perf(actionsv2): execution target router (#10564)

# Which Problems Are Solved

The event execution system currently uses a projection handler that
subscribes to and processes all events for all instances. This creates a
high static cost because the system over-fetches event data, handling
many events that are not needed by most instances. This inefficiency is
also reflected in high "rows returned" metrics in the database.

# How the Problems Are Solved

Eliminate the use of a project handler. Instead, events for which
"execution targets" are defined, are directly pushed to the queue by the
eventstore. A Router is populated in the Instance object in the authz
middleware.

- By joining the execution targets to the instance, no additional
queries are needed anymore.
- As part of the instance object, execution targets are now cached as
well.
- Events are queued within the same transaction, giving transactional
guarantees on delivery.
- Uses the "insert many fast` variant of River. Multiple jobs are queued
in a single round-trip to the database.
- Fix compatibility with PostgreSQL 15

# Additional Changes

- The signing key was stored as plain-text in the river job payload in
the DB. This violated our [Secrets
Storage](https://zitadel.com/docs/concepts/architecture/secrets#secrets-storage)
principle. This change removed the field and only uses the encrypted
version of the signing key.
- Fixed the target ordering from descending to ascending.
- Some minor linter warnings on the use of `io.WriteString()`.

# Additional Context

- Introduced in https://github.com/zitadel/zitadel/pull/9249
- Closes https://github.com/zitadel/zitadel/issues/10553
- Closes https://github.com/zitadel/zitadel/issues/9832
- Closes https://github.com/zitadel/zitadel/issues/10372
- Closes https://github.com/zitadel/zitadel/issues/10492

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit a9ebc06c77)

internal/query/execution.go

@@ -8,17 +8,13 @@ import (
 	"encoding/json"
 	"errors"
 	"slices"
-	"time"
 
 	sq "github.com/Masterminds/squirrel"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/crypto"
-	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	exec "github.com/zitadel/zitadel/internal/repository/execution"
-	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
@@ -65,10 +61,6 @@ var (
 var (
 	//go:embed execution_targets.sql
 	executionTargetsQuery string
-	//go:embed targets_by_execution_id.sql
-	TargetsByExecutionIDQuery string
-	//go:embed targets_by_execution_ids.sql
-	TargetsByExecutionIDsQuery string
 )
 
 type Executions struct {
@@ -156,71 +148,6 @@ func targetItemJSONB(t domain.ExecutionTargetType, targetItem string) ([]byte, e
 	return json.Marshal([]*executionTarget{target})
 }
 
-// TargetsByExecutionID query list of targets for best match of a list of IDs,  for example:
-// [ "request/zitadel.action.v3alpha.ActionService/GetTargetByID",
-// "request/zitadel.action.v3alpha.ActionService",
-// "request" ]
-func (q *Queries) TargetsByExecutionID(ctx context.Context, ids []string) (execution []*ExecutionTarget, err error) {
-	ctx, span := tracing.NewSpan(ctx)
-	defer func() { span.End() }()
-
-	instanceID := authz.GetInstance(ctx).InstanceID()
-	if instanceID == "" {
-		return nil, nil
-	}
-
-	err = q.client.QueryContext(ctx,
-		func(rows *sql.Rows) error {
-			execution, err = scanExecutionTargets(rows)
-			return err
-		},
-		TargetsByExecutionIDQuery,
-		instanceID,
-		database.TextArray[string](ids),
-	)
-	for i := range execution {
-		if err := execution[i].decryptSigningKey(q.targetEncryptionAlgorithm); err != nil {
-			return nil, err
-		}
-	}
-	return execution, err
-}
-
-// TargetsByExecutionIDs query list of targets for best matches of 2 separate lists of IDs, combined for performance, for example:
-// [ "request/zitadel.action.v3alpha.ActionService/GetTargetByID",
-// "request/zitadel.action.v3alpha.ActionService",
-// "request" ]
-// and
-// [ "response/zitadel.action.v3alpha.ActionService/GetTargetByID",
-// "response/zitadel.action.v3alpha.ActionService",
-// "response" ]
-func (q *Queries) TargetsByExecutionIDs(ctx context.Context, ids1, ids2 []string) (execution []*ExecutionTarget, err error) {
-	ctx, span := tracing.NewSpan(ctx)
-	defer func() { span.End() }()
-
-	instanceID := authz.GetInstance(ctx).InstanceID()
-	if instanceID == "" {
-		return nil, nil
-	}
-
-	err = q.client.QueryContext(ctx,
-		func(rows *sql.Rows) error {
-			execution, err = scanExecutionTargets(rows)
-			return err
-		},
-		TargetsByExecutionIDsQuery,
-		instanceID,
-		database.TextArray[string](ids1),
-		database.TextArray[string](ids2),
-	)
-	for i := range execution {
-		if err := execution[i].decryptSigningKey(q.targetEncryptionAlgorithm); err != nil {
-			return nil, err
-		}
-	}
-	return execution, err
-}
-
 func prepareExecutionQuery() (sq.SelectBuilder, func(row *sql.Row) (*Execution, error)) {
 	return sq.Select(
 			ExecutionColumnInstanceID.identifier(),
@@ -358,99 +285,3 @@ func scanExecutions(rows *sql.Rows) (*Executions, error) {
 		},
 	}, nil
 }
-
-type ExecutionTarget struct {
-	InstanceID       string
-	ExecutionID      string
-	TargetID         string
-	TargetType       domain.TargetType
-	Endpoint         string
-	Timeout          time.Duration
-	InterruptOnError bool
-	signingKey       *crypto.CryptoValue
-	SigningKey       string
-}
-
-func (e *ExecutionTarget) GetExecutionID() string {
-	return e.ExecutionID
-}
-func (e *ExecutionTarget) GetTargetID() string {
-	return e.TargetID
-}
-func (e *ExecutionTarget) IsInterruptOnError() bool {
-	return e.InterruptOnError
-}
-func (e *ExecutionTarget) GetEndpoint() string {
-	return e.Endpoint
-}
-func (e *ExecutionTarget) GetTargetType() domain.TargetType {
-	return e.TargetType
-}
-func (e *ExecutionTarget) GetTimeout() time.Duration {
-	return e.Timeout
-}
-func (e *ExecutionTarget) GetSigningKey() string {
-	return e.SigningKey
-}
-
-func (t *ExecutionTarget) decryptSigningKey(alg crypto.EncryptionAlgorithm) error {
-	if t.signingKey == nil {
-		return nil
-	}
-	keyValue, err := crypto.DecryptString(t.signingKey, alg)
-	if err != nil {
-		return zerrors.ThrowInternal(err, "QUERY-bxevy3YXwy", "Errors.Internal")
-	}
-	t.SigningKey = keyValue
-	return nil
-}
-
-func scanExecutionTargets(rows *sql.Rows) ([]*ExecutionTarget, error) {
-	targets := make([]*ExecutionTarget, 0)
-	for rows.Next() {
-		target := new(ExecutionTarget)
-
-		var (
-			instanceID       = &sql.NullString{}
-			executionID      = &sql.NullString{}
-			targetID         = &sql.NullString{}
-			targetType       = &sql.NullInt32{}
-			endpoint         = &sql.NullString{}
-			timeout          = &sql.NullInt64{}
-			interruptOnError = &sql.NullBool{}
-			signingKey       = &crypto.CryptoValue{}
-		)
-
-		err := rows.Scan(
-			executionID,
-			instanceID,
-			targetID,
-			targetType,
-			endpoint,
-			timeout,
-			interruptOnError,
-			signingKey,
-		)
-
-		if err != nil {
-			return nil, err
-		}
-
-		target.InstanceID = instanceID.String
-		target.ExecutionID = executionID.String
-		target.TargetID = targetID.String
-		target.TargetType = domain.TargetType(targetType.Int32)
-		target.Endpoint = endpoint.String
-		target.Timeout = time.Duration(timeout.Int64)
-		target.InterruptOnError = interruptOnError.Bool
-		target.signingKey = signingKey
-
-		targets = append(targets, target)
-	}
-
-	if err := rows.Close(); err != nil {
-		return nil, zerrors.ThrowInternal(err, "QUERY-37ardr0pki", "Errors.Query.CloseRows")
-	}
-
-	return targets, nil
-}