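# syntax=docker/dockerfile:1
# This file depends on BuildKit-only grammar (ADD from a git ref, ADD --chmod,
# RUN --mount, RUN --network). Declaring the frontend makes that requirement
# explicit and pins the Dockerfile grammar to the stable 1.x release.
#
# Build-wide version pins. These are the only ARGs that may precede FROM; a
# stage that needs one must redeclare it (e.g. `ARG VERSION`) to bring it into
# its own scope.
ARG VERSION=2026.2.2
ARG NODE=24
ARG GO=1.26
ARG PYTHON=3.14
ARG UV=0.11
# clang version is not officially documented, but this is what upstream uses on Debian Trixie
ARG CLANG=19
# Fixed numeric UID/GID for the runtime user, so orchestrators that enforce
# runAsNonRoot can verify it without resolving a name inside the image.
ARG UID=200001
ARG GID=200001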
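# Stage 1: Build webui
FROM node:${NODE}-alpine AS node-builder
ARG VERSION
ENV NODE_ENV=production
WORKDIR /work/web
# Sources come straight from the upstream release tag, not from the build
# context. The raw-URL ADD carries no --checksum, so integrity rests on the tag
# alone (tags can be re-pointed); add --checksum= to the raw-file fetches if a
# reproducible build is required.
ADD https://raw.githubusercontent.com/goauthentik/authentik/refs/tags/version/${VERSION}/web/package.json /work
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:web /work/web/
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:website /work/website/
# --no-cache fetches the package index without writing it to the layer, which
# makes the former `rm -rf /var/cache/apk/*` unnecessary.
# NOTE(review): `npm update -g npm` is unpinned, so this layer is not
# reproducible; pin a version if the base image's npm is not sufficient.
RUN apk upgrade --no-cache \
    && apk add --no-cache libstdc++ \
    && npm update -g npm \
    && mkdir -p /work/web/node_modules/@goauthentik/api
# hardened_malloc is LD_PRELOADed into every process of this stage (node/npm).
# The :latest tag is unpinned; prefer a digest so the allocator is stable.
COPY --from=ghcr.io/polarix-containers/hardened_malloc:latest /install /usr/local/lib/
ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
# `npm i` rather than `npm ci`: whether the fetched web/ tree ships a lockfile
# is not visible from this file — TODO confirm; if it does, `npm ci` is the
# reproducible choice.
RUN npm i \
    && npm run build \
    && npm run build:sfe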
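# ======================================= #
# Stage 2: Build go proxy
FROM golang:${GO}-alpine AS go-builder
ARG VERSION
# cgo is on (build-base below supplies the C toolchain), so the resulting
# binary links against the builder's libc; the final stage is also Alpine,
# which is what makes the copied binary runnable there.
ENV CGO_ENABLED=1
WORKDIR /go/src/goauthentik.io
COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
# Go sources come straight from the upstream release tag. The raw-URL ADDs
# carry no --checksum, so integrity rests on the tag alone.
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:cmd /go/src/goauthentik.io/cmd
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:authentik/lib /go/src/goauthentik.io/authentik/lib
ADD https://raw.githubusercontent.com/goauthentik/authentik/refs/tags/version/${VERSION}/web/static.go /go/src/goauthentik.io/web/static.go
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:internal /go/src/goauthentik.io/internal
ADD https://raw.githubusercontent.com/goauthentik/authentik/refs/tags/version/${VERSION}/go.sum /go/src/goauthentik.io/go.sum
# --no-cache keeps the apk index out of the layer; the explicit rm -rf that
# used to follow is no longer needed.
RUN apk upgrade --no-cache \
    && apk add --no-cache build-base libstdc++
# hardened_malloc is LD_PRELOADed into the Go toolchain for this stage.
# The :latest tag is unpinned; prefer a digest for a stable build.
COPY --from=ghcr.io/polarix-containers/hardened_malloc:latest /install /usr/local/lib/
ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
# go.mod and gen-go-api are bind-mounted from the LOCAL build context (src=./…),
# unlike everything else in this stage; they must exist beside this Dockerfile
# and must correspond to the upstream go.sum fetched above. Bind mounts never
# become part of a layer.
RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
    --mount=type=bind,target=/go/src/goauthentik.io/gen-go-api,src=./gen-go-api \
    go mod download \
    && go build -o /go/authentik ./cmd/server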
# ======================================= #
# Stage 3: MaxMind GeoIP
# Only /geoip is copied out of this image (see the final stage). The tag is
# pinned to ${VERSION} but not to a digest, so the databases obtained here can
# differ between builds if upstream re-pushes the tag.
FROM ghcr.io/goauthentik/server:${VERSION} AS geoip
# ======================================= #
# Stage 4: Download uv
# Source of the uv/uvx binaries copied into python-base; the tag pins the uv
# minor and the Python minor it was built for, but not a digest.
FROM ghcr.io/astral-sh/uv:${UV}-python${PYTHON}-alpine AS uv
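# ======================================= #
# Stage 5: Base python image
# Parent of both python-deps and final-image: everything laid down here is
# shipped in the runtime image, so keep this stage minimal.
FROM python:${PYTHON}-alpine AS python-base
ARG VERSION
# uv is configured for hermetic, lockfile-driven installs: no cache, no dev
# group, bytecode precompiled, and it must never download or manage its own
# interpreter — the image's python is the only one allowed.
ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
    UV_COMPILE_BYTECODE=true \
    UV_LINK_MODE=copy \
    UV_NATIVE_TLS=true \
    UV_NO_CACHE=true \
    UV_NO_DEV=true \
    UV_NO_MANAGED_PYTHON=true \
    UV_PYTHON_DOWNLOADS=false
WORKDIR /ak-root/
COPY --from=uv /usr/local/bin/uv /usr/local/bin/uvx /bin/
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:packages/ /ak-root/packages
# --no-cache: the previous form left the apk index cached in this layer with
# no cleanup, and because this stage is the parent of final-image that cache
# was shipped in the runtime image.
RUN apk upgrade --no-cache \
    && apk add --no-cache libstdc++
# hardened_malloc is LD_PRELOADed into every process of every derived stage,
# including the running service. :latest is unpinned — pin by digest so the
# allocator in production is the one that was tested.
COPY --from=ghcr.io/polarix-containers/hardened_malloc:latest /install /usr/local/lib/
ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"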
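# ======================================= #
# Stage 6: Python dependencies
# Builds the virtualenv that final-image copies; nothing else from this stage
# reaches the runtime image.
FROM python-base AS python-deps
ARG VERSION
ARG CLANG
# Installing python-kadmin-rs from Pypi instead of building it because fails to build on Python 3.23
# The listed packages are built from source (no wheels); cryptography needs the
# Rust toolchain installed below.
ENV PATH="/root/.cargo/bin:$PATH" \
    UV_NO_BINARY_PACKAGE="cryptography lxml xmlsec"
ADD https://raw.githubusercontent.com/goauthentik/authentik/refs/tags/version/${VERSION}/pyproject.toml .
ADD https://raw.githubusercontent.com/goauthentik/authentik/refs/tags/version/${VERSION}/uv.lock .
# pipefail so a failing curl in the rustup pipeline below fails the build
# instead of being masked by the exit status of `sh`. This SHELL applies to
# this stage only; final-image derives from python-base, not from here.
SHELL ["/bin/sh", "-o", "pipefail", "-c"]
# --proto '=https' --tlsv1.2 refuses any downgrade or plain-http redirect for
# the installer. The script itself is not checksum-verified and the toolchain
# version is whatever rustup's stable channel serves at build time.
RUN apk add --no-cache build-base pkgconf libffi-dev git \
    # dependencies not explicitly mentioned in upstream's container
    krb5-server xmlsec-dev \
    # cryptography
    curl \
    # libxml
    libxslt-dev zlib-dev \
    # postgresql
    libpq-dev \
    # python-kadmin-rs
    krb5-dev clang${CLANG}-libclang \
    # xmlsec
    libltdl \
    && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
    && uv sync --frozen --no-install-project --no-dev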
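# ======================================= #
# Stage 7: Run
FROM python-base AS final-image
ARG VERSION
ARG UID
ARG GID
# TMPDIR on /dev/shm: presumably so scratch files land in memory rather than
# the container's writable layer — intent is not stated. PYTHONDONTWRITEBYTECODE
# avoids .pyc writes into the root-owned code tree added below; PYTHONUNBUFFERED
# keeps log output flowing to the container runtime.
ENV TMPDIR=/dev/shm/ \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
LABEL maintainer="Thien Tran contact@tommytran.io" \
    org.opencontainers.image.version=${VERSION}
WORKDIR /
# Runtime user with the fixed numeric UID/GID from the top-level ARGs. This
# step needs no network, so it is denied outright.
RUN --network=none \
    addgroup -g ${GID} authentik \
    && adduser -u ${UID} --ingroup authentik --disabled-password --system authentik --home /authentik
# --no-cache keeps the apk index out of the layer (no rm -rf needed).
# dumb-init: the ENTRYPOINT below execs it, but no other instruction in this
# file installs it — added here; harmless if a base already provides it.
# NOTE(review): `pip3 install --upgrade pip` is unpinned and only touches the
# system interpreter (the service runs from the copied venv); pin or drop it
# for a reproducible image.
RUN apk add --no-cache libpq libmaxminddb ca-certificates krb5-libs libltdl libxslt dumb-init \
    # dependencies not explicitly mentioned in upstream's container
    bash coreutils-env xmlsec \
    && pip3 install --no-cache-dir --upgrade pip \
    && mkdir -p /certs /data /media /blueprints \
    && ln -s /media /data/media \
    && mkdir -p /authentik/.ssh \
    && mkdir -p /ak-root \
    && chown authentik:authentik /certs /media /authentik/.ssh /ak-root
# Artifacts from the build stages.
COPY --from=go-builder /go/authentik /bin/authentik
COPY --from=python-deps /ak-root/.venv /ak-root/.venv
COPY --from=node-builder /work/web/dist/ /web/dist/
COPY --from=node-builder /work/web/authentik/ /web/authentik/
COPY --from=geoip /geoip /geoip
# Application tree fetched straight from the upstream release tag, written as
# root. The raw-URL ADDs carry no --checksum, so integrity rests on the tag
# alone; add --checksum= to them if a reproducible image is required.
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:authentik /authentik
ADD https://raw.githubusercontent.com/goauthentik/authentik/refs/tags/version/${VERSION}/pyproject.toml /
ADD https://raw.githubusercontent.com/goauthentik/authentik/refs/tags/version/${VERSION}/uv.lock /
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:schemas /schemas
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:locale /locale
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:tests /tests
ADD --chmod=755 https://raw.githubusercontent.com/goauthentik/authentik/refs/tags/version/${VERSION}/manage.py /
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:blueprints /blueprints
ADD https://github.com/goauthentik/authentik.git#version/${VERSION}:lifecycle/ /lifecycle
ADD https://raw.githubusercontent.com/goauthentik/authentik/refs/tags/version/${VERSION}/authentik/sources/kerberos/krb5.conf /etc/krb5.conf
RUN ln -s /ak-root/packages /packages
# Everything above ran as root; the service itself runs unprivileged.
USER authentik
HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
# dumb-init as PID 1 forwards signals to `ak` (found via /lifecycle on PATH)
# and reaps its children.
ENTRYPOINT [ "dumb-init", "--", "ak" ]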