website: latest PR for new Docs structure (#11639)

* first pass

* dependency shenanigans

* move blueprints

* few broken links

* change config the throw errors

* internal file edits

* fighting links

* remove sidebarDev

* fix subdomain

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix relative URL

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched package versions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api reference build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test tweak

* links hell

* more links hell

* links hell2

* yep last of the links

* last broken link fixed

* re-add cves

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add devdocs redirects

* add dir

* tweak netlify.toml

* move latest 2 CVES into dir

* fix links to moved cves

* typoed title fix

* fix link

* remove banner

* remove committed api docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* integrations: remove version dropdown

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Update Makefile

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* change doc links in web as well

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix some more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* ci: require ci-web.build for merging

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Revert "ci: require ci-web.build for merging"

This reverts commit b99a4842a9.

* remove sluf for Application

* put slug back in

* minor fix to trigger deploy

* Spelled out Documentation in menu bar

* remove image redirects...

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove explicit index.md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove mdx first

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* then remove .md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add missing prefix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

website/docs/add-secure-apps/outposts/integrations/docker.md

@@ -0,0 +1,80 @@
+---
+title: Docker
+---
+
+The Docker integration automatically deploys and manages outpost containers using the Docker HTTP API.
+
+This integration has the advantage over manual deployments of automatic updates (whenever authentik is updated, it updates the outposts), and authentik can (in a future version) automatically rotate the token that the outpost uses to communicate with the core authentik server.
+
+The following outpost settings are used:
+
+-   `object_naming_template`: Configures how the container is called
+-   `container_image`: Optionally overwrites the standard container image (see [Configuration](../../../install-config/configuration/configuration.mdx#authentik_outposts) to configure the global default)
+-   `docker_network`: The Docker network the container should be added to. This needs to be modified if you plan to connect to authentik using the internal hostname.
+-   `docker_map_ports`: Enable/disable the mapping of ports. When using a proxy outpost with Traefik for example, you might not want to bind ports as they are routed through Traefik.
+-   `docker_labels`: Optional additional labels that can be applied to the container.
+
+The container is created with the following hardcoded properties:
+
+-   Labels
+
+    -   `io.goauthentik.outpost-uuid`: Used by authentik to identify the container, and to allow for name changes.
+
+    Additionally, the proxy outposts have the following extra labels to add themselves into Traefik automatically.
+
+    -   `traefik.enable`: "true"
+    -   `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)`
+    -   `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service`
+    -   `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true"
+    -   `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping"
+    -   `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300"
+    -   `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000"
+
+## Permissions
+
+To minimise the potential risks of mapping the Docker socket into a container/giving an application access to the Docker API, many people use Projects like [docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy). authentik requires these permissions from the Docker API:
+
+-   Images/Pull: authentik tries to pre-pull the custom image if one is configured, otherwise falling back to the default image.
+-   Containers/Read: Gather infos about currently running container
+-   Containers/Create: Create new containers
+-   Containers/Kill: Cleanup during upgrades
+-   Containers/Remove: Removal of outposts
+
+## Remote hosts (TLS)
+
+To connect remote hosts, follow this guide from Docker [Use TLS (HTTPS) to protect the Docker daemon socket](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket) to configure Docker.
+
+Afterwards, create two certificate-keypairs in authentik:
+
+-   `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate
+-   `Docker Cert`, with the contents of `~/.docker/cert.pem` as the certificate and `~/.docker/key.pem` as the private key.
+
+Create an integration with `Docker CA` as _TLS Verification Certificate_ and `Docker Cert` as _TLS Authentication Certificate_.
+
+## Remote hosts (SSH)
+
+Starting with authentik 2021.12.5, you can connect to remote Docker hosts using SSH. To configure this, create a new SSH keypair using these commands:
+
+```
+# Generate the keypair itself, using RSA keys in the PEM format
+ssh-keygen -t rsa -f authentik  -N "" -m pem
+# Generate a certificate from the private key, required by authentik.
+# The values that openssl prompts you for are not relevant
+openssl req -x509 -sha256 -nodes -days 365 -out certificate.pem -key authentik
+```
+
+You'll end up with three files:
+
+-   `authentik.pub` is the public key, this should be added to the `~/.ssh/authorized_keys` file on the target host and user.
+-   `authentik` is the private key, which should be imported into a Keypair in authentik.
+-   `certificate.pem` is the matching certificate for the keypair above.
+
+Modify/create a new Docker integration, and set your _Docker URL_ to `ssh://hostname`, and select the keypair you created above as _TLS Authentication Certificate/SSH Keypair_.
+
+The _Docker URL_ field include a user, if none is specified authentik connects with the user `authentik`.
+
+#### Advanced SSH config
+
+With the above configuration, authentik will create and manage an `~/.ssh/config` file. If you need advanced configuration, for example SSH Certificates, you can mount a custom SSH Config file.
+
+Mount the config file into `/authentik/.ssh/config`, and mount any other relevant files into a directory under `/opt`. Afterwards, create an integration using `ssh://hostname`, and don't select a keypair.

website/docs/add-secure-apps/outposts/integrations/kubernetes.md

@@ -0,0 +1,46 @@
+---
+title: Kubernetes
+---
+
+The kubernetes integration will automatically deploy outposts on any Kubernetes Cluster.
+
+This integration has the advantage over manual deployments of automatic updates (whenever authentik is updated, it updates the outposts), and authentik can (in a future version) automatically rotate the token that the outpost uses to communicate with the core authentik server.
+
+This integration creates the following objects:
+
+-   Deployment for the outpost container
+-   Service
+-   Secret to store the token
+-   Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster)
+-   Ingress (only Proxy outposts)
+-   Traefik Middleware (only Proxy outposts with forward auth enabled)
+
+The following outpost settings are used:
+
+-   `object_naming_template`: Configures how the container is called
+-   `container_image`: Optionally overwrites the standard container image (see [Configuration](../../../install-config/configuration/configuration.mdx) to configure the global default)
+-   `kubernetes_replicas`: Replica count for the deployment of the outpost
+-   `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)
+-   `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager
+-   `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections, can be empty to disable TLS config
+-   `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0
+-   `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example
+-   `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of
+    -   'secret'
+    -   'deployment'
+    -   'service'
+    -   'prometheus servicemonitor'
+    -   'ingress'
+    -   'traefik middleware'
+-   `kubernetes_image_pull_secrets`: If the above docker image is in a private repository, use these secrets to pull. (NOTE: The secret must be created manually in the namespace first.)
+-   `kubernetes_json_patches`: Applies an RFC 6902 compliant JSON patch to the Kubernetes objects.
+
+## Permissions
+
+The permissions required for this integration are documented in the helm chart. See [Cluster-level](https://github.com/goauthentik/helm/blob/main/charts/authentik-remote-cluster/templates/clusterrolebinding.yaml) and [Namespace-level](https://github.com/goauthentik/helm/blob/main/charts/authentik-remote-cluster/templates/rolebinding.yaml).
+
+## Remote clusters
+
+To add a remote cluster, you can simply install this helm chart in the target cluster and namespace: https://artifacthub.io/packages/helm/goauthentik/authentik-remote-cluster
+
+After installation, the helm chart outputs an example kubeconfig file, that you can enter in authentik to connect to the cluster.