feat(database): support for postgres (#3998)

* beginning with postgres statements

* try pgx

* use pgx

* database

* init works for postgres

* arrays working

* init for cockroach

* init

* start tests

* tests

* TESTS

* ch

* ch

* chore: use go 1.18

* read stmts

* fix typo

* tests

* connection string

* add missing error handler

* cleanup

* start all apis

* go mod tidy

* old update

* switch back to minute

* on conflict

* replace string slice with `database.StringArray` in db models

* fix tests and start

* update go version in dockerfile

* setup go

* clean up

* remove notification migration

* update

* docs: add deploy guide for postgres

* fix: revert sonyflake

* use `database.StringArray` for daos

* use `database.StringArray` every where

* new tables

* index naming,
metadata primary key,
project grant role key type

* docs(postgres): change to beta

* chore: correct compose

* fix(defaults): add empty postgres config

* refactor: remove unused code

* docs: add postgres to self hosted

* fix broken link

* so?

* change title

* add mdx to link

* fix stmt

* update goreleaser in test-code

* docs: improve postgres example

* update more projections

* fix: add beta log for postgres

* revert index name change

* prerelease

* fix: add sequence to v1 "reduce paniced"

* log if nil

* add logging

* fix: log output

* fix(import): check if org exists and user

* refactor: imports

* fix(user): ignore malformed events

* refactor: method naming

* fix: test

* refactor: correct errors.Is call

* ci: don't build dev binaries on main

* fix(go releaser): update version to 1.11.0

* fix(user): projection should not break

* fix(user): handle error properly

* docs: correct config example

* Update .releaserc.js

* Update .releaserc.js

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>

cmd/defaults.yaml

@@ -45,6 +45,7 @@ HTTP1HostHeader: "host"
 WebAuthNName: ZITADEL
 
 Database:
+  # CockroachDB is the default datbase of ZITADEL
   cockroach:
     Host: localhost
     Port: 26257
@@ -69,6 +70,32 @@ Database:
         RootCert: ""
         Cert: ""
         Key: ""
+  # Postgres is used as soon as a value is set
+  # The values describe the possible fields to set values
+  postgres:
+    Host: 
+    Port:
+    Database:
+    MaxOpenConns:
+    MaxConnLifetime:
+    MaxConnIdleTime:
+    Options:
+    User:
+      Username:
+      Password:
+      SSL:
+        Mode:
+        RootCert:
+        Cert:
+        Key:
+    Admin:
+      Username:
+      Password:
+      SSL:
+        Mode:
+        RootCert:
+        Cert:
+        Key:
 
 Machine:
   # Cloud hosted VMs need to specify their metadata endpoint so that the machine can be uniquely identified.

cmd/initialise/helper.go

@@ -2,27 +2,20 @@ package initialise
 
 import (
 	"database/sql"
+	"errors"
+
+	"github.com/jackc/pgconn"
 )
 
-func exists(query string, args ...interface{}) func(*sql.DB) (exists bool, err error) {
-	return func(db *sql.DB) (exists bool, err error) {
-		row := db.QueryRow("SELECT EXISTS("+query+")", args...)
-		err = row.Scan(&exists)
-		return exists, err
+func exec(db *sql.DB, stmt string, possibleErrCodes []string, args ...interface{}) error {
+	_, err := db.Exec(stmt, args...)
+	pgErr := new(pgconn.PgError)
+	if errors.As(err, &pgErr) {
+		for _, possibleCode := range possibleErrCodes {
+			if possibleCode == pgErr.Code {
+				return nil
+			}
+		}
 	}
-}
-
-func exec(stmt string, args ...interface{}) func(*sql.DB) error {
-	return func(db *sql.DB) error {
-		_, err := db.Exec(stmt, args...)
-		return err
-	}
-}
-
-func verify(db *sql.DB, checkExists func(*sql.DB) (bool, error), create func(*sql.DB) error) error {
-	exists, err := checkExists(db)
-	if exists || err != nil {
-		return err
-	}
-	return create(db)
+	return err
 }

cmd/initialise/init.go

@@ -2,7 +2,7 @@ package initialise
 
 import (
 	"database/sql"
-	_ "embed"
+	"embed"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -12,6 +12,26 @@ import (
 	"github.com/zitadel/zitadel/internal/id"
 )
 
+var (
+	//go:embed sql/cockroach/*
+	//go:embed sql/postgres/*
+	stmts embed.FS
+
+	createUserStmt           string
+	grantStmt                string
+	databaseStmt             string
+	createEventstoreStmt     string
+	createProjectionsStmt    string
+	createSystemStmt         string
+	createEncryptionKeysStmt string
+	createEventsStmt         string
+	createSystemSequenceStmt string
+	createUniqueConstraints  string
+
+	roleAlreadyExistsCode = "42710"
+	dbAlreadyExistsCode   = "42P04"
+)
+
 func New() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "init",
@@ -39,6 +59,7 @@ The user provided by flags needs privileges to
 
 func InitAll(config *Config) {
 	id.Configure(config.Machine)
+
 	err := initialise(config.Database,
 		VerifyUser(config.Database.Username(), config.Database.Password()),
 		VerifyDatabase(config.Database.Database()),
@@ -53,22 +74,85 @@ func InitAll(config *Config) {
 func initialise(config database.Config, steps ...func(*sql.DB) error) error {
 	logging.Info("initialization started")
 
+	err := ReadStmts(config.Type())
+	if err != nil {
+		return err
+	}
+
 	db, err := database.Connect(config, true)
 	if err != nil {
 		return err
 	}
-	err = Initialise(db, steps...)
-	if err != nil {
-		return err
-	}
-	return db.Close()
+	defer db.Close()
+
+	return Init(db, steps...)
 }
 
-func Initialise(db *sql.DB, steps ...func(*sql.DB) error) error {
+func Init(db *sql.DB, steps ...func(*sql.DB) error) error {
 	for _, step := range steps {
 		if err := step(db); err != nil {
 			return err
 		}
 	}
+
 	return nil
 }
+
+func ReadStmts(typ string) (err error) {
+	createUserStmt, err = readStmt(typ, "01_user")
+	if err != nil {
+		return err
+	}
+
+	databaseStmt, err = readStmt(typ, "02_database")
+	if err != nil {
+		return err
+	}
+
+	grantStmt, err = readStmt(typ, "03_grant_user")
+	if err != nil {
+		return err
+	}
+
+	createEventstoreStmt, err = readStmt(typ, "04_eventstore")
+	if err != nil {
+		return err
+	}
+
+	createProjectionsStmt, err = readStmt(typ, "05_projections")
+	if err != nil {
+		return err
+	}
+
+	createSystemStmt, err = readStmt(typ, "06_system")
+	if err != nil {
+		return err
+	}
+
+	createEncryptionKeysStmt, err = readStmt(typ, "07_encryption_keys_table")
+	if err != nil {
+		return err
+	}
+
+	createEventsStmt, err = readStmt(typ, "08_events_table")
+	if err != nil {
+		return err
+	}
+
+	createSystemSequenceStmt, err = readStmt(typ, "09_system_sequence")
+	if err != nil {
+		return err
+	}
+
+	createUniqueConstraints, err = readStmt(typ, "10_unique_constraints_table")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func readStmt(typ, step string) (string, error) {
+	stmt, err := stmts.ReadFile("sql/" + typ + "/" + step + ".sql")
+	return string(stmt), err
+}

cmd/initialise/init_test.go

@@ -31,18 +31,6 @@ func prepareDB(t *testing.T, expectations ...expectation) db {
 
 type expectation func(m sqlmock.Sqlmock)
 
-func expectExists(query string, value bool, args ...driver.Value) expectation {
-	return func(m sqlmock.Sqlmock) {
-		m.ExpectQuery(regexp.QuoteMeta(query)).WithArgs(args...).WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(value))
-	}
-}
-
-func expectQueryErr(query string, err error, args ...driver.Value) expectation {
-	return func(m sqlmock.Sqlmock) {
-		m.ExpectQuery(regexp.QuoteMeta(query)).WithArgs(args...).WillReturnError(err)
-	}
-}
-
 func expectExec(stmt string, err error, args ...driver.Value) expectation {
 	return func(m sqlmock.Sqlmock) {
 		query := m.ExpectExec(regexp.QuoteMeta(stmt)).WithArgs(args...)

cmd/initialise/sql/04_eventstore.sql

@@ -1 +0,0 @@
-CREATE SCHEMA eventstore

cmd/initialise/sql/05_projections.sql

@@ -1 +0,0 @@
-CREATE SCHEMA projections

cmd/initialise/sql/06_system.sql

@@ -1 +0,0 @@
-CREATE SCHEMA system;

cmd/initialise/sql/08_enable_hash_sharded_indexes.sql

@@ -1 +0,0 @@
-SET experimental_enable_hash_sharded_indexes = on

cmd/initialise/sql/10_system_sequence.sql

@@ -1 +0,0 @@
-CREATE SEQUENCE eventstore.system_seq

cmd/initialise/sql/cockroach/01_user.sql

@@ -1,2 +1,2 @@
 -- replace %[1]s with the name of the user
-CREATE USER %[1]s WITH PASSWORD $1
+CREATE USER IF NOT EXISTS %[1]s

cmd/initialise/sql/cockroach/02_database.sql

@@ -1,2 +1,2 @@
 -- replace %[1]s with the name of the database
-CREATE DATABASE %[1]s
+CREATE DATABASE IF NOT EXISTS %[1]s

cmd/initialise/sql/cockroach/04_eventstore.sql

@@ -0,0 +1,3 @@
+CREATE SCHEMA IF NOT EXISTS eventstore;
+
+GRANT ALL ON ALL TABLES IN SCHEMA eventstore TO %[1]s;

cmd/initialise/sql/cockroach/05_projections.sql

@@ -0,0 +1,3 @@
+CREATE SCHEMA IF NOT EXISTS projections;
+
+GRANT ALL ON ALL TABLES IN SCHEMA projections TO %[1]s;

cmd/initialise/sql/cockroach/06_system.sql

@@ -0,0 +1,3 @@
+CREATE SCHEMA IF NOT EXISTS system;
+
+GRANT ALL ON ALL TABLES IN SCHEMA system TO %[1]s;

cmd/initialise/sql/cockroach/07_encryption_keys_table.sql

@@ -1,4 +1,4 @@
-CREATE TABLE system.encryption_keys (
+CREATE TABLE IF NOT EXISTS system.encryption_keys (
 	id TEXT NOT NULL
 	, key TEXT NOT NULL
 

cmd/initialise/sql/cockroach/08_events_table.sql

@@ -1,4 +1,6 @@
-CREATE TABLE eventstore.events (
+SET experimental_enable_hash_sharded_indexes = on;
+
+CREATE TABLE IF NOT EXISTS eventstore.events (
 	id UUID DEFAULT gen_random_uuid()
 	, event_type TEXT NOT NULL
 	, aggregate_type TEXT NOT NULL
@@ -22,4 +24,4 @@ CREATE TABLE eventstore.events (
 	, INDEX max_sequence (aggregate_type, aggregate_id, event_sequence DESC, instance_id)
 	, CONSTRAINT previous_sequence_unique UNIQUE (previous_aggregate_sequence DESC, instance_id)
 	, CONSTRAINT prev_agg_type_seq_unique UNIQUE(previous_aggregate_type_sequence, instance_id)
-)
+);

cmd/initialise/sql/cockroach/09_system_sequence.sql

@@ -0,0 +1 @@
+CREATE SEQUENCE IF NOT EXISTS eventstore.system_seq

cmd/initialise/sql/cockroach/10_unique_constraints_table.sql

@@ -1,4 +1,4 @@
-CREATE TABLE eventstore.unique_constraints (
+CREATE TABLE IF NOT EXISTS eventstore.unique_constraints (
     instance_id TEXT,
     unique_type TEXT,
     unique_field TEXT,

cmd/initialise/sql/postgres/01_user.sql

@@ -0,0 +1 @@
+CREATE USER %[1]s

cmd/initialise/sql/postgres/02_database.sql

@@ -0,0 +1 @@
+CREATE DATABASE %[1]s

cmd/initialise/sql/postgres/03_grant_user.sql

@@ -0,0 +1,3 @@
+-- replace the first %[1]s with the database
+-- replace the second \%[2]s with the user
+GRANT ALL ON DATABASE %[1]s TO %[2]s;

cmd/initialise/sql/postgres/04_eventstore.sql

@@ -0,0 +1,3 @@
+CREATE SCHEMA IF NOT EXISTS eventstore;
+
+GRANT ALL ON ALL TABLES IN SCHEMA eventstore TO %[1]s;

cmd/initialise/sql/postgres/05_projections.sql

@@ -0,0 +1,3 @@
+CREATE SCHEMA IF NOT EXISTS projections;
+
+GRANT ALL ON ALL TABLES IN SCHEMA projections TO %[1]s;

cmd/initialise/sql/postgres/06_system.sql

@@ -0,0 +1,3 @@
+CREATE SCHEMA IF NOT EXISTS system;
+
+GRANT ALL ON ALL TABLES IN SCHEMA system TO %[1]s;

cmd/initialise/sql/postgres/07_encryption_keys_table.sql

@@ -0,0 +1,6 @@
+CREATE TABLE IF NOT EXISTS system.encryption_keys (
+	id TEXT NOT NULL
+	, key TEXT NOT NULL
+
+	, PRIMARY KEY (id)
+);

cmd/initialise/sql/postgres/08_events_table.sql

@@ -0,0 +1,25 @@
+CREATE TABLE IF NOT EXISTS eventstore.events (
+	id UUID DEFAULT gen_random_uuid()
+	, event_type TEXT NOT NULL
+	, aggregate_type TEXT NOT NULL
+	, aggregate_id TEXT NOT NULL
+	, aggregate_version TEXT NOT NULL
+	, event_sequence BIGINT NOT NULL
+	, previous_aggregate_sequence BIGINT
+	, previous_aggregate_type_sequence INT8
+	, creation_date TIMESTAMPTZ NOT NULL DEFAULT now()
+	, event_data JSONB
+	, editor_user TEXT NOT NULL 
+	, editor_service TEXT NOT NULL
+	, resource_owner TEXT NOT NULL
+	, instance_id TEXT NOT NULL
+
+	, PRIMARY KEY (event_sequence, instance_id)
+	, CONSTRAINT previous_sequence_unique UNIQUE(previous_aggregate_sequence, instance_id)
+	, CONSTRAINT prev_agg_type_seq_unique UNIQUE(previous_aggregate_type_sequence, instance_id)
+);
+
+CREATE INDEX IF NOT EXISTS agg_type_agg_id ON eventstore.events (aggregate_type, aggregate_id, instance_id);
+CREATE INDEX IF NOT EXISTS agg_type ON eventstore.events (aggregate_type, instance_id);
+CREATE INDEX IF NOT EXISTS agg_type_seq ON eventstore.events (aggregate_type, event_sequence DESC, instance_id);
+CREATE INDEX IF NOT EXISTS max_sequence ON eventstore.events (aggregate_type, aggregate_id, event_sequence DESC, instance_id);

cmd/initialise/sql/postgres/09_system_sequence.sql

@@ -0,0 +1 @@
+CREATE SEQUENCE IF NOT EXISTS eventstore.system_seq;

cmd/initialise/sql/postgres/10_unique_constraints_table.sql

@@ -0,0 +1,6 @@
+CREATE TABLE IF NOT EXISTS eventstore.unique_constraints (
+    instance_id TEXT,
+    unique_type TEXT,
+    unique_field TEXT,
+    PRIMARY KEY (instance_id, unique_type, unique_field)
+);

cmd/initialise/verify_database.go

@@ -10,13 +10,6 @@ import (
 	"github.com/zitadel/logging"
 )
 
-var (
-	searchDatabase = "SELECT database_name FROM [show databases] WHERE database_name = $1"
-
-	//go:embed sql/02_database.sql
-	databaseStmt string
-)
-
 func newDatabase() *cobra.Command {
 	return &cobra.Command{
 		Use:   "database",
@@ -40,11 +33,10 @@ The user provided by flags needs priviledge to
 	}
 }
 
-func VerifyDatabase(database string) func(*sql.DB) error {
+func VerifyDatabase(databaseName string) func(*sql.DB) error {
 	return func(db *sql.DB) error {
-		return verify(db,
-			exists(searchDatabase, database),
-			exec(fmt.Sprintf(databaseStmt, database)),
-		)
+		logging.WithFields("database", databaseName).Info("verify database")
+
+		return exec(db, fmt.Sprintf(string(databaseStmt), databaseName), []string{dbAlreadyExistsCode})
 	}
 }

cmd/initialise/verify_database_test.go

@@ -7,6 +7,12 @@ import (
 )
 
 func Test_verifyDB(t *testing.T) {
+	err := ReadStmts("cockroach") //TODO: check all dialects
+	if err != nil {
+		t.Errorf("unable to read stmts: %v", err)
+		t.FailNow()
+	}
+
 	type args struct {
 		db       db
 		database string
@@ -16,20 +22,11 @@ func Test_verifyDB(t *testing.T) {
 		args      args
 		targetErr error
 	}{
-		{
-			name: "exists fails",
-			args: args{
-				db:       prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", sql.ErrConnDone, "zitadel")),
-				database: "zitadel",
-			},
-			targetErr: sql.ErrConnDone,
-		},
 		{
 			name: "doesn't exists, create fails",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", false, "zitadel"),
-					expectExec("CREATE DATABASE zitadel", sql.ErrTxDone),
+					expectExec("-- replace zitadel with the name of the database\nCREATE DATABASE IF NOT EXISTS zitadel", sql.ErrTxDone),
 				),
 				database: "zitadel",
 			},
@@ -39,8 +36,7 @@ func Test_verifyDB(t *testing.T) {
 			name: "doesn't exists, create successful",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", false, "zitadel"),
-					expectExec("CREATE DATABASE zitadel", nil),
+					expectExec("-- replace zitadel with the name of the database\nCREATE DATABASE IF NOT EXISTS zitadel", nil),
 				),
 				database: "zitadel",
 			},
@@ -50,7 +46,7 @@ func Test_verifyDB(t *testing.T) {
 			name: "already exists",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT database_name FROM [show databases] WHERE database_name = $1)", true, "zitadel"),
+					expectExec("-- replace zitadel with the name of the database\nCREATE DATABASE IF NOT EXISTS zitadel", nil),
 				),
 				database: "zitadel",
 			},

cmd/initialise/verify_grant.go

@@ -10,12 +10,6 @@ import (
 	"github.com/zitadel/logging"
 )
 
-var (
-	searchGrant = "SELECT * FROM [SHOW GRANTS ON DATABASE %s] where grantee = $1 AND privilege_type = 'ALL'"
-	//go:embed sql/03_grant_user.sql
-	grantStmt string
-)
-
 func newGrant() *cobra.Command {
 	return &cobra.Command{
 		Use:   "grant",
@@ -34,12 +28,10 @@ Prereqesits:
 	}
 }
 
-func VerifyGrant(database, username string) func(*sql.DB) error {
+func VerifyGrant(databaseName, username string) func(*sql.DB) error {
 	return func(db *sql.DB) error {
-		logging.WithFields("user", username, "database", database).Info("verify grant")
-		return verify(db,
-			exists(fmt.Sprintf(searchGrant, database), username),
-			exec(fmt.Sprintf(grantStmt, database, username)),
-		)
+		logging.WithFields("user", username, "database", databaseName).Info("verify grant")
+
+		return exec(db, fmt.Sprintf(grantStmt, databaseName, username), nil)
 	}
 }

cmd/initialise/verify_grant_test.go

@@ -17,20 +17,10 @@ func Test_verifyGrant(t *testing.T) {
 		args      args
 		targetErr error
 	}{
-		{
-			name: "exists fails",
-			args: args{
-				db:       prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", sql.ErrConnDone, "zitadel-user")),
-				database: "zitadel",
-				username: "zitadel-user",
-			},
-			targetErr: sql.ErrConnDone,
-		},
 		{
 			name: "doesn't exists, create fails",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", false, "zitadel-user"),
 					expectExec("GRANT ALL ON DATABASE zitadel TO zitadel-user", sql.ErrTxDone),
 				),
 				database: "zitadel",
@@ -42,7 +32,6 @@ func Test_verifyGrant(t *testing.T) {
 			name: "correct",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", false, "zitadel-user"),
 					expectExec("GRANT ALL ON DATABASE zitadel TO zitadel-user", nil),
 				),
 				database: "zitadel",
@@ -54,7 +43,7 @@ func Test_verifyGrant(t *testing.T) {
 			name: "already exists",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT * FROM [SHOW GRANTS ON DATABASE zitadel] where grantee = $1 AND privilege_type = 'ALL'", true, "zitadel-user"),
+					expectExec("GRANT ALL ON DATABASE zitadel TO zitadel-user", nil),
 				),
 				database: "zitadel",
 				username: "zitadel-user",

cmd/initialise/verify_user.go

@@ -10,12 +10,6 @@ import (
 	"github.com/zitadel/logging"
 )
 
-var (
-	searchUser = "SELECT username FROM [show roles] WHERE username = $1"
-	//go:embed sql/01_user.sql
-	createUserStmt string
-)
-
 func newUser() *cobra.Command {
 	return &cobra.Command{
 		Use:   "user",
@@ -42,9 +36,11 @@ The user provided by flags needs priviledge to
 func VerifyUser(username, password string) func(*sql.DB) error {
 	return func(db *sql.DB) error {
 		logging.WithFields("username", username).Info("verify user")
-		return verify(db,
-			exists(searchUser, username),
-			exec(fmt.Sprintf(createUserStmt, username), &sql.NullString{String: password, Valid: password != ""}),
-		)
+
+		if password != "" {
+			createUserStmt += " WITH PASSWORD '" + password + "'"
+		}
+
+		return exec(db, fmt.Sprintf(createUserStmt, username), []string{roleAlreadyExistsCode})
 	}
 }

cmd/initialise/verify_user_test.go

@@ -7,6 +7,12 @@ import (
 )
 
 func Test_verifyUser(t *testing.T) {
+	err := ReadStmts("cockroach") //TODO: check all dialects
+	if err != nil {
+		t.Errorf("unable to read stmts: %v", err)
+		t.FailNow()
+	}
+
 	type args struct {
 		db       db
 		username string
@@ -17,21 +23,11 @@ func Test_verifyUser(t *testing.T) {
 		args      args
 		targetErr error
 	}{
-		{
-			name: "exists fails",
-			args: args{
-				db:       prepareDB(t, expectQueryErr("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", sql.ErrConnDone, "zitadel-user")),
-				username: "zitadel-user",
-				password: "",
-			},
-			targetErr: sql.ErrConnDone,
-		},
 		{
 			name: "doesn't exists, create fails",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", false, "zitadel-user"),
-					expectExec("CREATE USER zitadel-user WITH PASSWORD $1", sql.ErrTxDone, nil),
+					expectExec("-- replace zitadel-user with the name of the user\nCREATE USER IF NOT EXISTS zitadel-user", sql.ErrTxDone),
 				),
 				username: "zitadel-user",
 				password: "",
@@ -42,8 +38,7 @@ func Test_verifyUser(t *testing.T) {
 			name: "correct without password",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", false, "zitadel-user"),
-					expectExec("CREATE USER zitadel-user WITH PASSWORD $1", nil, nil),
+					expectExec("-- replace zitadel-user with the name of the user\nCREATE USER IF NOT EXISTS zitadel-user", nil),
 				),
 				username: "zitadel-user",
 				password: "",
@@ -54,8 +49,7 @@ func Test_verifyUser(t *testing.T) {
 			name: "correct with password",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", false, "zitadel-user"),
-					expectExec("CREATE USER zitadel-user WITH PASSWORD $1", nil, "password"),
+					expectExec("-- replace zitadel-user with the name of the user\nCREATE USER IF NOT EXISTS zitadel-user WITH PASSWORD 'password'", nil),
 				),
 				username: "zitadel-user",
 				password: "password",
@@ -66,7 +60,7 @@ func Test_verifyUser(t *testing.T) {
 			name: "already exists",
 			args: args{
 				db: prepareDB(t,
-					expectExists("SELECT EXISTS(SELECT username FROM [show roles] WHERE username = $1)", true, "zitadel-user"),
+					expectExec("-- replace zitadel-user with the name of the user\nCREATE USER IF NOT EXISTS zitadel-user WITH PASSWORD 'password'", nil),
 				),
 				username: "zitadel-user",
 				password: "",

cmd/initialise/verify_zitadel.go

@@ -3,11 +3,12 @@ package initialise
 import (
 	"database/sql"
 	_ "embed"
+	"fmt"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
-	"github.com/zitadel/logging"
 
+	"github.com/zitadel/logging"
 	"github.com/zitadel/zitadel/internal/database"
 )
 
@@ -20,29 +21,6 @@ const (
 	encryptionKeysTable    = "encryption_keys"
 )
 
-var (
-	searchSchema         = "SELECT schema_name FROM [SHOW SCHEMAS] WHERE schema_name = $1"
-	searchTable          = "SELECT table_name FROM [SHOW TABLES] WHERE table_name = $1"
-	searchSystemSequence = "SELECT sequence_name FROM [SHOW SEQUENCES] WHERE sequence_name = 'system_seq'"
-
-	//go:embed sql/04_eventstore.sql
-	createEventstoreStmt string
-	//go:embed sql/05_projections.sql
-	createProjectionsStmt string
-	//go:embed sql/06_system.sql
-	createSystemStmt string
-	//go:embed sql/07_encryption_keys_table.sql
-	createEncryptionKeysStmt string
-	//go:embed sql/08_enable_hash_sharded_indexes.sql
-	enableHashShardedIdx string
-	//go:embed sql/09_events_table.sql
-	createEventsStmt string
-	//go:embed sql/10_system_sequence.sql
-	createSystemSequenceStmt string
-	//go:embed sql/11_unique_constraints_table.sql
-	createUniqueConstraints string
-)
-
 func newZitadel() *cobra.Command {
 	return &cobra.Command{
 		Use:   "zitadel",
@@ -62,44 +40,44 @@ Prereqesits:
 	}
 }
 
-func VerifyZitadel(db *sql.DB) error {
-	if err := verify(db, exists(searchSchema, systemSchema), exec(createSystemStmt)); err != nil {
+func VerifyZitadel(db *sql.DB, config database.Config) error {
+	if err := exec(db, fmt.Sprintf(createSystemStmt, config.Username()), nil); err != nil {
 		return err
 	}
 
-	if err := verify(db, exists(searchTable, encryptionKeysTable), createEncryptionKeys); err != nil {
+	if err := createEncryptionKeys(db); err != nil {
 		return err
 	}
 
-	if err := verify(db, exists(searchSchema, projectionsSchema), exec(createProjectionsStmt)); err != nil {
+	if err := exec(db, fmt.Sprintf(createProjectionsStmt, config.Username()), nil); err != nil {
 		return err
 	}
 
-	if err := verify(db, exists(searchSchema, eventstoreSchema), exec(createEventstoreStmt)); err != nil {
+	if err := exec(db, fmt.Sprintf(createEventstoreStmt, config.Username()), nil); err != nil {
 		return err
 	}
 
-	if err := verify(db, exists(searchTable, eventsTable), createEvents); err != nil {
+	if err := createEvents(db); err != nil {
 		return err
 	}
 
-	if err := verify(db, exists(searchSystemSequence), exec(createSystemSequenceStmt)); err != nil {
+	if err := exec(db, createSystemSequenceStmt, nil); err != nil {
 		return err
 	}
 
-	if err := verify(db, exists(searchTable, uniqueConstraintsTable), exec(createUniqueConstraints)); err != nil {
+	if err := exec(db, createUniqueConstraints, nil); err != nil {
 		return err
 	}
 	return nil
 }
 
 func verifyZitadel(config database.Config) error {
-	logging.WithFields("database", config.Database).Info("verify zitadel")
+	logging.WithFields("database", config.Database()).Info("verify zitadel")
 	db, err := database.Connect(config, false)
 	if err != nil {
 		return err
 	}
-	if err := VerifyZitadel(db); err != nil {
+	if err := VerifyZitadel(db, config); err != nil {
 		return nil
 	}
 
@@ -124,10 +102,6 @@ func createEvents(db *sql.DB) error {
 	if err != nil {
 		return err
 	}
-	if _, err = tx.Exec(enableHashShardedIdx); err != nil {
-		tx.Rollback()
-		return err
-	}
 
 	if _, err = tx.Exec(createEventsStmt); err != nil {
 		tx.Rollback()

cmd/initialise/verify_zitadel_test.go

@@ -7,6 +7,12 @@ import (
 )
 
 func Test_verifyEvents(t *testing.T) {
+	err := ReadStmts("cockroach") //TODO: check all dialects
+	if err != nil {
+		t.Errorf("unable to read stmts: %v", err)
+		t.FailNow()
+	}
+
 	type args struct {
 		db db
 	}
@@ -24,23 +30,11 @@ func Test_verifyEvents(t *testing.T) {
 			},
 			targetErr: sql.ErrConnDone,
 		},
-		{
-			name: "hash sharded indexes fails",
-			args: args{
-				db: prepareDB(t,
-					expectBegin(nil),
-					expectExec("SET experimental_enable_hash_sharded_indexes = on", sql.ErrNoRows),
-					expectRollback(nil),
-				),
-			},
-			targetErr: sql.ErrNoRows,
-		},
 		{
 			name: "create table fails",
 			args: args{
 				db: prepareDB(t,
 					expectBegin(nil),
-					expectExec("SET experimental_enable_hash_sharded_indexes = on", nil),
 					expectExec(createEventsStmt, sql.ErrNoRows),
 					expectRollback(nil),
 				),
@@ -52,7 +46,6 @@ func Test_verifyEvents(t *testing.T) {
 			args: args{
 				db: prepareDB(t,
 					expectBegin(nil),
-					expectExec("SET experimental_enable_hash_sharded_indexes = on", nil),
 					expectExec(createEventsStmt, nil),
 					expectCommit(nil),
 				),
@@ -60,6 +53,7 @@ func Test_verifyEvents(t *testing.T) {
 			targetErr: nil,
 		},
 	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if err := createEvents(tt.args.db.db); !errors.Is(err, tt.targetErr) {

cmd/setup/01.go

@@ -11,8 +11,6 @@ var (
 	createAdminViews string
 	//go:embed 01_sql/auth.sql
 	createAuthViews string
-	//go:embed 01_sql/notification.sql
-	createNotificationViews string
 	//go:embed 01_sql/projections.sql
 	createProjections string
 )
@@ -22,7 +20,7 @@ type ProjectionTable struct {
 }
 
 func (mig *ProjectionTable) Execute(ctx context.Context) error {
-	stmt := createAdminViews + createAuthViews + createNotificationViews + createProjections
+	stmt := createAdminViews + createAuthViews + createProjections
 	_, err := mig.dbClient.ExecContext(ctx, stmt)
 	return err
 }

cmd/setup/01_sql/adminapi.sql

@@ -30,28 +30,28 @@ CREATE TABLE adminapi.failed_events (
 );
 
 CREATE TABLE adminapi.styling (
-    aggregate_id STRING NOT NULL,
+    aggregate_id TEXT NOT NULL,
     creation_date TIMESTAMPTZ NULL,
     change_date TIMESTAMPTZ NULL,
-    label_policy_state INT2 NOT NULL DEFAULT 0:::INT2,
+    label_policy_state INT2 NOT NULL DEFAULT 0::INT2,
     sequence INT8 NULL,
-    primary_color STRING NULL,
-    background_color STRING NULL,
-    warn_color STRING NULL,
-    font_color STRING NULL,
-    primary_color_dark STRING NULL,
-    background_color_dark STRING NULL,
-    warn_color_dark STRING NULL,
-    font_color_dark STRING NULL,
-    logo_url STRING NULL,
-    icon_url STRING NULL,
-    logo_dark_url STRING NULL,
-    icon_dark_url STRING NULL,
-    font_url STRING NULL,
+    primary_color TEXT NULL,
+    background_color TEXT NULL,
+    warn_color TEXT NULL,
+    font_color TEXT NULL,
+    primary_color_dark TEXT NULL,
+    background_color_dark TEXT NULL,
+    warn_color_dark TEXT NULL,
+    font_color_dark TEXT NULL,
+    logo_url TEXT NULL,
+    icon_url TEXT NULL,
+    logo_dark_url TEXT NULL,
+    icon_dark_url TEXT NULL,
+    font_url TEXT NULL,
     err_msg_popup BOOL NULL,
     disable_watermark BOOL NULL,
     hide_login_name_suffix BOOL NULL,
-    instance_id STRING NOT NULL,
+    instance_id TEXT NOT NULL,
 
     PRIMARY KEY (aggregate_id, label_policy_state, instance_id)
 );

cmd/setup/01_sql/auth.sql

@@ -30,48 +30,48 @@ CREATE TABLE auth.failed_events (
 );
 
 CREATE TABLE auth.users (
-    id STRING NULL,
+    id TEXT NULL,
     creation_date TIMESTAMPTZ NULL,
     change_date TIMESTAMPTZ NULL,
-    resource_owner STRING NULL,
+    resource_owner TEXT NULL,
     user_state INT2 NULL,
     password_set BOOL NULL,
     password_change_required BOOL NULL,
     password_change TIMESTAMPTZ NULL,
     last_login TIMESTAMPTZ NULL,
-    user_name STRING NULL,
-    login_names STRING[] NULL,
-    preferred_login_name STRING NULL,
-    first_name STRING NULL,
-    last_name STRING NULL,
-    nick_name STRING NULL,
-    display_name STRING NULL,
-    preferred_language STRING NULL,
+    user_name TEXT NULL,
+    login_names TEXT[] NULL,
+    preferred_login_name TEXT NULL,
+    first_name TEXT NULL,
+    last_name TEXT NULL,
+    nick_name TEXT NULL,
+    display_name TEXT NULL,
+    preferred_language TEXT NULL,
     gender INT2 NULL,
-    email STRING NULL,
+    email TEXT NULL,
     is_email_verified BOOL NULL,
-    phone STRING NULL,
+    phone TEXT NULL,
     is_phone_verified BOOL NULL,
-    country STRING NULL,
-    locality STRING NULL,
-    postal_code STRING NULL,
-    region STRING NULL,
-    street_address STRING NULL,
+    country TEXT NULL,
+    locality TEXT NULL,
+    postal_code TEXT NULL,
+    region TEXT NULL,
+    street_address TEXT NULL,
     otp_state INT2 NULL,
     mfa_max_set_up INT2 NULL,
     mfa_init_skipped TIMESTAMPTZ NULL,
     sequence INT8 NULL,
     init_required BOOL NULL,
     username_change_required BOOL NULL,
-    machine_name STRING NULL,
-    machine_description STRING NULL,
-    user_type STRING NULL,
-    u2f_tokens BYTES NULL,
-    passwordless_tokens BYTES NULL,
-    avatar_key STRING NULL,
+    machine_name TEXT NULL,
+    machine_description TEXT NULL,
+    user_type TEXT NULL,
+    u2f_tokens BYTEA NULL,
+    passwordless_tokens BYTEA NULL,
+    avatar_key TEXT NULL,
     passwordless_init_required BOOL NULL,
     password_init_required BOOL NULL,
-    instance_id STRING NOT NULL,
+    instance_id TEXT NOT NULL,
 
     PRIMARY KEY (id, instance_id)
 );
@@ -79,148 +79,151 @@ CREATE TABLE auth.users (
 CREATE TABLE auth.user_sessions (
     creation_date TIMESTAMPTZ NULL,
     change_date TIMESTAMPTZ NULL,
-    resource_owner STRING NULL,
+    resource_owner TEXT NULL,
     state INT2 NULL,
-    user_agent_id STRING NULL,
-    user_id STRING NULL,
-    user_name STRING NULL,
+    user_agent_id TEXT NULL,
+    user_id TEXT NULL,
+    user_name TEXT NULL,
     password_verification TIMESTAMPTZ NULL,
     second_factor_verification TIMESTAMPTZ NULL,
     multi_factor_verification TIMESTAMPTZ NULL,
     sequence INT8 NULL,
     second_factor_verification_type INT2 NULL,
     multi_factor_verification_type INT2 NULL,
-    user_display_name STRING NULL,
-    login_name STRING NULL,
+    user_display_name TEXT NULL,
+    login_name TEXT NULL,
     external_login_verification TIMESTAMPTZ NULL,
-    selected_idp_config_id STRING NULL,
+    selected_idp_config_id TEXT NULL,
     passwordless_verification TIMESTAMPTZ NULL,
-    avatar_key STRING NULL,
-    instance_id STRING NOT NULL,
+    avatar_key TEXT NULL,
+    instance_id TEXT NOT NULL,
 
     PRIMARY KEY (user_agent_id, user_id, instance_id)
 );
 
 CREATE TABLE auth.user_external_idps (
-    external_user_id STRING NOT NULL,
-    idp_config_id STRING NOT NULL,
-    user_id STRING NULL,
-    idp_name STRING NULL,
-    user_display_name STRING NULL,
+    external_user_id TEXT NOT NULL,
+    idp_config_id TEXT NOT NULL,
+    user_id TEXT NULL,
+    idp_name TEXT NULL,
+    user_display_name TEXT NULL,
     creation_date TIMESTAMPTZ NULL,
     change_date TIMESTAMPTZ NULL,
     sequence INT8 NULL,
-    resource_owner STRING NULL,
-    instance_id STRING NOT NULL,
+    resource_owner TEXT NULL,
+    instance_id TEXT NOT NULL,
 
     PRIMARY KEY (external_user_id, idp_config_id, instance_id)
 );
 
 CREATE TABLE auth.tokens (
-    id STRING NOT NULL,
+    id TEXT NOT NULL,
     creation_date TIMESTAMPTZ NULL,
     change_date TIMESTAMPTZ NULL,
-    resource_owner STRING NULL,
-    application_id STRING NULL,
-    user_agent_id STRING NULL,
-    user_id STRING NULL,
+    resource_owner TEXT NULL,
+    application_id TEXT NULL,
+    user_agent_id TEXT NULL,
+    user_id TEXT NULL,
     expiration TIMESTAMPTZ NULL,
     sequence INT8 NULL,
-    scopes STRING[] NULL,
-    audience STRING[] NULL,
-    preferred_language STRING NULL,
-    refresh_token_id STRING NULL,
+    scopes TEXT[] NULL,
+    audience TEXT[] NULL,
+    preferred_language TEXT NULL,
+    refresh_token_id TEXT NULL,
     is_pat BOOL NOT NULL DEFAULT false,
-    instance_id STRING NOT NULL,
+    instance_id TEXT NOT NULL,
 
-    PRIMARY KEY (id, instance_id),
-    INDEX user_user_agent_idx (user_id, user_agent_id)
+    PRIMARY KEY (id, instance_id)
 );
 
+CREATE INDEX user_user_agent_idx ON auth.tokens (user_id, user_agent_id);
+
 CREATE TABLE auth.refresh_tokens (
-    id STRING NOT NULL,
+    id TEXT NOT NULL,
     creation_date TIMESTAMPTZ NULL,
     change_date TIMESTAMPTZ NULL,
-    resource_owner STRING NULL,
-    token STRING NULL,
-    client_id STRING NOT NULL,
-    user_agent_id STRING NOT NULL,
-    user_id STRING NOT NULL,
+    resource_owner TEXT NULL,
+    token TEXT NULL,
+    client_id TEXT NOT NULL,
+    user_agent_id TEXT NOT NULL,
+    user_id TEXT NOT NULL,
     auth_time TIMESTAMPTZ NULL,
     idle_expiration TIMESTAMPTZ NULL,
     expiration TIMESTAMPTZ NULL,
     sequence INT8 NULL,
-    scopes STRING[] NULL,
-    audience STRING[] NULL,
-    amr STRING[] NULL,
-    instance_id STRING NOT NULL,
+    scopes TEXT[] NULL,
+    audience TEXT[] NULL,
+    amr TEXT[] NULL,
+    instance_id TEXT NOT NULL,
 
-    PRIMARY KEY (id, instance_id),
-    UNIQUE INDEX unique_client_user_index (client_id, user_agent_id, user_id)
+    PRIMARY KEY (id, instance_id)
 );
 
+CREATE UNIQUE INDEX unique_client_user_index ON auth.refresh_tokens (client_id, user_agent_id, user_id);
+
 CREATE TABLE auth.org_project_mapping (
-    org_id STRING NOT NULL,
-    project_id STRING NOT NULL,
-    project_grant_id STRING NULL,
-    instance_id STRING NOT NULL,
+    org_id TEXT NOT NULL,
+    project_id TEXT NOT NULL,
+    project_grant_id TEXT NULL,
+    instance_id TEXT NOT NULL,
 
     PRIMARY KEY (org_id, project_id, instance_id)
 );
 
 CREATE TABLE auth.idp_providers (
-    aggregate_id STRING NOT NULL,
-    idp_config_id STRING NOT NULL,
+    aggregate_id TEXT NOT NULL,
+    idp_config_id TEXT NOT NULL,
     creation_date TIMESTAMPTZ NULL,
     change_date TIMESTAMPTZ NULL,
     sequence INT8 NULL,
-    name STRING NULL,
+    name TEXT NULL,
     idp_config_type INT2 NULL,
     idp_provider_type INT2 NULL,
     idp_state INT2 NULL,
     styling_type INT2 NULL,
-    instance_id STRING NOT NULL,
+    instance_id TEXT NOT NULL,
 
     PRIMARY KEY (aggregate_id, idp_config_id, instance_id)
 );
 
 CREATE TABLE auth.idp_configs (
-    idp_config_id STRING NOT NULL,
+    idp_config_id TEXT NOT NULL,
     creation_date TIMESTAMPTZ NULL,
     change_date TIMESTAMPTZ NULL,
     sequence INT8 NULL,
-    aggregate_id STRING NULL,
-    name STRING NULL,
+    aggregate_id TEXT NULL,
+    name TEXT NULL,
     idp_state INT2 NULL,
     idp_provider_type INT2 NULL,
     is_oidc BOOL NULL,
-    oidc_client_id STRING NULL,
+    oidc_client_id TEXT NULL,
     oidc_client_secret JSONB NULL,
-    oidc_issuer STRING NULL,
-    oidc_scopes STRING[] NULL,
+    oidc_issuer TEXT NULL,
+    oidc_scopes TEXT[] NULL,
     oidc_idp_display_name_mapping INT2 NULL,
     oidc_idp_username_mapping INT2 NULL,
     styling_type INT2 NULL,
-    oauth_authorization_endpoint STRING NULL,
-    oauth_token_endpoint STRING NULL,
+    oauth_authorization_endpoint TEXT NULL,
+    oauth_token_endpoint TEXT NULL,
     auto_register BOOL NULL,
-    jwt_endpoint STRING NULL,
-    jwt_keys_endpoint STRING NULL,
-    jwt_header_name STRING NULL,
-    instance_id STRING NOT NULL,
+    jwt_endpoint TEXT NULL,
+    jwt_keys_endpoint TEXT NULL,
+    jwt_header_name TEXT NULL,
+    instance_id TEXT NOT NULL,
 
     PRIMARY KEY (idp_config_id, instance_id)
 );
 
 CREATE TABLE auth.auth_requests (
-    id STRING NOT NULL,
+    id TEXT NOT NULL,
     request JSONB NULL,
-    code STRING NULL,
+    code TEXT NULL,
     request_type INT2 NULL,
     creation_date TIMESTAMPTZ NULL,
     change_date TIMESTAMPTZ NULL,
-    instance_id STRING NOT NULL,
+    instance_id TEXT NOT NULL,
 
-    PRIMARY KEY (id, instance_id),
-    INDEX auth_code_idx (code)
+    PRIMARY KEY (id, instance_id)
 );
+
+CREATE INDEX auth_code_idx ON auth.auth_requests (code);

cmd/setup/01_sql/notification.sql

@@ -1,55 +0,0 @@
-CREATE SCHEMA notification;
-
-CREATE TABLE notification.locks (
-    locker_id TEXT,
-    locked_until TIMESTAMPTZ(3),
-    view_name TEXT,
-    instance_id TEXT NOT NULL,
-
-    PRIMARY KEY (view_name, instance_id)
-);
-
-CREATE TABLE notification.current_sequences (
-    view_name TEXT,
-    current_sequence BIGINT,
-    event_timestamp TIMESTAMPTZ,
-    last_successful_spooler_run TIMESTAMPTZ,
-    instance_id TEXT NOT NULL,
-
-    PRIMARY KEY (view_name, instance_id)
-);
-
-CREATE TABLE notification.failed_events (
-    view_name TEXT,
-    failed_sequence BIGINT,
-    failure_count SMALLINT,
-    err_msg TEXT,
-    instance_id TEXT NOT NULL,
-
-    PRIMARY KEY (view_name, failed_sequence, instance_id)
-);
-
-CREATE TABLE notification.notify_users (
-    id STRING NOT NULL,
-    creation_date TIMESTAMPTZ NULL,
-    change_date TIMESTAMPTZ NULL,
-    resource_owner STRING NULL,
-    user_name STRING NULL,
-    first_name STRING NULL,
-    last_name STRING NULL,
-    nick_name STRING NULL,
-    display_name STRING NULL,
-    preferred_language STRING NULL,
-    gender INT2 NULL,
-    last_email STRING NULL,
-    verified_email STRING NULL,
-    last_phone STRING NULL,
-    verified_phone STRING NULL,
-    sequence INT8 NULL,
-    password_set BOOL NULL,
-    login_names STRING NULL,
-    preferred_login_name STRING NULL,
-    instance_id STRING NULL,
-
-    PRIMARY KEY (id)
-);

cmd/setup/02.go

@@ -13,8 +13,8 @@ CREATE TABLE system.assets (
     resource_owner TEXT,
     name TEXT,
     content_type TEXT,
-    hash TEXT AS (md5(data)) STORED,
-    data BYTES,
+    hash TEXT GENERATED ALWAYS AS (md5(data)) STORED,
+    data BYTEA,
     updated_at TIMESTAMPTZ,
 
     PRIMARY KEY (instance_id, resource_owner, name)

cmd/start/start_from_setup.go

@@ -0,0 +1,47 @@
+package start
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/cmd/key"
+	"github.com/zitadel/zitadel/cmd/setup"
+	"github.com/zitadel/zitadel/cmd/tls"
+)
+
+func NewStartFromSetup() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "start-from-setup",
+		Short: "cold starts zitadel",
+		Long: `cold starts ZITADEL.
+First the initial events are created.
+Last ZITADEL starts.
+
+Requirements:
+- database
+- database is initialized
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			err := tls.ModeFromFlag(cmd)
+			logging.OnError(err).Fatal("invalid tlsMode")
+
+			masterKey, err := key.MasterKey(cmd)
+			logging.OnError(err).Panic("No master key provided")
+
+			setupConfig := setup.MustNewConfig(viper.GetViper())
+			setupSteps := setup.MustNewSteps(viper.New())
+			setup.Setup(setupConfig, setupSteps, masterKey)
+
+			startConfig := MustNewConfig(viper.GetViper())
+
+			err = startZitadel(startConfig, masterKey)
+			logging.OnError(err).Fatal("unable to start zitadel")
+		},
+	}
+
+	startFlags(cmd)
+	setup.Flags(cmd)
+
+	return cmd
+}

cmd/zitadel.go

@@ -51,6 +51,7 @@ func New(out io.Writer, in io.Reader, args []string) *cobra.Command {
 		setup.New(),
 		start.New(),
 		start.NewStartFromInit(),
+		start.NewStartFromSetup(),
 		key.New(),
 	)