+	return tx.Commit()
+}
+
+func createEvents(db *sql.DB) error {
+	tx, err := db.Begin()
+	if err != nil {
+		return err
+	}
+	if _, err = tx.Exec(enableHashShardedIdx); err != nil {
+		tx.Rollback()
+		return err
+	}
+
+	if _, err = tx.Exec(createEventsStmt); err != nil {
+		tx.Rollback()
+		return err
+	}
+
+	return tx.Commit()
+}
--- a/cmd/initialise/verify_zitadel_test.go
+++ b/cmd/initialise/verify_zitadel_test.go
@@ -0,0 +1,126 @@
+package initialise
+
+import (
+	"database/sql"
+	"errors"
+	"testing"
+)
+
+func Test_verifyEvents(t *testing.T) {
+	type args struct {
+		db db
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "unable to begin",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(sql.ErrConnDone),
+				),
+			},
+			targetErr: sql.ErrConnDone,
+		},
+		{
+			name: "hash sharded indexes fails",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectExec("SET experimental_enable_hash_sharded_indexes = on", sql.ErrNoRows),
+					expectRollback(nil),
+				),
+			},
+			targetErr: sql.ErrNoRows,
+		},
+		{
+			name: "create table fails",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectExec("SET experimental_enable_hash_sharded_indexes = on", nil),
+					expectExec(createEventsStmt, sql.ErrNoRows),
+					expectRollback(nil),
+				),
+			},
+			targetErr: sql.ErrNoRows,
+		},
+		{
+			name: "correct",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectExec("SET experimental_enable_hash_sharded_indexes = on", nil),
+					expectExec(createEventsStmt, nil),
+					expectCommit(nil),
+				),
+			},
+			targetErr: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := createEvents(tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("createEvents() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
+
+func Test_verifyEncryptionKeys(t *testing.T) {
+	type args struct {
+		db db
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "unable to begin",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(sql.ErrConnDone),
+				),
+			},
+			targetErr: sql.ErrConnDone,
+		},
+		{
+			name: "create table fails",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectExec(createEncryptionKeysStmt, sql.ErrNoRows),
+					expectRollback(nil),
+				),
+			},
+			targetErr: sql.ErrNoRows,
+		},
+		{
+			name: "correct",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectExec(createEncryptionKeysStmt, nil),
+					expectCommit(nil),
+				),
+			},
+			targetErr: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := createEncryptionKeys(tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("createEvents() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
				`@@ -0,0 +1 @@`
				`SET experimental_enable_hash_sharded_indexes = on`