diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index 3bb72cf77..27be37620 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -13,6 +13,7 @@ redis:
 ws_db: 2
 debug: false
+ log_level: info
 # Error reporting, sends stacktrace to sentry.beryju.org
diff --git a/authentik/policies/signals.py b/authentik/policies/signals.py
index 3fabc7202..fabde968f 100644
--- a/authentik/policies/signals.py
+++ b/authentik/policies/signals.py
@@ -26,5 +26,5 @@ def invalidate_policy_cache(sender, instance, **_):
 cache.delete_many(keys)
 LOGGER.debug("Invalidating policy cache", policy=instance, keys=total)
 # Also delete user application cache
- keys = cache.keys(user_app_cache_key("*"))
+ keys = cache.keys(user_app_cache_key("*")) or []
 cache.delete_many(keys)
diff --git a/authentik/sources/oauth/forms.py b/authentik/sources/oauth/forms.py
index 69ee0e41d..c8190882b 100644
--- a/authentik/sources/oauth/forms.py
+++ b/authentik/sources/oauth/forms.py
@@ -15,9 +15,11 @@ class OAuthSourceForm(forms.ModelForm):
 self.fields["authentication_flow"].queryset = Flow.objects.filter(
 designation=FlowDesignation.AUTHENTICATION
 )
+ self.fields["authentication_flow"].required = True
 self.fields["enrollment_flow"].queryset = Flow.objects.filter(
 designation=FlowDesignation.ENROLLMENT
 )
+ self.fields["enrollment_flow"].required = True
 if hasattr(self.Meta, "overrides"):
 for overide_field, overide_value in getattr(self.Meta, "overrides").items():
 self.fields[overide_field].initial = overide_value
diff --git a/authentik/sources/oauth/views/callback.py b/authentik/sources/oauth/views/callback.py
index 17d3ad8bd..54a294826 100644
--- a/authentik/sources/oauth/views/callback.py
+++ b/authentik/sources/oauth/views/callback.py
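Review bot: The `+` line still calls `cache.keys(user_app_cache_key("*"))`, and a glob lookup on the django-redis backend that this call implies is served by Redis `KEYS`, a full keyspace scan that blocks the server for its duration; because this signal fires on every policy save, a large cache turns each admin edit into a stall of the Redis that also carries sessions and the task queue. `cache.delete_pattern(user_app_cache_key("*"))` iterates with `SCAN`, deletes in one step and has no `None` return to guard, so it would replace both the `+` line and the `cache.delete_many(keys)` after it. The first `keys = cache.keys(...)` assignment sits above the hunk and presumably returns `None` in the same situation, so it likely wants the same `or []`; `invalidate_policy_cache` starts outside the hunk.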
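Review bot: The two `required = True` lines only tighten the admin form; `authentication_flow` and `enrollment_flow` evidently still accept null at the model level, because the callback view in this same commit has to add `if not flow` and `if not source.enrollment_flow` guards. Any other writer of the model (an API serializer, a fixture or migration, if the project has them) can therefore still produce a source with no flow and surface the 400 only at login time. Enforcing it once on the model (a `clean()` raising `ValidationError`, or `null=False` with a migration) would make the form change redundant and cover every path; at minimum a comment on the first `+` line should say the model is the real gate, e.g. `# UI-only guard: the model still allows null, see OAuthCallback`. `OAuthSourceForm.__init__` starts outside the hunk.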
@@ -4,6 +4,7 @@ from typing import Any, Optional
 from django.conf import settings
 from django.contrib import messages
 from django.http import Http404, HttpRequest, HttpResponse
+from django.http.response import HttpResponseBadRequest
 from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.translation import gettext as _
@@ -151,6 +152,8 @@ class OAuthCallback(OAuthClientMixin, View):
 PLAN_CONTEXT_REDIRECT: final_redirect,
 }
 )
+ if not flow:
+ return HttpResponseBadRequest()
 # We run the Flow planner here so we can pass the Pending user in the context
 planner = FlowPlanner(flow)
 plan = planner.plan(self.request, kwargs)
@@ -233,6 +236,9 @@ class OAuthCallback(OAuthClientMixin, View):
 PLAN_CONTEXT_SOURCES_OAUTH_ACCESS: access,
 }
 # We run the Flow planner here so we can pass the Pending user in the context
+ if not source.enrollment_flow:
+ LOGGER.warning("source has no enrollment flow", source=source)
+ return HttpResponseBadRequest()
 planner = FlowPlanner(source.enrollment_flow)
 plan = planner.plan(self.request, context)
 plan.append(in_memory_stage(PostUserEnrollmentStage))
diff --git a/docker-compose.yml b/docker-compose.yml
index d3971f525..f05eceb82 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,7 +19,7 @@ services:
 networks:
 - internal
 server:
- image: beryju/authentik:${AUTHENTIK_TAG:-2021.3.3}
+ image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.3.3}
 command: server
 environment:
 AUTHENTIK_REDIS__HOST: redis
@@ -47,7 +47,7 @@ services:
 env_file:
 - .env
 worker:
- image: beryju/authentik:${AUTHENTIK_TAG:-2021.3.3}
+ image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.3.3}
 command: worker
 networks:
 - internal
@@ -66,7 +66,7 @@ services:
 env_file:
 - .env
 static:
- image: beryju/authentik-static:${AUTHENTIK_TAG:-2021.3.3}
+ image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.3.3}
 networks:
 - internal
 labels:
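Review bot: The new `if not flow: return HttpResponseBadRequest()` answers an operator misconfiguration (a source with no authentication flow) with a client-error status and an empty body, and unlike the enrollment guard added further down it logs nothing, so nobody gets a trace of why every login against that source fails after the IdP round-trip. Mirror the other guard with a warning that names the source before returning, e.g. `LOGGER.warning("source has no authentication flow")` plus whatever identifies the source in this scope, and consider a `messages.error(self.request, _("..."))` followed by a redirect, since `messages` and `_` are already imported and a bare 400 after a successful provider callback is a confusing dead end for the user. The `flow` variable and the enclosing method are defined outside the hunk.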
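Review bot: The guard on `source.enrollment_flow` is placed after `context` has been assembled, which already holds the provider access token (`PLAN_CONTEXT_SOURCES_OAUTH_ACCESS: access`) and presumably the identity data fetched with it; hoisting the three new lines above the `context = {` assignment (which starts outside the hunk) avoids doing that work for a request that is about to be rejected and keeps the token out of locals that an error reporter with `send_pii` enabled could capture. The warning must keep its current shape and never be extended with `access` or `context`, as that would write the bearer token to logs. As with the login path, a null enrollment flow is a server-side misconfiguration, so a `messages.error` plus redirect would be more consistent with the rest of the view than an empty 400; the enclosing method starts and ends outside the hunk.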
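Review bot: `${AUTHENTIK_IMAGE:-beryju/authentik}` moves the choice of registry and repository for the server, worker and static images into `.env`, so whoever can write that file now decides which code runs the identity provider; that deserves a comment above `server:` such as `# AUTHENTIK_IMAGE/AUTHENTIK_TAG come from .env; pin a digest (tag@sha256:...) for production`. Both the default `2021.3.3` and the documented beta override `gh-next` are mutable tags, which a re-push or registry compromise can change silently, so documenting a digest-pinned form alongside the tag gives operators a verifiable option. All three services must share one `AUTHENTIK_TAG`, which the file already does.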
diff --git a/website/docs/installation/beta.mdx b/website/docs/installation/beta.mdx
new file mode 100644
index 000000000..370d1eaf4
--- /dev/null
+++ b/website/docs/installation/beta.mdx
@@ -0,0 +1,43 @@
+---
+title: Beta versions
+---
+
+You can test upcoming authentik versions by switching to the *next* images. These beta versions supported upgrades from the latest stable version, and have a supported upgrade plan to the next stable version.
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+
+
+Add the following block to your `.env` file:
+
+```shell
+AUTHENTIK_IMAGE=docker.beryju.org/authentik/server
+AUTHENTIK_IMAGE_STATIC=docker.beryju.org/authentik/static
+AUTHENTIK_TAG=gh-next
+AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE=docker.beryju.org/authentik
+```
+
+Afterwards, run the upgrade commands from the [release notes](../releases/next)
+
+
+Add the following block to your `values.yml` file:
+
+```yaml
+image:
+ name: docker.beryju.org/authentik/server
+ name_static: docker.beryju.org/authentik/static
+ name_outposts: docker.beryju.org/authentik
+ tag: gh-next
+ # pullPolicy: Always to ensure you always get the latest version
+ pullPolicy: Always
+```
+
+Afterwards, run the upgrade commands from the [release notes](../releases/next)
+
+
diff --git a/website/docs/installation/docker-compose-config.md b/website/docs/installation/docker-compose-config.md
new file mode 100644
index 000000000..1fed61250
--- /dev/null
+++ b/website/docs/installation/docker-compose-config.md
@@ -0,0 +1,84 @@
+---
+title: docker-compose configuration
+---
+
+These are all the configuration options you can set via docker-compose. These don't apply to Kubernetes, as those settings are configured via helm.
+
+Append any of the following keys to your `.env` file, and run `docker-compose up -d` to apply them.
+
+## AUTHENTIK_LOG_LEVEL
+
+Log level for the server and worker containers. Possible values: debug, info, warning, error
+Defaults to `info`.
+
+## AUTHENTIK_ERROR_REPORTING
+
+- AUTHENTIK_ERROR_REPORTING__ENABLED
+
+ Enable error reporting. Defaults to `false`.
+
+ Error reports are sent to https://sentry.beryju.org, and are used for debugging and general feedback. Anonymous performance data is also sent.
+
+- AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
+
+ Unique environment that is attached to your error reports, should be set to your email address for example. Defaults to `customer`.
+
+- AUTHENTIK_ERROR_REPORTING__SEND_PII
+
+ Whether or not to send personal data, like usernames. Defaults to `false`.
+
+## AUTHENTIK_EMAIL
+
+- AUTHENTIK_EMAIL__HOST
+
+ Default: `localhost`
+
+- AUTHENTIK_EMAIL__PORT
+
+ Default: `25`
+
+- AUTHENTIK_EMAIL__USERNAME
+
+ Default: `""`
+
+- AUTHENTIK_EMAIL__PASSWORD
+
+ Default: `""`
+
+- AUTHENTIK_EMAIL__USE_TLS
+
+ Default: `false`
+
+- AUTHENTIK_EMAIL__USE_SSL
+
+ Default: `false`
+
+- AUTHENTIK_EMAIL__TIMEOUT
+
+ Default: `10`
+
+- AUTHENTIK_EMAIL__FROM
+
+ Default: `authentik@localhost`
+
+ Email address authentik will send from, should have a correct @domain
+
+## AUTHENTIK_OUTPOSTS
+
+- AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE
+
+ This is the prefix used for authentik-managed outposts. Default: `beryju/authentik`.
+
+## AUTHENTIK_AUTHENTIK
+
+- AUTHENTIK_AUTHENTIK__AVATARS
+
+ Controls which avatars are shown. Defaults to `gravatar`. Can be set to `none` to disable avatars.
+
+- AUTHENTIK_AUTHENTIK__BRANDING__TITLE
+
+ Branding title used throughout the UI. Defaults to `authentik`.
+
+- AUTHENTIK_AUTHENTIK__BRANDING__LOGO
+
+ Logo shown in the sidebar and flow executions. Defaults to `/static/dist/assets/icons/icon_left_brand.svg`
diff --git a/website/docs/installation/index.md b/website/docs/installation/index.md
index b88bf106e..289e061a7 100644
--- a/website/docs/installation/index.md
+++ b/website/docs/installation/index.md
@@ -2,6 +2,6 @@ title: Installation
 ---
-If you want to try out authentik, or only want a small deployment (< 100 Users), you should use [docker-compose](./docker-compose).
+If you want to try out authentik, or only want a small deployment you should use [docker-compose](./docker-compose).
 If you want a larger deployment, or you want High-Availability, you should use [Kubernetes](./kubernetes).
diff --git a/website/docs/installation/kubernetes.md b/website/docs/installation/kubernetes.md
index 663828d90..16f1aeadf 100644
--- a/website/docs/installation/kubernetes.md
+++ b/website/docs/installation/kubernetes.md
@@ -21,10 +21,10 @@ It is also recommended to configure global email credentials. These are used by
 # Values directly affecting authentik
 ###################################
 image:
- name: beryju/authentik
- name_static: beryju/authentik-static
- name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
- tag: 2021.3.3
+ name: beryju/authentik
+ name_static: beryju/authentik-static
+ name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
+ tag: 2021.3.3
 serverReplicas: 1
 workerReplicas: 1
@@ -33,31 +33,38 @@ workerReplicas: 1
 kubernetesIntegration: true
 config:
- # Optionally specify fixed secret_key, otherwise generated automatically
- # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
- # Enable error reporting
- errorReporting:
- enabled: false
- environment: customer
- sendPii: false
- # Log level used by web and worker
- # Can be either debug, info, warning, error
- logLevel: warning
- # Global Email settings
- email:
- # SMTP Host Emails are sent to
- host: localhost
- port: 25
- # Optionally authenticate
- username: ""
- password: ""
- # Use StartTLS
- useTls: false
- # Use SSL
- useSsl: false
- timeout: 10
- # Email address authentik will send from, should have a correct @domain
- from: authentik@localhost
+ # Optionally specify fixed secret_key, otherwise generated automatically
+ # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
+ # Enable error reporting
+ errorReporting:
+ enabled: false
+ environment: customer
+ sendPii: false
+ # Log level used by web and worker
+ # Can be either debug, info, warning, error
+ logLevel: warning
+ # Global Email settings
+ email:
+ # SMTP Host Emails are sent to
+ host: localhost
+ port: 25
+ # Optionally authenticate
+ username: ""
+ password: ""
+ # Use StartTLS
+ useTls: false
+ # Use SSL
+ useSsl: false
+ timeout: 10
+ # Email address authentik will send from, should have a correct @domain
+ from: authentik@localhost
+
+# Enable MaxMind GeoIP
+# geoip:
+# enabled: false
+# accountId: ""
+# licenseKey: ""
+# image: maxmindinc/geoipupdate:latest
 # Enable Database Backups to S3
 # backup:
@@ -68,33 +75,22 @@ config: # host: s3-host ingress: - annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" hosts: - authentik.k8s.local tls: [] # - secretName: chart-example-tls # hosts: # - authentik.k8s.local + annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" hosts: - authentik.k8s.local tls: [] # - secretName: chart-example-tls # hosts: # - authentik.k8s.local ################################### # Values controlling dependencies ################################### install: - postgresql: true - redis: true - -# These values influence the bundled postgresql and redis charts, but are also used by authentik to connect -postgresql: - postgresqlDatabase: authentik - -redis: - cluster: - enabled: false - master: - persistence: - enabled: false + postgresql: true + redis: true ```
diff --git a/website/docs/releases/next.md b/website/docs/releases/next.md
new file mode 100644
index 000000000..fd7c2463f
--- /dev/null
+++ b/website/docs/releases/next.md
@@ -0,0 +1,17 @@
+---
+title: Next
+---
+
+# TBD
+
+## Upgrading
+
+This release does not introduce any new requirements.
+
+### docker-compose
+
+Download the latest docker-compose file from [here](https://raw.githubusercontent.com/BeryJu/authentik/version-2021.4/docker-compose.yml). Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`.
+
+### Kubernetes
+
+Run `helm repo update` and then upgrade your release with `helm upgrade passbook authentik/authentik --devel -f values.yaml`.
diff --git a/website/sidebars.js b/website/sidebars.js
index 1481752cd..7d70df6d3 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -14,8 +14,10 @@ module.exports = {
 items: [
 "installation/index",
 "installation/docker-compose",
- "installation/kubernetes",
+ "installation/docker-compose-config",
 "installation/reverse-proxy",
+ "installation/kubernetes",
+ "installation/beta",
 ],
 },
 {