
11 Commits

Author SHA1 Message Date
Tana M Berry
eab28d0ad6 rebase 2025-07-24 13:03:19 -05:00
Marc 'risson' Schmitt
a1ee3ca278 Update website/docs/install-config/configuration/configuration.mdx
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2025-07-24 12:59:17 -05:00
Marc 'risson' Schmitt
d9db8ac044 Update website/docs/install-config/configuration/configuration.mdx
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2025-07-24 12:59:17 -05:00
Marc 'risson' Schmitt
c9c0674711 Update website/docs/install-config/configuration/configuration.mdx
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2025-07-24 12:59:17 -05:00
Marc 'risson' Schmitt
93c2bb7e9f add tests
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2025-07-24 12:59:17 -05:00
Marc 'risson' Schmitt
0bbadf3194 rework a bit
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2025-07-24 12:59:17 -05:00
Duncan Tasker
9f97a65094 ran make lint, updated documentation 2025-07-24 12:59:17 -05:00
Duncan Tasker
c2a41940bc fix order of option parsing, allowed user to add options to replicas not specified in the default config 2025-07-24 12:59:17 -05:00
Duncan Tasker
f30120e88a searches both default replica path and replica conn opts path when assigning replica specific options 2025-07-24 12:59:17 -05:00
Duncan Tasker
4582183da4 added global replica options and per replica options 2025-07-24 12:59:17 -05:00
Staz M
d8cf464f3c config: Allow for setting custom SQL connection string options.
This allows for setting additional settings on the PostgreSQL
connection string, such as `host` and `target_session_attrs`.
2025-07-24 12:59:17 -05:00
3 changed files with 101 additions and 0 deletions


@@ -367,6 +367,8 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
# See https://github.com/goauthentik/authentik/issues/14320
pool_options = False
conn_options = config.get_dict_from_b64_json("postgresql.conn_options", default={})
db = {
"default": {
"ENGINE": "authentik.root.db",
@@ -381,6 +383,7 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
"sslcert": config.get("postgresql.sslcert"),
"sslkey": config.get("postgresql.sslkey"),
"pool": pool_options,
**conn_options,
},
"CONN_MAX_AGE": config.get_optional_int("postgresql.conn_max_age", 0),
"CONN_HEALTH_CHECKS": config.get_bool("postgresql.conn_health_checks", False),
@@ -410,8 +413,14 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
if conn_max_age is not UNSET:
db["default"]["CONN_MAX_AGE"] = conn_max_age
all_replica_conn_options = config.get_dict_from_b64_json(
"postgresql.replica_conn_options",
default={},
)
for replica in config.get_keys("postgresql.read_replicas"):
_database = deepcopy(db["default"])
for setting, current_value in db["default"].items():
if isinstance(current_value, dict):
continue
@@ -420,12 +429,23 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
)
if override is not UNSET:
_database[setting] = override
for option in conn_options.keys():
_database["OPTIONS"].pop(option, None)
for setting in db["default"]["OPTIONS"].keys():
override = config.get(
f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
)
if override is not UNSET:
_database["OPTIONS"][setting] = override
_database["OPTIONS"].update(all_replica_conn_options)
replica_conn_options = config.get_dict_from_b64_json(
f"postgresql.read_replicas.{replica}.conn_options", default={}
)
_database["OPTIONS"].update(replica_conn_options)
db[f"replica_{replica}"] = _database
return db
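Review bot: In the replica loop, `_database["OPTIONS"].pop(option, None)` removes every key named in `postgresql.conn_options` from the replica, including keys that a dedicated setting also populates (`sslcert` and `sslkey` are visible in the hunk; `sslmode` is presumably set just above it). If an operator puts such a key in `conn_options`, the replica does not fall back to the dedicated value: the key disappears, and for `sslmode` libpq would then use its own default of `prefer`, which is weaker than the documented `verify-ca`. Keeping the dedicated options in their own dict avoids this: build `base_options` first, use `"OPTIONS": {**base_options, **conn_options}` for the default, and set `_database["OPTIONS"] = deepcopy(base_options)` for each replica instead of popping. The body of `django_db_config` starts and continues outside these hunks, so the exact shape of the OPTIONS literal should be checked there.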


@@ -494,6 +494,65 @@ class TestConfig(TestCase):
},
)
def test_db_conn_options(self):
config = ConfigLoader()
config.set(
"postgresql.conn_options",
base64.b64encode(
dumps(
{
"connect_timeout": "10",
}
).encode()
).decode(),
)
config.set("postgresql.read_replicas.0.host", "bar")
conf = django_db_config(config)
self.assertEqual(
conf["default"]["OPTIONS"]["connect_timeout"],
"10",
)
self.assertNotIn("connect_timeout", conf["replica_0"]["OPTIONS"])
def test_db_conn_options_read_replicas(self):
config = ConfigLoader()
config.set(
"postgresql.replica_conn_options",
base64.b64encode(
dumps(
{
"connect_timeout": "10",
}
).encode()
).decode(),
)
config.set("postgresql.read_replicas.0.host", "bar")
config.set("postgresql.read_replicas.1.host", "bar")
config.set(
"postgresql.read_replicas.1.conn_options",
base64.b64encode(
dumps(
{
"connect_timeout": "20",
}
).encode()
).decode(),
)
conf = django_db_config(config)
self.assertNotIn("connect_timeout", conf["default"]["OPTIONS"])
self.assertEqual(
conf["replica_0"]["OPTIONS"]["connect_timeout"],
"10",
)
self.assertEqual(
conf["replica_1"]["OPTIONS"]["connect_timeout"],
"20",
)
# FIXME: Temporarily force pool to be deactivated.
# See https://github.com/goauthentik/authentik/issues/14320
# def test_db_pool(self):
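Review bot: Both new tests use only `connect_timeout`, a key no dedicated setting populates, so the override precedence the docs promise is never exercised. A case where `postgresql.conn_options` carries a key that a dedicated setting also writes (for example `sslcert`) would pin what the default and `replica_0` end up with, e.g. `self.assertEqual(conf["replica_0"]["OPTIONS"]["sslcert"], <value from postgresql.sslcert>)`. A test for a value that is not valid base64, or that does not decode to a JSON object, would also document whether `get_dict_from_b64_json` fails loudly or quietly returns the default; its behaviour is not visible here.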


@@ -84,6 +84,7 @@ The `AUTHENTIK_POSTGRESQL__HOST`, `AUTHENTIK_POSTGRESQL__PORT`, `AUTHENTIK_POSTG
Configure SSL/TLS to secure the connection to your PostgreSQL server.
- `AUTHENTIK_POSTGRESQL__SSLMODE`: Controls the SSL verification mode. Defaults to `verify-ca`.
- `disable`: No SSL is used.
- `allow`: Use SSL if available, but don't perform verification.
- `prefer`: Attempt an SSL connection first, fall back to non-SSL if it fails.
@@ -104,6 +105,7 @@ For more details, see [Django's PostgreSQL documentation](https://docs.djangopro
These settings control connection persistence and behavior, which is particularly important when using a connection pooler like PgBouncer.
- `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE`: The maximum age of a database connection in seconds.
- `0` (default): Connections are closed after each request.
- greater than `0`: Enables persistent connections, with the value defining the maximum lifetime.
- `None`: Unlimited persistence. Use with caution, especially with connection poolers.
@@ -121,6 +123,14 @@ These settings control connection persistence and behavior, which is particularl
This can only be set before authentik is started for the first time. If you specify a custom schema, it must already exist in the database, and the user that authentik connects with must have permissions to access it. The `search_path` for the database user must also be configured to include this schema.
- `AUTHENTIK_POSTGRESQL__CONN_OPTIONS`
Arbitrary `libpq` parameter key words for the database connection. A list of parameter key words can be found [in the PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS).
- Parameters passed with this setting will override those passed with other settings.
- These parameters are not applied to read replicas.
- Parameter keywords should be formatted as a base64-encoded JSON dictionary.
### Read Replicas
You can configure additional read replica databases to distribute database load and improve performance. When read replicas are configured, authentik automatically routes query operations between the primary database (for writes) and read replica databases (for queries). By default, the primary database won't be used for queries when read replicas are available. If you want the primary database to also handle queries, add it as a read replica.
@@ -141,6 +151,16 @@ The same PostgreSQL settings as described above are used for each read replica.
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_MAX_AGE`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_HEALTH_CHECKS`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__DISABLE_SERVER_SIDE_CURSORS`
- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_OPTIONS`
Additionally, you can set arbitrary connection parameters on all read replicas with:
- `AUTHENTIK_POSTGRESQL__REPLICA_CONN_OPTIONS`
Arbitrary `libpq` parameter key words for all read replicas database connections. A list of options can be found [in the PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS).
- Parameters passed with this setting will override those passed with other settings.
- Parameter key words should be formatted as a base64-encoded JSON dictionary.
### Using a PostgreSQL Connection Pooler
@@ -345,6 +365,7 @@ Disable the inbuilt update-checker. Defaults to `false`.
- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE`
Placeholders:
- `%(type)s`: Outpost type; proxy, ldap, etc
- `%(version)s`: Current version; 2021.4.1
- `%(build_hash)s`: Build hash if you're running a beta version
@@ -356,6 +377,7 @@ Disable the inbuilt update-checker. Defaults to `false`.
Configure the automatic discovery of integrations. Defaults to `true`.
By default, the following is discovered:
- Kubernetes in-cluster config
- Kubeconfig
- Existence of a docker socket