feat: initial admin PAT has IAM_LOGIN_CLIENT (#10143)

# Which Problems Are Solved

We provide a seamless way to initialize Zitadel and the login together.

# How the Problems Are Solved

Additionally to the `IAM_OWNER` role, a set up admin user also gets the
`IAM_LOGIN_CLIENT` role if it is a machine user with a PAT.

# Additional Changes

- Simplifies the load balancing example, as the intermediate
configuration step is not needed anymore.

# Additional Context

- Depends on #10116 
- Contributes to https://github.com/zitadel/zitadel-charts/issues/332
- Contributes to https://github.com/zitadel/zitadel/issues/10016

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>

docs/docs/self-hosting/deploy/loadbalancing-example/.gitignore

@@ -1 +1 @@
-.env-file
+.env-file

docs/docs/self-hosting/deploy/loadbalancing-example/docker-compose.yaml

@@ -41,17 +41,17 @@ services:
     user: root
     entrypoint: '/bin/sh'
     command:
-    - -c
-    - >
-      /app/zitadel setup
-      --config /example-zitadel-config.yaml
-      --config /example-zitadel-secrets.yaml
-      --steps /example-zitadel-init-steps.yaml
-      --masterkey ${ZITADEL_MASTERKEY} &&
-      mv /pat /.env-file/pat || exit 0 &&
-      echo ZITADEL_SERVICE_USER_TOKEN=$(cat /.env-file/pat) > /.env-file/.env &&
-      chown -R 1001:${GID} /.env-file &&
-      chmod -R 770 /.env-file
+      - -c
+      - >
+        /app/zitadel setup
+        --config /example-zitadel-config.yaml
+        --config /example-zitadel-secrets.yaml
+        --steps /example-zitadel-init-steps.yaml
+        --masterkey ${ZITADEL_MASTERKEY} &&
+        mv /pat /.env-file/pat || exit 0 &&
+        echo ZITADEL_SERVICE_USER_TOKEN=$(cat /.env-file/pat) > /.env-file/.env &&
+        chown -R 1001:${GID} /.env-file &&
+        chmod -R 770 /.env-file
     environment:
       - GID
     depends_on:
@@ -154,4 +154,4 @@ networks:
   backend:
 
 volumes:
-  data:
+  data:

docs/docs/self-hosting/deploy/loadbalancing-example/example-zitadel-config.yaml

@@ -26,4 +26,4 @@ SAML.DefaultLoginURLV2: "/ui/v2/login/login?authRequest=" # ZITADEL_SAML_DEFAULT
 LogStore.Access.Stdout.Enabled: true
 
 # Skipping the MFA init step allows us to immediately authenticate at the console
-DefaultInstance.LoginPolicy.MfaInitSkipLifetime: "0s"
+DefaultInstance.LoginPolicy.MfaInitSkipLifetime: "0s"

docs/docs/self-hosting/deploy/loadbalancing-example/example-zitadel-init-steps.yaml

@@ -9,4 +9,4 @@ FirstInstance:
       Machine:
         Username: 'login-container'
         Name: 'Login Container'
-      Pat.ExpirationDate: '2029-01-01T00:00:00Z'
+      Pat.ExpirationDate: '2029-01-01T00:00:00Z'

docs/docs/self-hosting/deploy/loadbalancing-example/loadbalancing-example.mdx

@@ -71,4 +71,4 @@ Open your favorite internet browser at https://127.0.0.1.sslip.io/ui/console?log
 Your browser warns you about the insecure self-signed TLS certificate. As 127.0.0.1.sslip.io resolves to your localhost, you can safely proceed.
 Use the password *Password1!* to log in.
 
-Read more about [the login process](/guides/integrate/login/oidc/login-users).
+Read more about [the login process](/guides/integrate/login/oidc/login-users).

docs/docs/self-hosting/deploy/macos.mdx

@@ -64,4 +64,4 @@ mv /tmp/zitadel-admin-sa.json $HOME/zitadel-admin-sa.json
 This key can be used to provision resources with for example [Terraform](/docs/guides/manage/terraform-provider).
 
 <Next components={props.components} />
-<Disclaimer components={props.components} />
+<Disclaimer components={props.components} />