website/docs: edited Docs about tenants #8549
Conversation
✅ Deploy Preview for authentik-storybook canceled.
|
✅ Deploy Preview for authentik ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
|
||
| Starting with 2024.2, authentik allows an administrator or operator to create multiple tenants. This means that an operator can manage several authentik installations without having to deploy additional instances. | ||
| Starting with version 2024.2, authentik allows an administrator or operator to create multiple tenants. This means that an operator can manage several different and distinct authentik installations, each with it's own Install ID and license(s). The relationships between tenant and installation (Install ID) is a 1:1 relationship, so for each tenant, there is a unique Install ID. |
There was a problem hiding this comment.
So the relationships between an installation, tenants, and licenses are as follows (the leftmost items contain the items under them):
- Authentik installation (i.e. a docker-compose or kubernetes deployment)
- Install ID (unique to the installation)
- Default Tenant
- License 1
- License 2
- Brand 1
- Brand 2
- Tenant 1
- [...]
- Tenant 2
- [...]
There was a problem hiding this comment.
Yep, that is the relationship I finally understood yesterday (thanks to your patience), and attempted to say in the words above. Do you see any word changes that need to be made?
There was a problem hiding this comment.
I don't really know tbh. Whatever you think is best to explain this
|
authentik PR Installation instructions Instructions for docker-composeAdd the following block to your AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-df205a96c53a1227f1f21fe1872351bf94dd326e
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)sFor arm64, use these values: AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-df205a96c53a1227f1f21fe1872351bf94dd326e-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)sAfterwards, run the upgrade commands from the latest release notes. Instructions for KubernetesAdd the following block to your authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-ghcr.io/goauthentik/dev-server:gh-df205a96c53a1227f1f21fe1872351bf94dd326eFor arm64, use these values: authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-ghcr.io/goauthentik/dev-server:gh-df205a96c53a1227f1f21fe1872351bf94dd326e-arm64Afterwards, run the upgrade commands from the latest release notes. |
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
website/docs/advanced/tenancy.md
Outdated
|
|
||
| By default, all requests that do not explicitly belong to a tenant are redirected to the default tenant. Thus, after creating a tenant, you must associate a domain for which incoming requests will be redirected to said tenant. You can do so with API endpoints. After creating a domain `example.org` that is associated to the tenant `t_example`, all requests made to `example.org` will use the `t_example` tenant. However, requests made to `authentik.tld`, `subdomain.example.org` and all other domains will use the default tenant. | ||
| Then set `AUTHENTIK_TENANTS__API_KEY` to a random string, which will be used to authenticate to the tenancy API. This key allows the creation of recovery keys for every tenant hosted by authentik, so be sure to _store it securely_. Be aware that creating a recovery key allows access to all data stored inside a tenant. |
There was a problem hiding this comment.
I read "first/then" awkwardly. Maybe eliminate "First, " in the first sentence? Or numbers?
- Enable multi-tenancy with the ...
- Set the
AUTHENTIK_TENANTS__API_KEYto a random string. This string will be used to ...
In the second task, I separated the task from the reason to make it clear that one is an action, the other an explanation. The context is supported by their being in the same paragraph.
There was a problem hiding this comment.
Also, maybe recommend how someone could generate a random string? My favorite that works on both Linux and Mac is:
$ cut -b1-2048 < /dev/urandom | head -1 | md5sum
9df3b806764fcdfd2e9ac532bf912fc2
$
The "2048" can be any length, but more is better than less.
There was a problem hiding this comment.
Yes! I want more of this in our docs... helpful ways to do things... so that we don't come across assuming everyone is a senior dev. ;-) (Though it is challenging to find the right balance, and not be too pedantic!)
There was a problem hiding this comment.
My usual go-to is tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32; echo, but we can provide the more generic pwgen 64 1
website/docs/advanced/tenancy.md
Outdated
| ::::warning | ||
| Expression policies currently have access to all tenants. | ||
| :::: | ||
| You will need to disable the embedded outpost with `AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true` because it is not supported with tenants. |
There was a problem hiding this comment.
That seems like a pretty damn big takeaway! Is that noted anywhere before someone starts down this merry path? Also, if we plan on updating the outpost in the future to support multi-tenancy, we should definitely note that here, even if it's just a weak "... it's on the roadmap" statement.
Added a bit more info about tenants, and separated the Usage section into the three main parts, wrote to be more procedural style.
If applicable
make website)