core: bundle geoip (#4250)

* bundle geoip

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* correctly pass secrets

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add geoip docs and release notes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens L 2022-12-20 22:09:30 +01:00 committed by GitHub
parent 980d2a022c
commit f4990bb5da
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 348 additions and 35 deletions


@ -1,8 +1,8 @@
env env
static
htmlcov htmlcov
*.env.yml *.env.yml
**/node_modules **/node_modules
dist/** dist/**
build/** build/**
build_docs/** build_docs/**
Dockerfile


@ -208,6 +208,9 @@ jobs:
- name: Building Docker Image - name: Building Docker Image
uses: docker/build-push-action@v3 uses: docker/build-push-action@v3
with: with:
secrets: |
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
push: ${{ steps.ev.outputs.shouldBuild == 'true' }} push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
tags: | tags: |
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }} ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}


@ -31,6 +31,9 @@ jobs:
uses: docker/build-push-action@v3 uses: docker/build-push-action@v3
with: with:
push: ${{ github.event_name == 'release' }} push: ${{ github.event_name == 'release' }}
secrets:
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
tags: | tags: |
beryju/authentik:${{ steps.ev.outputs.version }}, beryju/authentik:${{ steps.ev.outputs.version }},
beryju/authentik:${{ steps.ev.outputs.versionFamily }}, beryju/authentik:${{ steps.ev.outputs.versionFamily }},
@ -39,7 +42,8 @@ jobs:
ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }}, ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
ghcr.io/goauthentik/server:latest ghcr.io/goauthentik/server:latest
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
context: . build-args: |
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
build-outpost: build-outpost:
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
@ -84,6 +88,11 @@ jobs:
ghcr.io/goauthentik/${{ matrix.type }}:latest ghcr.io/goauthentik/${{ matrix.type }}:latest
file: ${{ matrix.type }}.Dockerfile file: ${{ matrix.type }}.Dockerfile
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
secrets: |
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
build-args: |
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
build-outpost-binary: build-outpost-binary:
timeout-minutes: 120 timeout-minutes: 120
runs-on: ubuntu-latest runs-on: ubuntu-latest
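Review bot: The `secrets:` key added in the first hunk of this file (`secrets:` followed by two plain indented lines) is missing the `|` block-scalar indicator that the same input gets in the `build-outpost` hunk below and in the ci-main workflow, so YAML folds the two lines into one space-joined string `GEOIPUPDATE_ACCOUNT_ID=… GEOIPUPDATE_LICENSE_KEY=…`. docker/build-push-action appears to treat this input as one `id=value` pair per line (inferred from the `|` form used everywhere else in the commit), so the license key would be appended to the account-id secret's value and no `GEOIPUPDATE_LICENSE_KEY` secret would be mounted, which then lands in the Dockerfile's `|| exit 0` fallback and produces a release image without the database. Change it to `secrets: |` to match the other two sites. The outpost Dockerfiles referenced by `file: ${{ matrix.type }}.Dockerfile` are not part of this commit, so it is not visible here whether they consume these secrets; if they do not, drop the `secrets:` block from `build-outpost` so the MaxMind credentials are only mounted into builds that need them. It is also worth confirming that the release workflow's trigger is limited to protected tags/branches, since every run now receives production MaxMind credentials regardless of whether `push` is true.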


@ -46,7 +46,21 @@ COPY ./go.sum /work/go.sum
RUN go build -o /work/authentik ./cmd/server/ RUN go build -o /work/authentik ./cmd/server/
# Stage 5: Run # Stage 5: MaxMind GeoIP
FROM docker.io/maxmindinc/geoipupdate:v4.10 as geoip
ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
--mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
mkdir -p /usr/share/GeoIP && \
/bin/sh -c "\
export GEOIPUPDATE_ACCOUNT_ID=$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID); \
export GEOIPUPDATE_LICENSE_KEY=$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY); \
/usr/bin/entry.sh || exit 0 \
"
# Stage 6: Run
FROM docker.io/python:3.11.1-slim-bullseye AS final-image FROM docker.io/python:3.11.1-slim-bullseye AS final-image
LABEL org.opencontainers.image.url https://goauthentik.io LABEL org.opencontainers.image.url https://goauthentik.io
@ -60,6 +74,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
COPY --from=poetry-locker /work/requirements.txt / COPY --from=poetry-locker /work/requirements.txt /
COPY --from=poetry-locker /work/requirements-dev.txt / COPY --from=poetry-locker /work/requirements-dev.txt /
COPY --from=geoip /usr/share/GeoIP /geoip
RUN apt-get update && \ RUN apt-get update && \
# Required for installing pip packages # Required for installing pip packages
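Review bot: `/usr/bin/entry.sh || exit 0` in the new geoip stage turns every failure of the MaxMind download (invalid credentials, network error, rate limiting) into a successful build, and because `mkdir -p /usr/share/GeoIP` runs first, the later `COPY --from=geoip /usr/share/GeoIP /geoip` silently copies an empty directory into an image the docs describe as bundling the database, which authentik then skips at runtime without any build-time signal. Presumably the fallback exists so forks and local builds without the secrets still succeed; that case can be told apart from a real failure by checking whether the secret was actually mounted, e.g. `if [ -s /run/secrets/GEOIPUPDATE_LICENSE_KEY ]; then /usr/bin/entry.sh; else echo 'GeoIP secrets not provided, skipping download'; fi`, so a credentialed release build fails loudly instead. Consider pinning `docker.io/maxmindinc/geoipupdate:v4.10` by digest as well, since this stage executes that image's `entry.sh` with the MaxMind credentials mounted. Note that the `$(cat /run/secrets/…)` expansions sit inside the double-quoted string handed to the inner `/bin/sh -c`, so the outer `RUN` shell expands them and the secret values become part of the inner shell's argument string; they do not reach an image layer, but quoting the expansions (`export GEOIPUPDATE_ACCOUNT_ID="$(cat …)"`) and running the exports directly in the outer shell would be simpler and avoid word-splitting surprises.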


@ -44,7 +44,6 @@ services:
volumes: volumes:
- ./media:/media - ./media:/media
- ./custom-templates:/templates - ./custom-templates:/templates
- geoip:/geoip
env_file: env_file:
- .env - .env
ports: ports:
@ -72,16 +71,6 @@ services:
- ./media:/media - ./media:/media
- ./certs:/certs - ./certs:/certs
- ./custom-templates:/templates - ./custom-templates:/templates
- geoip:/geoip
env_file:
- .env
geoipupdate:
image: "maxmindinc/geoipupdate:latest"
volumes:
- "geoip:/usr/share/GeoIP"
environment:
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
GEOIPUPDATE_FREQUENCY: "8"
env_file: env_file:
- .env - .env
@ -90,5 +79,3 @@ volumes:
driver: local driver: local
redis: redis:
driver: local driver: local
geoip:
driver: local

website/docs/core/geoip.mdx Normal file

@ -0,0 +1,105 @@
# GeoIP
authentik supports GeoIP to add additional information to login/authorization/enrollment requests, and make policy decisions based on the lookup result.
### Configuration
:::info
Starting with authentik 2022.12, GeoIP is bundled and does not require any additional setup.
:::
By default, the GeoIP database is loaded from `/geoip/GeoLite2-City.mmdb`. If more frequent database updates are desired, a volume can be mounted to `/geoip` to update this file externally. authentik will automatically re-load the file when it changes.
### Deactivating GeoIP
If you want to disable GeoIP, you can set the path to a non-existent path and authentik will skip the GeoIP.
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs
defaultValue="docker-compose"
values={[
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Kubernetes', value: 'kubernetes'},
]}>
<TabItem value="docker-compose">
Add the following block to your `.env` file:
```shell
AUTHENTIK_GEOIP=/tmp/non-existent-file
```
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
<TabItem value="kubernetes">
Add the following block to your `values.yml` file:
```yaml
authentik:
geoip: /tmp/non-existent-file
```
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
</Tabs>
### External updates
Sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup).
<Tabs
defaultValue="docker-compose"
values={[
{label: 'docker-compose', value: 'docker-compose'},
{label: 'Kubernetes', value: 'kubernetes'},
]}>
<TabItem value="docker-compose">
Add the following block to a `docker-compose.override.yml` file in the same folder as the authentik docker-compose file:
```yaml
version: "3.2"
services:
server:
volumes:
- geoip:/geoip
worker:
volumes:
- geoip:/geoip
geoipupdate:
image: "maxmindinc/geoipupdate:latest"
volumes:
- "geoip:/usr/share/GeoIP"
environment:
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
GEOIPUPDATE_FREQUENCY: "8"
GEOIPUPDATE_ACCOUNT_ID: "*your account ID*"
GEOIPUPDATE_LICENSE_KEY: "*your license key*"
volumes:
geoip:
driver: local
```
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
<TabItem value="kubernetes">
Add the following block to your `values.yml` file:
```yaml
geoip:
enabled: true
accountId: "*your account ID*"
licenseKey: "*your license key*"
editionIds: "GeoLite2-City"
image: maxmindinc/geoipupdate:v4.8
updateInterval: 8
```
Afterwards, run the upgrade commands from the latest release notes.
</TabItem>
</Tabs>


@ -2,8 +2,18 @@
title: Captcha stage title: Captcha stage
--- ---
This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html). This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html) or compatible services.
### Google ReCaptcha
This stage has two required fields: Public key and private key. These can both be acquired at https://www.google.com/recaptcha/admin. This stage has two required fields: Public key and private key. These can both be acquired at https://www.google.com/recaptcha/admin.
![](captcha-admin.png) ![](captcha-admin.png)
### hCaptcha
See https://docs.hcaptcha.com/switch
### Turnstile
See https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha


@ -78,6 +78,10 @@ Defaults to `info`.
Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under. Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under.
### `AUTHENTIK_GEOIP`
Path to the GeoIP database. Defaults to `/geoip/GeoLite2-City.mmdb`. If the file is not found, authentik will skip GeoIP support.
### `AUTHENTIK_DISABLE_UPDATE_CHECK` ### `AUTHENTIK_DISABLE_UPDATE_CHECK`
Disable the inbuilt update-checker. Defaults to `false`. Disable the inbuilt update-checker. Defaults to `false`.


@ -49,22 +49,6 @@ AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=authentik@localhost AUTHENTIK_EMAIL__FROM=authentik@localhost
``` ```
## GeoIP configuration (optional)
authentik can use a MaxMind-formatted GeoIP Database to extract location data from IPs. You can then use this location data in policies, and location data is saved in events.
To configure GeoIP, sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup).
After you have your account ID and license key, add the following block to your `.env` file:
```shell
GEOIPUPDATE_ACCOUNT_ID=*your account ID*
GEOIPUPDATE_LICENSE_KEY=* your license key*
AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb
```
The GeoIP database will automatically be updated every 8 hours.
## Running on Port 80/443 ## Running on Port 80/443
By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can set the following variables in `.env`: By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can set the following variables in `.env`:


@ -70,7 +70,7 @@ import Objects from "../expressions/_objects.md";
- `request.obj`: A Django Model instance. This is only set if the policy is ran against an object. - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution. - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
- `geoip`: GeoIP object, which is added when GeoIP is enabled. See [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City) - `geoip`: GeoIP object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider. - `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example - `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example


@ -0,0 +1,194 @@
---
title: Release 2022.12
slug: "2022.12"
---
## New features
- Bundled GeoIP City database
authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more [here](../core/geoip)
- Customisable Captcha stage
The captcha stage now supports alternate compatible providers, like [hCaptcha](https://docs.hcaptcha.com/switch/) and [Turnstile](https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha/).
## Upgrading
This release does not introduce any new requirements.
### docker-compose
Download the docker-compose file for 2022.12 from [here](https://goauthentik.io/version/2022.12/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
### Kubernetes
Update your values to use the new images:
```yaml
image:
repository: ghcr.io/goauthentik/server
tag: 2022.12.0
```
## Minor changes/fixes
## API Changes
#### What's Changed
---
##### `GET` /stages/captcha/{stage_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
##### `PUT` /stages/captcha/{stage_uuid}/
###### Request:
Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
- Changed property `private_key` (string)
> Private key, acquired your captcha Provider.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
##### `PATCH` /stages/captcha/{stage_uuid}/
###### Request:
Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
- Changed property `private_key` (string)
> Private key, acquired your captcha Provider.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
##### `GET` /flows/executor/{flow_slug}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
Updated `ak-stage-captcha` component:
New required properties:
- `js_url`
* Added property `js_url` (string)
##### `POST` /flows/executor/{flow_slug}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
Updated `ak-stage-captcha` component:
New required properties:
- `js_url`
* Added property `js_url` (string)
##### `POST` /stages/captcha/
###### Request:
Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
- Changed property `private_key` (string)
> Private key, acquired your captcha Provider.
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.
##### `GET` /stages/captcha/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > CaptchaStage Serializer
- Added property `js_url` (string)
- Added property `api_url` (string)
- Changed property `public_key` (string)
> Public key, acquired your captcha Provider.


@ -34,6 +34,7 @@ module.exports = {
"core/applications", "core/applications",
"core/tenants", "core/tenants",
"core/certificates", "core/certificates",
"core/geoip",
], ],
}, },
{ {
@ -217,13 +218,14 @@ module.exports = {
description: "Release notes for recent authentik versions", description: "Release notes for recent authentik versions",
}, },
items: [ items: [
"releases/v2022.12",
"releases/v2022.11", "releases/v2022.11",
"releases/v2022.10", "releases/v2022.10",
"releases/v2022.9",
{ {
type: "category", type: "category",
label: "Previous versions", label: "Previous versions",
items: [ items: [
"releases/v2022.9",
"releases/v2022.8", "releases/v2022.8",
"releases/v2022.7", "releases/v2022.7",
"releases/v2022.6", "releases/v2022.6",