website: add more blueprint docs, 2022.8 release notes
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent 872c18dddc
commit 1c569c79f3
|
@ -7,3 +7,24 @@ Requires authentik 2022.8
|
|||
:::
|
||||
|
||||
Blueprints offer a new way to template, automate and distribute authentik configuration. Blueprints can be used to automatically configure instances, manage config as code without any external tools, and to distribute application configs.
|
||||
|
||||
## Types
|
||||
|
||||
Blueprints are yaml files, whose format is described further in [File structure](./v1/structure). Blueprints can be applied in one of two ways:
|
||||
|
||||
- As a Blueprint instance, which is a YAML file mounted into the authentik (worker) container. This file is read and applied regularly (every 60 minutes). Multiple instances can be created for a single blueprint file, and instances can be given context key:value attributes to configure the blueprint.
|
||||
- As a Flow import, which is a YAML file uploaded via the Browser/API. This file is validated and applied directly after being uploaded, but is not further monitored/applied.
|
||||
|
||||
Starting with authentik 2022.8, blueprints are used to manage authentik default flows and other system objects. These blueprints can be disabled/replaced with custom blueprints in certain circumstances.
|
||||
|
||||
## Usage
|
||||
|
||||
The authentik container by default looks for blueprints in `/blueprints`. Underneath this directory, there are a couple default subdirectories:
|
||||
|
||||
- `/blueprints/default`: Default blueprints for default flows, tenants, etc
|
||||
- `/blueprints/example`: Example blueprints for common configurations and flows
|
||||
- `/blueprints/system`: System blueprints for authentik managed Property mappings, etc
|
||||
|
||||
Any additional `.yaml` file in `/blueprints` will be discovered and automatically instantiated, depending on their labels.
|
||||
|
||||
To disable existing blueprints, an empty file can be mounted over the existing blueprint.
|
||||
|
|
|
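Review bot: The Usage sentence "Any additional `.yaml` file in `/blueprints` will be discovered and automatically instantiated, depending on their labels" does not say which label controls this or where labels are documented; link it to the label section of File structure (`blueprints.goauthentik.io/instantiate`). Because files under this directory are applied automatically and, per the Types section, re-applied every 60 minutes, the page should also state that write access to the mounted directory amounts to control over the instance's configuration, and recommend mounting it read-only where possible. Minor: "Blueprints are yaml files" should read "YAML" to match the rest of the page, and the paragraph on disabling a blueprint with an empty file should say what happens to objects that blueprint has already created.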
@ -1,32 +1,7 @@
|
|||
---
|
||||
title: File structure
|
||||
---
|
||||
# File structure
|
||||
|
||||
Blueprints are YAML files, which can use some additional tags to ease blueprint creation.
|
||||
|
||||
## Additional Tags
|
||||
|
||||
#### `!KeyOf`
|
||||
|
||||
Example: `policy: !KeyOf my-policy-id`
|
||||
|
||||
Resolves to the primary key of the model instance defined by id _my-policy-id_.
|
||||
|
||||
If no matching entry can be found, an error is raised and the blueprint is invalid.
|
||||
|
||||
#### `!Find`
|
||||
|
||||
Example: `configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]`
|
||||
|
||||
Looks up any model and resolves to the the matches' primary key.
|
||||
First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for.
|
||||
|
||||
#### `!Context`
|
||||
|
||||
Example: `configure_flow: !Context foo`
|
||||
|
||||
Find values from the context. Can optionally be called with a default like `!Context [foo, default-value]`.
|
||||
|
||||
## Structure
|
||||
|
||||
```yaml
|
||||
|
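Review bot: The "Additional Tags" section (`!KeyOf`, `!Find`, `!Context`) leaves File structure here (32 lines down to 7) and reappears on the new YAML Tags page, but nothing visible in this hunk points readers there. If the intro sentence "which can use some additional tags to ease blueprint creation" stays, turn "additional tags" into a link to the tags page, so that a reader of the structure example who meets a tag can find its definition.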
@ -65,6 +40,6 @@ entries:
|
|||
|
||||
Used by authentik's packaged blueprints to keep globals up-to-date. Should only be removed in special cases.
|
||||
|
||||
#### `blueprints.goauthentik.io/example`:
|
||||
#### `blueprints.goauthentik.io/instantiate`:
|
||||
|
||||
Blueprints with this label are not automatically imported. They are still available when creating a new instance.
|
||||
Configure if this blueprint should automatically be instantiated (defaults to `"true"`). When set to `"false"`, blueprints are listed and available to be instantiated via API/Browser.
|
||||
|
|
|
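Review bot: Replacing `blueprints.goauthentik.io/example` with `blueprints.goauthentik.io/instantiate` flips the default: the old label opted a blueprint out of automatic import by its presence, while the new one defaults to `"true"`. The text should say whether the old label is still honoured; if it is not, a blueprint that carries only the `example` label would now be instantiated automatically, and that belongs in the 2022.8 release notes. It would also help to state explicitly that the value is the quoted string `"false"` rather than a YAML boolean, if the distinction matters to the loader.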
@ -0,0 +1,28 @@
|
|||
# YAML Tags
|
||||
|
||||
#### `!KeyOf`
|
||||
|
||||
Example: `policy: !KeyOf my-policy-id`
|
||||
|
||||
Resolves to the primary key of the model instance defined by id _my-policy-id_.
|
||||
|
||||
If no matching entry can be found, an error is raised and the blueprint is invalid.
|
||||
|
||||
#### `!Find`
|
||||
|
||||
Example: `configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]`
|
||||
|
||||
Looks up any model and resolves to the the matches' primary key.
|
||||
First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for.
|
||||
|
||||
#### `!Context`
|
||||
|
||||
Example: `configure_flow: !Context foo`
|
||||
|
||||
Find values from the context. Can optionally be called with a default like `!Context [foo, default-value]`.
|
||||
|
||||
#### `!Format`
|
||||
|
||||
Example: `name: !Format [my-policy-%s, !Context instance_name]`
|
||||
|
||||
Format a string using python's % formatting. First argument is the format string, any remaining arguments are used for formatting.
|
|
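Review bot: `!Find` does not document its failure modes. `!KeyOf` says a missing entry raises an error and invalidates the blueprint, but for `!Find` the page is silent on what happens when the query matches nothing or matches more than one object; say which of these is an error and which silently resolves. In the same entry, "pairs of key=value pairs" does not match the example syntax `[slug, default-password-change]`, and "the the matches'" has a doubled word. For `!Format`, say what happens when the number of `%s` placeholders and arguments differ. The file also starts at `# YAML Tags` with no front matter `title:`, unlike the File structure page.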
@ -0,0 +1,73 @@
|
|||
---
|
||||
title: Release 2022.8
|
||||
slug: "2022.8"
|
||||
---
|
||||
|
||||
## Breaking changes
|
||||
|
||||
- Prompt fields with file type are now a full Base64 Data-URI
|
||||
|
||||
Previously the data was parsed into a string when possible, and when decoding failed, the raw base64 would be saved. Now, the entire URI is parsed, validated and kept in one piece, to make it possible to validate/save the MIME type.
|
||||
|
||||
## New features
|
||||
|
||||
- Blueprints
|
||||
|
||||
Blueprints allow for the configuration, automation and templating of authentik objects and configurations. They can be used to bootstrap new instances, configure them automatically without external tools, and to template configurations for sharing. See more [here](../../developer-docs/blueprints/)
|
||||
|
||||
For installations upgrading to 2022.8, if a single flow exists, then the default blueprints will not be activated, to not overwrite user modifications.
|
||||
|
||||
- Simplified forward auth
|
||||
|
||||
In previous releases, to use forward auth, the reverse proxy would have to be configured to both send auth requests to the outpost, but also allow access to URLs starting with `/outpost.goauthentik.io`. The second part is now no longer required, with the exception of nginx. Existing setups should continue to function as previously.
|
||||
|
||||
- Support for Caddy forward auth
|
||||
|
||||
Based on the traefik support, there is now dedicated support for Caddy with configuration examples, see [here](../providers/proxy/forward_auth)
|
||||
|
||||
## Minor changes/fixes
|
||||
|
||||
- \*: improve error handling for startup tasks
|
||||
- core: add API Endpoint to get all MFA devices, add web ui to delete MFA devices of any user
|
||||
- core: add attributes. avatar method to allow custom uploaded avatars
|
||||
- core: pre-hydrate config into templates to directly load correct assets
|
||||
- flows: migrate flows to be yaml (#3335)
|
||||
- internal: centralise config for listeners to use same config system everywhere (#3367)
|
||||
- internal: fix outposts not reacting to signals while starting
|
||||
- internal: fix race conditions when accessing settings before bootstrap
|
||||
- internal: walk config in go, check, parse and load from scheme like in python
|
||||
- lifecycle: optimise container lifecycle and process signals (#3332)
|
||||
- providers/oauth2: don't separate scopes by comma-space
|
||||
- providers/oauth2: fix scopes without descriptions not being saved in consent
|
||||
- providers/proxy: add caddy endpoint (#3330)
|
||||
- providers/proxy: add is_superuser to ak_proxy object, only show full error when superuser
|
||||
- providers/proxy: no exposed urls (#3151)
|
||||
- root: fix dockerfile for blueprints
|
||||
- sources/oauth: only send header authentication for OIDC source
|
||||
- sources/oauth: use mailcow full_name as username for mailcow source (#3299)
|
||||
- stages/\*: use stage-bound logger when possible
|
||||
- stages/authentiactor_validate: improve error handling for duo
|
||||
- stages/authenticator_duo: fix imported Duo Device not having a name
|
||||
- stages/authenticator_sms: use twilio SDK, improve docs
|
||||
- stages/authenticator_totp: remove single device per user limit
|
||||
- stages/consent: fix error when requests with identical empty permissions
|
||||
- stages/consent: fix for post requests (#3339)
|
||||
- stages/prompt: fix tests for file field
|
||||
|
||||
## Upgrading
|
||||
|
||||
This release does not introduce any new requirements.
|
||||
|
||||
### docker-compose
|
||||
|
||||
Download the docker-compose file for 2022.8 from [here](https://goauthentik.io/version/2022.8/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
|
||||
|
||||
### Kubernetes
|
||||
|
||||
Update your values to use the new images:
|
||||
|
||||
```yaml
|
||||
image:
|
||||
repository: ghcr.io/goauthentik/server
|
||||
tag: 2022.8.1
|
||||
```
|
|
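Review bot: The breaking change for file-type prompt fields has no upgrade guidance, and "This release does not introduce any new requirements" under Upgrading reads as if nothing needs attention. Add a sentence on what consumers of the old value (the decoded string or raw base64) need to change now that the field holds a full Base64 Data-URI. The Kubernetes example pins `tag: 2022.8.1` while the page and the docker-compose link refer to 2022.8; use one version or explain the difference. Typos in the changelog: `stages/authentiactor_validate` and `core: add attributes. avatar method` (stray space after the dot).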
@ -205,13 +205,14 @@ module.exports = {
|
|||
description: "Release notes for recent authentik versions",
|
||||
},
|
||||
items: [
|
||||
"releases/v2022.8",
|
||||
"releases/v2022.7",
|
||||
"releases/v2022.6",
|
||||
"releases/v2022.5",
|
||||
{
|
||||
type: "category",
|
||||
label: "Previous versions",
|
||||
items: [
|
||||
"releases/v2022.5",
|
||||
"releases/v2022.4",
|
||||
"releases/v2022.2",
|
||||
"releases/v2022.1",
|
||||
|
|
|
@ -11,7 +11,7 @@ module.exports = {
|
|||
type: "doc",
|
||||
id: "blueprints/index",
|
||||
},
|
||||
items: ["blueprints/v1/structure"],
|
||||
items: ["blueprints/v1/structure", "blueprints/v1/tags"],
|
||||
},
|
||||
{
|
||||
type: "category",
|
||||
|
|