feat: initial admin PAT has IAM_LOGIN_CLIENT (#10143)

# Which Problems Are Solved

We provide a seamless way to initialize Zitadel and the login together.

# How the Problems Are Solved

Additionally to the `IAM_OWNER` role, a set up admin user also gets the
`IAM_LOGIN_CLIENT` role if it is a machine user with a PAT.

# Additional Changes

- Simplifies the load balancing example, as the intermediate
configuration step is not needed anymore.

# Additional Context

- Depends on #10116 
- Contributes to https://github.com/zitadel/zitadel-charts/issues/332
- Contributes to https://github.com/zitadel/zitadel/issues/10016

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>

cmd/setup/03.go

@@ -20,12 +20,13 @@ import (
 )
 
 type FirstInstance struct {
-	InstanceName    string
-	DefaultLanguage language.Tag
-	Org             command.InstanceOrgSetup
-	MachineKeyPath  string
-	PatPath         string
-	Features        *command.InstanceFeatures
+	InstanceName       string
+	DefaultLanguage    language.Tag
+	Org                command.InstanceOrgSetup
+	MachineKeyPath     string
+	PatPath            string
+	LoginClientPatPath string
+	Features           *command.InstanceFeatures
 
 	Skip bool
 
@@ -121,16 +122,18 @@ func (mig *FirstInstance) Execute(ctx context.Context, _ eventstore.Event) error
 		}
 	}
 
-	_, token, key, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
+	_, token, key, loginClientToken, _, err := cmd.SetUpInstance(ctx, &mig.instanceSetup)
 	if err != nil {
 		return err
 	}
-	if mig.instanceSetup.Org.Machine != nil &&
+	if (mig.instanceSetup.Org.Machine != nil &&
 		((mig.instanceSetup.Org.Machine.Pat != nil && token == "") ||
-			(mig.instanceSetup.Org.Machine.MachineKey != nil && key == nil)) {
+			(mig.instanceSetup.Org.Machine.MachineKey != nil && key == nil))) ||
+		(mig.instanceSetup.Org.LoginClient != nil &&
+			(mig.instanceSetup.Org.LoginClient.Pat != nil && loginClientToken == "")) {
 		return err
 	}
-	return mig.outputMachineAuthentication(key, token)
+	return mig.outputMachineAuthentication(key, token, loginClientToken)
 }
 
 func (mig *FirstInstance) verifyEncryptionKeys(ctx context.Context) (*crypto_db.Database, error) {
@@ -150,7 +153,7 @@ func (mig *FirstInstance) verifyEncryptionKeys(ctx context.Context) (*crypto_db.
 	return keyStorage, nil
 }
 
-func (mig *FirstInstance) outputMachineAuthentication(key *command.MachineKey, token string) error {
+func (mig *FirstInstance) outputMachineAuthentication(key *command.MachineKey, token, loginClientToken string) error {
 	if key != nil {
 		keyDetails, err := key.Detail()
 		if err != nil {
@@ -165,6 +168,11 @@ func (mig *FirstInstance) outputMachineAuthentication(key *command.MachineKey, t
 			return err
 		}
 	}
+	if loginClientToken != "" {
+		if err := outputStdoutOrPath(mig.LoginClientPatPath, loginClientToken); err != nil {
+			return err
+		}
+	}
 	return nil
 }
 

cmd/setup/steps.yaml

@@ -6,6 +6,7 @@ FirstInstance:
   MachineKeyPath: # ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH
   # The personal access token from the section FirstInstance.Org.Machine.Pat is written to the PatPath.
   PatPath: # ZITADEL_FIRSTINSTANCE_PATPATH
+  LoginClientPatPath: # ZITADEL_FIRSTINSTANCE_LOGINCLIENTPATPATH
   InstanceName: ZITADEL # ZITADEL_FIRSTINSTANCE_INSTANCENAME
   DefaultLanguage: en # ZITADEL_FIRSTINSTANCE_DEFAULTLANGUAGE
   Org:
@@ -46,6 +47,13 @@ FirstInstance:
       Pat:
         # date format: 2023-01-01T00:00:00Z
         ExpirationDate: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE
+    LoginClient:
+      Machine:
+        Username: # ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_USERNAME
+        Name: # ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_NAME
+      Pat:
+        # date format: 2023-01-01T00:00:00Z
+        ExpirationDate: # ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_PAT_EXPIRATIONDATE
 
 CorrectCreationDate:
   FailAfter: 5m # ZITADEL_CORRECTCREATIONDATE_FAILAFTER