From 2d4098e480480bbbe03fe3a76ff82ae77d516700 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sun, 1 Mar 2026 16:28:36 -0800 Subject: [PATCH] Fix authentik 2026.2.0 migration ordering bug (#275) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Patch `authentik_rbac/0010` migration to depend on `authentik_core/0056`, fixing non-deterministic ordering that crashes startup with `FieldError: Cannot resolve keyword 'group_id'` - Upstream bug: goauthentik/authentik#19616, #20634 — no fix released yet - Document the issue in the lessons-learned table ## Deployment and Testing - [ ] CI builds container image - [ ] Deploy from branch: `argocd app set authentik --revision fix/authentik-migration-ordering && argocd app sync authentik` - [ ] Pods reach Running/Ready without crash-looping - [ ] `kubectl logs` show 0056 migrating before 0010 - [ ] authentik UI loads at authentik.ops.eblu.me - [ ] `mise run services-check` - [ ] After merge: `argocd app set authentik --revision main && argocd app sync authentik` Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/275 --- containers/authentik/authentik-django.nix | 8 ++++++++ .../fix-authentik-migration-ordering.bugfix.md | 1 + .../authentik/authentik-python-backend-derivation.md | 1 + 3 files changed, 10 insertions(+) create mode 100644 docs/changelog.d/fix-authentik-migration-ordering.bugfix.md diff --git a/containers/authentik/authentik-django.nix b/containers/authentik/authentik-django.nix index a00ea85..ebb7548 100644 --- a/containers/authentik/authentik-django.nix +++ b/containers/authentik/authentik-django.nix 
@@ -136,6 +136,14 @@ pkgs.stdenv.mkDerivation { --replace-fail 'Path("web/dist/assets/icons/icon_left_brand.png")' \ 'Path("${webuiPath}/dist/assets/icons/icon_left_brand.png")' + # Migration ordering: 0010 removes Role.group_id, but 0056 needs it + # for data migration. Upstream bug in authentik 2026.2.0. + # https://github.com/goauthentik/authentik/issues/19616 + substituteInPlace ${sp}/authentik/rbac/migrations/0010_remove_role_group_alter_role_name.py \ + --replace-fail \ + '("authentik_rbac", "0009_remove_initialpermissions_mode"),' \ + '("authentik_rbac", "0009_remove_initialpermissions_mode"), ("authentik_core", "0056_user_roles"),' + # Lifecycle bash script: use Nix store bash (no /usr/bin/env in containers) substituteInPlace ${sp}/lifecycle/ak \ --replace-fail '#!/usr/bin/env -S bash' '#!${pkgs.bash}/bin/bash' diff --git a/docs/changelog.d/fix-authentik-migration-ordering.bugfix.md b/docs/changelog.d/fix-authentik-migration-ordering.bugfix.md new file mode 100644 index 0000000..5a39fd6 --- /dev/null +++ b/docs/changelog.d/fix-authentik-migration-ordering.bugfix.md @@ -0,0 +1 @@ +Fix authentik 2026.2.0 startup crash caused by Django migration ordering bug (`FieldError: Cannot resolve keyword 'group_id'`). Patch ensures `authentik_core/0056` runs before `authentik_rbac/0010`. diff --git a/docs/how-to/authentik/authentik-python-backend-derivation.md b/docs/how-to/authentik/authentik-python-backend-derivation.md index 47b3ed8..44ec65c 100644 --- a/docs/how-to/authentik/authentik-python-backend-derivation.md +++ b/docs/how-to/authentik/authentik-python-backend-derivation.md 
@@ -65,6 +65,7 @@ Build issues encountered and resolved: | `xargs grep` exit code 123 under `pipefail` | Wrap pipeline in `{ ... \|\| true; }` — grep returning 1 (no match) causes xargs to return 123 | | `grep -aoE` includes filename prefix in output | Use `grep -aohE` (`-h` suppresses filenames) to get clean store paths | | autoPatchelfHook can't find libraries | `buildInputs` in main derivation must include all libraries that `.so` files link against | +| `FieldError: Cannot resolve keyword 'group_id'` on startup | Django migration ordering bug: `authentik_rbac/0010` (drops `Role.group_id`) can run before `authentik_core/0056` (reads it). Add explicit dependency via `substituteInPlace` on the migration file. Upstream [#19616](https://github.com/goauthentik/authentik/issues/19616) | The `uv sync` completes in ~3.5 minutes. Dynamic reference discovery finds 19 unique store paths and strips all of them. After stripping, `remove-references-to` mangles hashes to `eeee...` bytes — about 40 files still "contain" `/nix/store/` strings but with invalid hashes, which is expected and harmless. `autoPatchelfHook` in the main derivation resolves all NEEDED entries with 0 unsatisfied dependencies.
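Review bot: In the `containers/authentik/authentik-django.nix` hunk, the new edge `authentik_rbac/0010 -> authentik_core/0056` is only valid if `0056_user_roles` does not itself depend, directly or transitively, on `authentik_rbac/0010`; a cycle would make Django refuse to build the migration graph and the pod would still crash, just with a different error. Rather than relying on the `kubectl logs` ordering check in the PR checklist, confirm the resolved plan once with Django's `showmigrations` / `migrate --plan` through the image's management entrypoint before merging. `--replace-fail` is the right choice here because the build fails loudly once upstream touches that dependency line, but the code comment should say so and name the condition for removing the patch (upstream fix released), and it cites only #19616 while the commit message also references #20634.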
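Review bot: The new `docs/changelog.d/fix-authentik-migration-ordering.bugfix.md` entry describes what the patch does but not that it is a local workaround for an unreleased upstream fix; a clause such as "workaround until goauthentik/authentik#19616 is fixed upstream" would tell whoever bumps authentik later why the build suddenly stops at `substituteInPlace`.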
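Review bot: The new lessons-learned row in `docs/how-to/authentik/authentik-python-backend-derivation.md` should mention that the `substituteInPlace` call uses `--replace-fail`, so a future authentik release that renames or reformats the `0009_remove_initialpermissions_mode` dependency line fails the build instead of silently skipping the patch; that failure is the cue to check whether the upstream fix has landed and drop the patch. For consistency with the commit message, link both upstream issues (#19616 and #20634) or drop the second one from the commit message.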