retry

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Dockerfile

@@ -150,8 +150,6 @@ LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
 LABEL org.opencontainers.image.version=${VERSION}
 LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
 
-WORKDIR /
-
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
     # Required for runtime
@@ -160,27 +158,26 @@ RUN apt-get update && \
     apt-get install -y --no-install-recommends runit && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
-    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
+    adduser --system --no-create-home --uid 1000 --group --home /ak-root authentik && \
     mkdir -p /certs /media /blueprints && \
-    mkdir -p /authentik/.ssh && \
+    mkdir -p /ak-root/authentik/.ssh && \
-    mkdir -p /ak-root && \
+    chown authentik:authentik /certs /media /ak-root/authentik/.ssh /ak-root
-    chown authentik:authentik /certs /media /authentik/.ssh /ak-root
 
-COPY ./authentik/ /authentik
+COPY ./authentik/ /ak-root/authentik
-COPY ./pyproject.toml /
+COPY ./pyproject.toml /ak-root
-COPY ./poetry.lock /
+COPY ./poetry.lock /ak-root
-COPY ./schemas /schemas
+COPY ./schemas /ak-root/schemas
-COPY ./locale /locale
+COPY ./locale /ak-root/locale
-COPY ./tests /tests
+COPY ./tests /ak-root/tests
-COPY ./manage.py /
+COPY ./manage.py /ak-root
 COPY ./blueprints /blueprints
-COPY ./lifecycle/ /lifecycle
+COPY ./lifecycle/ /ak-root/lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
-COPY --from=web-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/dist/ /ak-root/web/dist/
-COPY --from=web-builder /work/web/authentik/ /web/authentik/
+COPY --from=web-builder /work/web/authentik/ /ak-root/web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
+COPY --from=website-builder /work/website/build/ /ak-root/website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000
@@ -188,11 +185,13 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
     PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
-    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
+    PATH="/ak-root/venv/bin:/ak-root/lifecycle:$PATH" \
     VENV_PATH="/ak-root/venv" \
     POETRY_VIRTUALENVS_CREATE=false \
     GOFIPS=1
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
 
+WORKDIR /ak-root
+
 ENTRYPOINT [ "dumb-init", "--", "ak" ]

lifecycle/ak

@@ -62,10 +62,29 @@ function prepare_debug {
     chown authentik:authentik /unittest.xml
 }
 
+function migrate_container_change_root_dir {
+    # With authentik 2025.2 we're moving the root directory of the authentik app
+    # into /ak-root, mainly to not clutter the root filesystem of the container
+    # and to make it possible to use devcontainers in the future.
+    # In most installs this migration isn't required as no files are mounted into
+    # these directories, however it is used if scripts are overwritten from the outside
+    # or more commonly the flow background image is overwritten in `/web`
+    if [ -d /authentik ]; then
+        log "Legacy /authentik folder exist, migrating files"
+        cp -rp /authentik/* /ak-root/authentik
+    fi
+    if [ ! -d /web ]; then
+        log "Legacy /web folder exist, migrating files"
+        cp -rp /web/* /ak-root/web
+    fi
+}
+
 if [[ "${AUTHENTIK_REMOTE_DEBUG}" == "true" ]]; then
     prepare_debug
 fi
 
+migrate_container_change_root_dir
+
 if [[ "$1" == "server" ]]; then
     set_mode "server"
     # If we have bootstrap credentials set, run bootstrap tasks outside of main server