release: 2021.5.1-rc4

ci: use local context for docker build
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-05-09 21:43:38 +02:00 · 2021-05-09 21:42:22 +02:00 · 2021-05-09 21:40:25 +02:00 · 2021-05-09 20:57:23 +02:00 · 2021-05-09 20:27:37 +02:00 · 2021-05-09 20:13:58 +02:00
21 changed files with 79 additions and 47 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.5.1-rc2
+current_version = 2021.5.1-rc4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,5 +1,13 @@
 version: 2
 updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
 - package-ecosystem: gomod
  directory: "/outpost"
  schedule:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -9,9 +9,9 @@ jobs:
  build-server:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v1.1.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
@ -27,15 +27,16 @@ jobs:
        with:
          push: true
          tags: |
-            beryju/authentik:2021.5.1-rc2,
+            beryju/authentik:2021.5.1-rc4,
            beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.5.1-rc2,
+            ghcr.io/goauthentik/server:2021.5.1-rc4,
            ghcr.io/goauthentik/server:latest
-          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v8
+          platforms: linux/amd64,linux/arm64,linux/arm
+          context: .
  build-proxy:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.15"
@ -46,7 +47,7 @@ jobs:
          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
          go build -v ./cmd/proxy/server.go
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v1.1.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
@ -59,17 +60,18 @@ jobs:
        with:
          push: true
          tags: |
-            beryju/authentik-proxy:2021.5.1-rc2,
+            beryju/authentik-proxy:2021.5.1-rc4,
            beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.5.1-rc2,
+            ghcr.io/goauthentik/proxy:2021.5.1-rc4,
            ghcr.io/goauthentik/proxy:latest
          context: outpost/
          file: outpost/proxy.Dockerfile
-          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v8
+          platforms: linux/amd64,linux/arm64,linux/arm
+          context: .
  build-ldap:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.15"
@ -80,7 +82,7 @@ jobs:
          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
          go build -v ./cmd/ldap/server.go
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v1.1.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
@ -93,13 +95,14 @@ jobs:
        with:
          push: true
          tags: |
-            beryju/authentik-ldap:2021.5.1-rc2,
+            beryju/authentik-ldap:2021.5.1-rc4,
            beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.5.1-rc2,
+            ghcr.io/goauthentik/ldap:2021.5.1-rc4,
            ghcr.io/goauthentik/ldap:latest
          context: outpost/
          file: outpost/ldap.Dockerfile
-          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v8
+          platforms: linux/amd64,linux/arm64,linux/arm
+          context: .
  test-release:
    needs:
      - build-server
@ -107,7 +110,7 @@ jobs:
      - build-ldap
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - name: Run test suite in final docker images
        run: |
          sudo apt-get install -y pwgen
@ -122,7 +125,7 @@ jobs:
      - test-release
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - name: Create a Sentry.io release
        uses: getsentry/action-release@v1
        env:
@ -131,5 +134,5 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          version: authentik@2021.5.1-rc2
+          version: authentik@2021.5.1-rc4
          environment: beryjuorg-prod
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@ -10,7 +10,7 @@ jobs:
    name: Create Release from Tag
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
      - name: prepare ts api client
        run: |
          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
--- a/authentik/init.py
+++ b/authentik/init.py
@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.5.1-rc2"
+__version__ = "2021.5.1-rc4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -116,9 +116,11 @@ class SourceFlowManager:
                )
                return Action.DENY, None
            query = Q(username__exact=self.enroll_info.get("username", None))
+        self._logger.debug("trying to link with existing user", query=query)
        matching_users = User.objects.filter(query)
        # No matching users, always enroll
        if not matching_users.exists():
+            self._logger.debug("no matching users found, enrolling")
            return Action.ENROLL, self.update_connection(new_connection, **kwargs)

        user = matching_users.first()
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -48,10 +48,13 @@ class KubernetesObjectReconciler(Generic[T]):
    @property
    def name(self) -> str:
        """Get the name of the object this reconciler manages"""
-        return self.controller.outpost.config.object_naming_template % {
-            "name": slugify(self.controller.outpost.name),
-            "uuid": self.controller.outpost.uuid.hex,
-        }
+        return (
+            self.controller.outpost.config.object_naming_template
+            % {
+                "name": slugify(self.controller.outpost.name),
+                "uuid": self.controller.outpost.uuid.hex,
+            }
+        ).lower()

    def up(self):
        """Create object if it doesn't exist, update if needed or recreate if needed."""
--- a/authentik/outposts/controllers/k8s/utils.py
+++ b/authentik/outposts/controllers/k8s/utils.py
@ -0,0 +1,11 @@
+"""k8s utils"""
+from pathlib import Path
+
+
+def get_namespace() -> str:
+    """Get the namespace if we're running in a pod, otherwise default to default"""
+    path = Path("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+    if path.exists():
+        with open(path, "r") as _namespace_file:
+            return _namespace_file.read()
+    return "default"
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@ -61,6 +61,7 @@ class KubernetesController(BaseController):
        try:
            for reconcile_key in self.reconcile_order:
                reconciler = self.reconcilers[reconcile_key](self)
+                self.logger.debug("Tearing down object", name=reconcile_key)
                reconciler.down()

        except ApiException as exc:
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -33,6 +33,7 @@ from authentik.lib.config import CONFIG
 from authentik.lib.models import InheritanceForeignKey
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.http import USER_ATTRIBUTE_CAN_OVERRIDE_IP
+from authentik.outposts.controllers.k8s.utils import get_namespace
 from authentik.outposts.docker_tls import DockerInlineTLS

 OUR_VERSION = parse(__version__)
@ -59,7 +60,7 @@ class OutpostConfig:

    object_naming_template: str = field(default="ak-outpost-%(name)s")
    kubernetes_replicas: int = field(default=1)
-    kubernetes_namespace: str = field(default="default")
+    kubernetes_namespace: str = field(default_factory=get_namespace)
    kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
    kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
    kubernetes_service_type: str = field(default="ClusterIP")
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@ -75,6 +75,7 @@ class OAuthSourceSerializer(SourceSerializer):
            "callback_url",
            "type",
        ]
+        extra_kwargs = {"consumer_secret": {"write_only": True}}


 class OAuthSourceViewSet(ModelViewSet):
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -21,7 +21,7 @@ services:
    networks:
      - internal
  server:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.5.1-rc2}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.5.1-rc4}
    restart: unless-stopped
    command: server
    environment:
@ -52,7 +52,7 @@ services:
      - "0.0.0.0:9000:9000"
      - "0.0.0.0:9443:9443"
  worker:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.5.1-rc2}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.5.1-rc4}
    restart: unless-stopped
    command: worker
    networks:
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -1,3 +1,3 @@
 package constants

-const VERSION = "2021.5.1-rc2"
+const VERSION = "2021.5.1-rc4"
--- a/lifecycle/wait_for_db.py
+++ b/lifecycle/wait_for_db.py
@ -41,11 +41,9 @@ while True:

 while True:
    try:
-        redis = Redis(
-            host=CONFIG.y("redis.host"),
-            port=6379,
-            db=CONFIG.y("redis.message_queue_db"),
-            password=CONFIG.y("redis.password"),
+        redis = Redis.from_url(
+            f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:6379"
+            f"/{CONFIG.y('redis.ws_db')}"
        )
        redis.ping()
        break
--- a/outpost/pkg/proxy/proxy.go
+++ b/outpost/pkg/proxy/proxy.go
@ -344,7 +344,11 @@ func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request)
 			}
 			if _, ok := req.URL.Query()["traefik"]; ok {
 				host := getHost(req)
-				http.Redirect(rw, req, fmt.Sprintf("//%s%s", host, p.OAuthStartPath), http.StatusTemporaryRedirect)
+				proto := req.Header.Get("X-Forwarded-Proto")
+				if proto != "" {
+					proto = proto + ":"
+				}
+				http.Redirect(rw, req, fmt.Sprintf("%s//%s%s", proto, host, p.OAuthStartPath), http.StatusTemporaryRedirect)
 				return
 			}
 		}
--- a/outpost/pkg/version.go
+++ b/outpost/pkg/version.go
@ -1,3 +1,3 @@
 package pkg

-const VERSION = "2021.5.1-rc2"
+const VERSION = "2021.5.1-rc4"
--- a/web/nginx.conf
+++ b/web/nginx.conf
@ -81,7 +81,7 @@ http {
        location /static/ {
            expires 31d;
            add_header Cache-Control "public, no-transform";
-            add_header X-authentik-version "2021.5.1-rc2";
+            add_header X-authentik-version "2021.5.1-rc4";
            add_header Vary X-authentik-version;
        }

--- a/web/src/constants.ts
+++ b/web/src/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.5.1-rc2";
+export const VERSION = "2021.5.1-rc4";
 export const PAGE_SIZE = 20;
 export const EVENT_REFRESH = "ak-refresh";
 export const EVENT_NOTIFICATION_TOGGLE = "ak-notification-toggle";
--- a/website/docs/installation/docker-compose.md
+++ b/website/docs/installation/docker-compose.md
@ -16,7 +16,7 @@ Download the latest `docker-compose.yml` from [here](https://raw.githubuserconte

 To optionally enable error-reporting, run `echo AUTHENTIK_ERROR_REPORTING__ENABLED=true >> .env`

-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.5.1-rc2 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.5.1-rc4 >> .env`

 If this is a fresh authentik install run the following commands to generate a password:

--- a/website/docs/outposts/manual-deploy-docker-compose.md
+++ b/website/docs/outposts/manual-deploy-docker-compose.md
@ -11,7 +11,7 @@ version: "3.5"

 services:
  authentik_proxy:
-    image: beryju/authentik-proxy:2021.5.1-rc2
+    image: beryju/authentik-proxy:2021.5.1-rc4
    ports:
      - 4180:4180
      - 4443:4443
--- a/website/docs/outposts/manual-deploy-kubernetes.md
+++ b/website/docs/outposts/manual-deploy-kubernetes.md
@ -14,7 +14,7 @@ metadata:
    app.kubernetes.io/instance: __OUTPOST_NAME__
    app.kubernetes.io/managed-by: goauthentik.io
    app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.5.1-rc2
+    app.kubernetes.io/version: 2021.5.1-rc4
  name: authentik-outpost-api
 stringData:
  authentik_host: "__AUTHENTIK_URL__"
@ -29,7 +29,7 @@ metadata:
    app.kubernetes.io/instance: __OUTPOST_NAME__
    app.kubernetes.io/managed-by: goauthentik.io
    app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.5.1-rc2
+    app.kubernetes.io/version: 2021.5.1-rc4
  name: authentik-outpost
 spec:
  ports:
@ -54,7 +54,7 @@ metadata:
    app.kubernetes.io/instance: __OUTPOST_NAME__
    app.kubernetes.io/managed-by: goauthentik.io
    app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.5.1-rc2
+    app.kubernetes.io/version: 2021.5.1-rc4
  name: authentik-outpost
 spec:
  selector:
@ -62,14 +62,14 @@ spec:
      app.kubernetes.io/instance: __OUTPOST_NAME__
      app.kubernetes.io/managed-by: goauthentik.io
      app.kubernetes.io/name: authentik-proxy
-      app.kubernetes.io/version: 2021.5.1-rc2
+      app.kubernetes.io/version: 2021.5.1-rc4
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: __OUTPOST_NAME__
        app.kubernetes.io/managed-by: goauthentik.io
        app.kubernetes.io/name: authentik-proxy
-        app.kubernetes.io/version: 2021.5.1-rc2
+        app.kubernetes.io/version: 2021.5.1-rc4
    spec:
      containers:
        - env:
@ -88,7 +88,7 @@ spec:
              secretKeyRef:
                key: authentik_host_insecure
                name: authentik-outpost-api
-        image: beryju/authentik-proxy:2021.5.1-rc2
+        image: beryju/authentik-proxy:2021.5.1-rc4
        name: proxy
        ports:
          - containerPort: 4180
@ -110,7 +110,7 @@ metadata:
    app.kubernetes.io/instance: __OUTPOST_NAME__
    app.kubernetes.io/managed-by: goauthentik.io
    app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.5.1-rc2
+    app.kubernetes.io/version: 2021.5.1-rc4
  name: authentik-outpost
 spec:
  rules:
Author	SHA1	Message	Date
Jens Langhammer	f7fd31cc84	release: 2021.5.1-rc4	2021-05-09 21:43:38 +02:00
Jens Langhammer	465d9c2b93	ci: use local context for docker build Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 21:42:22 +02:00
Jens Langhammer	04aae8f584	sources/oauth: make secret write_only Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 21:40:25 +02:00
Jens Langhammer	bbca90c93a	Merge branch 'next' into version-2021.5	2021-05-09 20:57:23 +02:00
Jens Langhammer	dda1d4e0fb	core: add more logs to flow_manager Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 20:27:37 +02:00
Jens Langhammer	f072c600cc	lifecycle: use URl for redis on startup to prevent errors with no paswords Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 20:13:58 +02:00
Jens Langhammer	65b8a5bb8d	outposts/proxy: redirect to protocol based on X-Forwarded-Proto Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 19:12:35 +02:00
Jens Langhammer	92537a6c8d	Merge branch 'next' into version-2021.5	2021-05-09 18:46:26 +02:00
Jens Langhammer	72836ecd9d	outposts: default to currently running namespace if possible Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 18:44:32 +02:00
Jens Langhammer	251a97c77e	Merge branch 'next' into version-2021.5	2021-05-09 18:13:52 +02:00
Jens Langhammer	7f7046f0e4	outposts: lowercase k8s object names Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 18:13:21 +02:00
Jens Langhammer	20e59158c2	root: add github actions to dependabot Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 18:08:06 +02:00
Jens Langhammer	9a9e55ae32	ci: bump qemu action version Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 17:53:57 +02:00
Jens Langhammer	481260a5ca	ci: bump checkout actions Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 17:51:56 +02:00
Jens Langhammer	cd3f02fd3b	release: 2021.5.1-rc3	2021-05-09 17:25:48 +02:00
Jens Langhammer	7abfd24150	ci: only build arm64 and arm Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-05-09 17:23:19 +02:00