website/docs: prepare 2021.9

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/docs/releases/v2021.8.md

@@ -147,4 +147,10 @@ Download the docker-compose file for 2021.8 from [here](https://raw.githubuserco
 
 ### Kubernetes
 
-Upgrade to the latest chart version to get the new images.
+Update your values to use the new images:
+
+```yaml
+image:
+  repository: ghcr.io/goauthentik/server
+  tag: 2021.8.5
+```

website/docs/releases/v2021.9.md

@@ -0,0 +1,72 @@
+---
+title: Release 2021.9
+slug: "2021.9"
+---
+
+## Headline Changes
+
+- New proxy
+
+    The proxy outpost has been rewritten from scratch. This replaces the old proxy, which was based on oauth2_proxy. The new proxy allows us a much greater degree of flexibility, is much lighter and reports errors better.
+
+    When using a managed outpost, authentik will automatically upgrade to the new proxy outpost. The embedded outpost also uses the new proxy.
+
+    authentik also now deploys ServiceMonitor CRDs in your Kubernetes cluster (when possibly), to record the metrics of the outposts.
+
+    If you're using a manually deployed outpost, keep in mind that the ports change to 9000 and 9443 instead of 4180 and 4443
+
+- New metrics
+
+    This version introduces new and simplified Prometheus metrics. There is a new common monitoring port across the server and all outposts, 9300. This port requires no authentication, making it easier to configure.
+
+    For the core application, this endpoint contains metrics for both authentik and the inbuilt outpost.
+
+## Minor changes
+
+- *: use common user agent for all outgoing requests
+- admin: migrate to new update check, add option to disable update check
+- api: add additional filters for ldap and proxy providers
+- core: optimise groups api by removing member superuser status
+- core: remove ?v from static files
+- events: add mark_all_seen
+- events: allow setting a mapping for webhook transport to customise request payloads
+- internal: fix font loading errors on safari
+- lifecycle: fix worker startup error when docker socket's group is not called docker
+- outpost: fix spans being sent without parent context
+- outpost: update global outpost config on refresh
+- outposts: add expected outpost replica count to metrics
+- outposts/controllers: re-create service when mismatched ports to prevent errors
+- outposts/controllers/kubernetes: don't create service monitor for embedded outpost
+- outposts/ldap: improve logging of client IPs
+- policies/password: fix symbols not being checked correctly
+- root: include authentik version in backup naming
+- root: show location header in logs when redirecting
+- sources/oauth: prevent potentially confidential data from being logged
+- stages/authenticator_duo: add API to "import" devices from duo
+- stages/identification: fix empty user_fields query returning first user
+- tenants: optimise db queries in middleware
+- web: allow duplicate messages
+- web: ignore network error
+- web/admin: fix notification clear all not triggering render
+- web/admin: fix user selection in token form
+- web/admin: increase default expiry for refresh tokens
+- web/admin: show applications instead of providers in outpost form
+- web/flows: fix display error when using IdentificationStage without input fields
+
+## Upgrading
+
+This release does not introduce any new requirements.
+
+### docker-compose
+
+Download the docker-compose file for 2021.9 from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.9/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
+
+### Kubernetes
+
+Update your values to use the new images:
+
+```yaml
+image:
+  repository: ghcr.io/goauthentik/server
+  tag: 2021.9.1
+```