Merge branch 'basics' into proto-files

# Conflicts: # go.mod # go.sum
2025-08-11 18:17:35 +00:00 · 2020-03-24 14:22:34 +01:00
parent 8632263ec3 96b88f5d8c
commit e6a4b7398c
36 changed files with 1452 additions and 63 deletions
--- a/internal/api/grpc/client/middleware/tracing.go
+++ b/internal/api/grpc/client/middleware/tracing.go
@@ -0,0 +1,38 @@
+package middleware
+
+import (
+	"context"
+	"strings"
+
+	"go.opencensus.io/plugin/ocgrpc"
+	"go.opencensus.io/trace"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/stats"
+
+	"github.com/caos/zitadel/internal/api"
+	"github.com/caos/zitadel/internal/tracing"
+)
+
+type GRPCMethod string
+
+func TracingStatsClient(ignoredMethods ...GRPCMethod) grpc.DialOption {
+	return grpc.WithStatsHandler(&tracingClientHandler{ignoredMethods, ocgrpc.ClientHandler{StartOptions: trace.StartOptions{Sampler: tracing.Sampler(), SpanKind: trace.SpanKindClient}}})
+}
+
+func DefaultTracingStatsClient() grpc.DialOption {
+	return TracingStatsClient(api.Healthz, api.Readiness, api.Validation)
+}
+
+type tracingClientHandler struct {
+	IgnoredMethods []GRPCMethod
+	ocgrpc.ClientHandler
+}
+
+func (s *tracingClientHandler) TagRPC(ctx context.Context, tagInfo *stats.RPCTagInfo) context.Context {
+	for _, method := range s.IgnoredMethods {
+		if strings.HasSuffix(tagInfo.FullMethodName, string(method)) {
+			return ctx
+		}
+	}
+	return s.ClientHandler.TagRPC(ctx, tagInfo)
+}
--- a/internal/api/grpc/header.go
+++ b/internal/api/grpc/header.go
@@ -4,12 +4,8 @@ import (
 	"context"

 	"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
-)

-const (
-	Authorization = "authorization"
-
-	ZitadelOrgID = "x-zitadel-orgid"
+	"github.com/caos/zitadel/internal/api"
 )

 func GetHeader(ctx context.Context, headername string) string {
@@ -17,5 +13,5 @@ func GetHeader(ctx context.Context, headername string) string {
 }

 func GetAuthorizationHeader(ctx context.Context) string {
-	return GetHeader(ctx, Authorization)
+	return GetHeader(ctx, api.Authorization)
 }
--- a/internal/api/grpc/server/gateway.go
+++ b/internal/api/grpc/server/gateway.go
@@ -0,0 +1,110 @@
+package server
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/grpc-ecosystem/grpc-gateway/runtime"
+	"google.golang.org/grpc"
+
+	"github.com/caos/logging"
+
+	client_middleware "github.com/caos/zitadel/internal/api/grpc/client/middleware"
+	http_util "github.com/caos/zitadel/internal/api/http"
+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
+)
+
+const (
+	defaultGatewayPort = "8080"
+	mimeWildcard       = "*/*"
+)
+
+var (
+	DefaultJSONMarshaler = &runtime.JSONPb{OrigName: false, EmitDefaults: false}
+
+	DefaultServeMuxOptions = []runtime.ServeMuxOption{
+		runtime.WithMarshalerOption(DefaultJSONMarshaler.ContentType(), DefaultJSONMarshaler),
+		runtime.WithMarshalerOption(mimeWildcard, DefaultJSONMarshaler),
+		runtime.WithMarshalerOption(runtime.MIMEWildcard, DefaultJSONMarshaler),
+		runtime.WithIncomingHeaderMatcher(runtime.DefaultHeaderMatcher),
+		runtime.WithOutgoingHeaderMatcher(runtime.DefaultHeaderMatcher),
+	}
+)
+
+type Gateway interface {
+	GRPCEndpoint() string
+	GatewayPort() string
+	Gateway() GatewayFunc
+}
+
+type GatewayFunc func(ctx context.Context, mux *runtime.ServeMux, endpoint string, opts []grpc.DialOption) error
+
+type gatewayCustomServeMuxOptions interface {
+	GatewayServeMuxOptions() []runtime.ServeMuxOption
+}
+type grpcGatewayCustomInterceptor interface {
+	GatewayHTTPInterceptor(http.Handler) http.Handler
+}
+
+type gatewayCustomCallOptions interface {
+	GatewayCallOptions() []grpc.DialOption
+}
+
+func StartGateway(ctx context.Context, g Gateway) {
+	mux := createMux(ctx, g)
+	serveGateway(ctx, mux, gatewayPort(g.GatewayPort()), g)
+}
+
+func createMux(ctx context.Context, g Gateway) *runtime.ServeMux {
+	muxOptions := DefaultServeMuxOptions
+	if customOpts, ok := g.(gatewayCustomServeMuxOptions); ok {
+		muxOptions = customOpts.GatewayServeMuxOptions()
+	}
+	mux := runtime.NewServeMux(muxOptions...)
+
+	opts := []grpc.DialOption{grpc.WithInsecure()}
+	opts = append(opts, client_middleware.DefaultTracingStatsClient())
+
+	if customOpts, ok := g.(gatewayCustomCallOptions); ok {
+		opts = append(opts, customOpts.GatewayCallOptions()...)
+	}
+	err := g.Gateway()(ctx, mux, g.GRPCEndpoint(), opts)
+	logging.Log("SERVE-7B7G0E").OnError(err).Panic("failed to create mux for grpc gateway")
+
+	return mux
+}
+
+func addInterceptors(handler http.Handler, g Gateway) http.Handler {
+	handler = http_mw.DefaultTraceHandler(handler)
+	if interceptor, ok := g.(grpcGatewayCustomInterceptor); ok {
+		handler = interceptor.GatewayHTTPInterceptor(handler)
+	}
+	return http_mw.CORSInterceptorOpts(http_mw.DefaultCORSOptions, handler)
+}
+
+func serveGateway(ctx context.Context, handler http.Handler, port string, g Gateway) {
+	server := &http.Server{
+		Handler: addInterceptors(handler, g),
+	}
+
+	listener := http_util.CreateListener(port)
+
+	go func() {
+		<-ctx.Done()
+		err := server.Shutdown(ctx)
+		logging.Log("SERVE-m7kBlq").OnError(err).Warn("error during graceful shutdown of grpc gateway")
+	}()
+
+	go func() {
+		err := server.Serve(listener)
+		logging.Log("SERVE-tBHR60").OnError(err).Panic("grpc gateway serve failed")
+	}()
+	logging.LogWithFields("SERVE-KHh0Cb", "port", port).Info("grpc gateway is listening")
+}
+
+func gatewayPort(port string) string {
+	if port == "" {
+		return defaultGatewayPort
+	}
+	return port
+}
--- a/internal/api/grpc/server/middleware/auth_interceptor.go
+++ b/internal/api/grpc/server/middleware/auth_interceptor.go
@@ -1,4 +1,4 @@
-package grpc
+package middleware

 import (
 	"context"
@@ -7,7 +7,9 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"

+	"github.com/caos/zitadel/internal/api"
 	"github.com/caos/zitadel/internal/api/auth"
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
 )

 func AuthorizationInterceptor(verifier auth.TokenVerifier, authConfig *auth.Config, authMethods auth.MethodMapping) func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
@@ -17,12 +19,12 @@ func AuthorizationInterceptor(verifier auth.TokenVerifier, authConfig *auth.Conf
 			return handler(ctx, req)
 		}

-		authToken := GetAuthorizationHeader(ctx)
+		authToken := grpc_util.GetAuthorizationHeader(ctx)
 		if authToken == "" {
 			return nil, status.Error(codes.Unauthenticated, "auth header missing")
 		}

-		orgID := GetHeader(ctx, ZitadelOrgID)
+		orgID := grpc_util.GetHeader(ctx, api.ZitadelOrgID)

 		ctx, err := auth.CheckUserAuthorization(ctx, req, authToken, orgID, verifier, authConfig, authOpt)
 		if err != nil {
--- a/internal/api/grpc/server/middleware/error_interceptor.go
+++ b/internal/api/grpc/server/middleware/error_interceptor.go
@@ -1,14 +1,16 @@
-package grpc
+package middleware

 import (
 	"context"

 	"google.golang.org/grpc"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
 )

 func ErrorHandler() func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
 		resp, err := handler(ctx, req)
-		return resp, CaosToGRPCError(err)
+		return resp, grpc_util.CaosToGRPCError(err)
 	}
 }
--- a/internal/api/grpc/server/middleware/tracing.go
+++ b/internal/api/grpc/server/middleware/tracing.go
@@ -0,0 +1,33 @@
+package middleware
+
+import (
+	"context"
+	"strings"
+
+	"go.opencensus.io/plugin/ocgrpc"
+	"go.opencensus.io/trace"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/stats"
+
+	"github.com/caos/zitadel/internal/tracing"
+)
+
+type GRPCMethod string
+
+func TracingStatsServer(ignoredMethods ...GRPCMethod) grpc.ServerOption {
+	return grpc.StatsHandler(&tracingServerHandler{ignoredMethods, ocgrpc.ServerHandler{StartOptions: trace.StartOptions{Sampler: tracing.Sampler(), SpanKind: trace.SpanKindServer}}})
+}
+
+type tracingServerHandler struct {
+	IgnoredMethods []GRPCMethod
+	ocgrpc.ServerHandler
+}
+
+func (s *tracingServerHandler) TagRPC(ctx context.Context, tagInfo *stats.RPCTagInfo) context.Context {
+	for _, method := range s.IgnoredMethods {
+		if strings.HasSuffix(tagInfo.FullMethodName, string(method)) {
+			return ctx
+		}
+	}
+	return s.ServerHandler.TagRPC(ctx, tagInfo)
+}
--- a/internal/api/grpc/server/probes.go
+++ b/internal/api/grpc/server/probes.go
@@ -1,4 +1,4 @@
-package grpc
+package server

 import (
 	"context"
--- a/internal/api/grpc/server/server.go
+++ b/internal/api/grpc/server/server.go
@@ -0,0 +1,53 @@
+package server
+
+import (
+	"context"
+	"net"
+
+	"github.com/caos/logging"
+	"google.golang.org/grpc"
+
+	"github.com/caos/zitadel/internal/api/http"
+)
+
+const (
+	defaultGrpcPort = "80"
+)
+
+type Server interface {
+	GRPCPort() string
+	GRPCServer() (*grpc.Server, error)
+}
+
+func StartServer(ctx context.Context, s Server) {
+	port := grpcPort(s.GRPCPort())
+	listener := http.CreateListener(port)
+	server := createGrpcServer(s)
+	serveServer(ctx, server, listener, port)
+}
+
+func createGrpcServer(s Server) *grpc.Server {
+	grpcServer, err := s.GRPCServer()
+	logging.Log("SERVE-k280HZ").OnError(err).Panic("failed to create grpc server")
+	return grpcServer
+}
+
+func serveServer(ctx context.Context, server *grpc.Server, listener net.Listener, port string) {
+	go func() {
+		<-ctx.Done()
+		server.GracefulStop()
+	}()
+
+	go func() {
+		err := server.Serve(listener)
+		logging.Log("SERVE-Ga3e94").OnError(err).Panic("grpc server serve failed")
+	}()
+	logging.LogWithFields("SERVE-bZ44QM", "port", port).Info("grpc server is listening")
+}
+
+func grpcPort(port string) string {
+	if port == "" {
+		return defaultGrpcPort
+	}
+	return port
+}
--- a/internal/api/header.go
+++ b/internal/api/header.go
@@ -0,0 +1,12 @@
+package api
+
+const (
+	Authorization  = "authorization"
+	Accept         = "accept"
+	AcceptLanguage = "accept-language"
+	ContentType    = "content-type"
+	Location       = "location"
+	Origin         = "origin"
+
+	ZitadelOrgID = "x-zitadel-orgid"
+)
--- a/internal/api/html/i18n.go
+++ b/internal/api/html/i18n.go
@@ -0,0 +1,108 @@
+package html
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"path"
+
+	"github.com/BurntSushi/toml"
+	"github.com/caos/logging"
+	"github.com/nicksnyder/go-i18n/v2/i18n"
+	"golang.org/x/text/language"
+	"gopkg.in/yaml.v2"
+
+	"github.com/caos/zitadel/internal/api"
+	http_util "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/errors"
+)
+
+type Translator struct {
+	bundle        *i18n.Bundle
+	cookieName    string
+	cookieHandler *http_util.CookieHandler
+}
+
+type TranslatorConfig struct {
+	Path            string
+	DefaultLanguage language.Tag
+	CookieName      string
+}
+
+func NewTranslator(config TranslatorConfig) (*Translator, error) {
+	t := new(Translator)
+	var err error
+	t.bundle, err = newBundle(config.Path, config.DefaultLanguage)
+	if err != nil {
+		return nil, err
+	}
+	t.cookieHandler = http_util.NewCookieHandler()
+	t.cookieName = config.CookieName
+	return t, nil
+}
+
+func newBundle(i18nDir string, defaultLanguage language.Tag) (*i18n.Bundle, error) {
+	bundle := i18n.NewBundle(defaultLanguage)
+	bundle.RegisterUnmarshalFunc("yaml", yaml.Unmarshal)
+	bundle.RegisterUnmarshalFunc("yml", yaml.Unmarshal)
+	bundle.RegisterUnmarshalFunc("json", json.Unmarshal)
+	bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal)
+	files, err := ioutil.ReadDir(i18nDir)
+	if err != nil {
+		return nil, errors.ThrowNotFound(err, "HTML-MnXRie", "path not found")
+	}
+	for _, file := range files {
+		bundle.MustLoadMessageFile(path.Join(i18nDir, file.Name()))
+	}
+	return bundle, nil
+}
+
+func (t *Translator) LocalizeFromRequest(r *http.Request, id string, args map[string]interface{}) string {
+	s, err := t.localizerFromRequest(r).Localize(&i18n.LocalizeConfig{
+		MessageID:    id,
+		TemplateData: args,
+	})
+	if err != nil {
+		logging.Log("HTML-MsF5sx").WithError(err).Warnf("missing translation")
+		return id
+	}
+	return s
+}
+
+func (t *Translator) Localize(id string, args map[string]interface{}) string {
+	s, _ := t.localizer().Localize(&i18n.LocalizeConfig{
+		MessageID:    id,
+		TemplateData: args,
+	})
+	return s
+}
+
+func (t *Translator) Lang(r *http.Request) language.Tag {
+	matcher := language.NewMatcher(t.bundle.LanguageTags())
+	tag, _ := language.MatchStrings(matcher, t.langsFromRequest(r)...)
+	return tag
+}
+
+func (t *Translator) SetLangCookie(w http.ResponseWriter, lang language.Tag) {
+	t.cookieHandler.SetCookie(w, t.cookieName, lang.String())
+}
+
+func (t *Translator) localizerFromRequest(r *http.Request) *i18n.Localizer {
+	return t.localizer(t.langsFromRequest(r)...)
+}
+
+func (t *Translator) localizer(langs ...string) *i18n.Localizer {
+	return i18n.NewLocalizer(t.bundle, langs...)
+}
+
+func (t *Translator) langsFromRequest(r *http.Request) []string {
+	langs := make([]string, 0)
+	if r != nil {
+		lang, err := t.cookieHandler.GetCookieValue(r, t.cookieName)
+		if err == nil {
+			langs = append(langs, lang)
+		}
+		langs = append(langs, r.Header.Get(api.AcceptLanguage))
+	}
+	return langs
+}
--- a/internal/api/html/renderer.go
+++ b/internal/api/html/renderer.go
@@ -0,0 +1,82 @@
+package html
+
+import (
+	"net/http"
+	"path"
+	"text/template"
+
+	"github.com/caos/logging"
+	"golang.org/x/text/language"
+)
+
+const (
+	TranslateFn = "t"
+)
+
+type Renderer struct {
+	Templates map[string]*template.Template
+	i18n      *Translator
+}
+
+func NewRenderer(templatesDir string, tmplMapping map[string]string, funcs map[string]interface{}, translatorConfig TranslatorConfig) (*Renderer, error) {
+	var err error
+	r := new(Renderer)
+	r.i18n, err = NewTranslator(translatorConfig)
+	if err != nil {
+		return nil, err
+	}
+	r.loadTemplates(templatesDir, tmplMapping, funcs)
+	return r, nil
+}
+
+func (r *Renderer) RenderTemplate(w http.ResponseWriter, req *http.Request, tmpl *template.Template, data interface{}, reqFuncs map[string]interface{}) {
+	reqFuncs = r.registerTranslateFn(req, reqFuncs)
+	if err := tmpl.Funcs(reqFuncs).Execute(w, data); err != nil {
+		logging.Log("HTML-lF8F6w").WithError(err).WithField("template", tmpl.Name).Error("error rendering template")
+	}
+}
+
+func (r *Renderer) Localize(id string, args map[string]interface{}) string {
+	return r.i18n.Localize(id, args)
+}
+
+func (r *Renderer) LocalizeFromRequest(req *http.Request, id string, args map[string]interface{}) string {
+	return r.i18n.LocalizeFromRequest(req, id, args)
+}
+func (r *Renderer) Lang(req *http.Request) language.Tag {
+	return r.i18n.Lang(req)
+}
+
+func (r *Renderer) loadTemplates(templatesDir string, tmplMapping map[string]string, funcs map[string]interface{}) {
+	funcs = r.registerTranslateFn(nil, funcs)
+	funcs[TranslateFn] = func(id string, args ...interface{}) string {
+		return id
+	}
+	tmpls := template.Must(template.New("").Funcs(funcs).ParseGlob(path.Join(templatesDir, "*.html")))
+	r.Templates = make(map[string]*template.Template, len(tmplMapping))
+	for name, file := range tmplMapping {
+		r.Templates[name] = tmpls.Lookup(file)
+	}
+}
+
+func (r *Renderer) registerTranslateFn(req *http.Request, funcs map[string]interface{}) map[string]interface{} {
+	if funcs == nil {
+		funcs = make(map[string]interface{})
+	}
+	funcs[TranslateFn] = func(id string, args ...interface{}) string {
+		m := map[string]interface{}{}
+		var key string
+		for i, arg := range args {
+			if i%2 == 0 {
+				key = arg.(string)
+				continue
+			}
+			m[key] = arg
+		}
+		if r == nil {
+			return r.Localize(id, m)
+		}
+		return r.LocalizeFromRequest(req, id, m)
+	}
+	return funcs
+}
--- a/internal/api/http/listener.go
+++ b/internal/api/http/listener.go
@@ -0,0 +1,21 @@
+package http
+
+import (
+	"net"
+	"strings"
+
+	"github.com/caos/logging"
+)
+
+func CreateListener(endpoint string) net.Listener {
+	l, err := net.Listen("tcp", listenerEndpoint(endpoint))
+	logging.Log("SERVE-6vasef").OnError(err).Fatal("creating listener failed")
+	return l
+}
+
+func listenerEndpoint(endpoint string) string {
+	if strings.Contains(endpoint, ":") {
+		return endpoint
+	}
+	return ":" + endpoint
+}
--- a/internal/api/http/middleware/cors_interceptor.go
+++ b/internal/api/http/middleware/cors_interceptor.go
@@ -0,0 +1,47 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/rs/cors"
+
+	"github.com/caos/zitadel/internal/api"
+)
+
+var (
+	DefaultCORSOptions = cors.Options{
+		AllowCredentials: true,
+		AllowedHeaders: []string{
+			api.Origin,
+			api.ContentType,
+			api.Accept,
+			api.AcceptLanguage,
+			api.Authorization,
+			api.ZitadelOrgID,
+			"x-grpc-web", //TODO: needed
+		},
+		AllowedMethods: []string{
+			http.MethodOptions,
+			http.MethodGet,
+			http.MethodHead,
+			http.MethodPost,
+			http.MethodPut,
+			http.MethodPatch,
+			http.MethodDelete,
+		},
+		ExposedHeaders: []string{
+			api.Location,
+		},
+		AllowedOrigins: []string{
+			"http://localhost:*",
+		},
+	}
+)
+
+func CORSInterceptorOpts(opts cors.Options, h http.Handler) http.Handler {
+	return cors.New(opts).Handler(h)
+}
+
+func CORSInterceptor(h http.Handler) http.Handler {
+	return CORSInterceptorOpts(DefaultCORSOptions, h)
+}
--- a/internal/api/http/middleware/trace_interceptor.go
+++ b/internal/api/http/middleware/trace_interceptor.go
@@ -0,0 +1,12 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/caos/zitadel/internal/api"
+	"github.com/caos/zitadel/internal/tracing"
+)
+
+func DefaultTraceHandler(handler http.Handler) http.Handler {
+	return tracing.TraceHandler(handler, api.Probes...)
+}
--- a/internal/api/probes.go
+++ b/internal/api/probes.go
@@ -0,0 +1,11 @@
+package api
+
+const (
+	Healthz    = "/Healthz"
+	Readiness  = "/Ready"
+	Validation = "/Validate"
+)
+
+var (
+	Probes = []string{Healthz, Readiness, Validation}
+)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -7,31 +7,21 @@ import (
 	"path/filepath"

 	"github.com/BurntSushi/toml"
-	"github.com/ghodss/yaml"
+	"gopkg.in/yaml.v2"

 	"github.com/caos/zitadel/internal/errors"
 )

-type Reader interface {
-	Unmarshal(data []byte, o interface{}) error
-}
-
 type ValidatableConfiguration interface {
 	Validate() error
 }

 type ReaderFunc func(data []byte, o interface{}) error

-func (c ReaderFunc) Unmarshal(data []byte, o interface{}) error {
-	return c(data, o)
-}
-
 var (
-	JSONReader = ReaderFunc(json.Unmarshal)
-	TOMLReader = ReaderFunc(toml.Unmarshal)
-	YAMLReader = ReaderFunc(func(y []byte, o interface{}) error {
-		return yaml.Unmarshal(y, o)
-	})
+	JSONReader = json.Unmarshal
+	TOMLReader = toml.Unmarshal
+	YAMLReader = yaml.Unmarshal
 )

 // Read deserializes each config file to the target obj
@@ -39,11 +29,11 @@ var (
 // env vars are replaced in the config file as well as the file path
 func Read(obj interface{}, configFiles ...string) error {
 	for _, cf := range configFiles {
-		configReader, err := configReaderForFile(cf)
+		readerFunc, err := readerFuncForFile(cf)
 		if err != nil {
 			return err
 		}
-		if err := readConfigFile(configReader, cf, obj); err != nil {
+		if err := readConfigFile(readerFunc, cf, obj); err != nil {
 			return err
 		}
 	}
@@ -57,13 +47,9 @@ func Read(obj interface{}, configFiles ...string) error {
 	return nil
 }

-func readConfigFile(configReader Reader, configFile string, obj interface{}) error {
+func readConfigFile(readerFunc ReaderFunc, configFile string, obj interface{}) error {
 	configFile = os.ExpandEnv(configFile)

-	if _, err := os.Stat(configFile); err != nil {
-		return errors.ThrowNotFoundf(err, "CONFI-Hs93M", "config file %s does not exist", configFile)
-	}
-
 	configStr, err := ioutil.ReadFile(configFile)
 	if err != nil {
 		return errors.ThrowInternalf(err, "CONFI-nJk2a", "failed to read config file %s", configFile)
@@ -71,14 +57,14 @@ func readConfigFile(configReader Reader, configFile string, obj interface{}) err

 	configStr = []byte(os.ExpandEnv(string(configStr)))

-	if err := configReader.Unmarshal(configStr, obj); err != nil {
+	if err := readerFunc(configStr, obj); err != nil {
 		return errors.ThrowInternalf(err, "CONFI-2Mc3c", "error parse config file %s", configFile)
 	}

 	return nil
 }

-func configReaderForFile(configFile string) (Reader, error) {
+func readerFuncForFile(configFile string) (ReaderFunc, error) {
 	ext := filepath.Ext(configFile)
 	switch ext {
 	case ".yaml", ".yml":
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -0,0 +1,198 @@
+package config
+
+import (
+	"errors"
+	"reflect"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type test struct {
+	Test bool
+}
+
+type validatable struct {
+	Test bool
+}
+
+func (v *validatable) Validate() error {
+	if v.Test {
+		return nil
+	}
+	return errors.New("invalid")
+}
+
+func TestRead(t *testing.T) {
+	type args struct {
+		obj         interface{}
+		configFiles []string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			"not supoorted config file error",
+			args{
+				configFiles: []string{"notsupported.unknown"},
+				obj:         nil,
+			},
+			true,
+		},
+		{
+			"non existing config file error",
+			args{
+				configFiles: []string{"nonexisting.yaml"},
+				obj:         nil,
+			},
+			true,
+		},
+		{
+			"non parsable config file error",
+			args{
+				configFiles: []string{"./testdata/non_parsable.json"},
+				obj:         &test{},
+			},
+			true,
+		},
+		{
+			"invalid parsable config file error",
+			args{
+				configFiles: []string{"./testdata/invalid.json"},
+				obj:         &validatable{},
+			},
+			true,
+		},
+		{
+			"parsable config file ok",
+			args{
+				configFiles: []string{"./testdata/valid.json"},
+				obj:         &test{},
+			},
+			false,
+		},
+		{
+			"valid parsable config file ok",
+			args{
+				configFiles: []string{"./testdata/valid.json"},
+				obj:         &validatable{},
+			},
+			false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := Read(tt.args.obj, tt.args.configFiles...); (err != nil) != tt.wantErr {
+				t.Errorf("Read() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func Test_readerFuncForFile(t *testing.T) {
+	type args struct {
+		configFile string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    ReaderFunc
+		wantErr bool
+	}{
+		{
+			"unknown extension error",
+			args{configFile: "test.unknown"},
+			nil,
+			true,
+		},
+		{
+			"toml",
+			args{configFile: "test.toml"},
+			TOMLReader,
+			false,
+		},
+		{
+			"json",
+			args{configFile: "test.json"},
+			JSONReader,
+			false,
+		},
+		{
+			"yaml",
+			args{configFile: "test.yaml"},
+			YAMLReader,
+			false,
+		},
+		{
+			"yml",
+			args{configFile: "test.yml"},
+			YAMLReader,
+			false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := readerFuncForFile(tt.args.configFile)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("configReaderForFile() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			funcName1 := runtime.FuncForPC(reflect.ValueOf(got).Pointer()).Name()
+			funcName2 := runtime.FuncForPC(reflect.ValueOf(tt.want).Pointer()).Name()
+			if !assert.Equal(t, funcName1, funcName2) {
+				t.Errorf("configReaderForFile() got = %v, want %v", funcName1, funcName2)
+			}
+		})
+	}
+}
+
+func Test_readConfigFile(t *testing.T) {
+	type args struct {
+		configReader ReaderFunc
+		configFile   string
+		obj          interface{}
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			"non existing config file error",
+			args{
+				configReader: YAMLReader,
+				configFile:   "nonexisting.json",
+				obj:          nil,
+			},
+			true,
+		},
+		{
+			"non parsable config file error",
+			args{
+				configReader: YAMLReader,
+				configFile:   "./testdata/non_parsable.json",
+				obj:          &test{},
+			},
+			true,
+		},
+		{
+			"parsable config file no error",
+			args{
+				configReader: YAMLReader,
+				configFile:   "./testdata/valid.json",
+				obj:          &test{},
+			},
+			false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := readConfigFile(tt.args.configReader, tt.args.configFile, tt.args.obj); (err != nil) != tt.wantErr {
+				t.Errorf("readConfigFile() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
--- a/internal/config/testdata/invalid.json
+++ b/internal/config/testdata/invalid.json
@@ -0,0 +1,3 @@
+{
+  "Test" : false
+}
--- a/internal/config/testdata/non_parsable.json
+++ b/internal/config/testdata/non_parsable.json
@@ -0,0 +1 @@
+Test
--- a/internal/config/testdata/valid.json
+++ b/internal/config/testdata/valid.json
@@ -0,0 +1,3 @@
+{
+  "Test" : true
+}
--- a/internal/errors/generate/error_creator.go
+++ b/internal/errors/generate/error_creator.go
@@ -32,7 +32,7 @@ func main() {

 	fmt.Print(`
 !!!!!
-  Add status mapping in grpc/errors/caos_errors.go	
+  Add status mapping in internal/api/grpc/caos_errors.go	
 !!!!!`)
 }

--- a/internal/tracing/caller.go
+++ b/internal/tracing/caller.go
@@ -0,0 +1,24 @@
+package tracing
+
+import (
+	"runtime"
+
+	"github.com/caos/logging"
+)
+
+func GetCaller() string {
+	fpcs := make([]uintptr, 1)
+
+	n := runtime.Callers(3, fpcs)
+	if n == 0 {
+		logging.Log("HELPE-rWjfC").Debug("no caller")
+	}
+
+	caller := runtime.FuncForPC(fpcs[0] - 1)
+	if caller == nil {
+		logging.Log("HELPE-25POw").Debug("caller was nil")
+	}
+
+	// Print the name of the function
+	return caller.Name()
+}
--- a/internal/tracing/config/config.go
+++ b/internal/tracing/config/config.go
@@ -0,0 +1,61 @@
+package config
+
+import (
+	"encoding/json"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/caos/zitadel/internal/tracing"
+	tracing_g "github.com/caos/zitadel/internal/tracing/google"
+	tracing_log "github.com/caos/zitadel/internal/tracing/log"
+)
+
+type TracingConfig struct {
+	Type   string
+	Config tracing.Config
+}
+
+var tracer = map[string]func() tracing.Config{
+	"google": func() tracing.Config { return &tracing_g.Config{} },
+	"log":    func() tracing.Config { return &tracing_log.Config{} },
+}
+
+func (c *TracingConfig) UnmarshalJSON(data []byte) error {
+	var rc struct {
+		Type   string
+		Config json.RawMessage
+	}
+
+	if err := json.Unmarshal(data, &rc); err != nil {
+		return status.Errorf(codes.Internal, "%v parse config: %v", "TRACE-vmjS", err)
+	}
+
+	c.Type = rc.Type
+
+	var err error
+	c.Config, err = newTracingConfig(c.Type, rc.Config)
+	if err != nil {
+		return status.Errorf(codes.Internal, "%v parse config: %v", "TRACE-Ws9E", err)
+	}
+
+	return c.Config.NewTracer()
+}
+
+func newTracingConfig(tracerType string, configData []byte) (tracing.Config, error) {
+	t, ok := tracer[tracerType]
+	if !ok {
+		return nil, status.Errorf(codes.Internal, "%v No config: %v", "TRACE-HMEJ", tracerType)
+	}
+
+	tracingConfig := t()
+	if len(configData) == 0 {
+		return tracingConfig, nil
+	}
+
+	if err := json.Unmarshal(configData, tracingConfig); err != nil {
+		return nil, status.Errorf(codes.Internal, "%v Could not read conifg: %v", "TRACE-1tSS", err)
+	}
+
+	return tracingConfig, nil
+}
--- a/internal/tracing/generate.go
+++ b/internal/tracing/generate.go
@@ -0,0 +1,3 @@
+package tracing
+
+//go:generate mockgen -package mock -destination mock/tracing_mock.go github.com/caos/zitadel/internal/tracing Tracer
--- a/internal/tracing/google/config.go
+++ b/internal/tracing/google/config.go
@@ -0,0 +1,25 @@
+package google
+
+import (
+	"go.opencensus.io/trace"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/caos/zitadel/internal/tracing"
+)
+
+type Config struct {
+	ProjectID    string
+	MetricPrefix string
+	Fraction     float64
+}
+
+func (c *Config) NewTracer() error {
+	if !envIsSet() {
+		return status.Error(codes.InvalidArgument, "env not properly set, GOOGLE_APPLICATION_CREDENTIALS is misconfigured or missing")
+	}
+
+	tracing.T = &Tracer{projectID: c.ProjectID, metricPrefix: c.MetricPrefix, sampler: trace.ProbabilitySampler(c.Fraction)}
+
+	return tracing.T.Start()
+}
--- a/internal/tracing/google/googletracing.go
+++ b/internal/tracing/google/googletracing.go
@@ -0,0 +1,95 @@
+package google
+
+import (
+	"context"
+	"net/http"
+	"os"
+	"strings"
+
+	"contrib.go.opencensus.io/exporter/stackdriver"
+	"go.opencensus.io/plugin/ocgrpc"
+	"go.opencensus.io/plugin/ochttp"
+	"go.opencensus.io/stats/view"
+	"go.opencensus.io/trace"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/tracing"
+)
+
+type Tracer struct {
+	Exporter     *stackdriver.Exporter
+	projectID    string
+	metricPrefix string
+	sampler      trace.Sampler
+}
+
+func (t *Tracer) Start() (err error) {
+	t.Exporter, err = stackdriver.NewExporter(stackdriver.Options{
+		ProjectID:    t.projectID,
+		MetricPrefix: t.metricPrefix,
+	})
+	if err != nil {
+		return errors.ThrowInternal(err, "GOOGL-4dCnX", "unable to start exporter")
+	}
+
+	views := append(ocgrpc.DefaultServerViews, ocgrpc.DefaultClientViews...)
+	views = append(views, ochttp.DefaultClientViews...)
+	views = append(views, ochttp.DefaultServerViews...)
+
+	if err = view.Register(views...); err != nil {
+		return errors.ThrowInternal(err, "GOOGL-Q6L6w", "unable to register view")
+	}
+
+	trace.RegisterExporter(t.Exporter)
+	trace.ApplyConfig(trace.Config{DefaultSampler: t.sampler})
+
+	return nil
+}
+
+func (t *Tracer) Sampler() trace.Sampler {
+	return t.sampler
+}
+
+func (t *Tracer) NewServerInterceptorSpan(ctx context.Context, name string) (context.Context, *tracing.Span) {
+	return t.newSpanFromName(ctx, name, trace.WithSpanKind(trace.SpanKindServer))
+}
+
+func (t *Tracer) NewServerSpan(ctx context.Context, caller string) (context.Context, *tracing.Span) {
+	return t.newSpan(ctx, caller, trace.WithSpanKind(trace.SpanKindServer))
+}
+
+func (t *Tracer) NewClientInterceptorSpan(ctx context.Context, name string) (context.Context, *tracing.Span) {
+	return t.newSpanFromName(ctx, name, trace.WithSpanKind(trace.SpanKindClient))
+}
+
+func (t *Tracer) NewClientSpan(ctx context.Context, caller string) (context.Context, *tracing.Span) {
+	return t.newSpan(ctx, caller, trace.WithSpanKind(trace.SpanKindClient))
+}
+
+func (t *Tracer) NewSpan(ctx context.Context, caller string) (context.Context, *tracing.Span) {
+	return t.newSpan(ctx, caller)
+}
+
+func (t *Tracer) newSpan(ctx context.Context, caller string, options ...trace.StartOption) (context.Context, *tracing.Span) {
+	return t.newSpanFromName(ctx, caller, options...)
+}
+
+func (t *Tracer) newSpanFromName(ctx context.Context, name string, options ...trace.StartOption) (context.Context, *tracing.Span) {
+	ctx, span := trace.StartSpan(ctx, name, options...)
+	return ctx, tracing.CreateSpan(span)
+}
+
+func (t *Tracer) NewSpanHTTP(r *http.Request, caller string) (*http.Request, *tracing.Span) {
+	ctx, span := t.NewSpan(r.Context(), caller)
+	r = r.WithContext(ctx)
+	return r, span
+}
+
+func envIsSet() bool {
+	gAuthCred := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")
+	return strings.Contains(gAuthCred, ".json")
+}
+
+func (t *Tracer) SetErrStatus(span *trace.Span, code int32, err error, obj ...string) {
+	span.SetStatus(trace.Status{Code: code, Message: err.Error() + strings.Join(obj, ", ")})
+}
--- a/internal/tracing/http_handler.go
+++ b/internal/tracing/http_handler.go
@@ -0,0 +1,30 @@
+package tracing
+
+import (
+	"net/http"
+	"strings"
+
+	"go.opencensus.io/plugin/ochttp"
+	"go.opencensus.io/trace"
+)
+
+func TraceHandler(handler http.Handler, ignoredMethods ...string) http.Handler {
+	healthEndpoints := strings.Join(ignoredMethods, ";;")
+
+	return &ochttp.Handler{
+		Handler: handler,
+		FormatSpanName: func(r *http.Request) string {
+			host := r.URL.Host
+			if host == "" {
+				host = r.Host
+			}
+			return host + r.URL.Path
+		},
+
+		StartOptions: trace.StartOptions{Sampler: Sampler()},
+		IsHealthEndpoint: func(r *http.Request) bool {
+			n := strings.Contains(healthEndpoints, r.URL.RequestURI())
+			return n
+		},
+	}
+}
--- a/internal/tracing/log/config.go
+++ b/internal/tracing/log/config.go
@@ -0,0 +1,21 @@
+package log
+
+import (
+	"go.opencensus.io/trace"
+
+	"github.com/caos/zitadel/internal/tracing"
+)
+
+type Config struct {
+	Fraction float64
+}
+
+func (c *Config) NewTracer() error {
+	if c.Fraction < 1 {
+		c.Fraction = 1
+	}
+
+	tracing.T = &Tracer{trace.ProbabilitySampler(c.Fraction)}
+
+	return tracing.T.Start()
+}
--- a/internal/tracing/log/logTracing.go
+++ b/internal/tracing/log/logTracing.go
@@ -0,0 +1,74 @@
+package log
+
+import (
+	"context"
+	"net/http"
+
+	"go.opencensus.io/examples/exporter"
+	"go.opencensus.io/plugin/ocgrpc"
+	"go.opencensus.io/plugin/ochttp"
+	"go.opencensus.io/stats/view"
+	"go.opencensus.io/trace"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/tracing"
+)
+
+type Tracer struct {
+	sampler trace.Sampler
+}
+
+func (t *Tracer) Start() error {
+	trace.RegisterExporter(&exporter.PrintExporter{})
+
+	views := append(ocgrpc.DefaultServerViews, ocgrpc.DefaultClientViews...)
+	views = append(views, ochttp.DefaultClientViews...)
+	views = append(views, ochttp.DefaultServerViews...)
+
+	if err := view.Register(views...); err != nil {
+		return errors.ThrowInternal(err, "LOG-PoFiB", "unable to register view")
+	}
+
+	trace.ApplyConfig(trace.Config{DefaultSampler: t.sampler})
+
+	return nil
+}
+
+func (t *Tracer) Sampler() trace.Sampler {
+	return t.sampler
+}
+
+func (t *Tracer) NewServerInterceptorSpan(ctx context.Context, name string) (context.Context, *tracing.Span) {
+	return t.newSpanFromName(ctx, name, trace.WithSpanKind(trace.SpanKindServer))
+}
+
+func (t *Tracer) NewServerSpan(ctx context.Context, caller string) (context.Context, *tracing.Span) {
+	return t.newSpan(ctx, caller, trace.WithSpanKind(trace.SpanKindServer))
+}
+
+func (t *Tracer) NewClientInterceptorSpan(ctx context.Context, name string) (context.Context, *tracing.Span) {
+	return t.newSpanFromName(ctx, name, trace.WithSpanKind(trace.SpanKindClient))
+}
+
+func (t *Tracer) NewClientSpan(ctx context.Context, caller string) (context.Context, *tracing.Span) {
+	return t.newSpan(ctx, caller, trace.WithSpanKind(trace.SpanKindClient))
+}
+
+func (t *Tracer) NewSpan(ctx context.Context, caller string) (context.Context, *tracing.Span) {
+	return t.newSpan(ctx, caller)
+}
+
+func (t *Tracer) newSpan(ctx context.Context, caller string, options ...trace.StartOption) (context.Context, *tracing.Span) {
+	return t.newSpanFromName(ctx, caller, options...)
+}
+
+func (t *Tracer) newSpanFromName(ctx context.Context, name string, options ...trace.StartOption) (context.Context, *tracing.Span) {
+	ctx, span := trace.StartSpan(ctx, name, options...)
+	return ctx, tracing.CreateSpan(span)
+}
+
+func (t *Tracer) NewSpanHTTP(r *http.Request, caller string) (*http.Request, *tracing.Span) {
+	ctx, span := t.NewSpan(r.Context(), caller)
+	r = r.WithContext(ctx)
+	return r, span
+}
--- a/internal/tracing/mock/tracing_mock.go
+++ b/internal/tracing/mock/tracing_mock.go
@@ -0,0 +1,155 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/caos/zitadel/internal/tracing (interfaces: Tracer)
+
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	context "context"
+	tracing "github.com/caos/zitadel/internal/tracing"
+	gomock "github.com/golang/mock/gomock"
+	trace "go.opencensus.io/trace"
+	http "net/http"
+	reflect "reflect"
+)
+
+// MockTracer is a mock of Tracer interface
+type MockTracer struct {
+	ctrl     *gomock.Controller
+	recorder *MockTracerMockRecorder
+}
+
+// MockTracerMockRecorder is the mock recorder for MockTracer
+type MockTracerMockRecorder struct {
+	mock *MockTracer
+}
+
+// NewMockTracer creates a new mock instance
+func NewMockTracer(ctrl *gomock.Controller) *MockTracer {
+	mock := &MockTracer{ctrl: ctrl}
+	mock.recorder = &MockTracerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockTracer) EXPECT() *MockTracerMockRecorder {
+	return m.recorder
+}
+
+// NewClientInterceptorSpan mocks base method
+func (m *MockTracer) NewClientInterceptorSpan(arg0 context.Context, arg1 string) (context.Context, *tracing.Span) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "NewClientInterceptorSpan", arg0, arg1)
+	ret0, _ := ret[0].(context.Context)
+	ret1, _ := ret[1].(*tracing.Span)
+	return ret0, ret1
+}
+
+// NewClientInterceptorSpan indicates an expected call of NewClientInterceptorSpan
+func (mr *MockTracerMockRecorder) NewClientInterceptorSpan(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewClientInterceptorSpan", reflect.TypeOf((*MockTracer)(nil).NewClientInterceptorSpan), arg0, arg1)
+}
+
+// NewClientSpan mocks base method
+func (m *MockTracer) NewClientSpan(arg0 context.Context, arg1 string) (context.Context, *tracing.Span) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "NewClientSpan", arg0, arg1)
+	ret0, _ := ret[0].(context.Context)
+	ret1, _ := ret[1].(*tracing.Span)
+	return ret0, ret1
+}
+
+// NewClientSpan indicates an expected call of NewClientSpan
+func (mr *MockTracerMockRecorder) NewClientSpan(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewClientSpan", reflect.TypeOf((*MockTracer)(nil).NewClientSpan), arg0, arg1)
+}
+
+// NewServerInterceptorSpan mocks base method
+func (m *MockTracer) NewServerInterceptorSpan(arg0 context.Context, arg1 string) (context.Context, *tracing.Span) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "NewServerInterceptorSpan", arg0, arg1)
+	ret0, _ := ret[0].(context.Context)
+	ret1, _ := ret[1].(*tracing.Span)
+	return ret0, ret1
+}
+
+// NewServerInterceptorSpan indicates an expected call of NewServerInterceptorSpan
+func (mr *MockTracerMockRecorder) NewServerInterceptorSpan(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewServerInterceptorSpan", reflect.TypeOf((*MockTracer)(nil).NewServerInterceptorSpan), arg0, arg1)
+}
+
+// NewServerSpan mocks base method
+func (m *MockTracer) NewServerSpan(arg0 context.Context, arg1 string) (context.Context, *tracing.Span) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "NewServerSpan", arg0, arg1)
+	ret0, _ := ret[0].(context.Context)
+	ret1, _ := ret[1].(*tracing.Span)
+	return ret0, ret1
+}
+
+// NewServerSpan indicates an expected call of NewServerSpan
+func (mr *MockTracerMockRecorder) NewServerSpan(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewServerSpan", reflect.TypeOf((*MockTracer)(nil).NewServerSpan), arg0, arg1)
+}
+
+// NewSpan mocks base method
+func (m *MockTracer) NewSpan(arg0 context.Context, arg1 string) (context.Context, *tracing.Span) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "NewSpan", arg0, arg1)
+	ret0, _ := ret[0].(context.Context)
+	ret1, _ := ret[1].(*tracing.Span)
+	return ret0, ret1
+}
+
+// NewSpan indicates an expected call of NewSpan
+func (mr *MockTracerMockRecorder) NewSpan(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewSpan", reflect.TypeOf((*MockTracer)(nil).NewSpan), arg0, arg1)
+}
+
+// NewSpanHTTP mocks base method
+func (m *MockTracer) NewSpanHTTP(arg0 *http.Request, arg1 string) (*http.Request, *tracing.Span) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "NewSpanHTTP", arg0, arg1)
+	ret0, _ := ret[0].(*http.Request)
+	ret1, _ := ret[1].(*tracing.Span)
+	return ret0, ret1
+}
+
+// NewSpanHTTP indicates an expected call of NewSpanHTTP
+func (mr *MockTracerMockRecorder) NewSpanHTTP(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewSpanHTTP", reflect.TypeOf((*MockTracer)(nil).NewSpanHTTP), arg0, arg1)
+}
+
+// Sampler mocks base method
+func (m *MockTracer) Sampler() trace.Sampler {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Sampler")
+	ret0, _ := ret[0].(trace.Sampler)
+	return ret0
+}
+
+// Sampler indicates an expected call of Sampler
+func (mr *MockTracerMockRecorder) Sampler() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Sampler", reflect.TypeOf((*MockTracer)(nil).Sampler))
+}
+
+// Start mocks base method
+func (m *MockTracer) Start() error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Start")
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Start indicates an expected call of Start
+func (mr *MockTracerMockRecorder) Start() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Start", reflect.TypeOf((*MockTracer)(nil).Start))
+}
--- a/internal/tracing/mock/tracing_mock_impl.go
+++ b/internal/tracing/mock/tracing_mock_impl.go
@@ -0,0 +1,20 @@
+package mock
+
+import (
+	"context"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+
+	"github.com/caos/zitadel/internal/tracing"
+)
+
+func NewSimpleMockTracer(t *testing.T) *MockTracer {
+	return NewMockTracer(gomock.NewController(t))
+}
+
+func ExpectServerSpan(ctx context.Context, mock interface{}) {
+	m := mock.(*MockTracer)
+	any := gomock.Any()
+	m.EXPECT().NewServerSpan(any, any).AnyTimes().Return(ctx, &tracing.Span{})
+}
--- a/internal/tracing/span.go
+++ b/internal/tracing/span.go
@@ -0,0 +1,89 @@
+package tracing
+
+import (
+	"fmt"
+	"strconv"
+
+	"go.opencensus.io/trace"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+type Span struct {
+	span       *trace.Span
+	attributes []trace.Attribute
+}
+
+func CreateSpan(span *trace.Span) *Span {
+	return &Span{span: span, attributes: []trace.Attribute{}}
+}
+
+func (s *Span) End() {
+	if s.span == nil {
+		return
+	}
+	s.span.AddAttributes(s.attributes...)
+	s.span.End()
+}
+
+func (s *Span) EndWithError(err error) {
+	s.SetStatusByError(err)
+	s.End()
+}
+
+func (s *Span) SetStatusByError(err error) {
+	if s.span == nil {
+		return
+	}
+	s.span.SetStatus(statusFromError(err))
+}
+
+func statusFromError(err error) trace.Status {
+	if statusErr, ok := status.FromError(err); ok {
+		return trace.Status{Code: int32(statusErr.Code()), Message: statusErr.Message()}
+	}
+	return trace.Status{Code: int32(codes.Unknown), Message: "Unknown"}
+}
+
+// AddAnnotation creates an annotation. The annotation will not be added to the tracing use Annotate(msg) afterwards
+func (s *Span) AddAnnotation(key string, value interface{}) *Span {
+	attribute, err := toTraceAttribute(key, value)
+	if err != nil {
+		return s
+	}
+	s.attributes = append(s.attributes, attribute)
+	return s
+}
+
+// Annotate creates an annotation in tracing. Before added annotations will be set
+func (s *Span) Annotate(message string) *Span {
+	if s.span == nil {
+		return s
+	}
+	s.span.Annotate(s.attributes, message)
+	s.attributes = []trace.Attribute{}
+	return s
+}
+
+func (s *Span) Annotatef(format string, addiations ...interface{}) *Span {
+	s.Annotate(fmt.Sprintf(format, addiations...))
+	return s
+}
+
+func toTraceAttribute(key string, value interface{}) (attr trace.Attribute, err error) {
+	switch value := value.(type) {
+	case bool:
+		return trace.BoolAttribute(key, value), nil
+	case string:
+		return trace.StringAttribute(key, value), nil
+	}
+	if valueInt, err := convertToInt64(value); err == nil {
+		return trace.Int64Attribute(key, valueInt), nil
+	}
+	return attr, status.Error(codes.InvalidArgument, "Attribute is not of type bool, string or int64")
+}
+
+func convertToInt64(value interface{}) (int64, error) {
+	valueString := fmt.Sprintf("%v", value)
+	return strconv.ParseInt(valueString, 10, 64)
+}
--- a/internal/tracing/tracing.go
+++ b/internal/tracing/tracing.go
@@ -0,0 +1,74 @@
+package tracing
+
+import (
+	"context"
+	"net/http"
+
+	"go.opencensus.io/trace"
+)
+
+type Tracer interface {
+	Start() error
+	NewSpan(ctx context.Context, caller string) (context.Context, *Span)
+	NewClientSpan(ctx context.Context, caller string) (context.Context, *Span)
+	NewServerSpan(ctx context.Context, caller string) (context.Context, *Span)
+	NewClientInterceptorSpan(ctx context.Context, name string) (context.Context, *Span)
+	NewServerInterceptorSpan(ctx context.Context, name string) (context.Context, *Span)
+	NewSpanHTTP(r *http.Request, caller string) (*http.Request, *Span)
+	Sampler() trace.Sampler
+}
+
+type Config interface {
+	NewTracer() error
+}
+
+var T Tracer
+
+func Sampler() trace.Sampler {
+	if T == nil {
+		return trace.NeverSample()
+	}
+	return T.Sampler()
+}
+
+func NewSpan(ctx context.Context) (context.Context, *Span) {
+	if T == nil {
+		return ctx, CreateSpan(nil)
+	}
+	return T.NewSpan(ctx, GetCaller())
+}
+
+func NewClientSpan(ctx context.Context) (context.Context, *Span) {
+	if T == nil {
+		return ctx, CreateSpan(nil)
+	}
+	return T.NewClientSpan(ctx, GetCaller())
+}
+
+func NewServerSpan(ctx context.Context) (context.Context, *Span) {
+	if T == nil {
+		return ctx, CreateSpan(nil)
+	}
+	return T.NewServerSpan(ctx, GetCaller())
+}
+
+func NewClientInterceptorSpan(ctx context.Context, name string) (context.Context, *Span) {
+	if T == nil {
+		return ctx, CreateSpan(nil)
+	}
+	return T.NewClientInterceptorSpan(ctx, name)
+}
+
+func NewServerInterceptorSpan(ctx context.Context, name string) (context.Context, *Span) {
+	if T == nil {
+		return ctx, CreateSpan(nil)
+	}
+	return T.NewServerInterceptorSpan(ctx, name)
+}
+
+func NewSpanHTTP(r *http.Request) (*http.Request, *Span) {
+	if T == nil {
+		return r, CreateSpan(nil)
+	}
+	return T.NewSpanHTTP(r, GetCaller())
+}