authentik: custom-image overlay to fix the 1.4s login-flow query (SLOW-1a)

The login flow's identification stage runs a bare select_subclasses() that LEFT-JOINs every Source subtype table — ~1.4s server-side on every cold login (verified live: 1527ms vs 14ms). Narrow it to only the subtypes that render a UI login button (oauth/saml/plex/telegram/kerberos — not the sync-only ldap/scim), via django-model-utils string accessors so no import is needed. Byte-identical output, ~100x faster, robust to adding new login source types. Shipped as a thin overlay over the official image (mirrors the diun/excalidraw precedent): stacks/authentik/Dockerfile (FROM ghcr.io/goauthentik/server:2026.2.4 + a guarded sed) built by .github/workflows/build-authentik.yml -> ghcr.io/ viktorbarzin/authentik-server:2026.2.4-patch1. The values repoint + Keel freeze land in a follow-up commit once the image is built. Upstream bug still present in main (no fix/PR) — drop this overlay once upstream narrows the query. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 10:42:58 +00:00 · 2026-06-28 10:42:58 +00:00 · 7ec64ed5ff
commit 7ec64ed5ff
parent 12a45fa94e
2 changed files with 71 additions and 0 deletions
--- a/.github/workflows/build-authentik.yml
+++ b/.github/workflows/build-authentik.yml
@ -0,0 +1,39 @@
+name: Build Custom Authentik Image
+
+# ADR-0002: infra-owned image built off-infra on GHA → ghcr.
+# Thin SLOW-1a overlay over the official authentik server (narrows the login
+# identification stage's select_subclasses() to the login-capable source subtypes;
+# see stacks/authentik/Dockerfile). Rebuild only when the Dockerfile changes — on
+# every authentik bump, edit the FROM tag + the patchN suffix here + the image tag
+# in modules/authentik/values.yaml together.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'stacks/authentik/Dockerfile'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: stacks/authentik
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch1
+            ghcr.io/viktorbarzin/authentik-server:latest