Merge branch 'v2-alpha' into v2-alpha-run-e2e-tests

2025-05-05 07:30:57 +00:00 · 2022-07-18 10:59:17 +02:00 · 2022-07-18 10:59:17 +02:00 · 1349e4e6cb
commit 1349e4e6cb
parent 5fd90efab1 9b6dad18cb
32 changed files with 248 additions and 114 deletions
--- a/README.md
+++ b/README.md
@ -41,7 +41,7 @@ With ZITADEL you rely on a battle tested, hardened and extensible turnkey soluti

 ## Get started

-### ZITADEL Cloud
+### ZITADEL Cloud (SaaS)

 The easiest way to get started with ZITADEL is to use our public cloud offering.
 Currently ZITADEL V2 Beta is available, head over to [https://zitadel.cloud](https://zitadel.cloud) and create your first ZITADEL instance for free.
--- a/cmd/start/config.go
+++ b/cmd/start/config.go
@ -22,6 +22,7 @@ import (
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	static_config "github.com/zitadel/zitadel/internal/static/config"
+	metrics "github.com/zitadel/zitadel/internal/telemetry/metrics/config"
 	tracing "github.com/zitadel/zitadel/internal/telemetry/tracing/config"
 )

@ -37,6 +38,7 @@ type Config struct {
 	WebAuthNName      string
 	Database          database.Config
 	Tracing           tracing.Config
+	Metrics           metrics.Config
 	Projections       projection.Config
 	Auth              auth_es.Config
 	Admin             admin_es.Config
@ -77,11 +79,16 @@ func MustNewConfig(v *viper.Viper) *Config {
 			mapstructure.StringToSliceHookFunc(","),
 		)),
 	)
+	logging.OnError(err).Fatal("unable to read config")
+
 	err = config.Log.SetLogger()
 	logging.OnError(err).Fatal("unable to set logger")

 	err = config.Tracing.NewTracer()
 	logging.OnError(err).Fatal("unable to set tracer")

+	err = config.Metrics.NewMeter()
+	logging.OnError(err).Fatal("unable to set meter")
+
 	return config
 }
--- a/deploy/knative/zitadel-knative-service.yaml
+++ b/deploy/knative/zitadel-knative-service.yaml
@ -7,7 +7,7 @@ spec:
  template:
    metadata:
      annotations:
-        client.knative.dev/user-image: ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.33-amd64
+        client.knative.dev/user-image: ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64
      creationTimestamp: null
    spec:
      containerConcurrency: 0
@ -30,7 +30,7 @@ spec:
          value: zitadel.default.127.0.0.1.sslip.io
        - name: ZITADEL_S3DEFAULTINSTANCE_CUSTOMDOMAIN
          value: zitadel.default.127.0.0.1.sslip.io
-        image: ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.33-amd64
+        image: ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64
        name: user-container
        ports:
        - containerPort: 8080
--- a/docs/docs/apis/proto/admin.md
+++ b/docs/docs/apis/proto/admin.md
@ -3642,6 +3642,7 @@ this is en empty request
 | ----- | ---- | ----------- | ----------- |
 | org |  SetUpOrgRequest.Org | - | message.required: true<br />  |
 | [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) user.human |  SetUpOrgRequest.Human | oneof field for the user managing the organisation |  |
+| roles | repeated string | specify Org Member Roles for the provided user (default is ORG_OWNER if roles are empty) |  |



--- a/docs/docs/guides/installation/configure/compose.mdx
+++ b/docs/docs/guides/installation/configure/compose.mdx
@ -1,10 +1,25 @@
+import CodeBlock from '@theme/CodeBlock';
+import DockerComposeSource from '!!raw-loader!./docker-compose.yaml'
+import ExampleZITADELConfigSource from '!!raw-loader!./example-zitadel-config.yaml'
+import ExampleZITADELSecretsSource from '!!raw-loader!./example-zitadel-secrets.yaml'
+import ExampleZITADELInitStepsSource from '!!raw-loader!./example-zitadel-init-steps.yaml'
+
 The docker compose example mounts the example zitadel configuration files to the ZITADEL container.

 By executing the commands below, you will download the following files:
- [docker-compose.yaml](./docker-compose.yaml)
- [example-zitadel-config.yaml](./example-zitadel-config.yaml)
- [example-zitadel-secrets.yaml](./example-zitadel-secrets.yaml)
- [example-zitadel-init-steps.yaml](./example-zitadel-init-steps.yaml)
+
+<details><summary>docker-compose.yaml</summary>
+    <CodeBlock language="yaml">{DockerComposeSource}</CodeBlock>
+</details>
+<details><summary>example-zitadel-config.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELConfigSource}</CodeBlock>
+</details>
+<details><summary>example-zitadel-secrets.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELSecretsSource}</CodeBlock>
+</details>
+<details><summary>example-zitadel-init-steps.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELInitStepsSource}</CodeBlock>
+</details>

 ```bash
 # Download the docker compose example configuration for a secure CockroachDB. For example:
--- a/docs/docs/guides/installation/configure/configure.mdx
+++ b/docs/docs/guides/installation/configure/configure.mdx
@ -35,13 +35,21 @@ All configuration properties are also configurable via environemnt variables.
 Prefix the key with *ZITADEL\_*, uppercase the propery and join sections by an underscore _.
 For example, if you want to configure the default ZITADEL IAM admin username and password, make sure the ZITADEL binary runtime has the variables *ZITADEL_S3DEFAULTINSTANCE_ORG_HUMAN_USERNAME* and *ZITADEL_S3DEFAULTINSTANCE_ORG_HUMAN_PASSWORD* set.

+## Masterkey
+
+The masterkey is used to AES256-encrypt other generated encryption keys.
+It needs to have 32 bytes.
+You can pass the masterkey in either of three possible ways to the zitadel binary:
+- By value: Use the flag `--masterkey My_Master_Key_Which_Has_32_Bytes`
+- By environment variable `ZITADEL_MASTERKEY`: Use the flag `--masterkeyFromEnv`
+- By file: Use the flag `--masterkeyFile /path/to/file`
+
 ## Passing the configuration

 <Tabs
    groupId="installation-target"
-    default="linux"
+    default="linuxunix"
    values={[
-        {'label': 'Linux', 'value': 'linux'},
        {'label': 'Linux and Unix', 'value': 'linuxunix'},
        {'label': 'Docker Compose', 'value': 'compose'},
        {'label': 'Kubernetes (Helm)', 'value': 'k8s'}
--- a/docs/docs/guides/installation/configure/docker-compose.yaml
+++ b/docs/docs/guides/installation/configure/docker-compose.yaml
@ -6,7 +6,7 @@ services:
    restart: 'always'
    networks:
      - 'zitadel'
-    image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.33-amd64'
+    image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64'
    command: 'start-from-init --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml --steps /example-zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}" --tlsMode disabled'
    depends_on:
      chown:
--- a/docs/docs/guides/installation/configure/helm.mdx
+++ b/docs/docs/guides/installation/configure/helm.mdx
@ -1,11 +1,20 @@
+import CodeBlock from '@theme/CodeBlock';
+import ExampleZITADELValuesSource from '!!raw-loader!./example-zitadel-values.yaml'
+import ExampleZITADELValuesSecretsSource from '!!raw-loader!./example-zitadel-values-secrets.yaml'
+
 By default, the chart installs a secure ZITADEL and CockroachDB.
 The example files makes an insecure ZITADEL accessible by port forwarding the ZITADEL service to localhost.
 For more configuration options, [go to the chart repo descriptions](https://github.com/zitadel/zitadel-charts).
 For a secure installation with Docker Compose, [go to the loadbalancing example](/docs/guides/installation/loadbalancing-example)

 By executing the commands below, you will download the following files:
- [example-zitadel-values.yaml](./example-zitadel-values.yaml)
- [example-zitadel-values-secrets.yaml](./example-zitadel-values-secrets.yaml)
+
+<details><summary>example-zitadel-values.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELValuesSource}</CodeBlock>
+</details>
+<details><summary>example-zitadel-values-secrets.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELValuesSecretsSource}</CodeBlock>
+</details>

 ```bash
 # Download and adjust the example configuration file containing standard configuration
--- a/docs/docs/guides/installation/configure/linuxunix.mdx
+++ b/docs/docs/guides/installation/configure/linuxunix.mdx
@ -1,9 +1,21 @@
+import CodeBlock from '@theme/CodeBlock';
+import ExampleZITADELConfigSource from '!!raw-loader!./example-zitadel-config.yaml'
+import ExampleZITADELSecretsSource from '!!raw-loader!./example-zitadel-secrets.yaml'
+import ExampleZITADELInitStepsSource from '!!raw-loader!./example-zitadel-init-steps.yaml'
+
 ### Configure by Files

 By executing the commands below, you will download the following files:
- [example-zitadel-config.yaml](./example-zitadel-config.yaml)
- [example-zitadel-secrets.yaml](./example-zitadel-secrets.yaml)
- [example-zitadel-init-steps.yaml](./example-zitadel-init-steps.yaml)
+
+<details><summary>example-zitadel-config.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELConfigSource}</CodeBlock>
+</details>
+<details><summary>example-zitadel-secrets.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELSecretsSource}</CodeBlock>
+</details>
+<details><summary>example-zitadel-init-steps.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELInitStepsSource}</CodeBlock>
+</details>

 ```bash
 # Download and adjust the example configuration file containing standard configuration
@ -44,5 +56,5 @@ export ZITADEL_S3DEFAULTINSTANCE_ORG_HUMAN_PASSWORD="RootPassword1!"
 export ZITADEL_MASTERKEY="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"

 # Let the zitadel binary read configuration from environment variables
-zitadel admin start-from-init --masterkey "${ZITADEL_MASTERKEY}"
+zitadel start-from-init --masterkey "${ZITADEL_MASTERKEY}" --tlsMode disabled
 ```
--- a/docs/docs/guides/installation/loadbalancing-example/docker-compose.yaml
+++ b/docs/docs/guides/installation/loadbalancing-example/docker-compose.yaml
@ -15,7 +15,7 @@ services:
    restart: 'always'
    networks:
      - 'zitadel'
-    image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.33-amd64'
+    image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64'
    command: 'start-from-init --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml --steps /example-zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}" --tlsMode external'
    depends_on:
      chown:
--- a/docs/docs/guides/installation/loadbalancing-example/loadbalancing-example.mdx
+++ b/docs/docs/guides/installation/loadbalancing-example/loadbalancing-example.mdx
@ -2,6 +2,13 @@
 title: Load Balancing Example
 ---

+import CodeBlock from '@theme/CodeBlock';
+import DockerComposeSource from '!!raw-loader!./docker-compose.yaml'
+import ExampleTraefikSource from '!!raw-loader!./example-traefik.yaml'
+import ExampleZITADELConfigSource from '!!raw-loader!./example-zitadel-config.yaml'
+import ExampleZITADELSecretsSource from '!!raw-loader!./example-zitadel-secrets.yaml'
+import ExampleZITADELInitStepsSource from '!!raw-loader!./example-zitadel-init-steps.yaml'
+
 With this example configuration, you create a near production environment for ZITADEL with [Docker Compose](https://docs.docker.com/compose/).

 The stack consists of three long-running containers:
@ -12,11 +19,22 @@ The stack consists of three long-running containers:
 The setup is tested against Docker version 20.10.17 and Docker Compose version v2.2.3

 By executing the commands below, you will download the following files:
- [docker-compose.yaml](./docker-compose.yaml)
- [example-traefik.yaml](./example-traefik.yaml)
- [example-zitadel-config.yaml](./example-zitadel-config.yaml)
- [example-zitadel-secrets.yaml](./example-zitadel-secrets.yaml)
- [example-zitadel-init-steps.yaml](./example-zitadel-init-steps.yaml)
+
+<details><summary>docker-compose.yaml</summary>
+    <CodeBlock language="yaml">{DockerComposeSource}</CodeBlock>
+</details>
+<details><summary>example-traefik.yaml</summary>
+    <CodeBlock language="yaml">{ExampleTraefikSource}</CodeBlock>
+</details>
+<details><summary>example-zitadel-config.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELConfigSource}</CodeBlock>
+</details>
+<details><summary>example-zitadel-secrets.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELSecretsSource}</CodeBlock>
+</details>
+<details><summary>example-zitadel-init-steps.yaml</summary>
+    <CodeBlock language="yaml">{ExampleZITADELInitStepsSource}</CodeBlock>
+</details>

 ```bash
 # Download the docker compose example configuration. For example:
--- a/docs/docs/guides/installation/run/compose.mdx
+++ b/docs/docs/guides/installation/run/compose.mdx
@ -1,6 +1,13 @@
+import CodeBlock from '@theme/CodeBlock';
+import DockerComposeSource from '!!raw-loader!./docker-compose.yaml'
+
 The setup is tested against Docker version 20.10.17 and Docker Compose version v2.2.3

-By executing the commands below, you will download the file [docker-compose.yaml](./docker-compose.yaml)
+By executing the commands below, you will download the following file:
+
+<details><summary>docker-compose.yaml</summary>
+    <CodeBlock language="yaml">{DockerComposeSource}</CodeBlock>
+</details>

 ```bash
 # Download the docker compose example configuration. For example:
--- a/docs/docs/guides/installation/run/docker-compose.yaml
+++ b/docs/docs/guides/installation/run/docker-compose.yaml
@ -5,7 +5,7 @@ services:
    restart: 'always'
    networks:
      - 'zitadel'
-    image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.33-amd64'
+    image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64'
    command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
    environment:
      - 'ZITADEL_DATABASE_HOST=db'
--- a/docs/docs/guides/installation/run/knative.mdx
+++ b/docs/docs/guides/installation/run/knative.mdx
@ -6,16 +6,16 @@ Follow the [Knative quickstart guide](https://knative.dev/docs/getting-started/q
 It is basically 4 commands on Mac:

 ```bash
-#install knative
+# Install knative
 brew install knative/client/kn

-#install knative quickstart sandbox
+# Install knative quickstart sandbox
 brew install knative-sandbox/kn-plugins/quickstart

-#install kind
+# Install kind
 brew install kind

-#install quickstart cluster
+# Install quickstart cluster
 kn quickstart kind
 ```
 That will get you a ready to go knative/kubernetes environment.
@ -30,12 +30,12 @@ kubectl apply -f https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/depl


 ## Start ZITADEL with Knative
+
+Either use the kn binary...
+
 ```bash
-
-# start zitadel
-
 kn service create zitadel \
--image ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.33-amd64 \
+--image ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64 \
 --port 8080 \
 --env ZITADEL_DATABASE_HOST=cockroachdb \
 --env ZITADEL_EXTERNALSECURE=false \
@ -46,15 +46,17 @@ kn service create zitadel \
 --arg "start-from-init" --arg "--masterkey" --arg "MasterkeyNeedsToHave32Characters" 
 ```

-or use the knative service yaml
+... or use the knative service yaml

 ```bash
 kubectl apply -f https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/deploy/knative/zitadel-knative-service.yaml
 ```

-## Get started with ZIDATEL
+## Get started with ZITADEL
+
+Get ZITADEL URL
+
 ```bash
-#get ZIDATEL URL
 kn services list

 NAME      URL                                         LATEST          AGE   CONDITIONS   READY   REASON
--- a/docs/docs/guides/installation/run/linux.mdx
+++ b/docs/docs/guides/installation/run/linux.mdx
@ -3,14 +3,16 @@
 Download a `cockroach` binary as described [in the CockroachDB docs](https://www.cockroachlabs.com/docs/v22.1/install-cockroachdb).
 ZITADEL is tested against CockroachDB v22.1.0 and Ubuntu 20.04.

-## Run CockroachDB and ZITADEL
+## Run CockroachDB

 ```bash
-# Run a CockroachDB instance
-cockroach start-single-node --insecure --background --http-addr :9090
+cockroach start-single-node --insecure --background --http-addr :9090 --listen-addr=localhost
+```

+## Run ZITADEL
+```bash
 # Download the zitadel binary
-curl -s https://api.github.com/repos/zitadel/zitadel/releases/tags/v2.0.0-v2-alpha.24 | grep "browser_download_url.*zitadel_Linux_$(uname -i).tar.gz" | cut -d '"' -f 4 | xargs wget -qO - | sudo tar --extract --gzip --overwrite --directory /usr/local/bin zitadel && sudo chown $(id -u):$(id -g) /usr/local/bin/zitadel
+curl -s https://api.github.com/repos/zitadel/zitadel/releases/tags/v2.0.0-v2-alpha.39 | grep "browser_download_url.*zitadel_Linux_$(uname -i).tar.gz" | cut -d '"' -f 4 | xargs wget -qO - | sudo tar --extract --gzip --overwrite --directory /usr/local/bin zitadel && sudo chown $(id -u):$(id -g) /usr/local/bin/zitadel

 # Run the zitadel binary
 ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
--- a/docs/docs/guides/installation/run/macos.mdx
+++ b/docs/docs/guides/installation/run/macos.mdx
@ -8,7 +8,7 @@ ZITADEL is tested against CockroachDB v22.1.0.
 Run a CockroachDB instance

 ```bash
-cockroach start-single-node --insecure --background --http-addr :9090
+cockroach start-single-node --insecure --background --http-addr :9090 --listen-addr=localhost
 ```

 # Download and Install ZITADEL
@ -23,7 +23,7 @@ brew install zitadel/tap/zitadel

 ```bash
 export MY_ARCHITECTURE="arm64 or amd64 depeding on your mac"
-curl -s https://api.github.com/repos/zitadel/zitadel/releases/tags/v2.0.0-v2-alpha.24 | grep "browser_download_url.*zitadel_Darwin_${MY_ARCHITECTURE}.tar.gz" | cut -d '"' -f 4 | xargs wget -qO - | sudo tar --extract --gzip --overwrite --directory /usr/local/bin zitadel && sudo chown $(id -u):$(id -g) /usr/local/bin/zitadel
+curl -s https://api.github.com/repos/zitadel/zitadel/releases/tags/v2.0.0-v2-alpha.39 | grep "browser_download_url.*zitadel_Darwin_${MY_ARCHITECTURE}.tar.gz" | cut -d '"' -f 4 | xargs wget -qO - | sudo tar --extract --gzip --overwrite --directory /usr/local/bin zitadel && sudo chown $(id -u):$(id -g) /usr/local/bin/zitadel
 ```

 Run ZITADEL
--- a/docs/docusaurus.config.js
+++ b/docs/docusaurus.config.js
@ -19,7 +19,15 @@ module.exports = {
    },
  ],
  themeConfig: {
-    zoomSelector: ".markdown :not(em) > img",
+    zoom: {
+      selector: '.markdown :not(em) > img',
+      background: {
+        light: 'rgb(243, 244, 246)',
+        dark: 'rgb(55, 59, 82)'
+      },
+      // options you can specify via https://github.com/francoischalifour/medium-zoom#usage
+      config: {}
+    },
    announcementBar: {
      id: 'documentation',
      content:
@ -170,5 +178,5 @@ module.exports = {
      },
    ],
  ],
-  plugins: [require.resolve("plugin-image-zoom")],
+  plugins: [require.resolve("docusaurus-plugin-image-zoom")],
 };
--- a/docs/package.json
+++ b/docs/package.json
@ -82,6 +82,7 @@
    "cssnano": "5.1.7",
    "cssnano-preset-advanced": "5.3.3",
    "dns-packet": "5.3.1",
+    "docusaurus-plugin-image-zoom": "^0.1.1",
    "docusaurus-plugin-plausible": "^0.0.5",
    "eastasianwidth": "0.2.0",
    "enhanced-resolve": "5.9.3",
@ -139,6 +140,7 @@
    "postcss-zindex": "5.1.0",
    "prismjs": "1.28.0",
    "raw-body": "2.5.1",
+    "raw-loader": "^4.0.2",
    "react": "^17.0.2",
    "react-dev-utils": "12.0.1",
    "react-dom": "^17.0.2",
--- a/docs/src/css/custom.css
+++ b/docs/src/css/custom.css
@ -72,14 +72,14 @@
 :root {
  --ifm-navbar-background-color: #ffffff;
  --ifm-footer-background-color: #f4f4f4;
-  --ifm-menu-color-background-active: #f2f5ff;
-  --ifm-menu-color-active: #5469d4;
+  --ifm-menu-color-background-active: #7E21CE10;
+  --ifm-menu-color-active: #7E21CE;
  --ifm-menu-color-background-hover: #f7fafc;
  --ifm-font-color-base: #6b7280;
  --ifm-link-color: #5469d4;
  --ifm-menu-color: #697386;
  --ifm-footer-link-color: #000000;
-  --ifm-color-primary: #5469d4;
+  --ifm-color-primary: #7E21CE;
  --ifm-color-primary-dark: #4d61cf;
  --ifm-color-primary-darker: #4356c9;
  --ifm-color-primary-darkest: #3a4cc3; /* 293bb9 */
@ -161,7 +161,7 @@
 }

 :root[data-theme="dark"] .navbar:not(.navbar-sidebar--show) {
-  background-color: rgba(31, 41, 55, 0.5019607843137255);
+  background-color: #15173580;
  backdrop-filter: saturate(110%) blur(5px);
 }

@ -238,8 +238,8 @@ h2 {
  --ifm-menu-color-background-active: #ffffff10;
  --ifm-menu-color-active: #ffffff;
  --ifm-menu-color-background-hover: #3c405850;
-  --ifm-font-color-base: #c1c9d2;
-  --ifm-menu-color: #a3acb9;
+  --ifm-font-color-base: #DDDDDD;
+  --ifm-menu-color: #DDDDDD;
  --ifm-link-color: #ff2069;
  --docsearch-searchbox-background: #454a66;
  --docsearch-searchbox-focus-background: #454a66;
@ -258,9 +258,9 @@ h2 {
  --ifm-color-primary-lightest: #ff90b4;
  --ifm-background-color: #141735;
  --ifm-hero-background-color: #0f1022;
-  --ifm-hero-text-color: var(--ifm-font-color-base);
+  --ifm-hero-text-color: #ffffff;
  --get-started-bg: var(--ifm-font-color-base);
-  --get-started: #059669;
+  --get-started: #FF1F69;
  --ifm-footer-color: #ffffff50;
  --ifm-heading-color: #ffffff;
  --ifm-font-color-base: #c1c9d2;
@ -285,7 +285,6 @@ h2 {
  --apisystembackground: linear-gradient(40deg, #6E695090, #6E695090);
  --apiassetbackground: linear-gradient(40deg, #3c4257, #3c4257);
  --overlaycolor: #ffffff15;
-  --ifm-hero-text-color: #023c2a;
 }

 .get-started:hover {
--- a/docs/yarn.lock
+++ b/docs/yarn.lock
@ -3855,6 +3855,13 @@ dns-packet@5.3.1, dns-packet@^5.2.2:
  dependencies:
    "@leichtgewicht/ip-codec" "^2.0.1"

+docusaurus-plugin-image-zoom@^0.1.1:
+  version "0.1.1"
+  resolved "https://registry.yarnpkg.com/docusaurus-plugin-image-zoom/-/docusaurus-plugin-image-zoom-0.1.1.tgz#f5e16ae568f7b74e8a357ee67ea7922521f64539"
+  integrity sha512-cJXo5TKh9OR1gE4B5iS5ovLWYYDFwatqRm00iXFPOaShZG99l5tgkDKgbQPAwSL9wg4I+wz3aMwkOtDhMIpKDQ==
+  dependencies:
+    medium-zoom "^1.0.6"
+
 docusaurus-plugin-plausible@^0.0.5:
  version "0.0.5"
  resolved "https://registry.yarnpkg.com/docusaurus-plugin-plausible/-/docusaurus-plugin-plausible-0.0.5.tgz#d113f7d82c09a3945e88227265b599ba1904bfb9"
@ -5573,7 +5580,7 @@ media-typer@0.3.0:
  resolved "https://registry.yarnpkg.com/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748"
  integrity sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=

-medium-zoom@^1.0.4:
+medium-zoom@^1.0.4, medium-zoom@^1.0.6:
  version "1.0.6"
  resolved "https://registry.yarnpkg.com/medium-zoom/-/medium-zoom-1.0.6.tgz#9247f21ca9313d8bbe9420aca153a410df08d027"
  integrity sha512-UdiUWfvz9fZMg1pzf4dcuqA0W079o0mpqbTnOz5ip4VGYX96QjmbM+OgOU/0uOzAytxC0Ny4z+VcYQnhdifimg==
@ -6571,6 +6578,14 @@ raw-body@2.5.1:
    iconv-lite "0.4.24"
    unpipe "1.0.0"

+raw-loader@^4.0.2:
+  version "4.0.2"
+  resolved "https://registry.yarnpkg.com/raw-loader/-/raw-loader-4.0.2.tgz#1aac6b7d1ad1501e66efdac1522c73e59a584eb6"
+  integrity sha512-ZnScIV3ag9A4wPX/ZayxL/jZH+euYb6FcUinPcgiQW0+UBtEv0O6Q3lGd3cqJ+GHH+rksEv3Pj99oxJ3u3VIKA==
+  dependencies:
+    loader-utils "^2.0.0"
+    schema-utils "^3.0.0"
+
 rc@^1.2.8:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed"
--- a/internal/api/api.go
+++ b/internal/api/api.go
@ -17,6 +17,7 @@ import (
 	http_util "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/telemetry/metrics"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

@ -132,6 +133,7 @@ func (a *API) healthHandler() http.Handler {
 	handler.HandleFunc("/healthz", handleHealth)
 	handler.HandleFunc("/ready", handleReadiness(checks))
 	handler.HandleFunc("/validate", handleValidate(checks))
+	handler.Handle("/metrics", metricsExporter())

 	return handler
 }
@ -175,3 +177,11 @@ func validate(ctx context.Context, validations []ValidationFunction) []error {
 	}
 	return errs
 }
+
+func metricsExporter() http.Handler {
+	exporter := metrics.GetExporter()
+	if exporter == nil {
+		return http.NotFoundHandler()
+	}
+	return exporter
+}
--- a/internal/api/grpc/admin/org.go
+++ b/internal/api/grpc/admin/org.go
@ -66,6 +66,7 @@ func (s *Server) SetUpOrg(ctx context.Context, req *admin_pb.SetUpOrgRequest) (*
 		Name:         req.Org.Name,
 		CustomDomain: req.Org.Domain,
 		Human:        human,
+		Roles:        req.Roles,
 	}, userIDs...)
 	if err != nil {
 		return nil, err
--- a/internal/command/org.go
+++ b/internal/command/org.go
@ -19,6 +19,7 @@ type OrgSetup struct {
 	Name         string
 	CustomDomain string
 	Human        AddHuman
+	Roles        []string
 }

 func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup, userIDs ...string) (string, *domain.ObjectDetails, error) {
@ -35,10 +36,15 @@ func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup, userIDs ...string)
 	orgAgg := org.NewAggregate(orgID)
 	userAgg := user_repo.NewAggregate(userID, orgID)

+	roles := []string{domain.RoleOrgOwner}
+	if len(o.Roles) > 0 {
+		roles = o.Roles
+	}
+
 	validations := []preparation.Validation{
 		AddOrgCommand(ctx, orgAgg, o.Name, userIDs...),
 		AddHumanCommand(userAgg, &o.Human, c.userPasswordAlg, c.userEncryption),
-		c.AddOrgMemberCommand(orgAgg, userID, domain.RoleOrgOwner),
+		c.AddOrgMemberCommand(orgAgg, userID, roles...),
 	}
 	if o.CustomDomain != "" {
 		validations = append(validations, AddOrgDomain(orgAgg, o.CustomDomain))
--- a/internal/config/options/defaults.yaml
+++ b/internal/config/options/defaults.yaml
@ -3,6 +3,11 @@ Log:
  Formatter:
    Format: text

+# Exposes metrics on /debug/metrics
+Metrics:
+  # Select type otel (OpenTelemetry) or none (disables collection and endpoint)
+  Type: otel
+
 # Port ZITADEL will listen on
 Port: 8080
 # Port ZITADEL is exposed on, it can differ from port e.g. if you proxy the traffic
@ -686,6 +691,17 @@ InternalAuthZ:
        - "project.grant.read"
        - "project.grant.member.read"
        - "project.grant.user.grant.read"
+    - Role: "ORG_SETTINGS_MANAGER"
+      Permissions:
+        - "org.read"
+        - "org.write"
+        - "org.member.read"
+        - "org.idp.read"
+        - "org.idp.write"
+        - "org.idp.delete"
+        - "policy.read"
+        - "policy.write"
+        - "policy.delete"
    - Role: "ORG_USER_PERMISSION_EDITOR"
      Permissions:
        - "org.read"
--- a/internal/query/user.go
+++ b/internal/query/user.go
@ -295,6 +295,7 @@ var (
 func (q *Queries) GetUserByID(ctx context.Context, shouldTriggerBulk bool, userID string, queries ...SearchQuery) (*User, error) {
 	if shouldTriggerBulk {
 		projection.UserProjection.TriggerBulk(ctx)
+		projection.LoginNameProjection.TriggerBulk(ctx)
 	}

 	instanceID := authz.GetInstance(ctx).InstanceID()
@ -317,6 +318,7 @@ func (q *Queries) GetUserByID(ctx context.Context, shouldTriggerBulk bool, userI
 func (q *Queries) GetUser(ctx context.Context, shouldTriggerBulk bool, queries ...SearchQuery) (*User, error) {
 	if shouldTriggerBulk {
 		projection.UserProjection.TriggerBulk(ctx)
+		projection.LoginNameProjection.TriggerBulk(ctx)
 	}

 	instanceID := authz.GetInstance(ctx).InstanceID()
@ -389,6 +391,7 @@ func (q *Queries) GetHumanPhone(ctx context.Context, userID string, queries ...S
 func (q *Queries) GeNotifyUser(ctx context.Context, shouldTriggered bool, userID string, queries ...SearchQuery) (*NotifyUser, error) {
 	if shouldTriggered {
 		projection.UserProjection.TriggerBulk(ctx)
+		projection.LoginNameProjection.TriggerBulk(ctx)
 	}

 	instanceID := authz.GetInstance(ctx).InstanceID()
--- a/internal/telemetry/metrics/config/config.go
+++ b/internal/telemetry/metrics/config/config.go
@ -1,65 +1,30 @@
 package config

 import (
-	"encoding/json"
-
 	"github.com/zitadel/zitadel/internal/errors"
-	"github.com/zitadel/zitadel/internal/telemetry/metrics"
 	"github.com/zitadel/zitadel/internal/telemetry/metrics/otel"
 )

-type MetricsConfig struct {
+type Config struct {
 	Type   string
-	Config metrics.Config
+	Config map[string]interface{} `mapstructure:",remain"`
 }

-var meter = map[string]func() metrics.Config{
-	"otel": func() metrics.Config { return &otel.Config{} },
-	"none": func() metrics.Config { return &NoMetrics{} },
-	"":     func() metrics.Config { return &NoMetrics{} },
+var meter = map[string]func(map[string]interface{}) error{
+	"otel": otel.NewTracerFromConfig,
+	"none": NoMetrics,
+	"":     NoMetrics,
 }

-func (c *MetricsConfig) UnmarshalJSON(data []byte) error {
-	var rc struct {
-		Type   string
-		Config json.RawMessage
-	}
-
-	if err := json.Unmarshal(data, &rc); err != nil {
-		return errors.ThrowInternal(err, "METER-4M9so", "error parsing config")
-	}
-
-	c.Type = rc.Type
-
-	var err error
-	c.Config, err = newMetricsConfig(c.Type, rc.Config)
-	if err != nil {
-		return err
-	}
-
-	return c.Config.NewMetrics()
-}
-
-func newMetricsConfig(tracerType string, configData []byte) (metrics.Config, error) {
-	t, ok := meter[tracerType]
+func (c *Config) NewMeter() error {
+	t, ok := meter[c.Type]
 	if !ok {
-		return nil, errors.ThrowInternalf(nil, "METER-3M0ps", "config type %s not supported", tracerType)
+		return errors.ThrowInternalf(nil, "METER-Dfqsx", "config type %s not supported", c.Type)
 	}

-	metricsConfig := t()
-	if len(configData) == 0 {
-		return metricsConfig, nil
+	return t(c.Config)
 }

-	if err := json.Unmarshal(configData, metricsConfig); err != nil {
-		return nil, errors.ThrowInternal(err, "METER-4M9sf", "Could not read config: %v")
-	}
-
-	return metricsConfig, nil
-}
-
-type NoMetrics struct{}
-
-func (_ *NoMetrics) NewMetrics() error {
+func NoMetrics(_ map[string]interface{}) error {
 	return nil
 }
--- a/internal/telemetry/metrics/metrics.go
+++ b/internal/telemetry/metrics/metrics.go
@ -26,10 +26,6 @@ type Metrics interface {
 	RegisterValueObserver(name, description string, callbackFunc metric.Int64ObserverFunc) error
 }

-type Config interface {
-	NewMetrics() error
-}
-
 var M Metrics

 func GetExporter() http.Handler {
--- a/internal/telemetry/metrics/otel/config.go
+++ b/internal/telemetry/metrics/otel/config.go
@ -8,6 +8,12 @@ type Config struct {
 	MeterName string
 }

+func NewTracerFromConfig(rawConfig map[string]interface{}) (err error) {
+	c := new(Config)
+	c.MeterName, _ = rawConfig["metername"].(string)
+	return c.NewMetrics()
+}
+
 func (c *Config) NewMetrics() (err error) {
 	metrics.M, err = NewMetrics(c.MeterName)
 	return err
--- a/internal/telemetry/metrics/otel/open_telemetry.go
+++ b/internal/telemetry/metrics/otel/open_telemetry.go
@ -15,6 +15,7 @@ import (

 	caos_errs "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/telemetry/metrics"
+	otel_resource "github.com/zitadel/zitadel/internal/telemetry/otel"
 )

 type Metrics struct {
@ -26,6 +27,10 @@ type Metrics struct {
 }

 func NewMetrics(meterName string) (metrics.Metrics, error) {
+	resource, err := otel_resource.ResourceWithService()
+	if err != nil {
+		return nil, err
+	}
 	exporter, err := prometheus.New(
 		prometheus.Config{},
 		controller.New(
@ -34,6 +39,7 @@ func NewMetrics(meterName string) (metrics.Metrics, error) {
 				aggregation.CumulativeTemporalitySelector(),
 				processor.WithMemory(true),
 			),
+			controller.WithResource(resource),
 		),
 	)
 	if err != nil {
--- a/internal/telemetry/otel/resource.go
+++ b/internal/telemetry/otel/resource.go
@ -0,0 +1,25 @@
+package otel
+
+import (
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/sdk/resource"
+	semconv "go.opentelemetry.io/otel/semconv/v1.7.0"
+
+	"github.com/zitadel/zitadel/cmd/build"
+)
+
+func ResourceWithService() (*resource.Resource, error) {
+	attributes := []attribute.KeyValue{
+		semconv.ServiceNameKey.String("ZITADEL"),
+	}
+	if build.Version() != "" {
+		attributes = append(attributes, semconv.ServiceVersionKey.String(build.Version()))
+	}
+	return resource.Merge(
+		resource.Default(),
+		resource.NewWithAttributes(
+			semconv.SchemaURL,
+			attributes...,
+		),
+	)
+}
--- a/internal/telemetry/tracing/otel/open_telemetry.go
+++ b/internal/telemetry/tracing/otel/open_telemetry.go
@ -6,11 +6,10 @@ import (

 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/propagation"
-	"go.opentelemetry.io/otel/sdk/resource"
 	sdk_trace "go.opentelemetry.io/otel/sdk/trace"
-	semconv "go.opentelemetry.io/otel/semconv/v1.7.0"
 	api_trace "go.opentelemetry.io/otel/trace"

+	otel_resource "github.com/zitadel/zitadel/internal/telemetry/otel"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

@ -20,13 +19,7 @@ type Tracer struct {
 }

 func NewTracer(sampler sdk_trace.Sampler, exporter sdk_trace.SpanExporter) (*Tracer, error) {
-	resource, err := resource.Merge(
-		resource.Default(),
-		resource.NewWithAttributes(
-			semconv.SchemaURL,
-			semconv.ServiceNameKey.String("ZITADEL"),
-		),
-	)
+	resource, err := otel_resource.ResourceWithService()
 	if err != nil {
 		return nil, err
 	}
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@ -3099,6 +3099,8 @@ message SetUpOrgRequest {
        // oneof field for the user managing the organisation
        Human human = 2;
    }
+    // specify Org Member Roles for the provided user (default is ORG_OWNER if roles are empty)
+    repeated string roles = 3;
 }

 message SetUpOrgResponse {