release: 2021.8.5

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.8.4
+current_version = 2021.8.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)

.github/workflows/release-publish.yml

@@ -33,14 +33,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.8.4,
+            beryju/authentik:2021.8.5,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.8.4,
+            ghcr.io/goauthentik/server:2021.8.5,
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.4', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.8.5', 'rc') }}
         run: |
           docker pull beryju/authentik:latest
           docker tag beryju/authentik:latest beryju/authentik:stable
@@ -75,14 +75,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-proxy:2021.8.4,
+            beryju/authentik-proxy:2021.8.5,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.8.4,
+            ghcr.io/goauthentik/proxy:2021.8.5,
             ghcr.io/goauthentik/proxy:latest
           file: proxy.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.4', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.8.5', 'rc') }}
         run: |
           docker pull beryju/authentik-proxy:latest
           docker tag beryju/authentik-proxy:latest beryju/authentik-proxy:stable
@@ -117,14 +117,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-ldap:2021.8.4,
+            beryju/authentik-ldap:2021.8.5,
             beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.8.4,
+            ghcr.io/goauthentik/ldap:2021.8.5,
             ghcr.io/goauthentik/ldap:latest
           file: ldap.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.4', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.8.5', 'rc') }}
         run: |
           docker pull beryju/authentik-ldap:latest
           docker tag beryju/authentik-ldap:latest beryju/authentik-ldap:stable
@@ -175,7 +175,7 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.8.4
+          version: authentik@2021.8.5
           environment: beryjuorg-prod
           sourcemaps: './web/dist'
           url_prefix: '~/static/dist'

authentik/__init__.py

@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.8.4"
+__version__ = "2021.8.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

authentik/sources/oauth/views/redirect.py

@@ -6,7 +6,6 @@ from django.urls import reverse
 from django.views.generic import RedirectView
 from structlog.stdlib import get_logger
 
-from authentik.flows.views import FlowExecutorView
 from authentik.sources.oauth.models import OAuthSource
 from authentik.sources.oauth.views.base import OAuthClientMixin
 
@@ -43,5 +42,4 @@ class OAuthRedirect(OAuthClientMixin, RedirectView):
                 raise Http404(f"source {slug} is not enabled.")
             client = self.get_client(source, callback=self.get_callback_url(source))
             params = self.get_additional_parameters(source)
-            FlowExecutorView(request=self.request).cancel()
             return client.get_redirect_url(params)

docker-compose.yml

@@ -21,7 +21,7 @@ services:
     networks:
       - internal
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.8.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.8.5}
     restart: unless-stopped
     command: server
     environment:
@@ -44,7 +44,7 @@ services:
       - "0.0.0.0:9000:9000"
       - "0.0.0.0:9443:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.8.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.8.5}
     restart: unless-stopped
     command: worker
     networks:

internal/constants/constants.go

@@ -17,4 +17,4 @@ func OutpostUserAgent() string {
 	return fmt.Sprintf("authentik-outpost@%s (%s)", VERSION, BUILD())
 }
 
-const VERSION = "2021.8.4"
+const VERSION = "2021.8.5"

internal/outpost/ak/api.go

@@ -107,8 +107,24 @@ func (a *APIController) Start() error {
 	return nil
 }
 
+func (a *APIController) OnRefresh() error {
+	// Because we don't know the outpost UUID, we simply do a list and pick the first
+	// The service account this token belongs to should only have access to a single outpost
+	outposts, _, err := a.Client.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
+
+	if err != nil {
+		log.WithError(err).Error("Failed to fetch outpost configuration")
+		return err
+	}
+	outpost := outposts.Results[0]
+	doGlobalSetup(outpost.Config)
+
+	log.WithField("name", outpost.Name).Debug("Fetched outpost configuration")
+	return a.Server.Refresh()
+}
+
 func (a *APIController) StartBackgorundTasks() error {
-	err := a.Server.Refresh()
+	err := a.OnRefresh()
 	if err != nil {
 		return errors.Wrap(err, "failed to run initial refresh")
 	}

internal/outpost/ak/api_ws.go

@@ -82,7 +82,7 @@ func (ac *APIController) startWSHandler() {
 		if wsMsg.Instruction == WebsocketInstructionTriggerUpdate {
 			time.Sleep(ac.reloadOffset)
 			logger.Debug("Got update trigger...")
-			err := ac.Server.Refresh()
+			err := ac.OnRefresh()
 			if err != nil {
 				logger.WithError(err).Debug("Failed to update")
 			}
@@ -118,7 +118,7 @@ func (ac *APIController) startIntervalUpdater() {
 	logger := ac.logger.WithField("loop", "interval-updater")
 	ticker := time.NewTicker(5 * time.Minute)
 	for ; true; <-ticker.C {
-		err := ac.Server.Refresh()
+		err := ac.OnRefresh()
 		if err != nil {
 			logger.WithError(err).Debug("Failed to update")
 		}

lifecycle/ak

@@ -14,9 +14,12 @@ function check_if_root {
         # Get group ID of the docker socket, so we can create a matching group and
         # add ourselves to it
         DOCKER_GID=$(stat -c '%g' $SOCKET)
+        # Ensure group for the id exists
         getent group $DOCKER_GID || groupadd -f -g $DOCKER_GID docker
         usermod -a -G $DOCKER_GID authentik
-        GROUP="authentik:docker"
+        # since the name of the group might not be docker, we need to lookup the group id
+        GROUP_NAME=$(getent group $DOCKER_GID  | sed 's/:/\n/g' | head -1)
+        GROUP="authentik:${GROUP_NAME}"
     fi
     # Fix permissions of backups and media
     chown -R authentik:authentik /media /backups

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2021.8.4
+  version: 2021.8.5
   description: Making authentication simple.
   contact:
     email: hello@beryju.org

web/src/api/Sentry.ts

@@ -14,6 +14,9 @@ export function configureSentry(canDoPpi: boolean = false): Promise<Config> {
         if (config.errorReportingEnabled) {
             Sentry.init({
                 dsn: "https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8",
+                ignoreErrors: [
+                    /network/i,
+                ],
                 release: `authentik@${VERSION}`,
                 tunnel: "/api/v3/sentry/",
                 integrations: [

web/src/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.8.4";
+export const VERSION = "2021.8.5";
 export const PAGE_SIZE = 20;
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

website/docs/installation/docker-compose.md

@@ -12,9 +12,9 @@ This installation method is for test-setups and small-scale productive setups.
 
 ## Preparation
 
-Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.8.4/docker-compose.yml). Place it in a directory of your choice.
+Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.8.5/docker-compose.yml). Place it in a directory of your choice.
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.8.4 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.8.5 >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 

website/docs/outposts/manual-deploy-docker-compose.md

@@ -11,7 +11,7 @@ version: "3.5"
 
 services:
   authentik_proxy:
-    image: ghcr.io/goauthentik/proxy:2021.8.4
+    image: ghcr.io/goauthentik/proxy:2021.8.5
     ports:
       - 4180:4180
       - 4443:4443
@@ -21,7 +21,7 @@ services:
       AUTHENTIK_TOKEN: token-generated-by-authentik
   # Or, for the LDAP Outpost
   authentik_proxy:
-    image: ghcr.io/goauthentik/ldap:2021.8.4
+    image: ghcr.io/goauthentik/ldap:2021.8.5
     ports:
       - 389:3389
     environment:

website/docs/outposts/manual-deploy-kubernetes.md

@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.8.4
+    app.kubernetes.io/version: 2021.8.5
   name: authentik-outpost-api
 stringData:
   authentik_host: "__AUTHENTIK_URL__"
@@ -29,7 +29,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.8.4
+    app.kubernetes.io/version: 2021.8.5
   name: authentik-outpost
 spec:
   ports:
@@ -54,7 +54,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.8.4
+    app.kubernetes.io/version: 2021.8.5
   name: authentik-outpost
 spec:
   selector:
@@ -62,14 +62,14 @@ spec:
       app.kubernetes.io/instance: __OUTPOST_NAME__
       app.kubernetes.io/managed-by: goauthentik.io
       app.kubernetes.io/name: authentik-proxy
-      app.kubernetes.io/version: 2021.8.4
+      app.kubernetes.io/version: 2021.8.5
   template:
     metadata:
       labels:
         app.kubernetes.io/instance: __OUTPOST_NAME__
         app.kubernetes.io/managed-by: goauthentik.io
         app.kubernetes.io/name: authentik-proxy
-        app.kubernetes.io/version: 2021.8.4
+        app.kubernetes.io/version: 2021.8.5
     spec:
       containers:
         - env:
@@ -88,7 +88,7 @@ spec:
               secretKeyRef:
                 key: authentik_host_insecure
                 name: authentik-outpost-api
-        image: ghcr.io/goauthentik/proxy:2021.8.4
+        image: ghcr.io/goauthentik/proxy:2021.8.5
         name: proxy
         ports:
           - containerPort: 4180
@@ -110,7 +110,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.8.4
+    app.kubernetes.io/version: 2021.8.5
   name: authentik-outpost
 spec:
   rules: