feat: Merge master (#1260)

* chore(site): dependabot deps (#1148)

* chore(deps): bump highlight.js from 10.4.1 to 10.5.0 in /site (#1143)

Bumps [highlight.js](https://github.com/highlightjs/highlight.js) from 10.4.1 to 10.5.0.
- [Release notes](https://github.com/highlightjs/highlight.js/releases)
- [Changelog](https://github.com/highlightjs/highlight.js/blob/master/CHANGES.md)
- [Commits](https://github.com/highlightjs/highlight.js/compare/10.4.1...10.5.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/plugin-transform-runtime in /site (#1144)

Bumps [@babel/plugin-transform-runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-runtime) from 7.12.1 to 7.12.10.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.10/packages/babel-plugin-transform-runtime)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump sirv from 1.0.7 to 1.0.10 in /site (#1145)

Bumps [sirv](https://github.com/lukeed/sirv) from 1.0.7 to 1.0.10.
- [Release notes](https://github.com/lukeed/sirv/releases)
- [Commits](https://github.com/lukeed/sirv/compare/v1.0.7...v1.0.10)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump rollup from 2.34.0 to 2.35.1 in /site (#1142)

Bumps [rollup](https://github.com/rollup/rollup) from 2.34.0 to 2.35.1.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rollup/rollup/compare/v2.34.0...v2.35.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @rollup/plugin-node-resolve in /site (#1141)

Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins) from 10.0.0 to 11.0.1.
- [Release notes](https://github.com/rollup/plugins/releases)
- [Commits](https://github.com/rollup/plugins/compare/node-resolve-v10.0.0...commonjs-v11.0.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump marked from 1.2.5 to 1.2.7 in /site (#1140)

Bumps [marked](https://github.com/markedjs/marked) from 1.2.5 to 1.2.7.
- [Release notes](https://github.com/markedjs/marked/releases)
- [Changelog](https://github.com/markedjs/marked/blob/master/release.config.js)
- [Commits](https://github.com/markedjs/marked/compare/v1.2.5...v1.2.7)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/core from 7.12.9 to 7.12.10 in /site (#1139)

Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.12.9 to 7.12.10.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.10/packages/babel-core)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump rollup-plugin-svelte from 6.1.1 to 7.0.0 in /site (#1138)

Bumps [rollup-plugin-svelte](https://github.com/sveltejs/rollup-plugin-svelte) from 6.1.1 to 7.0.0.
- [Release notes](https://github.com/sveltejs/rollup-plugin-svelte/releases)
- [Changelog](https://github.com/sveltejs/rollup-plugin-svelte/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/rollup-plugin-svelte/compare/v6.1.1...v7.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/preset-env from 7.12.1 to 7.12.11 in /site (#1137)

Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.12.1 to 7.12.11.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.11/packages/babel-preset-env)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* downgrade svelte plugin

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(console): dependabot deps (#1147)

* chore(deps-dev): bump @types/node from 14.14.13 to 14.14.19 in /console (#1146)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.13 to 14.14.19.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump ts-protoc-gen from 0.13.0 to 0.14.0 in /console (#1129)

Bumps [ts-protoc-gen](https://github.com/improbable-eng/ts-protoc-gen) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/improbable-eng/ts-protoc-gen/releases)
- [Changelog](https://github.com/improbable-eng/ts-protoc-gen/blob/master/CHANGELOG.md)
- [Commits](https://github.com/improbable-eng/ts-protoc-gen/compare/0.13.0...0.14.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/language-service in /console (#1128)

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.0.4 to 11.0.5.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.0.5/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/cli from 11.0.4 to 11.0.5 in /console (#1127)

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.0.4 to 11.0.5.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.0.4...v11.0.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular-devkit/build-angular in /console (#1126)

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1100.4 to 0.1100.5.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* audit

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: e-mail templates (#1158)

* View definition added

* Get templates and texts from the database.

* Fill in texts in templates

* Fill in texts in templates

* Client API added

* Weekly backup

* Weekly backup

* Daily backup

* Weekly backup

* Tests added

* Corrections from merge branch

* Fixes from pull request review

* chore(console): dependencies (#1189)

* chore(deps-dev): bump @angular/language-service in /console (#1187)

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.0.5 to 11.0.9.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.0.9/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump google-proto-files from 2.3.0 to 2.4.0 in /console (#1186)

Bumps [google-proto-files](https://github.com/googleapis/nodejs-proto-files) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/googleapis/nodejs-proto-files/releases)
- [Changelog](https://github.com/googleapis/nodejs-proto-files/blob/master/CHANGELOG.md)
- [Commits](https://github.com/googleapis/nodejs-proto-files/compare/v2.3.0...v2.4.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @types/node from 14.14.19 to 14.14.21 in /console (#1185)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.19 to 14.14.21.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/cli from 11.0.5 to 11.0.7 in /console (#1184)

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.0.5 to 11.0.7.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.0.5...v11.0.7)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump karma from 5.2.3 to 6.0.0 in /console (#1183)

Bumps [karma](https://github.com/karma-runner/karma) from 5.2.3 to 6.0.0.
- [Release notes](https://github.com/karma-runner/karma/releases)
- [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
- [Commits](https://github.com/karma-runner/karma/compare/v5.2.3...v6.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular-devkit/build-angular in /console (#1182)

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1100.5 to 0.1100.7.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(console): trigger unauthenticated dialog only once (#1170)

* fix: trigger dialog once

* remove log

* typed trigger

* chore(console): dependencies (#1205)

* chore(deps-dev): bump stylelint from 13.8.0 to 13.9.0 in /console (#1204)

Bumps [stylelint](https://github.com/stylelint/stylelint) from 13.8.0 to 13.9.0.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/stylelint/stylelint/compare/13.8.0...13.9.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/language-service in /console (#1203)

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.0.9 to 11.1.0.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.1.0/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump karma from 6.0.0 to 6.0.1 in /console (#1202)

Bumps [karma](https://github.com/karma-runner/karma) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/karma-runner/karma/releases)
- [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
- [Commits](https://github.com/karma-runner/karma/compare/v6.0.0...v6.0.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/cli from 11.0.7 to 11.1.1 in /console (#1201)

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.0.7 to 11.1.1.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.0.7...v11.1.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @types/jasmine from 3.6.2 to 3.6.3 in /console (#1200)

Bumps [@types/jasmine](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jasmine) from 3.6.2 to 3.6.3.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jasmine)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* chore(deps-dev): bump @types/node from 14.14.21 to 14.14.22 in /console (#1199)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.21 to 14.14.22.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular-devkit/build-angular in /console (#1198)

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1100.7 to 0.1101.1.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* chore(deps): bump angularx-qrcode from 10.0.11 to 11.0.0 in /console (#1197)

Bumps [angularx-qrcode](https://github.com/cordobo/angularx-qrcode) from 10.0.11 to 11.0.0.
- [Release notes](https://github.com/cordobo/angularx-qrcode/releases)
- [Commits](https://github.com/cordobo/angularx-qrcode/compare/10.0.11...11.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix pack lock

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: handle sequence correctly in subscription (#1209)

* fix: correct master after merges again (#1230)

* chore(docs): correct `iss` claim of jwt profile (#1229)

* core(docs): correct `iss` claim of jwt profile

* fix: correct master after merges again (#1230)

* feat(login): new palette based styles (#1149)

* chore(deps-dev): bump rollup from 2.33.2 to 2.34.0 in /site (#1040)

Bumps [rollup](https://github.com/rollup/rollup) from 2.33.2 to 2.34.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rollup/rollup/compare/v2.33.2...v2.34.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump svelte-i18n from 3.2.5 to 3.3.0 in /site (#1039)

Bumps [svelte-i18n](https://github.com/kaisermann/svelte-i18n) from 3.2.5 to 3.3.0.
- [Release notes](https://github.com/kaisermann/svelte-i18n/releases)
- [Changelog](https://github.com/kaisermann/svelte-i18n/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kaisermann/svelte-i18n/compare/v3.2.5...v3.3.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @rollup/plugin-url from 5.0.1 to 6.0.0 in /site (#1038)

Bumps [@rollup/plugin-url](https://github.com/rollup/plugins) from 5.0.1 to 6.0.0.
- [Release notes](https://github.com/rollup/plugins/releases)
- [Commits](https://github.com/rollup/plugins/compare/url-v5.0.1...url-v6.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump svelte from 3.29.7 to 3.30.1 in /site (#1037)

Bumps [svelte](https://github.com/sveltejs/svelte) from 3.29.7 to 3.30.1.
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/compare/v3.29.7...v3.30.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump marked from 1.2.4 to 1.2.5 in /site (#1036)

Bumps [marked](https://github.com/markedjs/marked) from 1.2.4 to 1.2.5.
- [Release notes](https://github.com/markedjs/marked/releases)
- [Changelog](https://github.com/markedjs/marked/blob/master/release.config.js)
- [Commits](https://github.com/markedjs/marked/compare/v1.2.4...v1.2.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/core from 7.12.3 to 7.12.9 in /site (#1035)

Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.12.3 to 7.12.9.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.9/packages/babel-core)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump rollup-plugin-svelte from 6.1.1 to 7.0.0 in /site (#1034)

Bumps [rollup-plugin-svelte](https://github.com/sveltejs/rollup-plugin-svelte) from 6.1.1 to 7.0.0.
- [Release notes](https://github.com/sveltejs/rollup-plugin-svelte/releases)
- [Changelog](https://github.com/sveltejs/rollup-plugin-svelte/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/rollup-plugin-svelte/compare/v6.1.1...v7.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @rollup/plugin-commonjs in /site (#1033)

Bumps [@rollup/plugin-commonjs](https://github.com/rollup/plugins) from 15.1.0 to 17.0.0.
- [Release notes](https://github.com/rollup/plugins/releases)
- [Commits](https://github.com/rollup/plugins/compare/commonjs-v15.1.0...commonjs-v17.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @rollup/plugin-node-resolve in /site (#1032)

Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins) from 10.0.0 to 11.0.0.
- [Release notes](https://github.com/rollup/plugins/releases)
- [Commits](https://github.com/rollup/plugins/compare/node-resolve-v10.0.0...commonjs-v11.0.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @babel/preset-env from 7.12.1 to 7.12.7 in /site (#1031)

Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.12.1 to 7.12.7.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.12.7/packages/babel-preset-env)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* go

* bundle files, lgn-color, legacy theme

* remove old references

* light dark context, button styles, zitadel brand

* button theme, edit templates

* typography theme mixins

* input styles, container, extend light dark palette

* footer, palette, container

* container, label, assets, header

* action container, input, typography label, adapt button theme

* a and footer styles, adapt palette

* user log profile, resourcetempurl

* postinstall againnn

* wrochage

* rm local grpc

* button elevation, helper for components

* radio

* radio button mixins, bundle

* qr code styles, secret clipboard, icon pack

* stroked buttons, icon buttons, header action, typography

* fix password policy styles

* account selection

* account selection, lgn avatar

* mocks

* template fixes, animations scss

* checkbox, register temp

* checkbox appr

* fix checkbox, remove input interference

* select theme

* avatar script, user selection, password policy validation fix

* fix formfield state for register and change pwd

* footer, main style, qr code fix, mfa type fix, account sel, checkbox

* fotter tos, user select

* reverse buttons for intial submit action

* theme script, themed error messages, header img source

* content wrapper, i18n, mobile

* emptyline

* idp mixins, fix unstyled html

* register container

* register layout, list themes, policy theme, register org

* massive asset cleanup

* fix source path, add missing icon, fix complexity refs, prefix

* remove material icons, unused assets, fix icon font

* move icon pack

* avatar, contrast theme, error fix

* zitadel css map

* revert go mod

* fix mfa verify actions

* add idp styles

* fix google colors, idp styles

* fix: bugs

* fix register options, google

* fix script, mobile layout

* precompile font selection

* go mod tidy

* assets and cleanup

* input suffix, fix alignment, actions, add progress bar themes

* progress bar mixins, layout fixes

* remove test from loginname

* cleanup comments, scripts

* clear comments

* fix external back button

* fix mfa alignment

* fix actions layout, on dom change listener for suffix

* free tier change, success label

* fix: button font line-height

* remove tabindex

* remove comment

* remove comment

* Update internal/ui/login/handler/password_handler.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Maximilian Peintner <csaq7175@uibk.ac.at>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* chore(console): dependencies (#1233)

* chore(deps-dev): bump @angular-devkit/build-angular in /console (#1214)

Bumps [@angular-devkit/build-angular](https://github.com/angular/angular-cli) from 0.1101.1 to 0.1101.2.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump karma from 6.0.1 to 6.0.3 in /console (#1215)

Bumps [karma](https://github.com/karma-runner/karma) from 6.0.1 to 6.0.3.
- [Release notes](https://github.com/karma-runner/karma/releases)
- [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
- [Commits](https://github.com/karma-runner/karma/compare/v6.0.1...v6.0.3)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/language-service in /console (#1216)

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.1.0 to 11.1.1.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.1.1/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @angular/cli from 11.1.1 to 11.1.2 in /console (#1217)

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.1.1 to 11.1.2.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.1.1...v11.1.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>

* lock

* site deps

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: get email texts with default language (#1238)

* fix(login): mail verification (#1237)

* fix: mail verification

* not block, stroked

* fix: issues of new login ui (#1241)

* fix: i18n of register

* fix: autofocus

* feat(operator): zitadel and database operator (#1208)

* feat(operator): add base for zitadel operator

* fix(operator): changed pipeline to release operator

* fix(operator): fmt with only one parameter

* fix(operator): corrected workflow job name

* fix(zitadelctl): added restore and backuplist command

* fix(zitadelctl): scale for restore

* chore(container): use scratch for deploy container

* fix(zitadelctl): limit image to scratch

* fix(migration): added migration scripts for newer version

* fix(operator): changed handling of kubeconfig in operator logic

* fix(operator): changed handling of secrets in operator logic

* fix(operator): use new version of zitadel

* fix(operator): added path for migrations

* fix(operator): delete doublets of migration scripts

* fix(operator): delete subpaths and integrate logic into init container

* fix(operator): corrected path in dockerfile for local migrations

* fix(operator): added migrations for cockroachdb-secure

* fix(operator): delete logic for ambassador module

* fix(operator): added read and write secret commands

* fix(operator): correct and align operator pipeline with zitadel pipeline

* fix(operator): correct yaml error in operator pipeline

* fix(operator): correct action name in operator pipeline

* fix(operator): correct case-sensitive filename in operator pipeline

* fix(operator): upload artifacts from buildx output

* fix(operator): corrected attribute spelling error

* fix(operator): combined jobs for operator binary and image

* fix(operator): added missing comma in operator pipeline

* fix(operator): added codecov for operator image

* fix(operator): added codecov for operator image

* fix(testing): code changes for testing and several unit-tests (#1009)

* fix(operator): usage of interface of kubernetes client for testing and several unit-tests

* fix(operator): several unit-tests

* fix(operator): several unit-tests

* fix(operator): changed order for the operator logic

* fix(operator): added version of zitadelctl from semantic release

* fix(operator): corrected function call with version of zitadelctl

* fix(operator): corrected function call with version of zitadelctl

* fix(operator): add check output to operator release pipeline

* fix(operator): set --short length everywhere to 12

* fix(operator): zitadel setup in job instead of exec with several unit tests

* fix(operator): fixes to combine newest zitadel and testing branch

* fix(operator): corrected path in Dockerfile

* fix(operator): fixed unit-test that was ignored during changes

* fix(operator): fixed unit-test that was ignored during changes

* fix(operator): corrected Dockerfile to correctly use env variable

* fix(operator): quickfix takeoff deployment

* fix(operator): corrected the clusterrolename in the applied artifacts

* fix: update secure migrations

* fix(operator): migrations (#1057)

* fix(operator): copied migrations from orbos repository

* fix(operator): newest migrations

* chore: use cockroach-secure

* fix: rename migration

* fix: remove insecure cockroach migrations

Co-authored-by: Stefan Benz <stefan@caos.ch>

* fix: finalize labels

* fix(operator): cli logging concurrent and fixe deployment of operator during restore

* fix: finalize labels and cli commands

* fix: restore

* chore: cockroachdb is always secure

* chore: use orbos consistent-labels latest commit

* test: make tests compatible with new labels

* fix: default to sa token for start command

* fix: use cockroachdb v12.02

* fix: don't delete flyway user

* test: fix migration test

* fix: use correct table qualifiers

* fix: don't alter sequence ownership

* fix: upgrade flyway

* fix: change ownership of all dbs and tables to admin user

* fix: change defaultdb user

* fix: treat clientid status codes >= 400 as errors

* fix: reconcile specified ZITADEL version, not binary version

* fix: add ca-certs

* fix: use latest orbos code

* fix: use orbos with fixed race condition

* fix: use latest ORBOS code

* fix: use latest ORBOS code

* fix: make migration and scaling around restoring work

* fix(operator): move zitadel operator

* chore(migrations): include owner change migration

* feat(db): add code base for database operator

* fix(db): change used image registry for database operator

* fix(db): generated mock

* fix(db): add accidentally ignored file

* fix(db): add cockroachdb backup image to pipeline

* fix(db): correct pipeline and image versions

* fix(db): correct version of used orbos

* fix(db): correct database import

* fix(db): go mod tidy

* fix(db): use new version for orbos

* fix(migrations): include migrations into zitadelctl binary (#1211)

* fix(db): use statik to integrate migrations into binary

* fix(migrations): corrections unit tests and pipeline for integrated migrations into zitadelctl binary

* fix(migrations): correction in dockerfile for pipeline build

* fix(migrations): correction in dockerfile for pipeline build

* fix(migrations):  dockerfile changes for cache optimization

* fix(database): correct used part-of label in database operator

* fix(database): correct used selectable label in zitadel operator

* fix(operator): correct lables for user secrets in zitadel operator

* fix(operator): correct lables for service test in zitadel operator

* fix: don't enable database features for user operations (#1227)

* fix: don't enable database features for user operations

* fix: omit database feature for connection info adapter

* fix: use latest orbos version

* fix: update ORBOS (#1240)

Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* Merge branch 'new-eventstore' into cascades

# Conflicts:
#	internal/auth/repository/auth_request.go
#	internal/auth/repository/eventsourcing/eventstore/auth_request.go
#	internal/management/repository/eventsourcing/eventstore/user_grant.go
#	internal/management/repository/user_grant.go
#	internal/ui/login/handler/external_login_handler.go
#	internal/ui/login/handler/external_register_handler.go
#	internal/ui/login/handler/init_password_handler.go
#	internal/ui/login/handler/register_handler.go
#	internal/user/repository/view/model/notify_user.go
#	internal/v2/command/org_policy_login.go
#	internal/v2/command/project.go
#	internal/v2/command/user.go
#	internal/v2/command/user_human.go
#	internal/v2/command/user_human_externalidp.go
#	internal/v2/command/user_human_init.go
#	internal/v2/command/user_human_password.go
#	internal/v2/command/user_human_webauthn.go
#	internal/v2/domain/next_step.go
#	internal/v2/domain/policy_login.go
#	internal/v2/domain/request.go

* chore: add local migrate_local.go again (#1261)

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Michael Waeger <49439088+michaelulrichwaeger@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Maximilian Peintner <csaq7175@uibk.ac.at>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>

.github/dependabot.yml

@@ -17,7 +17,15 @@ updates:
     prefix: chore
     include: scope
 - package-ecosystem: "docker"
-  directory: "/build/"
+  directory: "/build"
+  schedule:
+    interval: "weekly"
+  open-pull-requests-limit: 10
+  commit-message:
+    prefix: chore
+    include: scope
+- package-ecosystem: "docker"
+  directory: "/build/operator"
   schedule:
     interval: "weekly"
   open-pull-requests-limit: 10

.github/workflows/codecov.yml

@@ -19,6 +19,13 @@ jobs:
         key: ${{ runner.os }}-buildx-${{ github.sha }}
         restore-keys: |
           ${{ runner.os }}-buildx-
+    - name: Cache Docker layers
+      uses: actions/cache@v2
+      with:
+        path: /tmp/.buildx-cache-op
+        key: ${{ runner.os }}-buildx-op-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-buildx-op-
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v1
     - name: Set up Docker Buildx
@@ -32,8 +39,18 @@ jobs:
         push: false
         cache-from: type=local,src=/tmp/.buildx-cache
         target: go-codecov
-        outputs: type=local,dest=.
+        outputs: type=local,dest=/tmp/zitadel
+    - uses: docker/build-push-action@v2
+      with:
+        context: .
+        file: ./build/operator/Dockerfile
+        platforms: linux/amd64
+        tags: ${{ env.REGISTRY }}/${{ github.repository }}:coverage
+        push: false
+        cache-from: type=local,src=/tmp/.buildx-cache-op
+        target: go-codecov
+        outputs: type=local,dest=/tmp/operator
     - uses: codecov/codecov-action@v1
       with:
-        file: ./profile.cov
+        files: /tmp/zitadel/profile.cov,/tmp/operator/profile.cov
         name: codecov-go

.github/workflows/operator.yml

@@ -0,0 +1,165 @@
+name: Operator Release
+on: push
+
+env:
+  GITHUB_TOKEN: ${{ secrets.CR_PAT }}
+  REGISTRY: ghcr.io
+  GO_VERSION: '1.15'
+  DOCKER_IMAGE_NAME: ${{ github.repository }}-operator
+  BACKUP_IMAGE_NAME: ${{ github.repository }}-crbackup
+
+jobs:
+  container:
+    runs-on: ubuntu-18.04
+    name: Build ${{ matrix.goos }}-${{ matrix.goarch }}
+    strategy:
+      matrix:
+        goos: [ 'linux', 'darwin', 'windows' ]
+        goarch: [ 'amd64' ]
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v2
+      - name: Set output
+        id: branch
+        run: echo ::set-output name=short_ref::${GITHUB_REF#refs/*/}
+      - name: Semantic Release
+        id: semantic
+        uses: cycjimmy/semantic-release-action@v2
+        with:
+          dry_run: true
+          semantic_version: 17.0.4
+      - name: Set version
+        id: version
+        run: |
+          if ${{ steps.semantic.outputs.new_release_published == 'true' }}; then
+            echo ::set-output name=version::${{ steps.semantic.outputs.new_release_version }}
+          else
+            echo ::set-output name=version::${{ steps.branch.outputs.short_ref }}
+          fi
+      - name: Check outputs
+        run: |
+          echo ${{ steps.branch.outputs.short_ref }}
+          echo ${{ steps.version.outputs.version }}
+      - name: Generate Short SHA Container Tag
+        id: vars
+        run: echo "::set-output name=sha_short::SHA-$(git rev-parse --short=12 HEAD)"
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-op-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-op-
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ github.actor }}
+          password: ${{ secrets.CR_PAT }}
+          registry: ${{ env.REGISTRY }}
+      - uses: docker/build-push-action@v2
+        name: onlybuild
+        with:
+          context: .
+          file: ./build/operator/Dockerfile
+          platforms: linux/amd64
+          tags: ${{ env.REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ steps.vars.outputs.sha_short }},${{ env.REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ steps.branch.outputs.short_ref }}
+          push: false
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,mode=max,dest=/tmp/.buildx-cache
+          outputs: type=local,dest=/tmp/operator
+          build-args: |
+            OS=${{ matrix.goos }}
+            ARCH=${{ matrix.goarch }}
+            VERSION=${{ steps.version.outputs.version }}
+      - uses: actions/upload-artifact@v2
+        with:
+          name: zitadelctl-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: /tmp/operator/zitadelctl
+      - uses: docker/build-push-action@v2
+        if: ${{ matrix.goos == 'linux' && matrix.goarch == 'amd64' }}
+        name: buildandpush
+        with:
+          context: .
+          file: ./build/operator/Dockerfile
+          platforms: linux/amd64
+          tags: ${{ env.REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ steps.vars.outputs.sha_short }},${{ env.REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ steps.branch.outputs.short_ref }}
+          push: true
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,mode=max,dest=/tmp/.buildx-cache
+          build-args: |
+            OS=${{ matrix.goos }}
+            ARCH=${{ matrix.goarch }}
+            VERSION=${{ steps.version.outputs.version }}
+      - uses: docker/build-push-action@v2
+        if: ${{ matrix.goos == 'linux' && matrix.goarch == 'amd64' }}
+        name: buildandpushcrbackup
+        with:
+          context: .
+          file: ./build/cr-backup/Dockerfile
+          platforms: linux/amd64
+          tags: ${{ env.REGISTRY }}/${{ env.BACKUP_IMAGE_NAME }}:${{ steps.vars.outputs.sha_short }},${{ env.REGISTRY }}/${{ env.BACKUP_IMAGE_NAME }}:${{ steps.branch.outputs.short_ref }}
+          push: true
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,mode=max,dest=/tmp/.buildx-cache
+
+  release:
+    runs-on: ubuntu-18.04
+    needs: [ container ]
+    env:
+      DOCKER_USERNAME: ${{ github.actor }}
+      DOCKER_PASSWORD: ${{ secrets.CR_PAT }}
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v2
+      - name: Generate Short SHA Container Tag
+        id: vars
+        run: echo "::set-output name=sha_short::SHA-$(git rev-parse --short=12 HEAD)"
+      - name: Check output
+        run: echo ${{ steps.vars.outputs.sha_short }}
+      - name: Docker Login
+        run: docker login $REGISTRY -u $GITHUB_ACTOR -p $GITHUB_TOKEN
+      - name: Docker Pull short-sha
+        run: docker pull $REGISTRY/$DOCKER_IMAGE_NAME:${{ steps.vars.outputs.sha_short }}
+      - name: Docker Pull short-sha
+        run: docker pull $REGISTRY/$BACKUP_IMAGE_NAME:${{ steps.vars.outputs.sha_short }}
+      - name: Download binaries
+        uses: actions/download-artifact@v2
+        with:
+          path: .artifacts
+      - name: Semantic Release
+        id: semantic
+        uses: cycjimmy/semantic-release-action@v2
+        with:
+          dry_run: false
+          semantic_version: 17.0.4
+      - name: Do something when a new release published
+        if: steps.semantic.outputs.new_release_published == 'true'
+        run: |
+          echo ${{ steps.semantic.outputs.new_release_version }}
+          echo ${{ steps.semantic.outputs.new_release_major_version }}
+          echo ${{ steps.semantic.outputs.new_release_minor_version }}
+          echo ${{ steps.semantic.outputs.new_release_patch_version }}
+      - name: Docker Tag Version
+        run: |
+          docker tag $REGISTRY/$DOCKER_IMAGE_NAME:${{ steps.vars.outputs.sha_short }} $REGISTRY/$DOCKER_IMAGE_NAME:${{ steps.semantic.outputs.new_release_version }}
+          docker tag $REGISTRY/$BACKUP_IMAGE_NAME:${{ steps.vars.outputs.sha_short }} $REGISTRY/$BACKUP_IMAGE_NAME:${{ steps.semantic.outputs.new_release_version }}
+        if: steps.semantic.outputs.new_release_published == 'true'
+      - name: Docker Tag Latest
+        run: |
+          docker tag $REGISTRY/$DOCKER_IMAGE_NAME:${{ steps.vars.outputs.sha_short }} $REGISTRY/$DOCKER_IMAGE_NAME:latest
+          docker tag $REGISTRY/$BACKUP_IMAGE_NAME:${{ steps.vars.outputs.sha_short }} $REGISTRY/$BACKUP_IMAGE_NAME:latest
+        if: steps.semantic.outputs.new_release_published == 'true'
+      - name: Docker Push Version
+        run: |
+          docker push $REGISTRY/$DOCKER_IMAGE_NAME:${{ steps.semantic.outputs.new_release_version }}
+          docker push $REGISTRY/$BACKUP_IMAGE_NAME:${{ steps.semantic.outputs.new_release_version }}
+        if: steps.semantic.outputs.new_release_published == 'true'
+      - name: Docker Push Latest
+        run: |
+          docker push $REGISTRY/$DOCKER_IMAGE_NAME:latest
+          docker push $REGISTRY/$BACKUP_IMAGE_NAME:latest
+        if: steps.semantic.outputs.new_release_published == 'true'

.github/workflows/zitadel.yml

@@ -1,4 +1,4 @@
-name: Release
+name: Zitadel Release
 on: push
 
 env:
@@ -20,7 +20,7 @@ jobs:
       run: echo ${{ steps.branch.outputs.short_ref }}
     - name: Generate Short SHA Container Tag
       id: vars
-      run: echo "::set-output name=sha_short::SHA-$(git rev-parse --short HEAD)"
+      run: echo "::set-output name=sha_short::SHA-$(git rev-parse --short=12 HEAD)"
     - name: Cache Docker layers
       uses: actions/cache@v2
       with:
@@ -33,7 +33,7 @@ jobs:
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
     - name: Login to DockerHub
-      uses: docker/login-action@v1 
+      uses: docker/login-action@v1
       with:
         username: ${{ github.actor }}
         password: ${{ secrets.CR_PAT }}
@@ -59,7 +59,7 @@ jobs:
       uses: actions/checkout@v2
     - name: Generate Short SHA Container Tag
       id: vars
-      run: echo "::set-output name=sha_short::SHA-$(git rev-parse --short HEAD)"
+      run: echo "::set-output name=sha_short::SHA-$(git rev-parse --short=12 HEAD)"
     - name: Docker Login
       run: docker login $REGISTRY -u $GITHUB_ACTOR -p $GITHUB_TOKEN
     - name: Docker Pull short-sha

.gitignore

@@ -4,6 +4,7 @@
 *.dll
 *.so
 *.dylib
+zitadelctl
 
 # Test binary, build with `go test -c`
 *.test
@@ -17,6 +18,7 @@ coverage.txt
 #Debug
 __debug_bin
 debug
+sandbox.go
 
 # IDE
 .idea
@@ -38,11 +40,12 @@ cockroach-data/*
 #binaries
 cmd/zitadel/zitadel
 **/statik/statik.go
+zitadelctl
 
 # buildfolders and generated js
 tmp/
 console/src/app/proto/generated/
 
 pkg/grpc/*/*.pb.*
+pkg/grpc/*/*.swagger.json
 pkg/grpc/*/mock/*.mock.go
-pkg/grpc/*/*.swagger.json

.releaserc.js

@@ -3,6 +3,21 @@ module.exports = {
     plugins: [
         "@semantic-release/commit-analyzer",
         "@semantic-release/release-notes-generator",
-        "@semantic-release/github"
+        ["@semantic-release/github", {
+            "assets": [
+                {
+                    "path": ".artifacts/zitadel-darwin-amd64/zitadelctl",
+                    "label": "Zitadelctl Darwin x86_64"
+                },
+                {
+                    "path": ".artifacts/zitadel-linux-amd64/zitadelctl",
+                    "label": "Zitadelctl Linux x86_64"
+                },
+                {
+                    "path": ".artifacts/zitadel-windows-amd64/zitadelctl",
+                    "label": "Zitadelctl Windows x86_64"
+                }
+            ]
+        }],
     ]
 };

build/console/package-lock.json

@@ -0,0 +1,3 @@
+{
+  "lockfileVersion": 1
+}

build/cr-backup/Dockerfile

@@ -0,0 +1,22 @@
+FROM cockroachdb/cockroach:v20.2.3
+
+RUN microdnf install curl wget tar gzip
+
+RUN wget https://storage.googleapis.com/oauth2l/latest/linux_amd64.tgz
+RUN tar zxvf linux_amd64.tgz
+RUN mv linux_amd64/oauth2l /usr/local/bin/oauth2l && rm -rf linux_amd64
+
+COPY build/cr-backup/scripts/backup-cockroach.sh /scripts/backup.sh
+RUN chmod +x /scripts/backup.sh
+
+COPY build/cr-backup/scripts/restore-cockroach.sh /scripts/restore.sh
+RUN chmod +x /scripts/restore.sh
+
+COPY build/cr-backup/scripts/clean-db-cockroach.sh /scripts/clean-db.sh
+RUN chmod +x /scripts/clean-db.sh
+COPY build/cr-backup/scripts/clean-migration-cockroach.sh /scripts/clean-migration.sh
+RUN chmod +x /scripts/clean-migration.sh
+COPY build/cr-backup/scripts/clean-user-cockroach.sh /scripts/clean-user.sh
+RUN chmod +x /scripts/clean-user.sh
+
+ENTRYPOINT [ "/cockroach" ]

build/cr-backup/scripts/backup-cockroach.sh

@@ -0,0 +1,17 @@
+env=$1
+bucket=$2
+db=$3
+folder=$4
+safile=$5
+certs=$6
+name=$7
+
+filenamelocal=zitadel-${db}.sql
+filenamebucket=zitadel-${db}-${name}.sql
+
+/cockroach/cockroach.sh dump --dump-mode=data --certs-dir=${certs} --host=cockroachdb-public:26257 ${db} > ${folder}/${filenamelocal}
+curl -X POST \
+    -H "$(oauth2l header --json ${safile} cloud-platform)" \
+    -H "Content-Type: application/json" \
+    --data-binary @${folder}/${filenamelocal} \
+    "https://storage.googleapis.com/upload/storage/v1/b/${bucket}/o?uploadType=media&name=${env}/${name}/${filenamebucket}"

build/cr-backup/scripts/clean-db-cockroach.sh

@@ -0,0 +1,4 @@
+certs=$1
+db=$2
+
+/cockroach/cockroach.sh sql --certs-dir=${certs} --host=cockroachdb-public:26257 -e "DROP DATABASE IF EXISTS ${db} CASCADE;"

build/cr-backup/scripts/clean-migration-cockroach.sh

@@ -0,0 +1,3 @@
+certs=$1
+
+/cockroach/cockroach.sh sql --certs-dir=${certs} --host=cockroachdb-public:26257 -e "TRUNCATE defaultdb.flyway_schema_history;"

build/cr-backup/scripts/clean-user-cockroach.sh

@@ -0,0 +1,4 @@
+certs=$1
+db=$2
+
+/cockroach/cockroach.sh sql --certs-dir=${certs} --host=cockroachdb-public:26257 -e "DROP USER IF EXISTS ${db};"

build/cr-backup/scripts/restore-cockroach.sh

@@ -0,0 +1,33 @@
+bucket=$1
+env=$2
+name=$3
+db=$4
+safile=$5
+certs=$6
+
+urlencode() {
+    # urlencode <string>
+    old_lc_collate=$LC_COLLATE
+    LC_COLLATE=C
+
+    local length="${#1}"
+    for (( i = 0; i < length; i++ )); do
+        local c="${1:i:1}"
+        case $c in
+            [a-zA-Z0-9.~_-]) printf "$c" ;;
+            *) printf '%%%02X' "'$c" ;;
+        esac
+    done
+
+    LC_COLLATE=$old_lc_collate
+}
+
+filenamelocal=zitadel-${db}.sql
+filenamebucket=zitadel-${db}-${name}.sql
+
+curl -X GET \
+  -H "$(oauth2l header --json ${safile} cloud-platform)" \
+  -o "${filenamelocal}" \
+  "https://storage.googleapis.com/storage/v1/b/${bucket}/o/$(urlencode ${env}/${name}/${filenamebucket})?alt=media"
+
+/cockroach/cockroach.sh sql --certs-dir=${certs} --host=cockroachdb-public:26257 --database=${db} < ${filenamelocal}

build/docker-compose-debug.yml

@@ -4,7 +4,7 @@ services:
   angular:
     build:
       context: ..
-      dockerfile: build/dockerfile
+      dockerfile: dockerfile
       target: dev-angular-build
       args:
         ENV: dev
@@ -14,7 +14,7 @@ services:
   go:
     build:
       context: ..
-      dockerfile: build/dockerfile
+      dockerfile: dockerfile
       target: dev-go-build
       args:
         ENV: dev

build/docker-compose-dev.yml

@@ -4,7 +4,7 @@ services:
   angular:
     build:
       context: ..
-      dockerfile: build/dockerfile
+      dockerfile: dockerfile
       target: dev-angular-build
       args:
         ENV: dev
@@ -14,7 +14,7 @@ services:
   go:
     build:
       context: ..
-      dockerfile: build/dockerfile
+      dockerfile: dockerfile
       target: dev-go-build
       args:
         ENV: dev

build/dockerfile

@@ -89,7 +89,11 @@ COPY --from=go-base /go/src/github.com/caos/zitadel/pkg/ .
 ## Go test
 FROM go-base as go-test
 COPY . .
-RUN go test -race -v -coverprofile=profile.cov ./...
+#Migrations for cockroach-secure
+RUN go install github.com/rakyll/statik
+RUN ./build/operator/prebuild.sh ./migrations
+
+RUN go test -race -v -coverprofile=profile.cov $(go list ./... | grep -v /operator/)
 
 ## Go test
 FROM scratch as go-codecov
@@ -114,16 +118,16 @@ RUN go get github.com/go-delve/delve/cmd/dlv
 #######################
 FROM alpine:latest as artifact
 RUN adduser -D zitadel
-COPY cmd/zitadel/*.yaml /
-COPY --from=prod-go-build /go/src/github.com/caos/zitadel/zitadel-linux-amd64 /zitadel
-RUN chmod a+x zitadel
+COPY cmd/zitadel/*.yaml /app/
+COPY --from=prod-go-build /go/src/github.com/caos/zitadel/zitadel-linux-amd64 /app/zitadel
+RUN chmod a+x /app/zitadel
 RUN ls -la /
 
 ## Scratch Image
 FROM  scratch as final
 COPY --from=artifact /etc/passwd /etc/passwd
-## TODO copy should be removed once the operator branch is merged
-COPY --from=artifact / /
+COPY --from=artifact /etc/ssl/certs /etc/ssl/certs
+COPY --from=artifact /app /
 USER zitadel
 HEALTHCHECK NONE
-ENTRYPOINT ["/zitadel"]
+ENTRYPOINT ["/zitadel"]

build/operator/.dockerignore

@@ -0,0 +1 @@
+**/statik/statik.go

build/operator/Dockerfile

@@ -0,0 +1,59 @@
+#######################
+## By default we build the prod enviroment
+ARG ENV=prod
+
+#######################
+## Go base build
+## Speed up this step by mounting your local go mod pkg directory
+#######################
+FROM golang:1.15 as go-base
+
+WORKDIR src/github.com/caos/zitadel/
+COPY go.mod go.sum ./
+RUN go mod download
+
+
+## Go test
+FROM go-base as go-test
+COPY . .
+#Migrations for cockroach-secure
+RUN go install github.com/rakyll/statik
+RUN ./build/operator/prebuild.sh ./migrations
+
+RUN go test -race -v -coverprofile=profile.cov ./operator/...
+
+## Go test
+FROM scratch as go-codecov
+COPY --from=go-test /go/src/github.com/caos/zitadel/profile.cov profile.cov
+
+## Go prod build
+FROM go-test as prod-go-build
+
+
+ARG ARCH=amd64
+ARG OS=linux
+ARG VERSION=none
+RUN CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -a -installsuffix cgo -ldflags "-extldflags '-static' -X main.Version=${VERSION}" -o zitadelctl cmd/zitadelctl/main.go
+
+## Go dev build
+FROM go-base as dev-go-build
+RUN go get github.com/go-delve/delve/cmd/dlv
+
+#######################
+## Final Production Image
+#######################
+FROM alpine:latest as artifact
+RUN adduser -D zitadel
+
+ARG ARCH=amd64
+ARG OS=linux
+COPY --from=prod-go-build /go/src/github.com/caos/zitadel/zitadelctl /app/zitadelctl
+RUN chmod a+x /app/zitadelctl
+
+## Scratch Image
+FROM scratch as final
+COPY --from=artifact /etc/passwd /etc/passwd
+COPY --from=artifact /app /
+USER zitadel
+HEALTHCHECK NONE
+ENTRYPOINT ["/zitadelctl"]

build/operator/prebuild.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e
+
+statik -src=$1

changelog.config.js

@@ -0,0 +1,3 @@
+module.exports = {
+  "disableEmoji": true
+};

cmd/database-debug/main.go

@@ -0,0 +1,50 @@
+package main
+
+import (
+	"flag"
+	"io/ioutil"
+
+	"github.com/caos/orbos/pkg/kubernetes"
+
+	"github.com/caos/zitadel/operator/start"
+
+	"github.com/caos/orbos/mntr"
+	"github.com/caos/zitadel/operator/helpers"
+)
+
+func main() {
+
+	orbconfig := flag.String("orbconfig", "~/.orb/config", "The orbconfig file to use")
+	kubeconfig := flag.String("kubeconfig", "~/.kube/config", "The kubeconfig file to use")
+	verbose := flag.Bool("verbose", false, "Print debug levelled logs")
+
+	flag.Parse()
+
+	monitor := mntr.Monitor{
+		OnInfo:   mntr.LogMessage,
+		OnChange: mntr.LogMessage,
+		OnError:  mntr.LogError,
+	}
+
+	if *verbose {
+		monitor = monitor.Verbose()
+	}
+
+	kc, err := ioutil.ReadFile(helpers.PruneHome(*kubeconfig))
+	if err != nil {
+		panic(err)
+	}
+
+	if err := start.Database(
+		monitor,
+		helpers.PruneHome(*orbconfig),
+		kubernetes.NewK8sClient(monitor, strPtr(string(kc))),
+		strPtr("database-development"),
+	); err != nil {
+		panic(err)
+	}
+}
+
+func strPtr(str string) *string {
+	return &str
+}

cmd/operator-debug/main.go

@@ -0,0 +1,47 @@
+package main
+
+import (
+	"flag"
+	"io/ioutil"
+
+	"github.com/caos/orbos/mntr"
+	"github.com/caos/orbos/pkg/kubernetes"
+	"github.com/caos/zitadel/operator/helpers"
+	"github.com/caos/zitadel/operator/start"
+)
+
+func main() {
+	orbconfig := flag.String("orbconfig", "~/.orb/config", "The orbconfig file to use")
+	kubeconfig := flag.String("kubeconfig", "~/.kube/config", "The kubeconfig file to use")
+	verbose := flag.Bool("verbose", false, "Print debug levelled logs")
+
+	flag.Parse()
+
+	monitor := mntr.Monitor{
+		OnInfo:   mntr.LogMessage,
+		OnChange: mntr.LogMessage,
+		OnError:  mntr.LogError,
+	}
+
+	if *verbose {
+		monitor = monitor.Verbose()
+	}
+
+	kc, err := ioutil.ReadFile(helpers.PruneHome(*kubeconfig))
+	if err != nil {
+		panic(err)
+	}
+
+	if err := start.Operator(
+		monitor,
+		helpers.PruneHome(*orbconfig),
+		kubernetes.NewK8sClient(monitor, strPtr(string(kc))),
+		strPtr("local-debugging"),
+	); err != nil {
+		panic(err)
+	}
+}
+
+func strPtr(str string) *string {
+	return &str
+}

cmd/zitadel/system-defaults.yaml

@@ -1,5 +1,5 @@
 SystemDefaults:
-  DefaultLanguage: 'de'
+  DefaultLanguage: 'en'
   Domain: $ZITADEL_DEFAULT_DOMAIN
   ZitadelDocs:
     Issuer: $ZITADEL_ISSUER

cmd/zitadelctl/cmds/backup.go

@@ -0,0 +1,73 @@
+package cmds
+
+import (
+	"github.com/caos/orbos/pkg/kubernetes"
+	"github.com/caos/zitadel/operator/api"
+	"github.com/caos/zitadel/operator/start"
+	"github.com/spf13/cobra"
+	"io/ioutil"
+)
+
+func BackupCommand(rv RootValues) *cobra.Command {
+	var (
+		kubeconfig string
+		backup     string
+		cmd        = &cobra.Command{
+			Use:   "backup",
+			Short: "Instant backup",
+			Long:  "Instant backup",
+		}
+	)
+
+	flags := cmd.Flags()
+	flags.StringVar(&kubeconfig, "kubeconfig", "~/.kube/config", "Kubeconfig of cluster where the backup should be done")
+	flags.StringVar(&backup, "backup", "", "Name used for backup folder")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) (err error) {
+		_, monitor, orbConfig, gitClient, version, errFunc, err := rv()
+		if err != nil {
+			return err
+		}
+		defer func() {
+			err = errFunc(err)
+		}()
+
+		if err := gitClient.Configure(orbConfig.URL, []byte(orbConfig.Repokey)); err != nil {
+			return err
+		}
+
+		if err := gitClient.Clone(); err != nil {
+			return err
+		}
+
+		found, err := api.ExistsDatabaseYml(gitClient)
+		if err != nil {
+			return err
+		}
+		if found {
+
+			value, err := ioutil.ReadFile(kubeconfig)
+			if err != nil {
+				monitor.Error(err)
+				return nil
+			}
+			kubeconfigStr := string(value)
+
+			k8sClient := kubernetes.NewK8sClient(monitor, &kubeconfigStr)
+			if k8sClient.Available() {
+				if err := start.Backup(
+					monitor,
+					orbConfig.Path,
+					k8sClient,
+					backup,
+					&version,
+				); err != nil {
+					return err
+				}
+			}
+
+		}
+		return nil
+	}
+	return cmd
+}

cmd/zitadelctl/cmds/backuplist.go

@@ -0,0 +1,54 @@
+package cmds
+
+import (
+	"fmt"
+	"sort"
+
+	"github.com/caos/zitadel/pkg/databases"
+	"github.com/spf13/cobra"
+)
+
+func BackupListCommand(rv RootValues) *cobra.Command {
+	var (
+		cmd = &cobra.Command{
+			Use:   "backuplist",
+			Short: "Get a list of all backups",
+			Long:  "Get a list of all backups",
+		}
+	)
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		_, monitor, orbConfig, gitClient, _, errFunc, err := rv()
+		if err != nil {
+			return err
+		}
+		defer func() {
+			err = errFunc(err)
+		}()
+
+		if err := gitClient.Configure(orbConfig.URL, []byte(orbConfig.Repokey)); err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		if err := gitClient.Clone(); err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		backups, err := databases.ListBackups(monitor, gitClient)
+		if err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		sort.Slice(backups, func(i, j int) bool {
+			return backups[i] > backups[j]
+		})
+		for _, backup := range backups {
+			fmt.Println(backup)
+		}
+		return nil
+	}
+	return cmd
+}

cmd/zitadelctl/cmds/readsecret.go

@@ -0,0 +1,57 @@
+package cmds
+
+import (
+	"os"
+
+	"github.com/caos/orbos/pkg/secret"
+	"github.com/caos/zitadel/operator/secrets"
+	"github.com/spf13/cobra"
+)
+
+func ReadSecretCommand(rv RootValues) *cobra.Command {
+	return &cobra.Command{
+		Use:     "readsecret [path]",
+		Short:   "Print a secrets decrypted value to stdout",
+		Long:    "Print a secrets decrypted value to stdout.\nIf no path is provided, a secret can interactively be chosen from a list of all possible secrets",
+		Args:    cobra.MaximumNArgs(1),
+		Example: `zitadelctl readsecret zitadel.emailappkey > ~/emailappkey`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+
+			_, monitor, orbConfig, gitClient, _, errFunc, err := rv()
+			if err != nil {
+				return err
+			}
+			defer func() {
+				err = errFunc(err)
+			}()
+			if err := gitClient.Configure(orbConfig.URL, []byte(orbConfig.Repokey)); err != nil {
+				return err
+			}
+
+			if err := gitClient.Clone(); err != nil {
+				return err
+			}
+
+			path := ""
+			if len(args) > 0 {
+				path = args[0]
+			}
+
+			value, err := secret.Read(
+				monitor,
+				gitClient,
+				path,
+				secrets.GetAllSecretsFunc(orbConfig))
+			if err != nil {
+				monitor.Error(err)
+				return nil
+			}
+
+			if _, err := os.Stdout.Write([]byte(value)); err != nil {
+				monitor.Error(err)
+				return nil
+			}
+			return nil
+		},
+	}
+}

cmd/zitadelctl/cmds/restore.go

@@ -0,0 +1,100 @@
+package cmds
+
+import (
+	"errors"
+	"io/ioutil"
+
+	"github.com/caos/zitadel/operator/helpers"
+
+	"github.com/caos/orbos/pkg/kubernetes"
+	"github.com/caos/zitadel/operator/start"
+	"github.com/caos/zitadel/pkg/databases"
+	"github.com/manifoldco/promptui"
+	"github.com/spf13/cobra"
+)
+
+func RestoreCommand(rv RootValues) *cobra.Command {
+	var (
+		backup     string
+		kubeconfig string
+		cmd        = &cobra.Command{
+			Use:   "restore",
+			Short: "Restore from backup",
+			Long:  "Restore from backup",
+		}
+	)
+
+	flags := cmd.Flags()
+	flags.StringVar(&backup, "backup", "", "Backup used for db restore")
+	flags.StringVar(&kubeconfig, "kubeconfig", "~/.kube/config", "Kubeconfig for ZITADEL operator deployment")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		_, monitor, orbConfig, gitClient, version, errFunc, err := rv()
+		if err != nil {
+			return err
+		}
+		defer func() {
+			err = errFunc(err)
+		}()
+
+		kubeconfig = helpers.PruneHome(kubeconfig)
+
+		if err := gitClient.Configure(orbConfig.URL, []byte(orbConfig.Repokey)); err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		if err := gitClient.Clone(); err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		value, err := ioutil.ReadFile(kubeconfig)
+		if err != nil {
+			monitor.Error(err)
+			return nil
+		}
+		kubeconfigStr := string(value)
+
+		k8sClient := kubernetes.NewK8sClient(monitor, &kubeconfigStr)
+		if k8sClient.Available() {
+			list, err := databases.ListBackups(monitor, gitClient)
+			if err != nil {
+				monitor.Error(err)
+				return nil
+			}
+
+			if backup == "" {
+				prompt := promptui.Select{
+					Label: "Select backup to restore",
+					Items: list,
+				}
+
+				_, result, err := prompt.Run()
+				if err != nil {
+					monitor.Error(err)
+					return nil
+				}
+				backup = result
+			}
+			existing := false
+			for _, listedBackup := range list {
+				if listedBackup == backup {
+					existing = true
+				}
+			}
+
+			if !existing {
+				monitor.Error(errors.New("chosen backup is not existing"))
+				return nil
+			}
+
+			if err := start.Restore(monitor, gitClient, orbConfig, k8sClient, backup, &version); err != nil {
+				monitor.Error(err)
+			}
+			return nil
+		}
+		return nil
+	}
+	return cmd
+}

cmd/zitadelctl/cmds/root.go

@@ -0,0 +1,72 @@
+package cmds
+
+import (
+	"context"
+	"github.com/caos/orbos/mntr"
+	"github.com/caos/orbos/pkg/git"
+	"github.com/caos/orbos/pkg/orb"
+	"github.com/caos/zitadel/operator/helpers"
+	"github.com/spf13/cobra"
+)
+
+type RootValues func() (context.Context, mntr.Monitor, *orb.Orb, *git.Client, string, errFunc, error)
+
+type errFunc func(err error) error
+
+func RootCommand(version string) (*cobra.Command, RootValues) {
+
+	var (
+		verbose       bool
+		orbConfigPath string
+	)
+
+	cmd := &cobra.Command{
+		Use:   "zitadelctl [flags]",
+		Short: "Interact with your IAM orbs",
+		Long: `zitadelctl launches zitadel and simplifies common tasks such as updating your kubeconfig.
+Participate in our community on https://github.com/caos/orbos
+and visit our website at https://caos.ch`,
+		Example: `$ mkdir -p ~/.orb
+$ cat > ~/.orb/myorb << EOF
+> url: git@github.com:me/my-orb.git
+> masterkey: "$(gopass my-secrets/orbs/myorb/masterkey)"
+> repokey: |
+> $(cat ~/.ssh/myorbrepo | sed s/^/\ \ /g)
+> EOF
+$ orbctl -f ~/.orb/myorb [command]
+`,
+	}
+
+	flags := cmd.PersistentFlags()
+	flags.StringVarP(&orbConfigPath, "orbconfig", "f", "~/.orb/config", "Path to the file containing the orbs git repo URL, deploy key and the master key for encrypting and decrypting secrets")
+	flags.BoolVar(&verbose, "verbose", false, "Print debug levelled logs")
+
+	return cmd, func() (context.Context, mntr.Monitor, *orb.Orb, *git.Client, string, errFunc, error) {
+
+		monitor := mntr.Monitor{
+			OnInfo:   mntr.LogMessage,
+			OnChange: mntr.LogMessage,
+			OnError:  mntr.LogError,
+		}
+
+		if verbose {
+			monitor = monitor.Verbose()
+		}
+
+		prunedPath := helpers.PruneHome(orbConfigPath)
+		orbConfig, err := orb.ParseOrbConfig(prunedPath)
+		if err != nil {
+			orbConfig = &orb.Orb{Path: prunedPath}
+			return nil, mntr.Monitor{}, nil, nil, "", nil, err
+		}
+
+		ctx := context.Background()
+
+		return ctx, monitor, orbConfig, git.New(ctx, monitor, "orbos", "orbos@caos.ch"), version, func(err error) error {
+			if err != nil {
+				monitor.Error(err)
+			}
+			return nil
+		}, nil
+	}
+}

cmd/zitadelctl/cmds/start.go

@@ -0,0 +1,82 @@
+package cmds
+
+import (
+	"github.com/caos/orbos/pkg/kubernetes"
+	"github.com/caos/zitadel/operator/helpers"
+	"github.com/caos/zitadel/operator/start"
+	"github.com/spf13/cobra"
+)
+
+func StartOperator(rv RootValues) *cobra.Command {
+	var (
+		kubeconfig string
+		cmd        = &cobra.Command{
+			Use:   "operator",
+			Short: "Launch a ZITADEL operator",
+			Long:  "Ensures a desired state of ZITADEL",
+		}
+	)
+	flags := cmd.Flags()
+	flags.StringVar(&kubeconfig, "kubeconfig", "", "Kubeconfig for ZITADEL operator deployment")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		_, monitor, orbConfig, _, version, errFunc, err := rv()
+		if err != nil {
+			return err
+		}
+		defer func() {
+			err = errFunc(err)
+		}()
+
+		kubeconfig = helpers.PruneHome(kubeconfig)
+
+		k8sClient, err := kubernetes.NewK8sClientWithPath(monitor, kubeconfig)
+		if err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		if k8sClient.Available() {
+			if err := start.Operator(monitor, orbConfig.Path, k8sClient, &version); err != nil {
+				monitor.Error(err)
+				return nil
+			}
+		}
+		return nil
+	}
+	return cmd
+}
+
+func StartDatabase(rv RootValues) *cobra.Command {
+	var (
+		kubeconfig string
+		cmd        = &cobra.Command{
+			Use:   "database",
+			Short: "Launch a database operator",
+			Long:  "Ensures a desired state of the database",
+		}
+	)
+	flags := cmd.Flags()
+	flags.StringVar(&kubeconfig, "kubeconfig", "", "kubeconfig used by zitadel operator")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) (err error) {
+		_, monitor, orbConfig, _, version, errFunc, err := rv()
+		if err != nil {
+			return err
+		}
+		defer func() {
+			err = errFunc(err)
+		}()
+
+		k8sClient, err := kubernetes.NewK8sClientWithPath(monitor, kubeconfig)
+		if err != nil {
+			return err
+		}
+
+		if k8sClient.Available() {
+			return start.Database(monitor, orbConfig.Path, k8sClient, &version)
+		}
+		return nil
+	}
+	return cmd
+}

cmd/zitadelctl/cmds/takeoff.go

@@ -0,0 +1,127 @@
+package cmds
+
+import (
+	orbdb "github.com/caos/zitadel/operator/database/kinds/orb"
+	"io/ioutil"
+
+	"github.com/caos/zitadel/operator/helpers"
+
+	"github.com/caos/orbos/mntr"
+	"github.com/caos/orbos/pkg/git"
+	"github.com/caos/orbos/pkg/kubernetes"
+	"github.com/caos/zitadel/operator/api"
+	"github.com/caos/zitadel/operator/zitadel/kinds/orb"
+	"github.com/spf13/cobra"
+)
+
+func TakeoffCommand(rv RootValues) *cobra.Command {
+	var (
+		kubeconfig string
+		cmd        = &cobra.Command{
+			Use:   "takeoff",
+			Short: "Launch a ZITADEL operator on the orb",
+			Long:  "Ensures a desired state of the resources on the orb",
+		}
+	)
+
+	flags := cmd.Flags()
+	flags.StringVar(&kubeconfig, "kubeconfig", "~/.kube/config", "Kubeconfig for ZITADEL operator deployment")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		_, monitor, orbConfig, gitClient, _, errFunc, err := rv()
+		if err != nil {
+			return err
+		}
+		defer func() {
+			err = errFunc(err)
+		}()
+		kubeconfig = helpers.PruneHome(kubeconfig)
+
+		if err := gitClient.Configure(orbConfig.URL, []byte(orbConfig.Repokey)); err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		if err := gitClient.Clone(); err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		value, err := ioutil.ReadFile(kubeconfig)
+		if err != nil {
+			monitor.Error(err)
+			return nil
+		}
+		kubeconfigStr := string(value)
+
+		if err := deployOperator(
+			monitor,
+			gitClient,
+			&kubeconfigStr,
+		); err != nil {
+			monitor.Error(err)
+		}
+
+		if err := deployDatabase(
+			monitor,
+			gitClient,
+			&kubeconfigStr,
+		); err != nil {
+			monitor.Error(err)
+		}
+		return nil
+	}
+	return cmd
+}
+
+func deployOperator(monitor mntr.Monitor, gitClient *git.Client, kubeconfig *string) error {
+	found, err := api.ExistsZitadelYml(gitClient)
+	if err != nil {
+		return err
+	}
+	if !found {
+		monitor.Info("No ZITADEL operator deployed as no zitadel.yml present")
+		return nil
+	}
+
+	if found {
+		k8sClient := kubernetes.NewK8sClient(monitor, kubeconfig)
+
+		if k8sClient.Available() {
+			desiredTree, err := api.ReadZitadelYml(gitClient)
+			if err != nil {
+				return err
+			}
+			if err := orb.Reconcile(monitor, desiredTree, true)(k8sClient); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func deployDatabase(monitor mntr.Monitor, gitClient *git.Client, kubeconfig *string) error {
+	found, err := api.ExistsDatabaseYml(gitClient)
+	if err != nil {
+		return err
+	}
+	if found {
+		k8sClient := kubernetes.NewK8sClient(monitor, kubeconfig)
+
+		if k8sClient.Available() {
+			tree, err := api.ReadDatabaseYml(gitClient)
+			if err != nil {
+				return err
+			}
+
+			if err := orbdb.Reconcile(
+				monitor,
+				tree)(k8sClient); err != nil {
+				return err
+			}
+		} else {
+			monitor.Info("Failed to connect to k8s")
+		}
+	}
+	return nil
+}

cmd/zitadelctl/cmds/writesecret.go

@@ -0,0 +1,115 @@
+package cmds
+
+import (
+	"errors"
+	"io/ioutil"
+	"os"
+
+	"github.com/caos/orbos/pkg/secret"
+	"github.com/caos/zitadel/operator/secrets"
+	"github.com/spf13/cobra"
+)
+
+func WriteSecretCommand(rv RootValues) *cobra.Command {
+
+	var (
+		value string
+		file  string
+		stdin bool
+		cmd   = &cobra.Command{
+			Use:   "writesecret [path]",
+			Short: "Encrypt a secret and push it to the repository",
+			Long:  "Encrypt a secret and push it to the repository.\nIf no path is provided, a secret can interactively be chosen from a list of all possible secrets",
+			Args:  cobra.MaximumNArgs(1),
+			Example: `orbctl writesecret mystaticprovider.bootstrapkey --file ~/.ssh/my-orb-bootstrap
+orbctl writesecret mygceprovider.google_application_credentials_value --value "$(cat $GOOGLE_APPLICATION_CREDENTIALS)" `,
+		}
+	)
+
+	flags := cmd.Flags()
+	flags.StringVar(&value, "value", "", "Secret value to encrypt")
+	flags.StringVarP(&file, "file", "s", "", "File containing the value to encrypt")
+	flags.BoolVar(&stdin, "stdin", false, "Value to encrypt is read from standard input")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+
+		_, monitor, orbConfig, gitClient, _, errFunc, err := rv()
+		if err != nil {
+			return err
+		}
+		defer func() {
+			err = errFunc(err)
+		}()
+
+		s, err := key(value, file, stdin)
+		if err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		if err := gitClient.Configure(orbConfig.URL, []byte(orbConfig.Repokey)); err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		if err := gitClient.Clone(); err != nil {
+			monitor.Error(err)
+			return nil
+		}
+
+		path := ""
+		if len(args) > 0 {
+			path = args[0]
+		}
+
+		if err := secret.Write(
+			monitor,
+			gitClient,
+			path,
+			s,
+			secrets.GetAllSecretsFunc(orbConfig),
+			secrets.PushFunc(),
+		); err != nil {
+			monitor.Error(err)
+		}
+		return nil
+	}
+	return cmd
+}
+
+func key(value string, file string, stdin bool) (string, error) {
+
+	channels := 0
+	if value != "" {
+		channels++
+	}
+	if file != "" {
+		channels++
+	}
+	if stdin {
+		channels++
+	}
+
+	if channels != 1 {
+		return "", errors.New("Key must be provided eighter by value or by file path or by standard input")
+	}
+
+	if value != "" {
+		return value, nil
+	}
+
+	readFunc := func() ([]byte, error) {
+		return ioutil.ReadFile(file)
+	}
+	if stdin {
+		readFunc = func() ([]byte, error) {
+			return ioutil.ReadAll(os.Stdin)
+		}
+	}
+
+	key, err := readFunc()
+	if err != nil {
+		panic(err)
+	}
+	return string(key), err
+}

cmd/zitadelctl/main.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"fmt"
+	"github.com/caos/zitadel/cmd/zitadelctl/cmds"
+	"os"
+)
+
+var (
+	Version = "unknown"
+)
+
+func main() {
+	rootCmd, rootValues := cmds.RootCommand(Version)
+	rootCmd.Version = fmt.Sprintf("%s\n", Version)
+
+	rootCmd.AddCommand(
+		cmds.StartOperator(rootValues),
+		cmds.TakeoffCommand(rootValues),
+		cmds.BackupListCommand(rootValues),
+		cmds.RestoreCommand(rootValues),
+		cmds.ReadSecretCommand(rootValues),
+		cmds.WriteSecretCommand(rootValues),
+		cmds.BackupCommand(rootValues),
+		cmds.StartDatabase(rootValues),
+	)
+
+	if err := rootCmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}

console/package.json

@@ -28,40 +28,40 @@
     "@types/google-protobuf": "^3.7.4",
     "@types/uuid": "^8.3.0",
     "angular-oauth2-oidc": "^10.0.3",
-    "angularx-qrcode": "^10.0.11",
+    "angularx-qrcode": "^11.0.0",
     "cors": "^2.8.5",
     "file-saver": "^2.0.5",
-    "google-proto-files": "^2.3.0",
+    "google-proto-files": "^2.4.0",
     "google-protobuf": "^3.13.0",
     "grpc": "^1.24.3",
     "grpc-web": "^1.2.1",
     "moment": "^2.29.1",
     "ngx-quicklink": "^0.2.6",
     "rxjs": "~6.6.3",
-    "ts-protoc-gen": "^0.13.0",
+    "ts-protoc-gen": "^0.14.0",
     "tslib": "^2.0.0",
     "uuid": "^8.3.2",
     "zone.js": "~0.11.3"
   },
   "devDependencies": {
-    "@angular-devkit/build-angular": "~0.1100.4",
-    "@angular/cli": "~11.0.4",
+    "@angular/cli": "~11.1.2",
+    "@angular-devkit/build-angular": "~0.1101.2",
     "@angular/compiler-cli": "~11.0.0",
-    "@types/jasmine": "~3.6.2",
-    "@angular/language-service": "~11.0.4",
+    "@types/jasmine": "~3.6.3",
+    "@angular/language-service": "~11.1.1",
     "@types/jasminewd2": "~2.0.3",
-    "@types/node": "^14.14.13",
+    "@types/node": "^14.14.22",
     "codelyzer": "^6.0.0",
     "jasmine-core": "~3.6.0",
     "jasmine-spec-reporter": "~6.0.0",
-    "karma": "~5.2.3",
+    "karma": "~6.0.3",
     "karma-chrome-launcher": "~3.1.0",
     "karma-coverage-istanbul-reporter": "~3.0.2",
     "karma-jasmine": "~4.0.0",
     "karma-jasmine-html-reporter": "^1.5.0",
     "prettier": "^2.2.1",
     "protractor": "~7.0.0",
-    "stylelint": "^13.8.0",
+    "stylelint": "^13.9.0",
     "stylelint-config-standard": "^20.0.0",
     "stylelint-scss": "^3.18.0",
     "ts-node": "~9.1.1",

console/src/app/services/interceptors/auth.interceptor.ts

@@ -1,7 +1,8 @@
 import { Injectable } from '@angular/core';
 import { MatDialog } from '@angular/material/dialog';
 import { Request, UnaryInterceptor, UnaryResponse } from 'grpc-web';
-import { filter, first, take } from 'rxjs/operators';
+import { Subject } from 'rxjs';
+import { debounceTime, filter, first, take } from 'rxjs/operators';
 import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component';
 
 import { AuthenticationService } from '../authentication.service';
@@ -16,11 +17,16 @@ const accessTokenStorageKey = 'access_token';
  * Set the authentication token
  */
 export class AuthInterceptor<TReq = unknown, TResp = unknown> implements UnaryInterceptor<TReq, TResp> {
+    public triggerDialog: Subject<boolean> = new Subject();
     constructor(
         private authenticationService: AuthenticationService,
         private storageService: StorageService,
         private dialog: MatDialog,
-    ) { }
+    ) {
+        this.triggerDialog.pipe(debounceTime(1000)).subscribe(() => {
+            this.openDialog();
+        });
+    }
 
     public async intercept(request: Request<TReq, TResp>, invoker: any): Promise<UnaryResponse<TReq, TResp>> {
         await this.authenticationService.authenticationChanged.pipe(
@@ -36,22 +42,26 @@ export class AuthInterceptor<TReq = unknown, TResp = unknown> implements UnaryIn
             return response;
         }).catch((error: any) => {
             if (error.code === 16) {
-                const dialogRef = this.dialog.open(WarnDialogComponent, {
-                    data: {
-                        confirmKey: 'ACTIONS.LOGIN',
-                        titleKey: 'ERRORS.TOKENINVALID.TITLE',
-                        descriptionKey: 'ERRORS.TOKENINVALID.DESCRIPTION',
-                    },
-                    width: '400px',
-                });
-
-                dialogRef.afterClosed().pipe(take(1)).subscribe(resp => {
-                    if (resp) {
-                        this.authenticationService.authenticate(undefined, true, true);
-                    }
-                });
+                this.triggerDialog.next(true);
             }
             return Promise.reject(error);
         });
     }
+
+    openDialog() {
+        const dialogRef = this.dialog.open(WarnDialogComponent, {
+            data: {
+                confirmKey: 'ACTIONS.LOGIN',
+                titleKey: 'ERRORS.TOKENINVALID.TITLE',
+                descriptionKey: 'ERRORS.TOKENINVALID.DESCRIPTION',
+            },
+            width: '400px',
+        });
+
+        dialogRef.afterClosed().pipe(take(1)).subscribe(resp => {
+            if (resp) {
+                this.authenticationService.authenticate(undefined, true, true);
+            }
+        });
+    }
 }

go.mod

@@ -4,6 +4,7 @@ go 1.15
 
 require (
 	cloud.google.com/go v0.71.0 // indirect
+	cloud.google.com/go/storage v1.10.0
 	github.com/BurntSushi/toml v0.3.1
 	github.com/DATA-DOG/go-sqlmock v1.5.0
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/trace v0.13.0
@@ -16,9 +17,10 @@ require (
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
 	github.com/caos/logging v0.0.2
 	github.com/caos/oidc v0.13.2
+	github.com/caos/orbos v1.5.14-0.20210205131708-6dc812182dc0
 	github.com/cockroachdb/cockroach-go/v2 v2.1.0
 	github.com/duo-labs/webauthn v0.0.0-20200714211715-1daaee874e43
-	github.com/envoyproxy/protoc-gen-validate v0.4.1
+	github.com/envoyproxy/protoc-gen-validate v0.1.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/golang/mock v1.4.4
@@ -41,16 +43,19 @@ require (
 	github.com/kevinburke/twilio-go v0.0.0-20200810163702-320748330fac
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lib/pq v1.9.0
-	github.com/mattn/go-colorable v0.1.8 // indirect
+	github.com/manifoldco/promptui v0.7.0
+	github.com/mattn/go-colorable v0.1.8 // indirect; indirect github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.1 // indirect
 	github.com/nicksnyder/go-i18n/v2 v2.1.1
+	github.com/pkg/errors v0.9.1
 	github.com/pquerna/otp v1.2.0
 	github.com/prometheus/client_golang v1.8.0 // indirect
 	github.com/prometheus/common v0.15.0 // indirect
 	github.com/rakyll/statik v0.1.7
 	github.com/rs/cors v1.7.0
 	github.com/sony/sonyflake v1.0.0
+	github.com/spf13/cobra v0.0.7
 	github.com/stretchr/testify v1.6.1
 	github.com/ttacon/builder v0.0.0-20170518171403-c099f663e1c2 // indirect
 	github.com/ttacon/libphonenumber v1.1.0
@@ -66,10 +71,15 @@ require (
 	golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 // indirect
 	golang.org/x/text v0.3.4
 	golang.org/x/tools v0.0.0-20201103235415-b653051172e4
+	google.golang.org/api v0.34.0
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20201103154000-415bd0cd5df6
 	google.golang.org/grpc v1.34.0
 	google.golang.org/protobuf v1.25.0
 	gopkg.in/square/go-jose.v2 v2.5.1
-	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c
+	gotest.tools v2.2.0+incompatible
+	k8s.io/api v0.18.5
+	k8s.io/apiextensions-apiserver v0.18.5
+	k8s.io/apimachinery v0.18.5
 )

internal/admin/repository/eventsourcing/eventstore/administrator.go

@@ -48,7 +48,7 @@ func (repo *AdministratorRepo) GetViews() ([]*view_model.View, error) {
 }
 
 func (repo *AdministratorRepo) GetSpoolerDiv(database, view string) int64 {
-	sequence, err := repo.View.GetCurrentSequence(database, view, "")
+	sequence, err := repo.View.GetCurrentSequence(database, view)
 	if err != nil {
 
 		return 0

internal/admin/repository/eventsourcing/eventstore/iam.go

@@ -40,7 +40,7 @@ func (repo *IAMRepository) IAMMemberByID(ctx context.Context, iamID, userID stri
 
 func (repo *IAMRepository) SearchIAMMembers(ctx context.Context, request *iam_model.IAMMemberSearchRequest) (*iam_model.IAMMemberSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
-	sequence, err := repo.View.GetLatestIAMMemberSequence("")
+	sequence, err := repo.View.GetLatestIAMMemberSequence()
 	logging.Log("EVENT-Slkci").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Warn("could not read latest iam sequence")
 	members, count, err := repo.View.SearchIAMMembers(request)
 	if err != nil {
@@ -70,9 +70,7 @@ func (repo *IAMRepository) GetIAMMemberRoles() []string {
 }
 
 func (repo *IAMRepository) RemoveIDPConfig(ctx context.Context, idpConfigID string) error {
-	// if repo.IAMV2Command != nil {
-	// 	return repo.IAMV2Command.
-	// }
+
 	aggregates := make([]*es_models.Aggregate, 0)
 	idp := iam_model.NewIDPConfig(repo.SystemDefaults.IamID, idpConfigID)
 	_, agg, err := repo.IAMEventstore.PrepareRemoveIDPConfig(ctx, idp)
@@ -115,7 +113,7 @@ func (repo *IAMRepository) RemoveIDPConfig(ctx context.Context, idpConfigID stri
 
 func (repo *IAMRepository) SearchIDPConfigs(ctx context.Context, request *iam_model.IDPConfigSearchRequest) (*iam_model.IDPConfigSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
-	sequence, err := repo.View.GetLatestIDPConfigSequence("")
+	sequence, err := repo.View.GetLatestIDPConfigSequence()
 	logging.Log("EVENT-Dk8si").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Warn("could not read latest idp config sequence")
 	idps, count, err := repo.View.SearchIDPConfigs(request)
 	if err != nil {
@@ -134,31 +132,6 @@ func (repo *IAMRepository) SearchIDPConfigs(ctx context.Context, request *iam_mo
 	return result, nil
 }
 
-func (repo *IAMRepository) GetDefaultLabelPolicy(ctx context.Context) (*iam_model.LabelPolicyView, error) {
-	policy, viewErr := repo.View.LabelPolicyByAggregateID(repo.SystemDefaults.IamID)
-	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
-		return nil, viewErr
-	}
-	if caos_errs.IsNotFound(viewErr) {
-		policy = new(iam_es_model.LabelPolicyView)
-	}
-	events, esErr := repo.IAMEventstore.IAMEventsByID(ctx, repo.SystemDefaults.IamID, policy.Sequence)
-	if caos_errs.IsNotFound(viewErr) && len(events) == 0 {
-		return nil, caos_errs.ThrowNotFound(nil, "EVENT-4bM0s", "Errors.IAM.LabelPolicy.NotFound")
-	}
-	if esErr != nil {
-		logging.Log("EVENT-3M0xs").WithError(esErr).Debug("error retrieving new events")
-		return iam_es_model.LabelPolicyViewToModel(policy), nil
-	}
-	policyCopy := *policy
-	for _, event := range events {
-		if err := policyCopy.AppendEvent(event); err != nil {
-			return iam_es_model.LabelPolicyViewToModel(policy), nil
-		}
-	}
-	return iam_es_model.LabelPolicyViewToModel(policy), nil
-}
-
 func (repo *IAMRepository) GetDefaultLoginPolicy(ctx context.Context) (*iam_model.LoginPolicyView, error) {
 	policy, viewErr := repo.View.LoginPolicyByAggregateID(repo.SystemDefaults.IamID)
 	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
@@ -187,7 +160,7 @@ func (repo *IAMRepository) GetDefaultLoginPolicy(ctx context.Context) (*iam_mode
 func (repo *IAMRepository) SearchDefaultIDPProviders(ctx context.Context, request *iam_model.IDPProviderSearchRequest) (*iam_model.IDPProviderSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
 	request.AppendAggregateIDQuery(repo.SystemDefaults.IamID)
-	sequence, err := repo.View.GetLatestIDPProviderSequence("")
+	sequence, err := repo.View.GetLatestIDPProviderSequence()
 	logging.Log("EVENT-Tuiks").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Warn("could not read latest iam sequence")
 	providers, count, err := repo.View.SearchIDPProviders(request)
 	if err != nil {
@@ -352,3 +325,97 @@ func (repo *IAMRepository) GetOrgIAMPolicy(ctx context.Context) (*iam_model.OrgI
 	}
 	return iam_es_model.OrgIAMViewToModel(policy), nil
 }
+
+func (repo *IAMRepository) AddDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.AddOrgIAMPolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) ChangeDefaultOrgIAMPolicy(ctx context.Context, policy *iam_model.OrgIAMPolicy) (*iam_model.OrgIAMPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.ChangeOrgIAMPolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) GetDefaultLabelPolicy(ctx context.Context) (*iam_model.LabelPolicyView, error) {
+	policy, err := repo.View.LabelPolicyByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.LabelPolicyViewToModel(policy), err
+}
+
+func (repo *IAMRepository) AddDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.AddLabelPolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) ChangeDefaultLabelPolicy(ctx context.Context, policy *iam_model.LabelPolicy) (*iam_model.LabelPolicy, error) {
+	policy.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.ChangeLabelPolicy(ctx, policy)
+}
+
+func (repo *IAMRepository) GetDefaultMailTemplate(ctx context.Context) (*iam_model.MailTemplateView, error) {
+	template, err := repo.View.MailTemplateByAggregateID(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.MailTemplateViewToModel(template), err
+}
+
+func (repo *IAMRepository) AddDefaultMailTemplate(ctx context.Context, template *iam_model.MailTemplate) (*iam_model.MailTemplate, error) {
+	template.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.AddMailTemplate(ctx, template)
+}
+
+func (repo *IAMRepository) ChangeDefaultMailTemplate(ctx context.Context, template *iam_model.MailTemplate) (*iam_model.MailTemplate, error) {
+	template.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.ChangeMailTemplate(ctx, template)
+}
+
+func (repo *IAMRepository) SearchIAMMembersx(ctx context.Context, request *iam_model.IAMMemberSearchRequest) (*iam_model.IAMMemberSearchResponse, error) {
+	request.EnsureLimit(repo.SearchLimit)
+	sequence, err := repo.View.GetLatestIAMMemberSequence()
+	logging.Log("EVENT-Slkci").OnError(err).Warn("could not read latest iam sequence")
+	members, count, err := repo.View.SearchIAMMembers(request)
+	if err != nil {
+		return nil, err
+	}
+	result := &iam_model.IAMMemberSearchResponse{
+		Offset:      request.Offset,
+		Limit:       request.Limit,
+		TotalResult: count,
+		Result:      iam_es_model.IAMMembersToModel(members),
+	}
+	if err == nil {
+		result.Sequence = sequence.CurrentSequence
+		result.Timestamp = result.Timestamp
+	}
+	return result, nil
+}
+
+func (repo *IAMRepository) GetDefaultMailTexts(ctx context.Context) (*iam_model.MailTextsView, error) {
+	text, err := repo.View.MailTexts(repo.SystemDefaults.IamID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.MailTextsViewToModel(text, true), err
+}
+
+func (repo *IAMRepository) GetDefaultMailText(ctx context.Context, textType string, language string) (*iam_model.MailTextView, error) {
+	text, err := repo.View.MailTextByIDs(repo.SystemDefaults.IamID, textType, language)
+	if err != nil {
+		return nil, err
+	}
+	text.Default = true
+	return iam_es_model.MailTextViewToModel(text), err
+}
+
+func (repo *IAMRepository) AddDefaultMailText(ctx context.Context, text *iam_model.MailText) (*iam_model.MailText, error) {
+	text.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.AddMailText(ctx, text)
+}
+
+func (repo *IAMRepository) ChangeDefaultMailText(ctx context.Context, text *iam_model.MailText) (*iam_model.MailText, error) {
+	text.AggregateID = repo.SystemDefaults.IamID
+	return repo.IAMEventstore.ChangeMailText(ctx, text)
+}

internal/admin/repository/eventsourcing/eventstore/org.go

@@ -87,7 +87,7 @@ func (repo *OrgRepo) OrgByID(ctx context.Context, id string) (*org_model.Org, er
 
 func (repo *OrgRepo) SearchOrgs(ctx context.Context, query *org_model.OrgSearchRequest) (*org_model.OrgSearchResult, error) {
 	query.EnsureLimit(repo.SearchLimit)
-	sequence, err := repo.View.GetLatestOrgSequence("")
+	sequence, err := repo.View.GetLatestOrgSequence()
 	logging.Log("EVENT-LXo9w").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Warn("could not read latest iam sequence")
 	orgs, count, err := repo.View.SearchOrgs(query)
 	if err != nil {

internal/admin/repository/eventsourcing/handler/handler.go

@@ -74,6 +74,10 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es
 			defaults,
 			repos.IamEvents,
 			repos.OrgEvents),
+		newMailTemplate(
+			handler{view, bulkLimit, configs.cycleDuration("MailTemplate"), errorCount, es}),
+		newMailText(
+			handler{view, bulkLimit, configs.cycleDuration("MailText"), errorCount, es}),
 	}
 }
 

internal/admin/repository/eventsourcing/handler/iam_member.go

@@ -45,8 +45,8 @@ func (m *IAMMember) subscribe() {
 	}()
 }
 
-func (m *IAMMember) CurrentSequence(event *es_models.Event) (uint64, error) {
-	sequence, err := m.view.GetLatestIAMMemberSequence(string(event.AggregateType))
+func (m *IAMMember) CurrentSequence() (uint64, error) {
+	sequence, err := m.view.GetLatestIAMMemberSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -62,7 +62,7 @@ func (m *IAMMember) AggregateTypes() []es_models.AggregateType {
 }
 
 func (m *IAMMember) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := m.view.GetLatestIAMMemberSequence("")
+	sequence, err := m.view.GetLatestIAMMemberSequence()
 	if err != nil {
 		return nil, err
 	}

internal/admin/repository/eventsourcing/handler/idp_config.go

@@ -47,8 +47,8 @@ func (i *IDPConfig) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{model.IAMAggregate}
 }
 
-func (i *IDPConfig) CurrentSequence(event *es_models.Event) (uint64, error) {
-	sequence, err := i.view.GetLatestIDPConfigSequence(string(event.AggregateType))
+func (i *IDPConfig) CurrentSequence() (uint64, error) {
+	sequence, err := i.view.GetLatestIDPConfigSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -56,7 +56,7 @@ func (i *IDPConfig) CurrentSequence(event *es_models.Event) (uint64, error) {
 }
 
 func (i *IDPConfig) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := i.view.GetLatestIDPConfigSequence("")
+	sequence, err := i.view.GetLatestIDPConfigSequence()
 	if err != nil {
 		return nil, err
 	}

internal/admin/repository/eventsourcing/handler/idp_providers.go

@@ -64,8 +64,8 @@ func (i *IDPProvider) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{model.IAMAggregate, org_es_model.OrgAggregate}
 }
 
-func (i *IDPProvider) CurrentSequence(event *es_models.Event) (uint64, error) {
-	sequence, err := i.view.GetLatestIDPProviderSequence(string(event.AggregateType))
+func (i *IDPProvider) CurrentSequence() (uint64, error) {
+	sequence, err := i.view.GetLatestIDPProviderSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -73,7 +73,7 @@ func (i *IDPProvider) CurrentSequence(event *es_models.Event) (uint64, error) {
 }
 
 func (i *IDPProvider) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := i.view.GetLatestIDPProviderSequence("")
+	sequence, err := i.view.GetLatestIDPProviderSequence()
 	if err != nil {
 		return nil, err
 	}

internal/admin/repository/eventsourcing/handler/label_policy.go

@@ -47,7 +47,7 @@ func (p *LabelPolicy) AggregateTypes() []es_models.AggregateType {
 }
 
 func (p *LabelPolicy) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestLabelPolicySequence("")
+	sequence, err := p.view.GetLatestLabelPolicySequence()
 	if err != nil {
 		return nil, err
 	}
@@ -56,8 +56,8 @@ func (p *LabelPolicy) EventQuery() (*es_models.SearchQuery, error) {
 		LatestSequenceFilter(sequence.CurrentSequence), nil
 }
 
-func (p *LabelPolicy) CurrentSequence(event *es_models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestLabelPolicySequence(string(event.AggregateType))
+func (p *LabelPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestLabelPolicySequence()
 	if err != nil {
 		return 0, err
 	}

internal/admin/repository/eventsourcing/handler/login_policy.go

@@ -48,7 +48,7 @@ func (p *LoginPolicy) AggregateTypes() []models.AggregateType {
 }
 
 func (p *LoginPolicy) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestLoginPolicySequence("")
+	sequence, err := p.view.GetLatestLoginPolicySequence()
 	if err != nil {
 		return nil, err
 	}
@@ -57,8 +57,8 @@ func (p *LoginPolicy) EventQuery() (*models.SearchQuery, error) {
 		LatestSequenceFilter(sequence.CurrentSequence), nil
 }
 
-func (p *LoginPolicy) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestLoginPolicySequence(string(event.AggregateType))
+func (p *LoginPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestLoginPolicySequence()
 	if err != nil {
 		return 0, err
 	}

internal/admin/repository/eventsourcing/handler/mail_template.go

@@ -0,0 +1,105 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/query"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+)
+
+type MailTemplate struct {
+	handler
+	subscription *eventstore.Subscription
+}
+
+func newMailTemplate(handler handler) *MailTemplate {
+	h := &MailTemplate{
+		handler: handler,
+	}
+
+	h.subscribe()
+
+	return h
+}
+
+func (m *MailTemplate) subscribe() {
+	m.subscription = m.es.Subscribe(m.AggregateTypes()...)
+	go func() {
+		for event := range m.subscription.Events {
+			query.ReduceEvent(m, event)
+		}
+	}()
+}
+
+const (
+	mailTemplateTable = "adminapi.mail_templates"
+)
+
+func (m *MailTemplate) ViewModel() string {
+	return mailTemplateTable
+}
+
+func (_ *MailTemplate) AggregateTypes() []es_models.AggregateType {
+	return []es_models.AggregateType{iam_es_model.IAMAggregate}
+}
+
+func (p *MailTemplate) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestMailTemplateSequence()
+	if err != nil {
+		return 0, err
+	}
+	return sequence.CurrentSequence, nil
+}
+
+func (m *MailTemplate) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestMailTemplateSequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(m.AggregateTypes()...).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *MailTemplate) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.IAMAggregate:
+		err = m.processMailTemplate(event)
+	}
+	return err
+}
+
+func (m *MailTemplate) processMailTemplate(event *models.Event) (err error) {
+	template := new(iam_model.MailTemplateView)
+	switch event.Type {
+	case model.MailTemplateAdded:
+		err = template.AppendEvent(event)
+	case model.MailTemplateChanged:
+		template, err = m.view.MailTemplateByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = template.AppendEvent(event)
+	default:
+		return m.view.ProcessedMailTemplateSequence(event)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutMailTemplate(template, event)
+}
+
+func (m *MailTemplate) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-Wj8sf", "id", event.AggregateID).WithError(err).Warn("something went wrong in label template handler")
+	return spooler.HandleError(event, err, m.view.GetLatestMailTemplateFailedEvent, m.view.ProcessedMailTemplateFailedEvent, m.view.ProcessedMailTemplateSequence, m.errorCountUntilSkip)
+}
+
+func (o *MailTemplate) OnSuccess() error {
+	return spooler.HandleSuccess(o.view.UpdateMailTemplateSpoolerRunTimestamp)
+}

internal/admin/repository/eventsourcing/handler/mail_text.go

@@ -0,0 +1,109 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/query"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+)
+
+type MailText struct {
+	handler
+	subscription *eventstore.Subscription
+}
+
+func newMailText(handler handler) *MailText {
+	h := &MailText{
+		handler: handler,
+	}
+
+	h.subscribe()
+
+	return h
+}
+
+func (m *MailText) subscribe() {
+	m.subscription = m.es.Subscribe(m.AggregateTypes()...)
+	go func() {
+		for event := range m.subscription.Events {
+			query.ReduceEvent(m, event)
+		}
+	}()
+}
+
+const (
+	mailTextTable = "adminapi.mail_texts"
+)
+
+func (m *MailText) ViewModel() string {
+	return mailTextTable
+}
+
+func (_ *MailText) AggregateTypes() []es_models.AggregateType {
+	return []es_models.AggregateType{iam_es_model.IAMAggregate}
+}
+
+func (p *MailText) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestMailTextSequence()
+	if err != nil {
+		return 0, err
+	}
+	return sequence.CurrentSequence, nil
+}
+
+func (m *MailText) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestMailTextSequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(m.AggregateTypes()...).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *MailText) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.IAMAggregate:
+		err = m.processMailText(event)
+	}
+	return err
+}
+
+func (m *MailText) processMailText(event *models.Event) (err error) {
+	mailText := new(iam_model.MailTextView)
+	switch event.Type {
+	case model.MailTextAdded:
+		err = mailText.AppendEvent(event)
+	case model.MailTextChanged:
+		err = mailText.SetData(event)
+		if err != nil {
+			return err
+		}
+		mailText, err = m.view.MailTextByIDs(event.AggregateID, mailText.MailTextType, mailText.Language)
+		if err != nil {
+			return err
+		}
+		err = mailText.AppendEvent(event)
+	default:
+		return m.view.ProcessedMailTextSequence(event)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutMailText(mailText, event)
+}
+
+func (m *MailText) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("HANDL-5jk84", "id", event.AggregateID).WithError(err).Warn("something went wrong in label mailText handler")
+	return spooler.HandleError(event, err, m.view.GetLatestMailTextFailedEvent, m.view.ProcessedMailTextFailedEvent, m.view.ProcessedMailTextSequence, m.errorCountUntilSkip)
+}
+
+func (o *MailText) OnSuccess() error {
+	return spooler.HandleSuccess(o.view.UpdateMailTextSpoolerRunTimestamp)
+}

internal/admin/repository/eventsourcing/handler/org.go

@@ -49,15 +49,15 @@ func (o *Org) AggregateTypes() []es_models.AggregateType {
 }
 
 func (o *Org) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := o.view.GetLatestOrgSequence("")
+	sequence, err := o.view.GetLatestOrgSequence()
 	if err != nil {
 		return nil, err
 	}
 	return eventsourcing.OrgQuery(sequence.CurrentSequence), nil
 }
 
-func (o *Org) CurrentSequence(event *es_models.Event) (uint64, error) {
-	sequence, err := o.view.GetLatestOrgSequence(string(event.AggregateType))
+func (o *Org) CurrentSequence() (uint64, error) {
+	sequence, err := o.view.GetLatestOrgSequence()
 	if err != nil {
 		return 0, err
 	}

internal/admin/repository/eventsourcing/handler/org_iam_policy.go

@@ -48,7 +48,7 @@ func (p *OrgIAMPolicy) AggregateTypes() []es_models.AggregateType {
 }
 
 func (p *OrgIAMPolicy) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestOrgIAMPolicySequence("")
+	sequence, err := p.view.GetLatestOrgIAMPolicySequence()
 	if err != nil {
 		return nil, err
 	}
@@ -57,8 +57,8 @@ func (p *OrgIAMPolicy) EventQuery() (*es_models.SearchQuery, error) {
 		LatestSequenceFilter(sequence.CurrentSequence), nil
 }
 
-func (p *OrgIAMPolicy) CurrentSequence(event *es_models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestOrgIAMPolicySequence(string(event.AggregateType))
+func (p *OrgIAMPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestOrgIAMPolicySequence()
 	if err != nil {
 		return 0, err
 	}

internal/admin/repository/eventsourcing/handler/password_age_policy.go

@@ -49,8 +49,8 @@ func (p *PasswordAgePolicy) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
 }
 
-func (p *PasswordAgePolicy) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestPasswordAgePolicySequence(string(event.AggregateType))
+func (p *PasswordAgePolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestPasswordAgePolicySequence()
 	if err != nil {
 		return 0, err
 	}
@@ -58,7 +58,7 @@ func (p *PasswordAgePolicy) CurrentSequence(event *models.Event) (uint64, error)
 }
 
 func (p *PasswordAgePolicy) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestPasswordAgePolicySequence("")
+	sequence, err := p.view.GetLatestPasswordAgePolicySequence()
 	if err != nil {
 		return nil, err
 	}

internal/admin/repository/eventsourcing/handler/password_complexity_policy.go

@@ -49,8 +49,8 @@ func (p *PasswordComplexityPolicy) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
 }
 
-func (p *PasswordComplexityPolicy) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestPasswordComplexityPolicySequence(string(event.AggregateType))
+func (p *PasswordComplexityPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestPasswordComplexityPolicySequence()
 	if err != nil {
 		return 0, err
 	}
@@ -58,7 +58,7 @@ func (p *PasswordComplexityPolicy) CurrentSequence(event *models.Event) (uint64,
 }
 
 func (p *PasswordComplexityPolicy) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestPasswordComplexityPolicySequence("")
+	sequence, err := p.view.GetLatestPasswordComplexityPolicySequence()
 	if err != nil {
 		return nil, err
 	}

internal/admin/repository/eventsourcing/handler/password_lockout_policy.go

@@ -49,8 +49,8 @@ func (p *PasswordLockoutPolicy) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
 }
 
-func (p *PasswordLockoutPolicy) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestPasswordLockoutPolicySequence(string(event.AggregateType))
+func (p *PasswordLockoutPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
 	if err != nil {
 		return 0, err
 	}
@@ -58,7 +58,7 @@ func (p *PasswordLockoutPolicy) CurrentSequence(event *models.Event) (uint64, er
 }
 
 func (p *PasswordLockoutPolicy) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestPasswordLockoutPolicySequence("")
+	sequence, err := p.view.GetLatestPasswordLockoutPolicySequence()
 	if err != nil {
 		return nil, err
 	}

internal/admin/repository/eventsourcing/handler/user.go

@@ -68,8 +68,8 @@ func (u *User) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{es_model.UserAggregate, org_es_model.OrgAggregate}
 }
 
-func (u *User) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := u.view.GetLatestUserSequence(string(event.AggregateType))
+func (u *User) CurrentSequence() (uint64, error) {
+	sequence, err := u.view.GetLatestUserSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -77,7 +77,7 @@ func (u *User) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (u *User) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := u.view.GetLatestUserSequence("")
+	sequence, err := u.view.GetLatestUserSequence()
 	if err != nil {
 		return nil, err
 	}

internal/admin/repository/eventsourcing/handler/user_external_idps.go

@@ -69,8 +69,8 @@ func (i *ExternalIDP) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{model.UserAggregate, iam_es_model.IAMAggregate, org_es_model.OrgAggregate}
 }
 
-func (i *ExternalIDP) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := i.view.GetLatestExternalIDPSequence(string(event.AggregateType))
+func (i *ExternalIDP) CurrentSequence() (uint64, error) {
+	sequence, err := i.view.GetLatestExternalIDPSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -78,7 +78,7 @@ func (i *ExternalIDP) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (i *ExternalIDP) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := i.view.GetLatestExternalIDPSequence("")
+	sequence, err := i.view.GetLatestExternalIDPSequence()
 	if err != nil {
 		return nil, err
 	}

internal/admin/repository/eventsourcing/view/external_idps.go

@@ -65,8 +65,8 @@ func (v *View) DeleteExternalIDPsByUserID(userID string, event *models.Event) er
 	return v.ProcessedExternalIDPSequence(event)
 }
 
-func (v *View) GetLatestExternalIDPSequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(externalIDPTable, aggregateType)
+func (v *View) GetLatestExternalIDPSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(externalIDPTable)
 }
 
 func (v *View) ProcessedExternalIDPSequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/iam_member.go

@@ -57,8 +57,8 @@ func (v *View) DeleteIAMMembersByUserID(userID string, event *models.Event) erro
 	return v.ProcessedIAMMemberSequence(event)
 }
 
-func (v *View) GetLatestIAMMemberSequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(iamMemberTable, aggregateType)
+func (v *View) GetLatestIAMMemberSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(iamMemberTable)
 }
 
 func (v *View) ProcessedIAMMemberSequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/idp_configs.go

@@ -37,8 +37,8 @@ func (v *View) DeleteIDPConfig(idpID string, event *models.Event) error {
 	return v.ProcessedIDPConfigSequence(event)
 }
 
-func (v *View) GetLatestIDPConfigSequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(idpConfigTable, aggregateType)
+func (v *View) GetLatestIDPConfigSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(idpConfigTable)
 }
 
 func (v *View) ProcessedIDPConfigSequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/idp_providers.go

@@ -49,8 +49,8 @@ func (v *View) DeleteIDPProvider(aggregateID, idpConfigID string, event *models.
 	return v.ProcessedIDPProviderSequence(event)
 }
 
-func (v *View) GetLatestIDPProviderSequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(idpProviderTable, aggregateType)
+func (v *View) GetLatestIDPProviderSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(idpProviderTable)
 }
 
 func (v *View) ProcessedIDPProviderSequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/label_policies.go

@@ -23,8 +23,8 @@ func (v *View) PutLabelPolicy(policy *model.LabelPolicyView, event *models.Event
 	return v.ProcessedLabelPolicySequence(event)
 }
 
-func (v *View) GetLatestLabelPolicySequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(labelPolicyTable, aggregateType)
+func (v *View) GetLatestLabelPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(labelPolicyTable)
 }
 
 func (v *View) ProcessedLabelPolicySequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/login_policies.go

@@ -32,8 +32,8 @@ func (v *View) DeleteLoginPolicy(aggregateID string, event *models.Event) error
 	return v.ProcessedLoginPolicySequence(event)
 }
 
-func (v *View) GetLatestLoginPolicySequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(loginPolicyTable, aggregateType)
+func (v *View) GetLatestLoginPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(loginPolicyTable)
 }
 
 func (v *View) ProcessedLoginPolicySequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/mail_templates.go

@@ -0,0 +1,44 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	mailTemplateTable = "adminapi.mail_templates"
+)
+
+func (v *View) MailTemplateByAggregateID(aggregateID string) (*model.MailTemplateView, error) {
+	return view.GetMailTemplateByAggregateID(v.Db, mailTemplateTable, aggregateID)
+}
+
+func (v *View) PutMailTemplate(template *model.MailTemplateView, event *models.Event) error {
+	err := view.PutMailTemplate(v.Db, mailTemplateTable, template)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedMailTemplateSequence(event)
+}
+
+func (v *View) GetLatestMailTemplateSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(mailTemplateTable)
+}
+
+func (v *View) ProcessedMailTemplateSequence(event *models.Event) error {
+	return v.saveCurrentSequence(mailTemplateTable, event)
+}
+
+func (v *View) UpdateMailTemplateSpoolerRunTimestamp() error {
+	return v.updateSpoolerRunSequence(mailTemplateTable)
+}
+
+func (v *View) GetLatestMailTemplateFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(mailTemplateTable, sequence)
+}
+
+func (v *View) ProcessedMailTemplateFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}

internal/admin/repository/eventsourcing/view/mail_texts.go

@@ -0,0 +1,48 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	mailTextTable = "adminapi.mail_texts"
+)
+
+func (v *View) MailTexts(aggregateID string) ([]*model.MailTextView, error) {
+	return view.GetMailTexts(v.Db, mailTextTable, aggregateID)
+}
+
+func (v *View) MailTextByIDs(aggregateID string, textType string, language string) (*model.MailTextView, error) {
+	return view.GetMailTextByIDs(v.Db, mailTextTable, aggregateID, textType, language)
+}
+
+func (v *View) PutMailText(template *model.MailTextView, event *models.Event) error {
+	err := view.PutMailText(v.Db, mailTextTable, template)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedMailTextSequence(event)
+}
+
+func (v *View) GetLatestMailTextSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(mailTextTable)
+}
+
+func (v *View) ProcessedMailTextSequence(event *models.Event) error {
+	return v.saveCurrentSequence(mailTextTable, event)
+}
+
+func (v *View) UpdateMailTextSpoolerRunTimestamp() error {
+	return v.updateSpoolerRunSequence(mailTextTable)
+}
+
+func (v *View) GetLatestMailTextFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(mailTextTable, sequence)
+}
+
+func (v *View) ProcessedMailTextFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}

internal/admin/repository/eventsourcing/view/org.go

@@ -40,8 +40,8 @@ func (v *View) UpdateOrgSpoolerRunTimestamp() error {
 	return v.updateSpoolerRunSequence(orgTable)
 }
 
-func (v *View) GetLatestOrgSequence(aggregateType string) (*repository.CurrentSequence, error) {
-	return v.latestSequence(orgTable, aggregateType)
+func (v *View) GetLatestOrgSequence() (*repository.CurrentSequence, error) {
+	return v.latestSequence(orgTable)
 }
 
 func (v *View) ProcessedOrgSequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/org_iam_policy.go

@@ -32,8 +32,8 @@ func (v *View) DeleteOrgIAMPolicy(aggregateID string, event *models.Event) error
 	return v.ProcessedOrgIAMPolicySequence(event)
 }
 
-func (v *View) GetLatestOrgIAMPolicySequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(orgIAMPolicyTable, aggregateType)
+func (v *View) GetLatestOrgIAMPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(orgIAMPolicyTable)
 }
 
 func (v *View) ProcessedOrgIAMPolicySequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/password_age_policy.go

@@ -32,8 +32,8 @@ func (v *View) DeletePasswordAgePolicy(aggregateID string, event *models.Event)
 	return v.ProcessedPasswordAgePolicySequence(event)
 }
 
-func (v *View) GetLatestPasswordAgePolicySequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(passwordAgePolicyTable, aggregateType)
+func (v *View) GetLatestPasswordAgePolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(passwordAgePolicyTable)
 }
 
 func (v *View) ProcessedPasswordAgePolicySequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/password_complexity_policy.go

@@ -32,8 +32,8 @@ func (v *View) DeletePasswordComplexityPolicy(aggregateID string, event *models.
 	return v.ProcessedPasswordComplexityPolicySequence(event)
 }
 
-func (v *View) GetLatestPasswordComplexityPolicySequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(passwordComplexityPolicyTable, aggregateType)
+func (v *View) GetLatestPasswordComplexityPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(passwordComplexityPolicyTable)
 }
 
 func (v *View) ProcessedPasswordComplexityPolicySequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/password_lockout_policy.go

@@ -32,8 +32,8 @@ func (v *View) DeletePasswordLockoutPolicy(aggregateID string, event *models.Eve
 	return v.ProcessedPasswordLockoutPolicySequence(event)
 }
 
-func (v *View) GetLatestPasswordLockoutPolicySequence(aggregateType string) (*global_view.CurrentSequence, error) {
-	return v.latestSequence(passwordLockoutPolicyTable, aggregateType)
+func (v *View) GetLatestPasswordLockoutPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(passwordLockoutPolicyTable)
 }
 
 func (v *View) ProcessedPasswordLockoutPolicySequence(event *models.Event) error {

internal/admin/repository/eventsourcing/view/sequence.go

@@ -12,11 +12,11 @@ const (
 )
 
 func (v *View) saveCurrentSequence(viewName string, event *models.Event) error {
-	return repository.SaveCurrentSequence(v.Db, sequencesTable, viewName, string(event.AggregateType), event.Sequence, event.CreationDate)
+	return repository.SaveCurrentSequence(v.Db, sequencesTable, viewName, event.Sequence, event.CreationDate)
 }
 
-func (v *View) latestSequence(viewName, aggregateType string) (*repository.CurrentSequence, error) {
-	return repository.LatestSequence(v.Db, sequencesTable, viewName, aggregateType)
+func (v *View) latestSequence(viewName string) (*repository.CurrentSequence, error) {
+	return repository.LatestSequence(v.Db, sequencesTable, viewName)
 }
 
 func (v *View) AllCurrentSequences(db string) ([]*repository.CurrentSequence, error) {
@@ -24,7 +24,7 @@ func (v *View) AllCurrentSequences(db string) ([]*repository.CurrentSequence, er
 }
 
 func (v *View) updateSpoolerRunSequence(viewName string) error {
-	currentSequence, err := repository.LatestSequence(v.Db, sequencesTable, viewName, "")
+	currentSequence, err := repository.LatestSequence(v.Db, sequencesTable, viewName)
 	if err != nil {
 		return err
 	}
@@ -38,10 +38,10 @@ func (v *View) updateSpoolerRunSequence(viewName string) error {
 	return repository.UpdateCurrentSequence(v.Db, sequencesTable, currentSequence)
 }
 
-func (v *View) GetCurrentSequence(db, viewName, aggregateType string) (*repository.CurrentSequence, error) {
+func (v *View) GetCurrentSequence(db, viewName string) (*repository.CurrentSequence, error) {
 	sequenceTable := db + ".current_sequences"
 	fullView := db + "." + viewName
-	return repository.LatestSequence(v.Db, sequenceTable, fullView, aggregateType)
+	return repository.LatestSequence(v.Db, sequenceTable, fullView)
 }
 
 func (v *View) ClearView(db, viewName string) error {

internal/admin/repository/eventsourcing/view/user.go

@@ -65,8 +65,8 @@ func (v *View) DeleteUser(userID string, event *models.Event) error {
 	return v.ProcessedUserSequence(event)
 }
 
-func (v *View) GetLatestUserSequence(aggregateType string) (*repository.CurrentSequence, error) {
-	return v.latestSequence(userTable, aggregateType)
+func (v *View) GetLatestUserSequence() (*repository.CurrentSequence, error) {
+	return v.latestSequence(userTable)
 }
 
 func (v *View) ProcessedUserSequence(event *models.Event) error {

internal/admin/repository/iam.go

@@ -20,6 +20,15 @@ type IAMRepository interface {
 
 	GetDefaultLabelPolicy(ctx context.Context) (*iam_model.LabelPolicyView, error)
 
+	GetDefaultMailTemplate(ctx context.Context) (*iam_model.MailTemplateView, error)
+	AddDefaultMailTemplate(ctx context.Context, template *iam_model.MailTemplate) (*iam_model.MailTemplate, error)
+	ChangeDefaultMailTemplate(ctx context.Context, template *iam_model.MailTemplate) (*iam_model.MailTemplate, error)
+
+	GetDefaultMailTexts(ctx context.Context) (*iam_model.MailTextsView, error)
+	GetDefaultMailText(ctx context.Context, textType string, language string) (*iam_model.MailTextView, error)
+	AddDefaultMailText(ctx context.Context, mailText *iam_model.MailText) (*iam_model.MailText, error)
+	ChangeDefaultMailText(ctx context.Context, policy *iam_model.MailText) (*iam_model.MailText, error)
+
 	GetDefaultPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error)
 
 	GetDefaultPasswordAgePolicy(ctx context.Context) (*iam_model.PasswordAgePolicyView, error)

internal/api/grpc/admin/template.go

@@ -0,0 +1,24 @@
+package admin
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetDefaultMailTemplate(ctx context.Context, _ *empty.Empty) (*admin.DefaultMailTemplateView, error) {
+	result, err := s.iam.GetDefaultMailTemplate(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return templateViewFromModel(result), nil
+}
+
+func (s *Server) UpdateDefaultMailTemplate(ctx context.Context, policy *admin.DefaultMailTemplateUpdate) (*admin.DefaultMailTemplate, error) {
+	result, err := s.iam.ChangeDefaultMailTemplate(ctx, templateToModel(policy))
+	if err != nil {
+		return nil, err
+	}
+	return templateFromModel(result), nil
+}

internal/api/grpc/admin/template_converter.go

@@ -0,0 +1,42 @@
+package admin
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func templateToModel(policy *admin.DefaultMailTemplateUpdate) *iam_model.MailTemplate {
+	return &iam_model.MailTemplate{
+		Template: policy.Template,
+	}
+}
+
+func templateFromModel(policy *iam_model.MailTemplate) *admin.DefaultMailTemplate {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("ADMIN-CAA7T").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("ADMIN-H52Zx").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultMailTemplate{
+		Template:     policy.Template,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}
+
+func templateViewFromModel(policy *iam_model.MailTemplateView) *admin.DefaultMailTemplateView {
+	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
+	logging.Log("ADMIN-yWFs5").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
+	logging.Log("ADMIN-JRpIO").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultMailTemplateView{
+		Template:     policy.Template,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}

internal/api/grpc/admin/text.go

@@ -0,0 +1,32 @@
+package admin
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetDefaultMailTexts(ctx context.Context, _ *empty.Empty) (*admin.DefaultMailTextsView, error) {
+	result, err := s.iam.GetDefaultMailTexts(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return textsViewFromModel(result), nil
+}
+
+func (s *Server) GetDefaultMailText(ctx context.Context, textType string, language string) (*admin.DefaultMailTextView, error) {
+	result, err := s.iam.GetDefaultMailText(ctx, textType, language)
+	if err != nil {
+		return nil, err
+	}
+	return textViewFromModel(result), nil
+}
+
+func (s *Server) UpdateDefaultMailText(ctx context.Context, text *admin.DefaultMailTextUpdate) (*admin.DefaultMailText, error) {
+	result, err := s.iam.ChangeDefaultMailText(ctx, textToModel(text))
+	if err != nil {
+		return nil, err
+	}
+	return textFromModel(result), nil
+}

internal/api/grpc/admin/text_converter.go

@@ -0,0 +1,78 @@
+package admin
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func textToModel(text *admin.DefaultMailTextUpdate) *iam_model.MailText {
+	return &iam_model.MailText{
+		MailTextType: text.MailTextType,
+		Language:     text.Language,
+		Title:        text.Title,
+		PreHeader:    text.PreHeader,
+		Subject:      text.Subject,
+		Greeting:     text.Greeting,
+		Text:         text.Text,
+		ButtonText:   text.ButtonText,
+	}
+}
+
+func textFromModel(text *iam_model.MailText) *admin.DefaultMailText {
+	creationDate, err := ptypes.TimestampProto(text.CreationDate)
+	logging.Log("ADMIN-Jlzsj").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(text.ChangeDate)
+	logging.Log("ADMIN-mw5b8").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultMailText{
+		MailTextType: text.MailTextType,
+		Language:     text.Language,
+		Title:        text.Title,
+		PreHeader:    text.PreHeader,
+		Subject:      text.Subject,
+		Greeting:     text.Greeting,
+		Text:         text.Text,
+		ButtonText:   text.ButtonText,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}
+
+func textsViewFromModel(textsin *iam_model.MailTextsView) *admin.DefaultMailTextsView {
+	return &admin.DefaultMailTextsView{
+		Texts: textsViewToModel(textsin.Texts),
+	}
+}
+
+func textsViewToModel(queries []*iam_model.MailTextView) []*admin.DefaultMailTextView {
+	modelQueries := make([]*admin.DefaultMailTextView, len(queries))
+	for i, query := range queries {
+		modelQueries[i] = textViewFromModel(query)
+	}
+
+	return modelQueries
+}
+
+func textViewFromModel(text *iam_model.MailTextView) *admin.DefaultMailTextView {
+	creationDate, err := ptypes.TimestampProto(text.CreationDate)
+	logging.Log("ADMIN-7RyJc").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(text.ChangeDate)
+	logging.Log("ADMIN-fTFgY").OnError(err).Debug("date parse failed")
+
+	return &admin.DefaultMailTextView{
+		MailTextType: text.MailTextType,
+		Language:     text.Language,
+		Title:        text.Title,
+		PreHeader:    text.PreHeader,
+		Subject:      text.Subject,
+		Greeting:     text.Greeting,
+		Text:         text.Text,
+		ButtonText:   text.ButtonText,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}

internal/api/grpc/management/mail_template.go

@@ -0,0 +1,45 @@
+package management
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetMailTemplate(ctx context.Context, _ *empty.Empty) (*management.MailTemplateView, error) {
+	result, err := s.org.GetMailTemplate(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return mailTemplateViewFromModel(result), nil
+}
+
+func (s *Server) GetDefaultMailTemplate(ctx context.Context, _ *empty.Empty) (*management.MailTemplateView, error) {
+	result, err := s.org.GetDefaultMailTemplate(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return mailTemplateViewFromModel(result), nil
+}
+
+func (s *Server) CreateMailTemplate(ctx context.Context, template *management.MailTemplateUpdate) (*management.MailTemplate, error) {
+	result, err := s.org.AddMailTemplate(ctx, mailTemplateRequestToModel(template))
+	if err != nil {
+		return nil, err
+	}
+	return mailTemplateFromModel(result), nil
+}
+
+func (s *Server) UpdateMailTemplate(ctx context.Context, template *management.MailTemplateUpdate) (*management.MailTemplate, error) {
+	result, err := s.org.ChangeMailTemplate(ctx, mailTemplateRequestToModel(template))
+	if err != nil {
+		return nil, err
+	}
+	return mailTemplateFromModel(result), nil
+}
+
+func (s *Server) RemoveMailTemplate(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	err := s.org.RemoveMailTemplate(ctx)
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/mail_template_converter.go

@@ -0,0 +1,42 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func mailTemplateRequestToModel(mailTemplate *management.MailTemplateUpdate) *iam_model.MailTemplate {
+	return &iam_model.MailTemplate{
+		Template: mailTemplate.Template,
+	}
+}
+
+func mailTemplateFromModel(mailTemplate *iam_model.MailTemplate) *management.MailTemplate {
+	creationDate, err := ptypes.TimestampProto(mailTemplate.CreationDate)
+	logging.Log("MANAG-ULKZ6").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(mailTemplate.ChangeDate)
+	logging.Log("MANAG-451rI").OnError(err).Debug("date parse failed")
+	return &management.MailTemplate{
+		Template:     mailTemplate.Template,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}
+
+func mailTemplateViewFromModel(mailTemplate *iam_model.MailTemplateView) *management.MailTemplateView {
+	creationDate, err := ptypes.TimestampProto(mailTemplate.CreationDate)
+	logging.Log("MANAG-koQnB").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(mailTemplate.ChangeDate)
+	logging.Log("MANAG-ToDhD").OnError(err).Debug("date parse failed")
+
+	return &management.MailTemplateView{
+		Default:      mailTemplate.Default,
+		Template:     mailTemplate.Template,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}

internal/api/grpc/management/mail_text.go

@@ -0,0 +1,45 @@
+package management
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetMailTexts(ctx context.Context, _ *empty.Empty) (*management.MailTextsView, error) {
+	result, err := s.org.GetMailTexts(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return mailTextsViewFromModel(result.Texts), nil
+}
+
+func (s *Server) GetDefaultMailTexts(ctx context.Context, _ *empty.Empty) (*management.MailTextsView, error) {
+	result, err := s.org.GetDefaultMailTexts(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return mailTextsViewFromModel(result.Texts), nil
+}
+
+func (s *Server) CreateMailText(ctx context.Context, mailText *management.MailTextUpdate) (*management.MailText, error) {
+	result, err := s.org.AddMailText(ctx, mailTextRequestToModel(mailText))
+	if err != nil {
+		return nil, err
+	}
+	return mailTextFromModel(result), nil
+}
+
+func (s *Server) UpdateMailText(ctx context.Context, mailText *management.MailTextUpdate) (*management.MailText, error) {
+	result, err := s.org.ChangeMailText(ctx, mailTextRequestToModel(mailText))
+	if err != nil {
+		return nil, err
+	}
+	return mailTextFromModel(result), nil
+}
+
+func (s *Server) RemoveMailText(ctx context.Context, mailText *management.MailTextRemove) (*empty.Empty, error) {
+	err := s.org.RemoveMailText(ctx, mailTextRemoveToModel(mailText))
+	return &empty.Empty{}, err
+}

internal/api/grpc/management/mail_text_converter.go

@@ -0,0 +1,82 @@
+package management
+
+import (
+	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/golang/protobuf/ptypes"
+)
+
+func mailTextRequestToModel(mailText *management.MailTextUpdate) *iam_model.MailText {
+	return &iam_model.MailText{
+		MailTextType: mailText.MailTextType,
+		Language:     mailText.Language,
+		Title:        mailText.Title,
+		PreHeader:    mailText.PreHeader,
+		Subject:      mailText.Subject,
+		Greeting:     mailText.Greeting,
+		Text:         mailText.Text,
+		ButtonText:   mailText.ButtonText,
+	}
+}
+
+func mailTextRemoveToModel(mailText *management.MailTextRemove) *iam_model.MailText {
+	return &iam_model.MailText{
+		MailTextType: mailText.MailTextType,
+		Language:     mailText.Language,
+	}
+}
+
+func mailTextFromModel(mailText *iam_model.MailText) *management.MailText {
+	creationDate, err := ptypes.TimestampProto(mailText.CreationDate)
+	logging.Log("MANAG-ULKZ6").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(mailText.ChangeDate)
+	logging.Log("MANAG-451rI").OnError(err).Debug("date parse failed")
+
+	return &management.MailText{
+		MailTextType: mailText.MailTextType,
+		Language:     mailText.Language,
+		Title:        mailText.Title,
+		PreHeader:    mailText.PreHeader,
+		Subject:      mailText.Subject,
+		Greeting:     mailText.Greeting,
+		Text:         mailText.Text,
+		ButtonText:   mailText.ButtonText,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}
+
+func mailTextsViewFromModel(queries []*iam_model.MailTextView) *management.MailTextsView {
+	modelQueries := make([]*management.MailTextView, len(queries))
+	for i, query := range queries {
+		modelQueries[i] = mailTextViewFromModel(query)
+	}
+
+	return &management.MailTextsView{
+		Texts: modelQueries,
+	}
+}
+
+func mailTextViewFromModel(mailText *iam_model.MailTextView) *management.MailTextView {
+	creationDate, err := ptypes.TimestampProto(mailText.CreationDate)
+	logging.Log("MANAG-koQnB").OnError(err).Debug("date parse failed")
+
+	changeDate, err := ptypes.TimestampProto(mailText.ChangeDate)
+	logging.Log("MANAG-ToDhD").OnError(err).Debug("date parse failed")
+
+	return &management.MailTextView{
+		Default:      mailText.Default,
+		MailTextType: mailText.MailTextType,
+		Language:     mailText.Language,
+		Title:        mailText.Title,
+		PreHeader:    mailText.PreHeader,
+		Subject:      mailText.Subject,
+		Greeting:     mailText.Greeting,
+		Text:         mailText.Text,
+		ButtonText:   mailText.ButtonText,
+		CreationDate: creationDate,
+		ChangeDate:   changeDate,
+	}
+}

internal/api/grpc/management/project_converter.go

@@ -94,10 +94,13 @@ func projectRoleViewsFromModel(roles []*proj_model.ProjectRoleView) []*managemen
 func projectRoleViewFromModel(role *proj_model.ProjectRoleView) *management.ProjectRoleView {
 	creationDate, err := ptypes.TimestampProto(role.CreationDate)
 	logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp")
+	changeDate, err := ptypes.TimestampProto(role.ChangeDate)
+	logging.Log("MANAG-BRr8Y").OnError(err).Debug("unable to parse timestamp")
 
 	return &management.ProjectRoleView{
 		ProjectId:    role.ProjectID,
 		CreationDate: creationDate,
+		ChangeDate:   changeDate,
 		Key:          role.Key,
 		Group:        role.Group,
 		DisplayName:  role.DisplayName,

internal/auth/repository/eventsourcing/eventstore/org.go

@@ -36,7 +36,7 @@ type OrgRepository struct {
 
 func (repo *OrgRepository) SearchOrgs(ctx context.Context, request *org_model.OrgSearchRequest) (*org_model.OrgSearchResult, error) {
 	request.EnsureLimit(repo.SearchLimit)
-	sequence, err := repo.View.GetLatestOrgSequence("")
+	sequence, err := repo.View.GetLatestOrgSequence()
 	logging.Log("EVENT-7Udhz").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Warn("could not read latest org sequence")
 	members, count, err := repo.View.SearchOrgs(request)
 	if err != nil {

internal/auth/repository/eventsourcing/eventstore/user.go

@@ -94,7 +94,7 @@ func (repo *UserRepo) MyProfile(ctx context.Context) (*model.Profile, error) {
 
 func (repo *UserRepo) SearchMyExternalIDPs(ctx context.Context, request *model.ExternalIDPSearchRequest) (*model.ExternalIDPSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
-	sequence, seqErr := repo.View.GetLatestExternalIDPSequence("")
+	sequence, seqErr := repo.View.GetLatestExternalIDPSequence()
 	logging.Log("EVENT-5Jsi8").OnError(seqErr).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Warn("could not read latest user sequence")
 	request.AppendUserQuery(authz.GetCtxData(ctx).UserID)
 	externalIDPS, count, err := repo.View.SearchExternalIDPs(request)

internal/auth/repository/eventsourcing/eventstore/user_grant.go

@@ -29,7 +29,7 @@ type UserGrantRepo struct {
 
 func (repo *UserGrantRepo) SearchMyUserGrants(ctx context.Context, request *grant_model.UserGrantSearchRequest) (*grant_model.UserGrantSearchResponse, error) {
 	request.EnsureLimit(repo.SearchLimit)
-	sequence, err := repo.View.GetLatestUserGrantSequence("")
+	sequence, err := repo.View.GetLatestUserGrantSequence()
 	logging.Log("EVENT-Hd7s3").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Warn("could not read latest user grant sequence")
 	request.Queries = append(request.Queries, &grant_model.UserGrantSearchQuery{Key: grant_model.UserGrantSearchKeyUserID, Method: global_model.SearchMethodEquals, Value: authz.GetCtxData(ctx).UserID})
 	grants, count, err := repo.View.SearchUserGrants(request)

internal/auth/repository/eventsourcing/handler/application.go

@@ -53,7 +53,7 @@ func (_ *Application) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{es_model.ProjectAggregate}
 }
 
-func (a *Application) CurrentSequence(event *models.Event) (uint64, error) {
+func (a *Application) CurrentSequence() (uint64, error) {
 	sequence, err := a.view.GetLatestApplicationSequence()
 	if err != nil {
 		return 0, err

internal/auth/repository/eventsourcing/handler/idp_config.go

@@ -49,8 +49,8 @@ func (_ *IDPConfig) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
 }
 
-func (i *IDPConfig) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := i.view.GetLatestIDPConfigSequence(string(event.AggregateType))
+func (i *IDPConfig) CurrentSequence() (uint64, error) {
+	sequence, err := i.view.GetLatestIDPConfigSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -58,7 +58,7 @@ func (i *IDPConfig) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (i *IDPConfig) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := i.view.GetLatestIDPConfigSequence("")
+	sequence, err := i.view.GetLatestIDPConfigSequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/idp_providers.go

@@ -66,8 +66,8 @@ func (_ *IDPProvider) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{model.IAMAggregate, org_es_model.OrgAggregate}
 }
 
-func (i *IDPProvider) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := i.view.GetLatestIDPProviderSequence(string(event.AggregateType))
+func (i *IDPProvider) CurrentSequence() (uint64, error) {
+	sequence, err := i.view.GetLatestIDPProviderSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -75,7 +75,7 @@ func (i *IDPProvider) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (i *IDPProvider) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := i.view.GetLatestIDPProviderSequence("")
+	sequence, err := i.view.GetLatestIDPProviderSequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/key.go

@@ -49,8 +49,8 @@ func (_ *Key) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{es_model.KeyPairAggregate}
 }
 
-func (k *Key) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := k.view.GetLatestKeySequence(string(event.AggregateType))
+func (k *Key) CurrentSequence() (uint64, error) {
+	sequence, err := k.view.GetLatestKeySequence()
 	if err != nil {
 		return 0, err
 	}
@@ -58,7 +58,7 @@ func (k *Key) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (k *Key) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := k.view.GetLatestKeySequence("")
+	sequence, err := k.view.GetLatestKeySequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/login_policy.go

@@ -49,8 +49,8 @@ func (_ *LoginPolicy) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{model.OrgAggregate, iam_es_model.IAMAggregate}
 }
 
-func (p *LoginPolicy) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestLoginPolicySequence(string(event.AggregateType))
+func (p *LoginPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestLoginPolicySequence()
 	if err != nil {
 		return 0, err
 	}
@@ -58,7 +58,7 @@ func (p *LoginPolicy) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (p *LoginPolicy) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestLoginPolicySequence("")
+	sequence, err := p.view.GetLatestLoginPolicySequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/machine_keys.go

@@ -6,7 +6,6 @@ import (
 	"github.com/caos/logging"
 
 	"github.com/caos/zitadel/internal/eventstore"
-	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/query"
 	"github.com/caos/zitadel/internal/eventstore/spooler"
@@ -50,8 +49,8 @@ func (_ *MachineKeys) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{model.UserAggregate}
 }
 
-func (k *MachineKeys) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := k.view.GetLatestMachineKeySequence(string(event.AggregateType))
+func (k *MachineKeys) CurrentSequence() (uint64, error) {
+	sequence, err := k.view.GetLatestMachineKeySequence()
 	if err != nil {
 		return 0, err
 	}
@@ -59,7 +58,7 @@ func (k *MachineKeys) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (k *MachineKeys) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := k.view.GetLatestMachineKeySequence("")
+	sequence, err := k.view.GetLatestMachineKeySequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/org.go

@@ -4,7 +4,6 @@ import (
 	"github.com/caos/logging"
 
 	"github.com/caos/zitadel/internal/eventstore"
-	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/query"
 	"github.com/caos/zitadel/internal/eventstore/spooler"
@@ -49,8 +48,8 @@ func (_ *Org) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{model.OrgAggregate}
 }
 
-func (o *Org) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := o.view.GetLatestOrgSequence(string(event.AggregateType))
+func (o *Org) CurrentSequence() (uint64, error) {
+	sequence, err := o.view.GetLatestOrgSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -58,7 +57,7 @@ func (o *Org) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (o *Org) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := o.view.GetLatestOrgSequence("")
+	sequence, err := o.view.GetLatestOrgSequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/org_iam_policy.go

@@ -2,8 +2,8 @@ package handler
 
 import (
 	"github.com/caos/logging"
+
 	"github.com/caos/zitadel/internal/eventstore"
-	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/query"
 	"github.com/caos/zitadel/internal/eventstore/spooler"
@@ -48,8 +48,8 @@ func (_ *OrgIAMPolicy) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{org_es_model.OrgAggregate, iam_es_model.IAMAggregate}
 }
 
-func (p *OrgIAMPolicy) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestOrgIAMPolicySequence(string(event.AggregateType))
+func (p *OrgIAMPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestOrgIAMPolicySequence()
 	if err != nil {
 		return 0, err
 	}
@@ -57,7 +57,7 @@ func (p *OrgIAMPolicy) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (p *OrgIAMPolicy) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestOrgIAMPolicySequence("")
+	sequence, err := p.view.GetLatestOrgIAMPolicySequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/password_complexity_policy.go

@@ -2,8 +2,8 @@ package handler
 
 import (
 	"github.com/caos/logging"
+
 	"github.com/caos/zitadel/internal/eventstore"
-	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/query"
 	"github.com/caos/zitadel/internal/eventstore/spooler"
@@ -48,8 +48,8 @@ func (_ *PasswordComplexityPolicy) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{org_es_model.OrgAggregate, iam_es_model.IAMAggregate}
 }
 
-func (p *PasswordComplexityPolicy) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestPasswordComplexityPolicySequence(string(event.AggregateType))
+func (p *PasswordComplexityPolicy) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestPasswordComplexityPolicySequence()
 	if err != nil {
 		return 0, err
 	}
@@ -57,7 +57,7 @@ func (p *PasswordComplexityPolicy) CurrentSequence(event *models.Event) (uint64,
 }
 
 func (p *PasswordComplexityPolicy) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestPasswordComplexityPolicySequence("")
+	sequence, err := p.view.GetLatestPasswordComplexityPolicySequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/project_role.go

@@ -2,8 +2,8 @@ package handler
 
 import (
 	"github.com/caos/logging"
+
 	"github.com/caos/zitadel/internal/eventstore"
-	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/query"
 	"github.com/caos/zitadel/internal/eventstore/spooler"
@@ -54,8 +54,8 @@ func (_ *ProjectRole) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{model.ProjectAggregate}
 }
 
-func (p *ProjectRole) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestProjectRoleSequence(string(event.AggregateType))
+func (p *ProjectRole) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestProjectRoleSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -63,7 +63,7 @@ func (p *ProjectRole) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (p *ProjectRole) EventQuery() (*es_models.SearchQuery, error) {
-	sequence, err := p.view.GetLatestProjectRoleSequence("")
+	sequence, err := p.view.GetLatestProjectRoleSequence()
 	if err != nil {
 		return nil, err
 	}
@@ -84,6 +84,7 @@ func (p *ProjectRole) Reduce(event *es_models.Event) (err error) {
 		if err != nil {
 			return err
 		}
+		role.ChangeDate = event.CreationDate
 		err = role.AppendEvent(event)
 	case model.ProjectRoleRemoved:
 		err = role.SetData(event)

internal/auth/repository/eventsourcing/handler/token.go

@@ -58,8 +58,8 @@ func (_ *Token) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{user_es_model.UserAggregate, project_es_model.ProjectAggregate}
 }
 
-func (p *Token) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := p.view.GetLatestTokenSequence(string(event.AggregateType))
+func (p *Token) CurrentSequence() (uint64, error) {
+	sequence, err := p.view.GetLatestTokenSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -67,7 +67,7 @@ func (p *Token) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (t *Token) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := t.view.GetLatestTokenSequence("")
+	sequence, err := t.view.GetLatestTokenSequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/user.go

@@ -64,8 +64,8 @@ func (_ *User) AggregateTypes() []models.AggregateType {
 	return []models.AggregateType{es_model.UserAggregate, org_es_model.OrgAggregate}
 }
 
-func (u *User) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := u.view.GetLatestUserSequence(string(event.AggregateType))
+func (u *User) CurrentSequence() (uint64, error) {
+	sequence, err := u.view.GetLatestUserSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -73,7 +73,7 @@ func (u *User) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (u *User) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := u.view.GetLatestUserSequence("")
+	sequence, err := u.view.GetLatestUserSequence()
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/handler/user_external_idps.go

@@ -68,8 +68,8 @@ func (_ *ExternalIDP) AggregateTypes() []es_models.AggregateType {
 	return []es_models.AggregateType{model.UserAggregate, iam_es_model.IAMAggregate, org_es_model.OrgAggregate}
 }
 
-func (i *ExternalIDP) CurrentSequence(event *models.Event) (uint64, error) {
-	sequence, err := i.view.GetLatestExternalIDPSequence(string(event.AggregateType))
+func (i *ExternalIDP) CurrentSequence() (uint64, error) {
+	sequence, err := i.view.GetLatestExternalIDPSequence()
 	if err != nil {
 		return 0, err
 	}
@@ -77,7 +77,7 @@ func (i *ExternalIDP) CurrentSequence(event *models.Event) (uint64, error) {
 }
 
 func (i *ExternalIDP) EventQuery() (*models.SearchQuery, error) {
-	sequence, err := i.view.GetLatestExternalIDPSequence("")
+	sequence, err := i.view.GetLatestExternalIDPSequence()
 	if err != nil {
 		return nil, err
 	}