feat: generate webkeys setup step (#10105)

# Which Problems Are Solved We are preparing to roll-out and stabilize webkeys in the next version of Zitadel. Before removing legacy signing-key code, we must ensure all existing instances have their webkeys generated. # How the Problems Are Solved Add a setup step which generate 2 webkeys for each existing instance that didn't have webkeys yet. # Additional Changes Return an error from the config type-switch, when the type is unknown. # Additional Context - Part 1/2 of https://github.com/zitadel/zitadel/issues/10029 - Should be back-ported to v3
2025-08-11 21:27:42 +00:00 · 2025-06-24 12:41:41 +03:00
parent 3a4298c179
commit fa9de9a0f1
4 changed files with 60 additions and 0 deletions
--- a/cmd/setup/59.go
+++ b/cmd/setup/59.go
@@ -0,0 +1,54 @@
+package setup
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+)
+
+type SetupWebkeys struct {
+	eventstore *eventstore.Eventstore
+	commands   *command.Commands
+}
+
+func (mig *SetupWebkeys) Execute(ctx context.Context, _ eventstore.Event) error {
+	instances, err := mig.eventstore.InstanceIDs(
+		ctx,
+		eventstore.NewSearchQueryBuilder(eventstore.ColumnsInstanceIDs).
+			OrderDesc().
+			AddQuery().
+			AggregateTypes(instance.AggregateType).
+			EventTypes(instance.InstanceAddedEventType).
+			Builder().ExcludeAggregateIDs().
+			AggregateTypes(instance.AggregateType).
+			EventTypes(instance.InstanceRemovedEventType).
+			Builder(),
+	)
+	if err != nil {
+		return fmt.Errorf("%s get instance IDs: %w", mig, err)
+	}
+	conf := &crypto.WebKeyRSAConfig{
+		Bits:   crypto.RSABits2048,
+		Hasher: crypto.RSAHasherSHA256,
+	}
+
+	for _, instance := range instances {
+		ctx := authz.WithInstanceID(ctx, instance)
+		logging.Info("prepare initial webkeys for instance", "instance_id", instance, "migration", mig)
+		if err := mig.commands.GenerateInitialWebKeys(ctx, conf); err != nil {
+			return fmt.Errorf("%s generate initial webkeys: %w", mig, err)
+		}
+	}
+	return nil
+}
+
+func (mig *SetupWebkeys) String() string {
+	return "59_setup_webkeys"
+}