chore: move the go code into a subfolder

2025-08-12 00:57:33 +00:00 · 2025-08-05 15:20:32 -07:00
parent 4ad22ba456
commit cd2921de26
2978 changed files with 373 additions and 300 deletions
--- a/apps/api/cmd/initialise/config.go
+++ b/apps/api/cmd/initialise/config.go
@@ -0,0 +1,34 @@
+package initialise
+
+import (
+	"github.com/mitchellh/mapstructure"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/id"
+)
+
+type Config struct {
+	Database database.Config
+	Machine  *id.Config
+	Log      *logging.Config
+}
+
+func MustNewConfig(v *viper.Viper) *Config {
+	config := new(Config)
+	err := v.Unmarshal(config,
+		viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
+			database.DecodeHook(false),
+			mapstructure.TextUnmarshallerHookFunc(),
+		)),
+	)
+	logging.OnError(err).Fatal("unable to read config")
+
+	err = config.Log.SetLogger()
+	logging.OnError(err).Fatal("unable to set logger")
+
+	id.Configure(config.Machine)
+
+	return config
+}
--- a/apps/api/cmd/initialise/helper.go
+++ b/apps/api/cmd/initialise/helper.go
@@ -0,0 +1,23 @@
+package initialise
+
+import (
+	"context"
+	"errors"
+
+	"github.com/jackc/pgx/v5/pgconn"
+
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+func exec(ctx context.Context, db database.ContextExecuter, stmt string, possibleErrCodes []string, args ...interface{}) error {
+	_, err := db.ExecContext(ctx, stmt, args...)
+	pgErr := new(pgconn.PgError)
+	if errors.As(err, &pgErr) {
+		for _, possibleCode := range possibleErrCodes {
+			if possibleCode == pgErr.Code {
+				return nil
+			}
+		}
+	}
+	return err
+}
--- a/apps/api/cmd/initialise/init.go
+++ b/apps/api/cmd/initialise/init.go
@@ -0,0 +1,148 @@
+package initialise
+
+import (
+	"context"
+	"embed"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+var (
+	//go:embed sql/*.sql
+	stmts embed.FS
+
+	createUserStmt           string
+	grantStmt                string
+	databaseStmt             string
+	createEventstoreStmt     string
+	createProjectionsStmt    string
+	createSystemStmt         string
+	createEncryptionKeysStmt string
+	createEventsStmt         string
+	createUniqueConstraints  string
+
+	roleAlreadyExistsCode = "42710"
+	dbAlreadyExistsCode   = "42P04"
+)
+
+func New() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "init",
+		Short: "initialize ZITADEL instance",
+		Long: `Sets up the minimum requirements to start ZITADEL.
+
+Prerequisites:
+- PostgreSql database
+
+The user provided by flags needs privileges to
+- create the database if it does not exist
+- see other users and create a new one if the user does not exist
+- grant all rights of the ZITADEL database to the user created if not yet set
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.GetViper())
+
+			InitAll(cmd.Context(), config)
+		},
+	}
+
+	cmd.AddCommand(newZitadel(), newDatabase(), newUser(), newGrant())
+	return cmd
+}
+
+func InitAll(ctx context.Context, config *Config) {
+	err := initialise(ctx, config.Database,
+		VerifyUser(config.Database.Username(), config.Database.Password()),
+		VerifyDatabase(config.Database.DatabaseName()),
+		VerifyGrant(config.Database.DatabaseName(), config.Database.Username()),
+	)
+	logging.OnError(err).Fatal("unable to initialize the database")
+
+	err = verifyZitadel(ctx, config.Database)
+	logging.OnError(err).Fatal("unable to initialize ZITADEL")
+}
+
+func initialise(ctx context.Context, config database.Config, steps ...func(context.Context, *database.DB) error) error {
+	logging.Info("initialization started")
+
+	err := ReadStmts()
+	if err != nil {
+		return err
+	}
+
+	db, err := database.Connect(config, true)
+	if err != nil {
+		return err
+	}
+	defer db.Close()
+
+	return Init(ctx, db, steps...)
+}
+
+func Init(ctx context.Context, db *database.DB, steps ...func(context.Context, *database.DB) error) error {
+	for _, step := range steps {
+		if err := step(ctx, db); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func ReadStmts() (err error) {
+	createUserStmt, err = readStmt("01_user")
+	if err != nil {
+		return err
+	}
+
+	databaseStmt, err = readStmt("02_database")
+	if err != nil {
+		return err
+	}
+
+	grantStmt, err = readStmt("03_grant_user")
+	if err != nil {
+		return err
+	}
+
+	createEventstoreStmt, err = readStmt("04_eventstore")
+	if err != nil {
+		return err
+	}
+
+	createProjectionsStmt, err = readStmt("05_projections")
+	if err != nil {
+		return err
+	}
+
+	createSystemStmt, err = readStmt("06_system")
+	if err != nil {
+		return err
+	}
+
+	createEncryptionKeysStmt, err = readStmt("07_encryption_keys_table")
+	if err != nil {
+		return err
+	}
+
+	createEventsStmt, err = readStmt("08_events_table")
+	if err != nil {
+		return err
+	}
+
+	createUniqueConstraints, err = readStmt("10_unique_constraints_table")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func readStmt(step string) (string, error) {
+	stmt, err := stmts.ReadFile("sql/" + step + ".sql")
+	return string(stmt), err
+}
--- a/apps/api/cmd/initialise/init_test.go
+++ b/apps/api/cmd/initialise/init_test.go
@@ -0,0 +1,86 @@
+package initialise
+
+import (
+	"database/sql/driver"
+	"regexp"
+	"testing"
+
+	"github.com/DATA-DOG/go-sqlmock"
+
+	"github.com/zitadel/zitadel/internal/database"
+	db_mock "github.com/zitadel/zitadel/internal/database/mock"
+)
+
+type db struct {
+	mock sqlmock.Sqlmock
+	db   *database.DB
+}
+
+func prepareDB(t *testing.T, expectations ...expectation) db {
+	t.Helper()
+	client, mock, err := sqlmock.New(sqlmock.ValueConverterOption(new(db_mock.TypeConverter)))
+	if err != nil {
+		t.Fatalf("unable to create sql mock: %v", err)
+	}
+	for _, expectation := range expectations {
+		expectation(mock)
+	}
+	return db{
+		mock: mock,
+		db:   &database.DB{DB: client},
+	}
+}
+
+type expectation func(m sqlmock.Sqlmock)
+
+func expectExec(stmt string, err error, args ...driver.Value) expectation {
+	return func(m sqlmock.Sqlmock) {
+		query := m.ExpectExec(regexp.QuoteMeta(stmt)).WithArgs(args...)
+		if err != nil {
+			query.WillReturnError(err)
+			return
+		}
+		query.WillReturnResult(sqlmock.NewResult(1, 1))
+	}
+}
+
+func expectQuery(stmt string, err error, columns []string, rows [][]driver.Value, args ...driver.Value) expectation {
+	return func(m sqlmock.Sqlmock) {
+		res := m.NewRows(columns)
+		for _, row := range rows {
+			res.AddRow(row...)
+		}
+		query := m.ExpectQuery(regexp.QuoteMeta(stmt)).WithArgs(args...).WillReturnRows(res)
+		if err != nil {
+			query.WillReturnError(err)
+			return
+		}
+	}
+}
+
+func expectBegin(err error) expectation {
+	return func(m sqlmock.Sqlmock) {
+		query := m.ExpectBegin()
+		if err != nil {
+			query.WillReturnError(err)
+		}
+	}
+}
+
+func expectCommit(err error) expectation {
+	return func(m sqlmock.Sqlmock) {
+		query := m.ExpectCommit()
+		if err != nil {
+			query.WillReturnError(err)
+		}
+	}
+}
+
+func expectRollback(err error) expectation {
+	return func(m sqlmock.Sqlmock) {
+		query := m.ExpectRollback()
+		if err != nil {
+			query.WillReturnError(err)
+		}
+	}
+}
--- a/apps/api/cmd/initialise/sql/01_user.sql
+++ b/apps/api/cmd/initialise/sql/01_user.sql
@@ -0,0 +1,2 @@
+-- replace %[1]s with the name of the user
+CREATE USER "%[1]s"
--- a/apps/api/cmd/initialise/sql/02_database.sql
+++ b/apps/api/cmd/initialise/sql/02_database.sql
@@ -0,0 +1,2 @@
+-- replace %[1]s with the name of the database
+CREATE DATABASE "%[1]s"
--- a/apps/api/cmd/initialise/sql/03_grant_user.sql
+++ b/apps/api/cmd/initialise/sql/03_grant_user.sql
@@ -0,0 +1,3 @@
+-- replace the first %[1]s with the database
+-- replace the second \%[2]s with the user
+GRANT ALL ON DATABASE "%[1]s" TO "%[2]s";
--- a/apps/api/cmd/initialise/sql/04_eventstore.sql
+++ b/apps/api/cmd/initialise/sql/04_eventstore.sql
@@ -0,0 +1,3 @@
+CREATE SCHEMA IF NOT EXISTS eventstore;
+
+GRANT ALL ON ALL TABLES IN SCHEMA eventstore TO "%[1]s";
--- a/apps/api/cmd/initialise/sql/05_projections.sql
+++ b/apps/api/cmd/initialise/sql/05_projections.sql
@@ -0,0 +1,3 @@
+CREATE SCHEMA IF NOT EXISTS projections;
+
+GRANT ALL ON ALL TABLES IN SCHEMA projections TO "%[1]s";
--- a/apps/api/cmd/initialise/sql/06_system.sql
+++ b/apps/api/cmd/initialise/sql/06_system.sql
@@ -0,0 +1,3 @@
+CREATE SCHEMA IF NOT EXISTS system;
+
+GRANT ALL ON ALL TABLES IN SCHEMA system TO "%[1]s";
--- a/apps/api/cmd/initialise/sql/07_encryption_keys_table.sql
+++ b/apps/api/cmd/initialise/sql/07_encryption_keys_table.sql
@@ -0,0 +1,6 @@
+CREATE TABLE IF NOT EXISTS system.encryption_keys (
+	id TEXT NOT NULL
+	, key TEXT NOT NULL
+
+	, PRIMARY KEY (id)
+);
--- a/apps/api/cmd/initialise/sql/08_events_table.sql
+++ b/apps/api/cmd/initialise/sql/08_events_table.sql
@@ -0,0 +1,121 @@
+CREATE TABLE IF NOT EXISTS eventstore.events2 (
+    instance_id TEXT NOT NULL
+    , aggregate_type TEXT NOT NULL
+    , aggregate_id TEXT NOT NULL
+    
+    , event_type TEXT NOT NULL
+    , "sequence" BIGINT NOT NULL
+    , revision SMALLINT NOT NULL
+    , created_at TIMESTAMPTZ NOT NULL
+    , payload JSONB
+    , creator TEXT NOT NULL
+    , "owner" TEXT NOT NULL
+    
+    , "position" DECIMAL NOT NULL
+    , in_tx_order INTEGER NOT NULL
+
+    , PRIMARY KEY (instance_id, aggregate_type, aggregate_id, "sequence")
+);
+
+CREATE INDEX IF NOT EXISTS es_active_instances ON eventstore.events2 (created_at DESC, instance_id);
+CREATE INDEX IF NOT EXISTS es_wm ON eventstore.events2 (aggregate_id, instance_id, aggregate_type, event_type);
+CREATE INDEX IF NOT EXISTS es_projection ON eventstore.events2 (instance_id, aggregate_type, event_type, "position");
+
+-- represents an event to be created.
+DO $$ BEGIN
+    CREATE TYPE eventstore.command AS (
+        instance_id TEXT
+        , aggregate_type TEXT
+        , aggregate_id TEXT
+        , command_type TEXT
+        , revision INT2
+        , payload JSONB
+        , creator TEXT
+        , owner TEXT
+    );
+EXCEPTION
+    WHEN duplicate_object THEN null;
+END $$;
+
+CREATE OR REPLACE FUNCTION eventstore.commands_to_events(commands eventstore.command[]) RETURNS SETOF eventstore.events2 VOLATILE AS $$
+SELECT
+    c.instance_id
+    , c.aggregate_type
+    , c.aggregate_id
+    , c.command_type AS event_type
+    , cs.sequence + ROW_NUMBER() OVER (PARTITION BY c.instance_id, c.aggregate_type, c.aggregate_id ORDER BY c.in_tx_order) AS sequence
+    , c.revision
+    , NOW() AS created_at
+    , c.payload
+    , c.creator
+    , cs.owner
+    , EXTRACT(EPOCH FROM NOW()) AS position
+    , c.in_tx_order
+FROM (
+    SELECT
+        c.instance_id
+        , c.aggregate_type
+        , c.aggregate_id
+        , c.command_type
+        , c.revision
+        , c.payload
+        , c.creator
+        , c.owner
+        , ROW_NUMBER() OVER () AS in_tx_order
+    FROM
+        UNNEST(commands) AS c
+) AS c
+JOIN (
+    SELECT
+        cmds.instance_id
+        , cmds.aggregate_type
+        , cmds.aggregate_id
+        , CASE WHEN (e.owner IS NOT NULL OR e.owner <> '') THEN e.owner ELSE command_owners.owner END AS owner
+        , COALESCE(MAX(e.sequence), 0) AS sequence
+    FROM (
+        SELECT DISTINCT
+            instance_id
+            , aggregate_type
+            , aggregate_id
+            , owner
+        FROM UNNEST(commands)
+    ) AS cmds
+    LEFT JOIN eventstore.events2 AS e
+        ON cmds.instance_id = e.instance_id
+        AND cmds.aggregate_type = e.aggregate_type
+        AND cmds.aggregate_id = e.aggregate_id
+    JOIN (
+        SELECT
+            DISTINCT ON (
+                instance_id
+                , aggregate_type
+                , aggregate_id
+            )
+            instance_id
+            , aggregate_type
+            , aggregate_id
+            , owner
+        FROM
+            UNNEST(commands)
+    ) AS command_owners ON
+        cmds.instance_id = command_owners.instance_id
+        AND cmds.aggregate_type = command_owners.aggregate_type
+        AND cmds.aggregate_id = command_owners.aggregate_id
+    GROUP BY
+        cmds.instance_id
+        , cmds.aggregate_type
+        , cmds.aggregate_id
+        , 4 -- owner
+) AS cs
+    ON c.instance_id = cs.instance_id
+    AND c.aggregate_type = cs.aggregate_type
+    AND c.aggregate_id = cs.aggregate_id
+ORDER BY
+    in_tx_order;
+$$ LANGUAGE SQL;
+
+CREATE OR REPLACE FUNCTION eventstore.push(commands eventstore.command[]) RETURNS SETOF eventstore.events2 VOLATILE AS $$
+INSERT INTO eventstore.events2
+SELECT * FROM eventstore.commands_to_events(commands)
+RETURNING *
+$$ LANGUAGE SQL;
--- a/apps/api/cmd/initialise/sql/10_unique_constraints_table.sql
+++ b/apps/api/cmd/initialise/sql/10_unique_constraints_table.sql
@@ -0,0 +1,6 @@
+CREATE TABLE IF NOT EXISTS eventstore.unique_constraints (
+    instance_id TEXT,
+    unique_type TEXT,
+    unique_field TEXT,
+    PRIMARY KEY (instance_id, unique_type, unique_field)
+);
--- a/apps/api/cmd/initialise/sql/README.md
+++ b/apps/api/cmd/initialise/sql/README.md
@@ -0,0 +1,15 @@
+# SQL initialisation
+
+The sql-files in this folder initialize the ZITADEL database and user. These objects need to exist before ZITADEL is able to set and start up.
+
+## files
+
+- 01_user.sql: create the user zitadel uses to connect to the database
+- 02_database.sql: create the database for zitadel
+- 03_grant_user.sql: grants the user created before to have full access to its database. The user needs full access to the database because zitadel makes ddl/dml on runtime
+- 04_eventstore.sql: creates the schema needed for eventsourcing
+- 05_projections.sql: creates the schema needed to read the data
+- 06_system.sql: creates the schema needed for ZITADEL itself
+- 07_encryption_keys_table.sql: creates the table for encryption keys (for event data)
+- 08_events_table.sql creates the table for eventsourcing
+- 10_unique_constraints_table.sql creates the table to check unique constraints for events
--- a/apps/api/cmd/initialise/verify_database.go
+++ b/apps/api/cmd/initialise/verify_database.go
@@ -0,0 +1,44 @@
+package initialise
+
+import (
+	"context"
+	_ "embed"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+func newDatabase() *cobra.Command {
+	return &cobra.Command{
+		Use:   "database",
+		Short: "initialize only the database",
+		Long: `Sets up the ZITADEL database.
+
+Prerequisites:
+- postgreSQL
+
+The user provided by flags needs privileges to 
+- create the database if it does not exist
+- see other users and create a new one if the user does not exist
+- grant all rights of the ZITADEL database to the user created if not yet set
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.GetViper())
+
+			err := initialise(cmd.Context(), config.Database, VerifyDatabase(config.Database.DatabaseName()))
+			logging.OnError(err).Fatal("unable to initialize the database")
+		},
+	}
+}
+
+func VerifyDatabase(databaseName string) func(context.Context, *database.DB) error {
+	return func(ctx context.Context, db *database.DB) error {
+		logging.WithFields("database", databaseName).Info("verify database")
+
+		return exec(ctx, db, fmt.Sprintf(databaseStmt, databaseName), []string{dbAlreadyExistsCode})
+	}
+}
--- a/apps/api/cmd/initialise/verify_database_test.go
+++ b/apps/api/cmd/initialise/verify_database_test.go
@@ -0,0 +1,67 @@
+package initialise
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"testing"
+)
+
+func Test_verifyDB(t *testing.T) {
+	err := ReadStmts()
+	if err != nil {
+		t.Errorf("unable to read stmts: %v", err)
+		t.FailNow()
+	}
+
+	type args struct {
+		db       db
+		database string
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "doesn't exists, create fails",
+			args: args{
+				db: prepareDB(t,
+					expectExec("-- replace zitadel with the name of the database\nCREATE DATABASE \"zitadel\"", sql.ErrTxDone),
+				),
+				database: "zitadel",
+			},
+			targetErr: sql.ErrTxDone,
+		},
+		{
+			name: "doesn't exists, create successful",
+			args: args{
+				db: prepareDB(t,
+					expectExec("-- replace zitadel with the name of the database\nCREATE DATABASE \"zitadel\"", nil),
+				),
+				database: "zitadel",
+			},
+			targetErr: nil,
+		},
+		{
+			name: "already exists",
+			args: args{
+				db: prepareDB(t,
+					expectExec("-- replace zitadel with the name of the database\nCREATE DATABASE \"zitadel\"", nil),
+				),
+				database: "zitadel",
+			},
+			targetErr: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := VerifyDatabase(tt.args.database)(context.Background(), tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("verifyDB() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
--- a/apps/api/cmd/initialise/verify_grant.go
+++ b/apps/api/cmd/initialise/verify_grant.go
@@ -0,0 +1,39 @@
+package initialise
+
+import (
+	"context"
+	_ "embed"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+func newGrant() *cobra.Command {
+	return &cobra.Command{
+		Use:   "grant",
+		Short: "set ALL grant to user",
+		Long: `Sets ALL grant to the database user.
+
+Prerequisites:
+- postgreSQL
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.GetViper())
+
+			err := initialise(cmd.Context(), config.Database, VerifyGrant(config.Database.DatabaseName(), config.Database.Username()))
+			logging.OnError(err).Fatal("unable to set grant")
+		},
+	}
+}
+
+func VerifyGrant(databaseName, username string) func(context.Context, *database.DB) error {
+	return func(ctx context.Context, db *database.DB) error {
+		logging.WithFields("user", username, "database", databaseName).Info("verify grant")
+
+		return exec(ctx, db, fmt.Sprintf(grantStmt, databaseName, username), nil)
+	}
+}
--- a/apps/api/cmd/initialise/verify_grant_test.go
+++ b/apps/api/cmd/initialise/verify_grant_test.go
@@ -0,0 +1,65 @@
+package initialise
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"testing"
+)
+
+func Test_verifyGrant(t *testing.T) {
+	type args struct {
+		db       db
+		database string
+		username string
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "doesn't exists, create fails",
+			args: args{
+				db: prepareDB(t,
+					expectExec("GRANT ALL ON DATABASE \"zitadel\" TO \"zitadel-user\"", sql.ErrTxDone),
+				),
+				database: "zitadel",
+				username: "zitadel-user",
+			},
+			targetErr: sql.ErrTxDone,
+		},
+		{
+			name: "correct",
+			args: args{
+				db: prepareDB(t,
+					expectExec("GRANT ALL ON DATABASE \"zitadel\" TO \"zitadel-user\"", nil),
+				),
+				database: "zitadel",
+				username: "zitadel-user",
+			},
+			targetErr: nil,
+		},
+		{
+			name: "already exists",
+			args: args{
+				db: prepareDB(t,
+					expectExec("GRANT ALL ON DATABASE \"zitadel\" TO \"zitadel-user\"", nil),
+				),
+				database: "zitadel",
+				username: "zitadel-user",
+			},
+			targetErr: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := VerifyGrant(tt.args.database, tt.args.username)(context.Background(), tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("VerifyGrant() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
--- a/apps/api/cmd/initialise/verify_user.go
+++ b/apps/api/cmd/initialise/verify_user.go
@@ -0,0 +1,48 @@
+package initialise
+
+import (
+	"context"
+	_ "embed"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+func newUser() *cobra.Command {
+	return &cobra.Command{
+		Use:   "user",
+		Short: "initialize only the database user",
+		Long: `Sets up the ZITADEL database user.
+
+Prerequisites:
+- postgreSQL
+
+The user provided by flags needs privileges to 
+- create the database if it does not exist
+- see other users and create a new one if the user does not exist
+- grant all rights of the ZITADEL database to the user created if not yet set
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.GetViper())
+
+			err := initialise(cmd.Context(), config.Database, VerifyUser(config.Database.Username(), config.Database.Password()))
+			logging.OnError(err).Fatal("unable to init user")
+		},
+	}
+}
+
+func VerifyUser(username, password string) func(context.Context, *database.DB) error {
+	return func(ctx context.Context, db *database.DB) error {
+		logging.WithFields("username", username).Info("verify user")
+
+		if password != "" {
+			createUserStmt += " WITH PASSWORD '" + password + "'"
+		}
+
+		return exec(ctx, db, fmt.Sprintf(createUserStmt, username), []string{roleAlreadyExistsCode})
+	}
+}
--- a/apps/api/cmd/initialise/verify_user_test.go
+++ b/apps/api/cmd/initialise/verify_user_test.go
@@ -0,0 +1,82 @@
+package initialise
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"testing"
+)
+
+func Test_verifyUser(t *testing.T) {
+	err := ReadStmts()
+	if err != nil {
+		t.Errorf("unable to read stmts: %v", err)
+		t.FailNow()
+	}
+
+	type args struct {
+		db       db
+		username string
+		password string
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "doesn't exists, create fails",
+			args: args{
+				db: prepareDB(t,
+					expectExec("-- replace zitadel-user with the name of the user\nCREATE USER \"zitadel-user\"", sql.ErrTxDone),
+				),
+				username: "zitadel-user",
+				password: "",
+			},
+			targetErr: sql.ErrTxDone,
+		},
+		{
+			name: "correct without password",
+			args: args{
+				db: prepareDB(t,
+					expectExec("-- replace zitadel-user with the name of the user\nCREATE USER \"zitadel-user\"", nil),
+				),
+				username: "zitadel-user",
+				password: "",
+			},
+			targetErr: nil,
+		},
+		{
+			name: "correct with password",
+			args: args{
+				db: prepareDB(t,
+					expectExec("-- replace zitadel-user with the name of the user\nCREATE USER \"zitadel-user\" WITH PASSWORD 'password'", nil),
+				),
+				username: "zitadel-user",
+				password: "password",
+			},
+			targetErr: nil,
+		},
+		{
+			name: "already exists",
+			args: args{
+				db: prepareDB(t,
+					expectExec("-- replace zitadel-user with the name of the user\nCREATE USER \"zitadel-user\" WITH PASSWORD 'password'", nil),
+				),
+				username: "zitadel-user",
+				password: "",
+			},
+			targetErr: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := VerifyUser(tt.args.username, tt.args.password)(context.Background(), tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("VerifyGrant() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
--- a/apps/api/cmd/initialise/verify_zitadel.go
+++ b/apps/api/cmd/initialise/verify_zitadel.go
@@ -0,0 +1,136 @@
+package initialise
+
+import (
+	"context"
+	"database/sql"
+	_ "embed"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+	es_v3 "github.com/zitadel/zitadel/internal/eventstore/v3"
+)
+
+func newZitadel() *cobra.Command {
+	return &cobra.Command{
+		Use:   "zitadel",
+		Short: "initialize ZITADEL internals",
+		Long: `initialize ZITADEL internals.
+
+Prerequisites:
+- postgreSQL with user and database
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.GetViper())
+			err := verifyZitadel(cmd.Context(), config.Database)
+			logging.OnError(err).Fatal("unable to init zitadel")
+		},
+	}
+}
+
+func VerifyZitadel(ctx context.Context, db *database.DB, config database.Config) error {
+	err := ReadStmts()
+	if err != nil {
+		return err
+	}
+
+	conn, err := db.Conn(ctx)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	logging.WithFields().Info("verify system")
+	if err := exec(ctx, conn, fmt.Sprintf(createSystemStmt, config.Username()), nil); err != nil {
+		return err
+	}
+
+	logging.WithFields().Info("verify encryption keys")
+	if err := createEncryptionKeys(ctx, conn); err != nil {
+		return err
+	}
+
+	logging.WithFields().Info("verify projections")
+	if err := exec(ctx, conn, fmt.Sprintf(createProjectionsStmt, config.Username()), nil); err != nil {
+		return err
+	}
+
+	logging.WithFields().Info("verify eventstore")
+	if err := exec(ctx, conn, fmt.Sprintf(createEventstoreStmt, config.Username()), nil); err != nil {
+		return err
+	}
+
+	logging.WithFields().Info("verify events tables")
+	if err := createEvents(ctx, conn); err != nil {
+		return err
+	}
+
+	logging.WithFields().Info("verify unique constraints")
+	if err := exec(ctx, conn, createUniqueConstraints, nil); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func verifyZitadel(ctx context.Context, config database.Config) error {
+	logging.WithFields("database", config.DatabaseName()).Info("verify zitadel")
+
+	db, err := database.Connect(config, false)
+	if err != nil {
+		return err
+	}
+
+	if err := VerifyZitadel(ctx, db, config); err != nil {
+		return err
+	}
+
+	return db.Close()
+}
+
+func createEncryptionKeys(ctx context.Context, db database.Beginner) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+	if _, err = tx.Exec(createEncryptionKeysStmt); err != nil {
+		rollbackErr := tx.Rollback()
+		logging.OnError(rollbackErr).Error("rollback failed")
+		return err
+	}
+
+	return tx.Commit()
+}
+
+func createEvents(ctx context.Context, conn *sql.Conn) (err error) {
+	tx, err := conn.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err != nil {
+			rollbackErr := tx.Rollback()
+			logging.OnError(rollbackErr).Error("rollback failed")
+			return
+		}
+		err = tx.Commit()
+	}()
+
+	// if events already exists events2 is created during a setup job
+	var count int
+	row := tx.QueryRow("SELECT count(*) FROM information_schema.tables WHERE table_schema = 'eventstore' AND table_name like 'events%'")
+	if err = row.Scan(&count); err != nil {
+		return err
+	}
+	if row.Err() != nil || count >= 1 {
+		return row.Err()
+	}
+	_, err = tx.Exec(createEventsStmt)
+	if err != nil {
+		return err
+	}
+	return es_v3.CheckExecutionPlan(ctx, conn)
+}
--- a/apps/api/cmd/initialise/verify_zitadel_test.go
+++ b/apps/api/cmd/initialise/verify_zitadel_test.go
@@ -0,0 +1,177 @@
+package initialise
+
+import (
+	"context"
+	"database/sql"
+	"database/sql/driver"
+	"errors"
+	"testing"
+)
+
+func Test_verifyEvents(t *testing.T) {
+	err := ReadStmts()
+	if err != nil {
+		t.Errorf("unable to read stmts: %v", err)
+		t.FailNow()
+	}
+
+	type args struct {
+		db db
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "unable to begin",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(sql.ErrConnDone),
+				),
+			},
+			targetErr: sql.ErrConnDone,
+		},
+		{
+			name: "events already exists",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectQuery(
+						"SELECT count(*) FROM information_schema.tables WHERE table_schema = 'eventstore' AND table_name like 'events%'",
+						nil,
+						[]string{"count"},
+						[][]driver.Value{
+							{1},
+						},
+					),
+					expectCommit(nil),
+				),
+			},
+		},
+		{
+			name: "events and events2 already exists",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectQuery(
+						"SELECT count(*) FROM information_schema.tables WHERE table_schema = 'eventstore' AND table_name like 'events%'",
+						nil,
+						[]string{"count"},
+						[][]driver.Value{
+							{2},
+						},
+					),
+					expectCommit(nil),
+				),
+			},
+		},
+		{
+			name: "create table fails",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectQuery(
+						"SELECT count(*) FROM information_schema.tables WHERE table_schema = 'eventstore' AND table_name like 'events%'",
+						nil,
+						[]string{"count"},
+						[][]driver.Value{
+							{0},
+						},
+					),
+					expectExec(createEventsStmt, sql.ErrNoRows),
+					expectRollback(nil),
+				),
+			},
+			targetErr: sql.ErrNoRows,
+		},
+		{
+			name: "correct",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectQuery(
+						"SELECT count(*) FROM information_schema.tables WHERE table_schema = 'eventstore' AND table_name like 'events%'",
+						nil,
+						[]string{"count"},
+						[][]driver.Value{
+							{0},
+						},
+					),
+					expectExec(createEventsStmt, nil),
+					expectCommit(nil),
+				),
+			},
+			targetErr: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			conn, err := tt.args.db.db.Conn(context.Background())
+			if err != nil {
+				t.Error(err)
+				return
+			}
+			if err := createEvents(context.Background(), conn); !errors.Is(err, tt.targetErr) {
+				t.Errorf("createEvents() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
+
+func Test_verifyEncryptionKeys(t *testing.T) {
+	type args struct {
+		db db
+	}
+	tests := []struct {
+		name      string
+		args      args
+		targetErr error
+	}{
+		{
+			name: "unable to begin",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(sql.ErrConnDone),
+				),
+			},
+			targetErr: sql.ErrConnDone,
+		},
+		{
+			name: "create table fails",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectExec(createEncryptionKeysStmt, sql.ErrNoRows),
+					expectRollback(nil),
+				),
+			},
+			targetErr: sql.ErrNoRows,
+		},
+		{
+			name: "correct",
+			args: args{
+				db: prepareDB(t,
+					expectBegin(nil),
+					expectExec(createEncryptionKeysStmt, nil),
+					expectCommit(nil),
+				),
+			},
+			targetErr: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := createEncryptionKeys(context.Background(), tt.args.db.db); !errors.Is(err, tt.targetErr) {
+				t.Errorf("createEvents() error = %v, want: %v", err, tt.targetErr)
+			}
+			if err := tt.args.db.mock.ExpectationsWereMet(); err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}