website/docs: add architecture and persistence (#6250)
* website/docs: add architecture and persistence Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Apply suggestions from code review Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> * Apply suggestions from code review Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> * add note about kubernetes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * link to relevant parts Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
This commit is contained in:
parent
9dc37eb30e
commit
33e7903699
61
website/docs/core/architecture.md
Normal file
61
website/docs/core/architecture.md
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
---
|
||||||
|
title: Architecture
|
||||||
|
---
|
||||||
|
|
||||||
|
authentik consists of a handful of components, most of which are required for a functioning setup.
|
||||||
|
|
||||||
|
```mermaid
|
||||||
|
graph LR
|
||||||
|
user(User) --> ak_server(authentik Server)
|
||||||
|
ak_server --> ak_server_core(authentik Server Core)
|
||||||
|
ak_server --> ak_outpost(Embedded outpost)
|
||||||
|
ak_server_core --> db(PostgreSQL)
|
||||||
|
ak_server_core --> cache(Redis)
|
||||||
|
ak_worker(Background Worker) --> db(PostgreSQL)
|
||||||
|
ak_worker(Background Worker) --> cache(Redis)
|
||||||
|
```
|
||||||
|
|
||||||
|
### Server
|
||||||
|
|
||||||
|
The server container consists of two sub-components, the actual server itself and the embedded outpost. Incoming requests to the server container(s) are routed by a lightweight router to either the _Core_ server or the embedded outpost. This router also handles requests for any static assets such as JavaScript and CSS files.
|
||||||
|
|
||||||
|
#### Core
|
||||||
|
|
||||||
|
The core sub-component handles most of authentik's logic, such as API requests, flow executions, any kind of SSO requests, etc.
|
||||||
|
|
||||||
|
#### Embedded outpost
|
||||||
|
|
||||||
|
Similar to [other outposts](../outposts/index.mdx), this outposts allows using [Proxy providers](../providers/proxy/index.md) without deploying a separate outpost.
|
||||||
|
|
||||||
|
#### Persistence
|
||||||
|
|
||||||
|
- `/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload
|
||||||
|
|
||||||
|
### Background Worker
|
||||||
|
|
||||||
|
This container executes background tasks, such as sending emails, the event notification system, and everything you can see on the _System Tasks_ page in the frontend.
|
||||||
|
|
||||||
|
#### Persistence
|
||||||
|
|
||||||
|
- `/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt)
|
||||||
|
- `/templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional
|
||||||
|
|
||||||
|
### PostgreSQL
|
||||||
|
|
||||||
|
authentik uses PostgreSQL to store all of its configuration and other data (excluding uploaded files).
|
||||||
|
|
||||||
|
#### Persistence
|
||||||
|
|
||||||
|
- `/var/lib/postgresql/data` is used to store the PostgreSQL database
|
||||||
|
|
||||||
|
On Kubernetes, with the default Helm chart and using the packaged PostgreSQL sub-chart, persistent data is stored in a PVC.
|
||||||
|
|
||||||
|
### Redis
|
||||||
|
|
||||||
|
authentik uses Redis as a message-queue and a cache. Data in Redis is not required to be persistent, however you should be aware that restarting Redis will cause the loss of all sessions.
|
||||||
|
|
||||||
|
#### Persistence
|
||||||
|
|
||||||
|
- `/data` is used to store the Redis data
|
||||||
|
|
||||||
|
On Kubernetes, with the default Helm chart and using the packaged Redis sub-chart, persistent data is stored in a PVC.
|
|
@ -71,6 +71,13 @@ See [Configuration](../installation/configuration) to change the internal ports.
|
||||||
|
|
||||||
## Startup
|
## Startup
|
||||||
|
|
||||||
|
:::warning
|
||||||
|
The server assumes to have local timezone as UTC.
|
||||||
|
All internals are handled in UTC; whenever a time is displayed to the user in UI, the time shown is localized.
|
||||||
|
Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik containers.
|
||||||
|
This will not give any advantages. It will cause problems with OAuth and SAML authentication, e.g. [see this GitHub issue](https://github.com/goauthentik/authentik/issues/3005).
|
||||||
|
:::
|
||||||
|
|
||||||
Afterwards, run these commands to finish:
|
Afterwards, run these commands to finish:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
|
@ -85,28 +92,3 @@ By default, authentik is reachable (by default) on port 9000 (HTTP) and port 944
|
||||||
To start the initial setup, navigate to `https://<your server's IP or hostname>:9000/if/flow/initial-setup/`.
|
To start the initial setup, navigate to `https://<your server's IP or hostname>:9000/if/flow/initial-setup/`.
|
||||||
|
|
||||||
There you are prompted to set a password for the akadmin user (the default user).
|
There you are prompted to set a password for the akadmin user (the default user).
|
||||||
|
|
||||||
## Explanation
|
|
||||||
|
|
||||||
:::warning
|
|
||||||
The server assumes to have local timezone as UTC.
|
|
||||||
All internals are handled in UTC; whenever a time is displayed to the user in UI it gets localized.
|
|
||||||
Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik containers.
|
|
||||||
This will not give any advantages.
|
|
||||||
On the contrary, it will cause problems with OAuth and SAML authentication,
|
|
||||||
e.g. [see this GitHub issue](https://github.com/goauthentik/authentik/issues/3005).
|
|
||||||
:::
|
|
||||||
|
|
||||||
The Docker-Compose project contains the following containers:
|
|
||||||
|
|
||||||
- server
|
|
||||||
|
|
||||||
This is the backend service, which does all the logic, plus runs the API and the SSO functionality. It also runs the frontend, hosts the JS/CSS files, and serves the files you've uploaded for icons/etc.
|
|
||||||
|
|
||||||
- worker
|
|
||||||
|
|
||||||
This container executes background tasks, everything you can see on the _System Tasks_ page in the frontend.
|
|
||||||
|
|
||||||
- redis (for cache)
|
|
||||||
|
|
||||||
- postgresql (default database)
|
|
||||||
|
|
|
@ -33,6 +33,7 @@ module.exports = {
|
||||||
"core/tenants",
|
"core/tenants",
|
||||||
"core/certificates",
|
"core/certificates",
|
||||||
"core/geoip",
|
"core/geoip",
|
||||||
|
"core/architecture",
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
Reference in a new issue