-
-
Notifications
You must be signed in to change notification settings - Fork 874
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
website/docs: edited Docs about tenants #8549
Conversation
✅ Deploy Preview for authentik-storybook canceled.
|
✅ Deploy Preview for authentik ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
||
Starting with 2024.2, authentik allows an administrator or operator to create multiple tenants. This means that an operator can manage several authentik installations without having to deploy additional instances. | ||
Starting with version 2024.2, authentik allows an administrator or operator to create multiple tenants. This means that an operator can manage several different and distinct authentik installations, each with it's own Install ID and license(s). The relationships between tenant and installation (Install ID) is a 1:1 relationship, so for each tenant, there is a unique Install ID. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the relationships between an installation, tenants, and licenses are as follows (the leftmost items contain the items under them):
- Authentik installation (i.e. a docker-compose or kubernetes deployment)
- Install ID (unique to the installation)
- Default Tenant
- License 1
- License 2
- Brand 1
- Brand 2
- Tenant 1
- [...]
- Tenant 2
- [...]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, that is the relationship I finally understood yesterday (thanks to your patience), and attempted to say in the words above. Do you see any word changes that need to be made?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't really know tbh. Whatever you think is best to explain this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very much needed improvements, thank you @tanberry!
authentik PR Installation instructions Instructions for docker-composeAdd the following block to your AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-df205a96c53a1227f1f21fe1872351bf94dd326e
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s For arm64, use these values: AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-df205a96c53a1227f1f21fe1872351bf94dd326e-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s Afterwards, run the upgrade commands from the latest release notes. Instructions for KubernetesAdd the following block to your authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-ghcr.io/goauthentik/dev-server:gh-df205a96c53a1227f1f21fe1872351bf94dd326e For arm64, use these values: authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-ghcr.io/goauthentik/dev-server:gh-df205a96c53a1227f1f21fe1872351bf94dd326e-arm64 Afterwards, run the upgrade commands from the latest release notes. |
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The usual comments, etc. etc. It's shippable as is.
website/docs/advanced/tenancy.md
Outdated
|
||
By default, all requests that do not explicitly belong to a tenant are redirected to the default tenant. Thus, after creating a tenant, you must associate a domain for which incoming requests will be redirected to said tenant. You can do so with API endpoints. After creating a domain `example.org` that is associated to the tenant `t_example`, all requests made to `example.org` will use the `t_example` tenant. However, requests made to `authentik.tld`, `subdomain.example.org` and all other domains will use the default tenant. | ||
Then set `AUTHENTIK_TENANTS__API_KEY` to a random string, which will be used to authenticate to the tenancy API. This key allows the creation of recovery keys for every tenant hosted by authentik, so be sure to _store it securely_. Be aware that creating a recovery key allows access to all data stored inside a tenant. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I read "first/then" awkwardly. Maybe eliminate "First, " in the first sentence? Or numbers?
- Enable multi-tenancy with the ...
- Set the
AUTHENTIK_TENANTS__API_KEY
to a random string. This string will be used to ...
In the second task, I separated the task from the reason to make it clear that one is an action, the other an explanation. The context is supported by their being in the same paragraph.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, maybe recommend how someone could generate a random string? My favorite that works on both Linux and Mac is:
$ cut -b1-2048 < /dev/urandom | head -1 | md5sum
9df3b806764fcdfd2e9ac532bf912fc2
$
The "2048" can be any length, but more is better than less.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes! I want more of this in our docs... helpful ways to do things... so that we don't come across assuming everyone is a senior dev. ;-) (Though it is challenging to find the right balance, and not be too pedantic!)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My usual go-to is tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32; echo
, but we can provide the more generic pwgen 64 1
website/docs/advanced/tenancy.md
Outdated
::::warning | ||
Expression policies currently have access to all tenants. | ||
:::: | ||
You will need to disable the embedded outpost with `AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true` because it is not supported with tenants. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That seems like a pretty damn big takeaway! Is that noted anywhere before someone starts down this merry path? Also, if we plan on updating the outpost in the future to support multi-tenancy, we should definitely note that here, even if it's just a weak "... it's on the roadmap" statement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a bit more info about tenants, and separated the Usage section into the three main parts, wrote to be more procedural style.
If applicable
make website
)