Skip to content

update authentik to 2026.5.2 #14846

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
thieneret wants to merge 15 commits into
base: main
Choose a base branch
from
+180 −26
Open

update authentik to 2026.5.2 #14846

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
6fdf825
update authentik
thieneret Jun 1, 2026
0accd6e
Apply e
thieneret Jun 1, 2026
2ac56e4
Apply requested change
thieneret Jun 1, 2026
7b776e9
refactored
thieneret Jun 1, 2026
8b925c1
Update install/authentik-install.sh
MickLesk Jun 2, 2026
2713e68
Update install/authentik-install.sh
MickLesk Jun 2, 2026
96a3b98
Update install/authentik-install.sh
MickLesk Jun 2, 2026
7337c95
Update install/authentik-install.sh
MickLesk Jun 2, 2026
6e6eeb0
Update install/authentik-install.sh
MickLesk Jun 2, 2026
f33dacf
Update ct/authentik.sh
MickLesk Jun 2, 2026
3ab1a0f
Update ct/authentik.sh
MickLesk Jun 2, 2026
7b63f05
Update ct/authentik.sh
MickLesk Jun 2, 2026
bc8848f
Update install/authentik-install.sh
MickLesk Jun 2, 2026
2bd183f
update rust
thieneret Jun 2, 2026
928c54f
Update install/authentik-install.sh
MickLesk Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
132 changes: 125 additions & 7 deletions ct/authentik.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxV
APP="authentik"
var_tags="${var_tags:-auth}"
var_cpu="${var_cpu:-4}"
var_ram="${var_ram:-4096}"
var_ram="${var_ram:-8192}"
var_disk="${var_disk:-16}"
var_os="${var_os:-debian}"
var_version="${var_version:-13}"
Expand All @@ -30,12 +30,21 @@ function update_script() {
exit
fi

CUR_VERSION="$(<"$HOME/.authentik")"
IFS='.' read -ra PARTS <<< "${CUR_VERSION#version/}"
MAJOR=${PARTS[0]}
MINOR=${PARTS[1]}
Comment on lines +33 to +36
Copy link
Copy Markdown
Member

@CrazyWolf13 CrazyWolf13 Jun 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
CUR_VERSION="$(<"$HOME/.authentik")"
IFS='.' read -ra PARTS <<< "${CUR_VERSION#version/}"
MAJOR=${PARTS[0]}
MINOR=${PARTS[1]}
IFS='.' read -r MAJOR MINOR PATCH <<< "${$(<"$HOME/.authentik")#version/}"

Not tested, but possibly cleaner.

Copy link
Copy Markdown
Contributor Author

@thieneret thieneret Jun 1, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not working:

-bash: ${$(< "$HOME/.authentik")#version/}: bad substitution

Copy link
Copy Markdown
Member

@CrazyWolf13 CrazyWolf13 Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

read -r MAJOR MINOR PATCH <<< "$(sed 's/^version\///; s/\./ /g' "$HOME/.authentik")" ?


msg_info "Update dependencies"
ensure_dependencies crossbuild-essential-amd64 gcc-x86-64-linux-gnu cmake clang libunwind-18-dev
msg_ok "Update dependencies"

NODE_VERSION="24" setup_nodejs
setup_go
UV_PYTHON_INSTALL_DIR="/usr/local/bin" PYTHON_VERSION="3.14.3" setup_uv
setup_rust
RUST_PROFILE="minimal" RUST_TOOLCHAIN="1.95.0" setup_rust
Comment thread
MickLesk marked this conversation as resolved.
Outdated

Copy link
Copy Markdown
Member

@MickLesk MickLesk Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe we add here setup_yq too if something broke in bashrc during update?

Copy link
Copy Markdown
Contributor Author

@thieneret thieneret Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add it?

AUTHENTIK_VERSION="version/2026.2.3"
AUTHENTIK_VERSION="version/2026.5.2"
XMLSEC_VERSION="1.3.11"

if check_for_gh_release "geoipupdate" "maxmind/geoipupdate"; then
Expand Down Expand Up @@ -71,7 +80,13 @@ function update_script() {

CLEAN_INSTALL=1 fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tarball" "${AUTHENTIK_VERSION}" "/opt/authentik"

msg_info "Updating web"
msg_info "Configure rust"
Comment thread
MickLesk marked this conversation as resolved.
Outdated
cd /opt/authentik
$STD rustup install
$STD rustup default "$(sed -n 's/channel = "\(.*\)"/\1/p' rust-toolchain.toml)"
msg_ok "Configure rust"
Comment thread
MickLesk marked this conversation as resolved.
Outdated

msg_info "Updating web"
cd /opt/authentik/web
export NODE_ENV="production"
$STD npm install
Expand All @@ -89,6 +104,14 @@ function update_script() {
$STD go build -o /opt/authentik/radius ./cmd/radius
msg_ok "Updated go proxy"

msg_info "Building worker"
export AWS_LC_FIPS_SYS_CC="clang"
cd /opt/authentik
$STD cargo build --package authentik --no-default-features --features core --locked --release --jobs 1
Comment thread
MickLesk marked this conversation as resolved.
cp ./target/release/authentik /opt/authentik/authentik-worker
rm -r ./target
msg_ok "Buildt worker"
Comment thread
MickLesk marked this conversation as resolved.
Outdated

msg_info "Updating python server"
export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
export UV_COMPILE_BYTECODE="1"
Expand All @@ -100,6 +123,103 @@ function update_script() {
$STD uv sync --frozen --no-install-project --no-dev
chown -R authentik:authentik /opt/authentik
msg_ok "Updated python server"

if [[ $MAJOR == 2026 && $MINOR -lt 5 ]]; then
msg_info "Updating Worker and Server config"
cp /etc/authentik/config.yml /etc/authentik/config.bak
yq -i ".postgresql.conn_max_age = 0" /etc/authentik/config.yml
yq -i ".postgresql.conn_health_checks = false" /etc/authentik/config.yml
yq -i ".listen.debug_tokio = \"[::]:6669\"" /etc/authentik/config.yml
yq -i ".log.rust_log.console_subscriber = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.h2 = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.hyper_util = \"warn\"" /etc/authentik/config.yml
yq -i ".log.rust_log.mio = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.notify = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.reqwest = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.runtime = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.rustls = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.sqlx = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.sqlx_postgres = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.tokio = \"info\"" /etc/authentik/config.yml
yq -i ".log.rust_log.tungstenite = \"info\"" /etc/authentik/config.yml
yq -i ".web.workers = 2" /etc/authentik/config.yml
mv /etc/default/authentik /etc/default/authentik.bak
cat <<EOF >/etc/default/authentik-server
TMPDIR=/dev/shm/
UV_LINK_MODE=copy
UV_PYTHON_DOWNLOADS=0
UV_NATIVE_TLS=1
VENV_PATH=/opt/authentik/.venv
PYTHONDONTWRITEBYTECODE=1
PYTHONUNBUFFERED=1
PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
DJANGO_SETTINGS_MODULE=authentik.root.settings
PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
AUTHENTIK_LISTEN__HTTP="[::]:9000"
AUTHENTIK_LISTEN__HTTPS="[::]:9443"
AUTHENTIK_LISTEN__METRICS="[::]:9300"
EOF
cat <<EOF >/etc/default/authentik-worker
TMPDIR=/dev/shm/
UV_LINK_MODE=copy
UV_PYTHON_DOWNLOADS=0
UV_NATIVE_TLS=1
VENV_PATH=/opt/authentik/.venv
PYTHONDONTWRITEBYTECODE=1
PYTHONUNBUFFERED=1
PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
DJANGO_SETTINGS_MODULE=authentik.root.settings
PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
AUTHENTIK_LISTEN__HTTP="[::]:8000"
AUTHENTIK_LISTEN__HTTPS="[::]:8443"
AUTHENTIK_LISTEN__METRICS="[::]:8300"
EOF
msg_ok "Updated Worker and Server config!"
msg_warn "Please check /etc/default/authentik-worker and /etc/default/authentik-server config files for port configurations!"
Copy link
Copy Markdown
Member

@CrazyWolf13 CrazyWolf13 Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why does one need to review the port after an update?

Copy link
Copy Markdown
Contributor Author

@thieneret thieneret Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previously, the port configuration was read from the /etc/authentik/config.yml file. The http, https, and metrics ports are valid for both the worker and the server. This is not a problem in a docker environment, since they run in two separate containers, but in our case they cause a conflict. During testing, I found that this conflict prevents the services from starting in some cases, so I created separate environment files for both the worker and the server, where the ports are overridden. If the user has modified the default ports, they must be transferred to the new environment file.

Copy link
Copy Markdown
Member

@CrazyWolf13 CrazyWolf13 Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay I see. So essentially the ports stay the same unless the user customized them?

Also then there was an error in the script as port was noted to be 9000?

Copy link
Copy Markdown
Contributor Author

@thieneret thieneret Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default http port is 9000, through which the service can be accessed. The default https port is 9443, through which the service can be accessed securely. However, as I wrote in the pull request description, starting with version 2026.5.2, the initial settings can only be made via https 9443, so at the end of the script I changed the port to 9443 and I would recommend changing this on the website as well. After the initial settings, the service can also be accessed via http 9000.

Copy link
Copy Markdown
Member

@MickLesk MickLesk Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add this into PR Description? Its marked as "breaking change" so the users can look about it and see the recent big changes and why ?

Copy link
Copy Markdown
Contributor Author

@thieneret thieneret Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's in the description, although not as detailed as here.
If you feel it's necessary, I can elaborate there as well.


msg_info "Updating services"
cat <<EOF >/etc/systemd/system/authentik-server.service
[Unit]
Description=authentik Go Server (API Gateway)
After=network.target
Wants=postgresql.service

[Service]
User=authentik
Group=authentik
ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
Comment thread
MickLesk marked this conversation as resolved.
ExecStart=/opt/authentik/authentik-server
WorkingDirectory=/opt/authentik/
Restart=always
RestartSec=5
EnvironmentFile=/etc/default/authentik-server

[Install]
WantedBy=multi-user.target
EOF

cat <<EOF >/etc/systemd/system/authentik-worker.service
[Unit]
Description=authentik Worker
After=network.target postgresql.service

[Service]
User=authentik
Group=authentik
Type=simple
EnvironmentFile=/etc/default/authentik-worker
ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
Comment thread
MickLesk marked this conversation as resolved.
ExecStart=/opt/authentik/authentik-worker worker
WorkingDirectory=/opt/authentik
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
msg_ok "Updated services"
Comment thread
MickLesk marked this conversation as resolved.
fi
fi

msg_info "Starting Services"
Expand Down Expand Up @@ -150,7 +270,5 @@ description

msg_ok "Completed successfully!\n"
echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
echo -e "${INFO}${YW} Initial setup URL:${CL}"
echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000/if/flow/initial-setup/${CL}"
echo -e "${INFO}${YW} Access it using the following URL:${CL}"
echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000${CL}"
echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:9443${CL}"
66 changes: 51 additions & 15 deletions install/authentik-install.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,6 @@ $STD apt install -y \
libltdl-dev \
libpq5 \
libmaxminddb0 \
libkrb5-3 \
libkdb5-10 \
libkadm5clnt-mit12 \
libkadm5clnt7t64-heimdal \
libltdl7 \
Expand All @@ -44,19 +42,24 @@ $STD apt install -y \
libtool \
libtool-bin \
gcc \
crossbuild-essential-amd64 \
gcc-x86-64-linux-gnu \
cmake \
clang \
libunwind-18-dev \
git
msg_ok "Installed Dependencies"

NODE_VERSION="24" setup_nodejs
setup_yq
setup_go
RUST_PROFILE="minimal" RUST_TOOLCHAIN="1.95.0" setup_rust
UV_PYTHON_INSTALL_DIR="/usr/local/bin" PYTHON_VERSION="3.14.3" setup_uv
setup_rust
Comment thread
CrazyWolf13 marked this conversation as resolved.
PG_VERSION="17" setup_postgresql
PG_DB_NAME="authentik" PG_DB_USER="authentik" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db

XMLSEC_VERSION="1.3.11"
AUTHENTIK_VERSION="version/2026.2.3"
AUTHENTIK_VERSION="version/2026.5.2"
fetch_and_deploy_gh_release "xmlsec" "lsh123/xmlsec" "tarball" "${XMLSEC_VERSION}" "/opt/xmlsec"
fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tarball" "${AUTHENTIK_VERSION}" "/opt/authentik"
fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary"
Expand All @@ -68,25 +71,32 @@ $STD make -j $(nproc)
$STD make check
$STD make install
$STD ldconfig
msg_ok "xmlsec installed"
msg_ok "Setup xmlsec"

msg_info "Configure rust"
Comment thread
MickLesk marked this conversation as resolved.
Outdated
cd /opt/authentik
$STD rustup install
$STD rustup default "$(sed -n 's/channel = "\(.*\)"/\1/p' rust-toolchain.toml)"
msg_ok "Configure rust"
Comment thread
MickLesk marked this conversation as resolved.
Outdated

msg_info "Setup web"
Comment thread
MickLesk marked this conversation as resolved.
Outdated
cd /opt/authentik/web
export NODE_ENV="production"
$STD npm install
$STD npm run build
$STD npm run build:sfe
msg_ok "Web installed"
msg_ok "Setup web"

msg_info "Setup go proxy"
Comment thread
MickLesk marked this conversation as resolved.
Outdated
cd /opt/authentik
export CGO_ENABLED="1"
export CC="x86_64-linux-gnu-gcc"
$STD go mod download
$STD go build -o /opt/authentik/authentik-server ./cmd/server
$STD go build -o /opt/authentik/ldap ./cmd/ldap
$STD go build -o /opt/authentik/rac ./cmd/rac
$STD go build -o /opt/authentik/radius ./cmd/radius
msg_ok "Go proxy installed"
msg_ok "Setup go proxy"

cat <<EOF >/usr/local/etc/GeoIP.conf
AccountID ChangeME
Expand All @@ -99,17 +109,24 @@ EOF

echo "#39 19 * * 6,4 /usr/bin/geoipupdate -f /usr/local/etc/GeoIP.conf" | crontab -

msg_info "Building worker"
export AWS_LC_FIPS_SYS_CC="clang"
cd /opt/authentik
$STD cargo build --package authentik --no-default-features --features core --locked --release --jobs 1
cp ./target/release/authentik /opt/authentik/authentik-worker
rm -r ./target
msg_ok "Building worker"
Comment thread
MickLesk marked this conversation as resolved.
Outdated

msg_info "Setup python server"
Comment thread
MickLesk marked this conversation as resolved.
Outdated
export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
export UV_COMPILE_BYTECODE="1"
export UV_LINK_MODE="copy"
export UV_NATIVE_TLS="1"
export RUSTUP_PERMIT_COPY_RENAME="true"
export UV_PYTHON_INSTALL_DIR="/usr/local/bin"
cd /opt/authentik
$STD uv sync --frozen --no-install-project --no-dev
cp /opt/authentik/authentik/sources/kerberos/krb5.conf /etc/krb5.conf
msg_ok "Installed python server"
msg_ok "Setup python server"

msg_info "Creating authentik config"
mkdir -p /etc/authentik
Expand All @@ -125,7 +142,22 @@ yq -i ".storage.file.path = \"/opt/authentik-data\"" /etc/authentik/config.yml
yq -i ".disable_startup_analytics = \"true\"" /etc/authentik/config.yml
$STD useradd -U -s /usr/sbin/nologin -r -M -d /opt/authentik authentik
chown -R authentik:authentik /opt/authentik
cat <<EOF >/etc/default/authentik
cat <<EOF >/etc/default/authentik-server
TMPDIR=/dev/shm/
UV_LINK_MODE=copy
UV_PYTHON_DOWNLOADS=0
UV_NATIVE_TLS=1
VENV_PATH=/opt/authentik/.venv
PYTHONDONTWRITEBYTECODE=1
PYTHONUNBUFFERED=1
PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
DJANGO_SETTINGS_MODULE=authentik.root.settings
PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
AUTHENTIK_LISTEN__HTTP="[::]:9000"
AUTHENTIK_LISTEN__HTTPS="[::]:9443"
AUTHENTIK_LISTEN__METRICS="[::]:9300"
EOF
cat <<EOF >/etc/default/authentik-worker
TMPDIR=/dev/shm/
UV_LINK_MODE=copy
UV_PYTHON_DOWNLOADS=0
Expand All @@ -136,6 +168,9 @@ PYTHONUNBUFFERED=1
PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
DJANGO_SETTINGS_MODULE=authentik.root.settings
PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
AUTHENTIK_LISTEN__HTTP="[::]:8000"
AUTHENTIK_LISTEN__HTTPS="[::]:8443"
AUTHENTIK_LISTEN__METRICS="[::]:8300"
EOF
cat <<EOF >/etc/default/authentik_ldap
AUTHENTIK_HOST="https://127.0.0.1:9443"
Expand All @@ -152,7 +187,7 @@ AUTHENTIK_HOST="https://127.0.0.1:9443"
AUTHENTIK_INSECURE="true"
AUTHENTIK_TOKEN="token-generated-by-authentik"
EOF
msg_ok "authentik config created"
msg_ok "Created authentik config"

msg_info "Creating services"
cat <<EOF >/etc/systemd/system/authentik-server.service
Expand All @@ -164,12 +199,12 @@ Wants=postgresql.service
[Service]
User=authentik
Group=authentik
EnvironmentFile=/etc/default/authentik-server
ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
ExecStart=/opt/authentik/authentik-server
WorkingDirectory=/opt/authentik/
Restart=always
RestartSec=5
EnvironmentFile=/etc/default/authentik

[Install]
WantedBy=multi-user.target
Expand All @@ -184,8 +219,9 @@ After=network.target postgresql.service
User=authentik
Group=authentik
Type=simple
EnvironmentFile=/etc/default/authentik
ExecStart=/usr/local/bin/uv run python -m manage worker --pid-file /dev/shm/authentik-worker.pid
EnvironmentFile=/etc/default/authentik-worker
ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
ExecStart=/opt/authentik/authentik-worker worker
WorkingDirectory=/opt/authentik
Restart=always
RestartSec=5
Expand Down Expand Up @@ -250,7 +286,7 @@ EnvironmentFile=/etc/default/authentik_radius
[Install]
WantedBy=multi-user.target
EOF
msg_ok "Services created"
msg_ok "Created services"

motd_ssh
customize
Expand Down
Loading