website/docs: add architecture and persistence (#6250)

* website/docs: add architecture and persistence

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* add note about kubernetes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* link to relevant parts

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
This commit is contained in:
Jens L 2023-07-31 11:21:33 +02:00 committed by GitHub
parent 9dc37eb30e
commit 33e7903699
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 69 additions and 25 deletions

View File

@ -0,0 +1,61 @@
---
title: Architecture
---
authentik consists of a handful of components, most of which are required for a functioning setup.
```mermaid
graph LR
user(User) --> ak_server(authentik Server)
ak_server --> ak_server_core(authentik Server Core)
ak_server --> ak_outpost(Embedded outpost)
ak_server_core --> db(PostgreSQL)
ak_server_core --> cache(Redis)
ak_worker(Background Worker) --> db(PostgreSQL)
ak_worker(Background Worker) --> cache(Redis)
```
### Server
The server container consists of two sub-components, the actual server itself and the embedded outpost. Incoming requests to the server container(s) are routed by a lightweight router to either the _Core_ server or the embedded outpost. This router also handles requests for any static assets such as JavaScript and CSS files.
#### Core
The core sub-component handles most of authentik's logic, such as API requests, flow executions, any kind of SSO requests, etc.
#### Embedded outpost
Similar to [other outposts](../outposts/index.mdx), this outposts allows using [Proxy providers](../providers/proxy/index.md) without deploying a separate outpost.
#### Persistence
- `/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload
### Background Worker
This container executes background tasks, such as sending emails, the event notification system, and everything you can see on the _System Tasks_ page in the frontend.
#### Persistence
- `/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](../core/certificates.md#lets-encrypt)
- `/templates` is used for [custom email templates](../flow/stages/email/index.mdx#custom-templates), and as with the other ones fully optional
### PostgreSQL
authentik uses PostgreSQL to store all of its configuration and other data (excluding uploaded files).
#### Persistence
- `/var/lib/postgresql/data` is used to store the PostgreSQL database
On Kubernetes, with the default Helm chart and using the packaged PostgreSQL sub-chart, persistent data is stored in a PVC.
### Redis
authentik uses Redis as a message-queue and a cache. Data in Redis is not required to be persistent, however you should be aware that restarting Redis will cause the loss of all sessions.
#### Persistence
- `/data` is used to store the Redis data
On Kubernetes, with the default Helm chart and using the packaged Redis sub-chart, persistent data is stored in a PVC.

View File

@ -71,6 +71,13 @@ See [Configuration](../installation/configuration) to change the internal ports.
## Startup ## Startup
:::warning
The server assumes to have local timezone as UTC.
All internals are handled in UTC; whenever a time is displayed to the user in UI, the time shown is localized.
Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik containers.
This will not give any advantages. It will cause problems with OAuth and SAML authentication, e.g. [see this GitHub issue](https://github.com/goauthentik/authentik/issues/3005).
:::
Afterwards, run these commands to finish: Afterwards, run these commands to finish:
```shell ```shell
@ -85,28 +92,3 @@ By default, authentik is reachable (by default) on port 9000 (HTTP) and port 944
To start the initial setup, navigate to `https://<your server's IP or hostname>:9000/if/flow/initial-setup/`. To start the initial setup, navigate to `https://<your server's IP or hostname>:9000/if/flow/initial-setup/`.
There you are prompted to set a password for the akadmin user (the default user). There you are prompted to set a password for the akadmin user (the default user).
## Explanation
:::warning
The server assumes to have local timezone as UTC.
All internals are handled in UTC; whenever a time is displayed to the user in UI it gets localized.
Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik containers.
This will not give any advantages.
On the contrary, it will cause problems with OAuth and SAML authentication,
e.g. [see this GitHub issue](https://github.com/goauthentik/authentik/issues/3005).
:::
The Docker-Compose project contains the following containers:
- server
This is the backend service, which does all the logic, plus runs the API and the SSO functionality. It also runs the frontend, hosts the JS/CSS files, and serves the files you've uploaded for icons/etc.
- worker
This container executes background tasks, everything you can see on the _System Tasks_ page in the frontend.
- redis (for cache)
- postgresql (default database)

View File

@ -33,6 +33,7 @@ module.exports = {
"core/tenants", "core/tenants",
"core/certificates", "core/certificates",
"core/geoip", "core/geoip",
"core/architecture",
], ],
}, },
{ {