authentik: custom-image overlay to fix the 1.4s login-flow query (SLOW-1a)

The login flow's identification stage runs a bare select_subclasses() that
LEFT-JOINs every Source subtype table — ~1.4s server-side on every cold login
(verified live: 1527ms vs 14ms). Narrow it to only the subtypes that render a UI
login button (oauth/saml/plex/telegram/kerberos — not the sync-only ldap/scim),
via django-model-utils string accessors so no import is needed. Byte-identical
output, ~100x faster, robust to adding new login source types.

Shipped as a thin overlay over the official image (mirrors the diun/excalidraw
precedent): stacks/authentik/Dockerfile (FROM ghcr.io/goauthentik/server:2026.2.4
+ a guarded sed) built by .github/workflows/build-authentik.yml -> ghcr.io/
viktorbarzin/authentik-server:2026.2.4-patch1. The values repoint + Keel freeze
land in a follow-up commit once the image is built. Upstream bug still present in
main (no fix/PR) — drop this overlay once upstream narrows the query.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.github/workflows/build-authentik.yml

@@ -0,0 +1,39 @@
+name: Build Custom Authentik Image
+
+# ADR-0002: infra-owned image built off-infra on GHA → ghcr.
+# Thin SLOW-1a overlay over the official authentik server (narrows the login
+# identification stage's select_subclasses() to the login-capable source subtypes;
+# see stacks/authentik/Dockerfile). Rebuild only when the Dockerfile changes — on
+# every authentik bump, edit the FROM tag + the patchN suffix here + the image tag
+# in modules/authentik/values.yaml together.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'stacks/authentik/Dockerfile'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: stacks/authentik
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch1
+            ghcr.io/viktorbarzin/authentik-server:latest

stacks/authentik/Dockerfile

@@ -0,0 +1,32 @@
+# SLOW-1a overlay over the official authentik server image.
+#
+# The login flow's identification stage renders each enabled source's UI login
+# button. Upstream authentik/stages/identification/stage.py does:
+#     current_stage.sources.filter(enabled=True).order_by("name").select_subclasses()
+# The bare no-arg select_subclasses() (django-model-utils InheritanceManager)
+# LEFT-JOINs EVERY Source subtype table; on the cold-login hot path that is ~1.5s
+# (verified live on 2026.2.4: 1527ms vs 14ms). Passing only the subtypes that
+# actually render a UI login button — every concrete Source type that overrides
+# ui_login_button: oauth/saml/plex/telegram/kerberos, NOT the sync-only ldap/scim —
+# is ~100x faster and BYTE-IDENTICAL output (verified: concrete types + rendered
+# buttons match). django-model-utils accepts the lowercase subclass *accessor
+# names* as strings, so no new import is needed (no circular-import risk) — the
+# patch is a single, reviewable line edit.
+#
+# RE-VERIFY ON EVERY AUTHENTIK BUMP: bump the FROM tag below AND the image tag in
+# modules/authentik/values.yaml together. The grep guards fail the build LOUDLY if
+# the upstream target line moved. If a future authentik version adds a NEW
+# login-capable source type, add its lowercase accessor to the list below.
+# Upstream: the bare select_subclasses() is still present in main (no fix/PR as of
+# 2026-06-28) — drop this overlay once upstream narrows the query.
+FROM ghcr.io/goauthentik/server:2026.2.4
+
+USER root
+RUN set -eux; \
+    F=/authentik/stages/identification/stage.py; \
+    grep -q 'order_by("name").select_subclasses()' "$F"; \
+    sed -i 's/order_by("name")\.select_subclasses()/order_by("name").select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")/' "$F"; \
+    grep -q 'select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")' "$F"; \
+    PY="$(command -v python || command -v python3)"; "$PY" -c "import ast,sys; ast.parse(open('$F').read())"; \
+    rm -f /authentik/stages/identification/__pycache__/stage.*.pyc
+USER authentik