fix(zitadelctl): implementation for commands in crd mode (#1685)

* fix(zitadelctl): implement takedown command * fix(zitadelctl): correct destroy flow * fix(zitadelctl): correct backup commands to read crds beforehand * fix: add of destroyfile * fix: clean for userlist * fix: determine mode by --gitops flag for backups * refactor: return error instead of higher order function * fix(destroy): needs no self-reconciling Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(destroy): needs no self-reconciling Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> Co-authored-by: Elio Bischof <eliobischof@gmail.com>
2025-08-11 14:37:34 +00:00 · 2021-07-20 15:47:48 +02:00
parent 413ed80611
commit 25c9d7371d
48 changed files with 1085 additions and 276 deletions
--- a/pkg/databases/backup.go
+++ b/pkg/databases/backup.go
@@ -5,10 +5,11 @@ import (
 	"github.com/caos/orbos/pkg/git"
 	"github.com/caos/orbos/pkg/kubernetes"
 	"github.com/caos/orbos/pkg/tree"
+	"github.com/caos/zitadel/operator/api/database"
 	orbdb "github.com/caos/zitadel/operator/database/kinds/orb"
 )

-func InstantBackup(
+func GitOpsInstantBackup(
 	monitor mntr.Monitor,
 	k8sClient kubernetes.ClientInt,
 	gitClient *git.Client,
@@ -16,9 +17,29 @@ func InstantBackup(
 ) error {
 	desired, err := gitClient.ReadTree(git.DatabaseFile)
 	if err != nil {
-		monitor.Error(err)
 		return err
 	}
+	return instantBackup(monitor, k8sClient, desired, name)
+}
+
+func CrdInstantBackup(
+	monitor mntr.Monitor,
+	k8sClient kubernetes.ClientInt,
+	name string,
+) error {
+	desired, err := database.ReadCrd(k8sClient)
+	if err != nil {
+		return err
+	}
+	return instantBackup(monitor, k8sClient, desired, name)
+}
+
+func instantBackup(
+	monitor mntr.Monitor,
+	k8sClient kubernetes.ClientInt,
+	desired *tree.Tree,
+	name string,
+) error {
 	current := &tree.Tree{}

 	query, _, _, _, _, _, err := orbdb.AdaptFunc(name, nil, false, "instantbackup")(monitor, desired, current)
@@ -40,25 +61,3 @@ func InstantBackup(
 	}
 	return nil
 }
-
-func ListBackups(
-	monitor mntr.Monitor,
-	gitClient *git.Client,
-) (
-	[]string,
-	error,
-) {
-	desired, err := gitClient.ReadTree(git.DatabaseFile)
-	if err != nil {
-		monitor.Error(err)
-		return nil, err
-	}
-
-	backups, err := orbdb.BackupListFunc()(monitor, desired)
-	if err != nil {
-		monitor.Error(err)
-		return nil, err
-	}
-
-	return backups, nil
-}
--- a/pkg/databases/backuplist.go
+++ b/pkg/databases/backuplist.go
@@ -0,0 +1,57 @@
+package databases
+
+import (
+	"github.com/caos/orbos/mntr"
+	"github.com/caos/orbos/pkg/git"
+	"github.com/caos/orbos/pkg/kubernetes"
+	"github.com/caos/orbos/pkg/tree"
+	"github.com/caos/zitadel/operator/api/database"
+	orbdb "github.com/caos/zitadel/operator/database/kinds/orb"
+)
+
+func GitOpsListBackups(
+	monitor mntr.Monitor,
+	gitClient *git.Client,
+	k8sClient kubernetes.ClientInt,
+) (
+	[]string,
+	error,
+) {
+	desired, err := gitClient.ReadTree(git.DatabaseFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return listBackups(monitor, k8sClient, desired)
+}
+
+func CrdListBackups(
+	monitor mntr.Monitor,
+	k8sClient kubernetes.ClientInt,
+) (
+	[]string,
+	error,
+) {
+	desired, err := database.ReadCrd(k8sClient)
+	if err != nil {
+		return nil, err
+	}
+
+	return listBackups(monitor, k8sClient, desired)
+}
+
+func listBackups(
+	monitor mntr.Monitor,
+	k8sClient kubernetes.ClientInt,
+	desired *tree.Tree,
+) (
+	[]string,
+	error,
+) {
+	backups, err := orbdb.BackupListFunc()(monitor, k8sClient, desired)
+	if err != nil {
+		return nil, err
+	}
+
+	return backups, nil
+}
--- a/pkg/databases/clear.go
+++ b/pkg/databases/clear.go
@@ -5,21 +5,47 @@ import (
 	"github.com/caos/orbos/pkg/git"
 	"github.com/caos/orbos/pkg/kubernetes"
 	"github.com/caos/orbos/pkg/tree"
+	"github.com/caos/zitadel/operator/api/database"
 	"github.com/caos/zitadel/operator/database/kinds/databases/core"
 	orbdb "github.com/caos/zitadel/operator/database/kinds/orb"
 )

-func Clear(
+func GitOpsClear(
 	monitor mntr.Monitor,
 	k8sClient kubernetes.ClientInt,
 	gitClient *git.Client,
 	databases []string,
+	users []string,
 ) error {
 	desired, err := gitClient.ReadTree(git.DatabaseFile)
 	if err != nil {
-		monitor.Error(err)
 		return err
 	}
+
+	return clear(monitor, k8sClient, databases, users, desired)
+}
+
+func CrdClear(
+	monitor mntr.Monitor,
+	k8sClient kubernetes.ClientInt,
+	databases []string,
+	users []string,
+) error {
+	desired, err := database.ReadCrd(k8sClient)
+	if err != nil {
+		return err
+	}
+
+	return clear(monitor, k8sClient, databases, users, desired)
+}
+
+func clear(
+	monitor mntr.Monitor,
+	k8sClient kubernetes.ClientInt,
+	databases []string,
+	users []string,
+	desired *tree.Tree,
+) error {
 	current := &tree.Tree{}

 	query, _, _, _, _, _, err := orbdb.AdaptFunc("", nil, false, "clean")(monitor, desired, current)
@@ -28,7 +54,7 @@ func Clear(
 		return err
 	}
 	queried := map[string]interface{}{}
-	core.SetQueriedForDatabaseDBList(queried, databases)
+	core.SetQueriedForDatabaseDBList(queried, databases, users)

 	ensure, err := query(k8sClient, queried)
 	if err != nil {
@@ -37,8 +63,8 @@ func Clear(
 	}

 	if err := ensure(k8sClient); err != nil {
-		monitor.Error(err)
 		return err
 	}
+
 	return nil
 }
--- a/pkg/databases/connection.go
+++ b/pkg/databases/connection.go
@@ -19,7 +19,7 @@ func CrdGetConnectionInfo(
 		return "", "", err
 	}

-	return getConnectionInfo(monitor, k8sClient, desired)
+	return getConnectionInfo(monitor, k8sClient, desired, false)
 }

 func GitOpsGetConnectionInfo(
@@ -33,17 +33,18 @@ func GitOpsGetConnectionInfo(
 		return "", "", err
 	}

-	return getConnectionInfo(monitor, k8sClient, desired)
+	return getConnectionInfo(monitor, k8sClient, desired, true)
 }

 func getConnectionInfo(
 	monitor mntr.Monitor,
 	k8sClient kubernetes.ClientInt,
 	desired *tree.Tree,
+	gitOps bool,
 ) (string, string, error) {
 	current := &tree.Tree{}

-	query, _, _, _, _, _, err := orbdb.AdaptFunc("", nil, false, "database")(monitor, desired, current)
+	query, _, _, _, _, _, err := orbdb.AdaptFunc("", nil, gitOps, "database")(monitor, desired, current)
 	if err != nil {
 		return "", "", err
 	}
--- a/pkg/databases/restore.go
+++ b/pkg/databases/restore.go
@@ -5,11 +5,12 @@ import (
 	"github.com/caos/orbos/pkg/git"
 	"github.com/caos/orbos/pkg/kubernetes"
 	"github.com/caos/orbos/pkg/tree"
+	"github.com/caos/zitadel/operator/api/database"
 	"github.com/caos/zitadel/operator/database/kinds/databases/core"
 	orbdb "github.com/caos/zitadel/operator/database/kinds/orb"
 )

-func Restore(
+func GitOpsRestore(
 	monitor mntr.Monitor,
 	k8sClient kubernetes.ClientInt,
 	gitClient *git.Client,
@@ -18,9 +19,31 @@ func Restore(
 ) error {
 	desired, err := gitClient.ReadTree(git.DatabaseFile)
 	if err != nil {
-		monitor.Error(err)
 		return err
 	}
+	return restore(monitor, k8sClient, desired, name, databases)
+}
+
+func CrdRestore(
+	monitor mntr.Monitor,
+	k8sClient kubernetes.ClientInt,
+	name string,
+	databases []string,
+) error {
+	desired, err := database.ReadCrd(k8sClient)
+	if err != nil {
+		return err
+	}
+	return restore(monitor, k8sClient, desired, name, databases)
+}
+
+func restore(
+	monitor mntr.Monitor,
+	k8sClient kubernetes.ClientInt,
+	desired *tree.Tree,
+	name string,
+	databases []string,
+) error {
 	current := &tree.Tree{}

 	query, _, _, _, _, _, err := orbdb.AdaptFunc(name, nil, false, "restore")(monitor, desired, current)
@@ -29,7 +52,7 @@ func Restore(
 		return err
 	}
 	queried := map[string]interface{}{}
-	core.SetQueriedForDatabaseDBList(queried, databases)
+	core.SetQueriedForDatabaseDBList(queried, databases, []string{})

 	ensure, err := query(k8sClient, queried)
 	if err != nil {
--- a/pkg/kubernetes/artifacts.go
+++ b/pkg/kubernetes/artifacts.go
@@ -16,6 +16,14 @@ import (
 	mach "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

+const (
+	namespace = "caos-system"
+)
+
+func getZitadelOperatorNameLabels(apiLabels *labels.API) *labels.Name {
+	return toNameLabels(apiLabels, "zitadel-operator")
+}
+
 func EnsureZitadelOperatorArtifacts(
 	monitor mntr.Monitor,
 	apiLabels *labels.API,
@@ -31,7 +39,7 @@ func EnsureZitadelOperatorArtifacts(
 		"zitadel": version,
 	}).Debug("Ensuring zitadel artifacts")

-	nameLabels := labels.MustForName(labels.MustForComponent(apiLabels, "operator"), "zitadel-operator")
+	nameLabels := getZitadelOperatorNameLabels(apiLabels)
 	k8sNameLabels := labels.MustK8sMap(nameLabels)
 	k8sPodSelector := labels.MustK8sMap(labels.DeriveNameSelector(nameLabels, false))

@@ -42,7 +50,7 @@ func EnsureZitadelOperatorArtifacts(
 	if err := client.ApplyServiceAccount(&core.ServiceAccount{
 		ObjectMeta: mach.ObjectMeta{
 			Name:      nameLabels.Name(),
-			Namespace: "caos-system",
+			Namespace: namespace,
 		},
 	}); err != nil {
 		return err
@@ -76,7 +84,7 @@ func EnsureZitadelOperatorArtifacts(
 		Subjects: []rbac.Subject{{
 			Kind:      "ServiceAccount",
 			Name:      nameLabels.Name(),
-			Namespace: "caos-system",
+			Namespace: namespace,
 		}},
 	}); err != nil {
 		return err
@@ -251,7 +259,7 @@ status:
 	deployment := &apps.Deployment{
 		ObjectMeta: mach.ObjectMeta{
 			Name:      nameLabels.Name(),
-			Namespace: "caos-system",
+			Namespace: namespace,
 			Labels:    k8sNameLabels,
 		},
 		Spec: apps.DeploymentSpec{
@@ -305,6 +313,40 @@ status:

 	return nil
 }
+func DestroyZitadelOperator(
+	monitor mntr.Monitor,
+	apiLabels *labels.API,
+	client kubernetes.ClientInt,
+	gitops bool,
+) error {
+	nameLabels := getZitadelOperatorNameLabels(apiLabels)
+
+	monitor.WithFields(map[string]interface{}{}).Debug("Destroying zitadel artifacts")
+
+	if err := client.DeleteServiceAccount(namespace, nameLabels.Name()); err != nil {
+		return err
+	}
+
+	if err := client.DeleteClusterRole(nameLabels.Name()); err != nil {
+		return err
+	}
+
+	if err := client.DeleteClusterRoleBinding(nameLabels.Name()); err != nil {
+		return err
+	}
+
+	if !gitops {
+		if err := client.DeleteCRDResource("apiextensions.k8s.io", "v1beta1", "CustomResourceDefinition", "zitadels.caos.ch"); err != nil {
+			return err
+		}
+	}
+
+	if err := client.DeleteDeployment(namespace, nameLabels.Name()); err != nil {
+		return err
+	}
+
+	return nil
+}

 func ScaleZitadelOperator(
 	monitor mntr.Monitor,
@@ -312,7 +354,16 @@ func ScaleZitadelOperator(
 	replicaCount int,
 ) error {
 	monitor.Debug("Scaling zitadel-operator")
-	return client.ScaleDeployment("caos-system", "zitadel-operator", replicaCount)
+	return client.ScaleDeployment(namespace, "zitadel-operator", replicaCount)
+}
+
+func ScaleDatabaseOperator(
+	monitor mntr.Monitor,
+	client *kubernetes.Client,
+	replicaCount int,
+) error {
+	monitor.Debug("Scaling database-operator")
+	return client.ScaleDeployment(namespace, "database-operator", replicaCount)
 }

 func int32Ptr(i int32) *int32 { return &i }
@@ -322,6 +373,10 @@ func toNameLabels(apiLabels *labels.API, operatorName string) *labels.Name {
 	return labels.MustForName(labels.MustForComponent(apiLabels, "operator"), operatorName)
 }

+func getDatabaseOperatorNameLabels(apiLabels *labels.API) *labels.Name {
+	return toNameLabels(apiLabels, "database-operator")
+}
+
 func EnsureDatabaseArtifacts(
 	monitor mntr.Monitor,
 	apiLabels *labels.API,
@@ -345,8 +400,8 @@ func EnsureDatabaseArtifacts(

 	if err := client.ApplyServiceAccount(&core.ServiceAccount{
 		ObjectMeta: mach.ObjectMeta{
-			Name:      "database-operator",
-			Namespace: "caos-system",
+			Name:      nameLabels.Name(),
+			Namespace: namespace,
 			Labels:    k8sNameLabels,
 		},
 	}); err != nil {
@@ -355,7 +410,7 @@ func EnsureDatabaseArtifacts(

 	if err := client.ApplyClusterRole(&rbac.ClusterRole{
 		ObjectMeta: mach.ObjectMeta{
-			Name:   "database-operator-clusterrole",
+			Name:   nameLabels.Name(),
 			Labels: k8sNameLabels,
 		},
 		Rules: []rbac.PolicyRule{{
@@ -369,19 +424,19 @@ func EnsureDatabaseArtifacts(

 	if err := client.ApplyClusterRoleBinding(&rbac.ClusterRoleBinding{
 		ObjectMeta: mach.ObjectMeta{
-			Name:   "database-operator-clusterrolebinding",
+			Name:   nameLabels.Name(),
 			Labels: k8sNameLabels,
 		},

 		RoleRef: rbac.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
-			Name:     "database-operator-clusterrole",
+			Name:     nameLabels.Name(),
 		},
 		Subjects: []rbac.Subject{{
 			Kind:      "ServiceAccount",
-			Name:      "database-operator",
-			Namespace: "caos-system",
+			Name:      nameLabels.Name(),
+			Namespace: namespace,
 		}},
 	}); err != nil {
 		return err
@@ -548,8 +603,8 @@ status:

 	deployment := &apps.Deployment{
 		ObjectMeta: mach.ObjectMeta{
-			Name:      "database-operator",
-			Namespace: "caos-system",
+			Name:      nameLabels.Name(),
+			Namespace: namespace,
 			Labels:    k8sNameLabels,
 		},
 		Spec: apps.DeploymentSpec{
@@ -562,7 +617,7 @@ status:
 					Labels: labels.MustK8sMap(labels.AsSelectable(nameLabels)),
 				},
 				Spec: core.PodSpec{
-					ServiceAccountName: "database-operator",
+					ServiceAccountName: nameLabels.Name(),
 					Containers: []core.Container{{
 						Name:            "database",
 						ImagePullPolicy: core.PullIfNotPresent,
@@ -604,3 +659,38 @@ status:

 	return nil
 }
+
+func DestroyDatabaseOperator(
+	monitor mntr.Monitor,
+	apiLabels *labels.API,
+	client kubernetes.ClientInt,
+	gitops bool,
+) error {
+	nameLabels := getDatabaseOperatorNameLabels(apiLabels)
+
+	monitor.WithFields(map[string]interface{}{}).Debug("Destroying database artifacts")
+
+	if err := client.DeleteServiceAccount(namespace, nameLabels.Name()); err != nil {
+		return err
+	}
+
+	if err := client.DeleteClusterRole(nameLabels.Name()); err != nil {
+		return err
+	}
+
+	if err := client.DeleteClusterRoleBinding(nameLabels.Name()); err != nil {
+		return err
+	}
+
+	if !gitops {
+		if err := client.DeleteCRDResource("apiextensions.k8s.io", "v1beta1", "CustomResourceDefinition", "databases.caos.ch"); err != nil {
+			return err
+		}
+	}
+
+	if err := client.DeleteDeployment(namespace, nameLabels.Name()); err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/pkg/zitadel/clearmigraterestore.go
+++ b/pkg/zitadel/clearmigraterestore.go
@@ -0,0 +1,103 @@
+package zitadel
+
+import (
+	"github.com/caos/orbos/mntr"
+	"github.com/caos/orbos/pkg/git"
+	"github.com/caos/orbos/pkg/kubernetes"
+	orbconfig "github.com/caos/orbos/pkg/orb"
+	"github.com/caos/zitadel/pkg/databases"
+	kubernetes2 "github.com/caos/zitadel/pkg/kubernetes"
+	"time"
+)
+
+var (
+	databasesList = []string{
+		"notification",
+		"adminapi",
+		"auth",
+		"authz",
+		"eventstore",
+		"management",
+	}
+	userList = []string{
+		"notification",
+		"adminapi",
+		"auth",
+		"authz",
+		"eventstore",
+		"management",
+		"queries",
+	}
+)
+
+func GitOpsClearMigrateRestore(
+	monitor mntr.Monitor,
+	gitClient *git.Client,
+	orbCfg *orbconfig.Orb,
+	k8sClient *kubernetes.Client,
+	backup string,
+	version *string,
+) error {
+
+	if err := kubernetes2.ScaleZitadelOperator(monitor, k8sClient, 0); err != nil {
+		return err
+	}
+	time.Sleep(5 * time.Second)
+
+	if err := GitOpsScaleDown(monitor, orbCfg, gitClient, k8sClient, version); err != nil {
+		return err
+	}
+
+	if err := databases.GitOpsClear(monitor, k8sClient, gitClient, databasesList, userList); err != nil {
+		return err
+	}
+
+	if err := GitOpsMigrations(monitor, orbCfg, gitClient, k8sClient, version); err != nil {
+		return err
+	}
+
+	if err := databases.GitOpsRestore(monitor, k8sClient, gitClient, backup, databasesList); err != nil {
+		return err
+	}
+
+	if err := kubernetes2.ScaleZitadelOperator(monitor, k8sClient, 1); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func CrdClearMigrateRestore(
+	monitor mntr.Monitor,
+	k8sClient *kubernetes.Client,
+	backup string,
+	version *string,
+) error {
+
+	if err := kubernetes2.ScaleZitadelOperator(monitor, k8sClient, 0); err != nil {
+		return err
+	}
+	time.Sleep(5 * time.Second)
+
+	if err := CrdScaleDown(monitor, k8sClient, version); err != nil {
+		return err
+	}
+
+	if err := databases.CrdClear(monitor, k8sClient, databasesList, userList); err != nil {
+		return err
+	}
+
+	if err := CrdMigrations(monitor, k8sClient, version); err != nil {
+		return err
+	}
+
+	if err := databases.CrdRestore(monitor, k8sClient, backup, databasesList); err != nil {
+		return err
+	}
+
+	if err := kubernetes2.ScaleZitadelOperator(monitor, k8sClient, 1); err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/pkg/zitadel/migration.go
+++ b/pkg/zitadel/migration.go
@@ -0,0 +1,67 @@
+package zitadel
+
+import (
+	"github.com/caos/orbos/mntr"
+	"github.com/caos/orbos/pkg/git"
+	"github.com/caos/orbos/pkg/kubernetes"
+	orbconfig "github.com/caos/orbos/pkg/orb"
+	"github.com/caos/orbos/pkg/tree"
+	"github.com/caos/zitadel/operator/api/zitadel"
+	"github.com/caos/zitadel/operator/zitadel/kinds/orb"
+)
+
+//Take care! to use this function you have to include migration files into the binary
+func CrdMigrations(
+	monitor mntr.Monitor,
+	k8sClient *kubernetes.Client,
+	version *string,
+) error {
+	desired, err := zitadel.ReadCrd(k8sClient)
+	if err != nil {
+		return err
+	}
+
+	return migrations(monitor, nil, k8sClient, false, version, desired)
+}
+
+//Take care! to use this function you have to include migration files into the binary
+func GitOpsMigrations(
+	monitor mntr.Monitor,
+	orbCfg *orbconfig.Orb,
+	gitClient *git.Client,
+	k8sClient *kubernetes.Client,
+	version *string,
+) error {
+	desired, err := gitClient.ReadTree(git.ZitadelFile)
+	if err != nil {
+		return err
+	}
+
+	return migrations(monitor, orbCfg, k8sClient, true, version, desired)
+}
+
+//Take care! to use this function you have to include migration files into the binary
+func migrations(
+	monitor mntr.Monitor,
+	orbCfg *orbconfig.Orb,
+	k8sClient *kubernetes.Client,
+	gitops bool,
+	version *string,
+	desired *tree.Tree,
+) error {
+	current := &tree.Tree{}
+	query, _, _, _, _, _, err := orb.AdaptFunc(orbCfg, "migration", version, gitops, []string{"migration"})(monitor, desired, current)
+	if err != nil {
+		return err
+	}
+
+	ensure, err := query(k8sClient, map[string]interface{}{})
+	if err != nil {
+		return err
+	}
+
+	if err := ensure(k8sClient); err != nil {
+		return err
+	}
+	return nil
+}
--- a/pkg/zitadel/zitadel.go
+++ b/pkg/zitadel/zitadel.go
@@ -0,0 +1,65 @@
+package zitadel
+
+import (
+	"github.com/caos/orbos/mntr"
+	"github.com/caos/orbos/pkg/git"
+	"github.com/caos/orbos/pkg/kubernetes"
+	orbconfig "github.com/caos/orbos/pkg/orb"
+	"github.com/caos/orbos/pkg/tree"
+	"github.com/caos/zitadel/operator/api/zitadel"
+	"github.com/caos/zitadel/operator/zitadel/kinds/orb"
+)
+
+func CrdScaleDown(
+	monitor mntr.Monitor,
+	k8sClient *kubernetes.Client,
+	version *string,
+) error {
+	desired, err := zitadel.ReadCrd(k8sClient)
+	if err != nil {
+		return err
+	}
+
+	return scaleDown(monitor, nil, k8sClient, false, version, desired)
+}
+
+func GitOpsScaleDown(
+	monitor mntr.Monitor,
+	orbCfg *orbconfig.Orb,
+	gitClient *git.Client,
+	k8sClient *kubernetes.Client,
+	version *string,
+) error {
+	desired, err := gitClient.ReadTree(git.ZitadelFile)
+	if err != nil {
+		return err
+	}
+
+	return scaleDown(monitor, orbCfg, k8sClient, true, version, desired)
+}
+
+//Take care! to use this function you have to include migration files into the binary
+func scaleDown(
+	monitor mntr.Monitor,
+	orbCfg *orbconfig.Orb,
+	k8sClient *kubernetes.Client,
+	gitops bool,
+	version *string,
+	desired *tree.Tree,
+) error {
+	current := &tree.Tree{}
+	query, _, _, _, _, _, err := orb.AdaptFunc(orbCfg, "scaledown", version, gitops, []string{"scaledown"})(monitor, desired, current)
+	if err != nil {
+		return err
+	}
+
+	ensure, err := query(k8sClient, map[string]interface{}{})
+	if err != nil {
+		return err
+	}
+
+	if err := ensure(k8sClient); err != nil {
+		return err
+	}
+	return nil
+}