perf(actionsv2): execution target router (#10564)

# Which Problems Are Solved The event execution system currently uses a projection handler that subscribes to and processes all events for all instances. This creates a high static cost because the system over-fetches event data, handling many events that are not needed by most instances. This inefficiency is also reflected in high "rows returned" metrics in the database. # How the Problems Are Solved Eliminate the use of a project handler. Instead, events for which "execution targets" are defined, are directly pushed to the queue by the eventstore. A Router is populated in the Instance object in the authz middleware. - By joining the execution targets to the instance, no additional queries are needed anymore. - As part of the instance object, execution targets are now cached as well. - Events are queued within the same transaction, giving transactional guarantees on delivery. - Uses the "insert many fast` variant of River. Multiple jobs are queued in a single round-trip to the database. - Fix compatibility with PostgreSQL 15 # Additional Changes - The signing key was stored as plain-text in the river job payload in the DB. This violated our [Secrets Storage](https://zitadel.com/docs/concepts/architecture/secrets#secrets-storage) principle. This change removed the field and only uses the encrypted version of the signing key. - Fixed the target ordering from descending to ascending. - Some minor linter warnings on the use of `io.WriteString()`. # Additional Context - Introduced in https://github.com/zitadel/zitadel/pull/9249 - Closes https://github.com/zitadel/zitadel/issues/10553 - Closes https://github.com/zitadel/zitadel/issues/9832 - Closes https://github.com/zitadel/zitadel/issues/10372 - Closes https://github.com/zitadel/zitadel/issues/10492 --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> (cherry picked from commit a9ebc06c77)
2025-12-06 19:36:41 +00:00 · 2025-09-01 08:21:10 +03:00
parent d0d8e904c4
commit 2727fa719d
76 changed files with 1316 additions and 1815 deletions
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -22,6 +22,7 @@ import (
 	http_util "github.com/zitadel/zitadel/internal/api/http"
 	http_mw "github.com/zitadel/zitadel/internal/api/http/middleware"
 	"github.com/zitadel/zitadel/internal/api/ui/login"
+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/telemetry/metrics"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -48,6 +49,8 @@ type API struct {
 	authConfig        authz.Config
 	systemAuthZ       authz.Config
 	connectServices   map[string][]string
+
+	targetEncryptionAlgorithm crypto.EncryptionAlgorithm
 }

 func (a *API) ListGrpcServices() []string {
@@ -99,22 +102,24 @@ func New(
 	externalDomain string,
 	hostHeaders []string,
 	accessInterceptor *http_mw.AccessInterceptor,
+	targetEncryptionAlgorithm crypto.EncryptionAlgorithm,
 ) (_ *API, err error) {
 	api := &API{
-		port:              port,
-		externalDomain:    externalDomain,
-		verifier:          verifier,
-		health:            queries,
-		router:            router,
-		queries:           queries,
-		accessInterceptor: accessInterceptor,
-		hostHeaders:       hostHeaders,
-		authConfig:        authZ,
-		systemAuthZ:       systemAuthz,
-		connectServices:   make(map[string][]string),
+		port:                      port,
+		externalDomain:            externalDomain,
+		verifier:                  verifier,
+		health:                    queries,
+		router:                    router,
+		queries:                   queries,
+		accessInterceptor:         accessInterceptor,
+		hostHeaders:               hostHeaders,
+		authConfig:                authZ,
+		systemAuthZ:               systemAuthz,
+		connectServices:           make(map[string][]string),
+		targetEncryptionAlgorithm: targetEncryptionAlgorithm,
 	}

-	api.grpcServer = server.CreateServer(api.verifier, systemAuthz, authZ, queries, externalDomain, tlsConfig, accessInterceptor.AccessService())
+	api.grpcServer = server.CreateServer(api.verifier, systemAuthz, authZ, queries, externalDomain, tlsConfig, accessInterceptor.AccessService(), targetEncryptionAlgorithm)
 	api.grpcGateway, err = server.CreateGateway(ctx, port, hostHeaders, accessInterceptor, tlsConfig)
 	if err != nil {
 		return nil, err
@@ -190,7 +195,7 @@ func (a *API) registerConnectServer(service server.ConnectServer) {
 		connect_middleware.AuthorizationInterceptor(a.verifier, a.systemAuthZ, a.authConfig),
 		connect_middleware.TranslationHandler(),
 		connect_middleware.QuotaExhaustedInterceptor(a.accessInterceptor.AccessService(), system_pb.SystemService_ServiceDesc.ServiceName),
-		connect_middleware.ExecutionHandler(a.queries),
+		connect_middleware.ExecutionHandler(a.targetEncryptionAlgorithm),
 		connect_middleware.ValidationHandler(),
 		connect_middleware.ServiceHandler(),
 		connect_middleware.ActivityInterceptor(),