Skip to content

core: fix transactional app creation failing with read replicas (2025.12) #19087

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dominic-r wants to merge 1 commit into from
Closed

core: fix transactional app creation failing with read replicas (2025.12) #19087

dominic-r wants to merge 1 commit into from

Conversation

@dominic-r
Copy link
Member

@dominic-r dominic-r commented Dec 29, 2025

THIS IS A FIX FOR #19086 FOR VERSION 2025.12 SPECIFICALLY TO ALLOW ME TO GET A PRE-BUILT IMAGE FOR MY PRODUCTION AUTHENTIK WITH THE SAME CONFIGURATION AS OTHER BUILT IMAGES

@dominic-r dominic-r requested a review from a team as a code owner December 29, 2025 03:29
@dominic-r dominic-r closed this Dec 29, 2025
@dominic-r dominic-r force-pushed the sdko/fix-transactional-ver-12 branch from 8425f7e to d915d1a Compare December 29, 2025 03:29
@netlify
Copy link

netlify bot commented Dec 29, 2025

Deploy Preview for authentik-integrations ready!

Name Link
🔨 Latest commit 8425f7e
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/6951f5844e7a930008d2fbc1
😎 Deploy Preview https://deploy-preview-19087--authentik-integrations.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify
Copy link

netlify bot commented Dec 29, 2025

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 8425f7e
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/6951f584440e5c0008da032d
😎 Deploy Preview https://deploy-preview-19087--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@dominic-r dominic-r reopened this Dec 29, 2025
@netlify
Copy link

netlify bot commented Dec 29, 2025

Deploy Preview for authentik-integrations ready!

Name Link
🔨 Latest commit d915d1a
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/6951f5b465248f0008a19a6c
😎 Deploy Preview https://deploy-preview-19087--authentik-integrations.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify
Copy link

netlify bot commented Dec 29, 2025

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit d915d1a
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/6951f5b45b77c60008378c6d
😎 Deploy Preview https://deploy-preview-19087--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@codecov
Copy link

codecov bot commented Dec 29, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.31%. Comparing base (d915d1a) to head (d899170).
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@                 Coverage Diff                 @@
##           version-2025.12   #19087      +/-   ##
===================================================
+ Coverage            92.81%   93.31%   +0.50%     
===================================================
  Files                  946      946              
  Lines                52076    52078       +2     
===================================================
+ Hits                 48334    48597     +263     
+ Misses                3742     3481     -261
Flag Coverage Δ
e2e 44.65% <33.33%> (+1.99%) ⬆️
integration 23.45% <33.33%> (+<0.01%) ⬆️
unit 91.58% <100.00%> (+<0.01%) ⬆️
unit-migrate 91.63% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@dominic-r
core: fix transactional app creation failing with read replicas
d899170 
When authentik is configured with PostgreSQL read replicas, the
application wizard fails with "Invalid pk - object does not exist"
for the provider field.

The issue occurs in the blueprint validation flow:
1. Provider is created on the primary database (e.g., PK 159)
2. KeyOf.resolve() returns this PK for the application's provider field
3. ApplicationSerializer.is_valid() validates the provider FK
4. DRF's PrimaryKeyRelatedField queries to verify the PK exists
5. FailoverRouter routes this read to a replica
6. Replica can't see the provider - it's uncommitted (validation runs
   inside transaction_rollback())

The fix replaces provider and backchannel_providers fields with
IntegerField when running in blueprint context. This allows the PK
value to pass through without a DB lookup, and using source="provider_id"
assigns directly to the FK's _id field. This is safe because:
- The provider is created in the same blueprint transaction
- The KeyOf reference correctly links them during blueprint apply()
- The blueprint importer handles the actual FK assignment
@dominic-r dominic-r force-pushed the sdko/fix-transactional-ver-12 branch from 2c3a251 to d899170 Compare December 29, 2025 03:38
@dominic-r dominic-r changed the title core: fix transactional app creation failing with read replicas core: fix transactional app creation failing with read replicas (2025.12) Dec 29, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Dec 29, 2025

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-d899170537ed311533c079ad4f1e6ad98a2d9ede
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-d899170537ed311533c079ad4f1e6ad98a2d9ede

Afterwards, run the upgrade commands from the latest release notes.

@dominic-r
Copy link
Member Author

dominic-r commented Dec 29, 2025

Confirming fix works as expected 🎉

@dominic-r dominic-r closed this Dec 29, 2025
@dominic-r dominic-r deleted the sdko/fix-transactional-ver-12 branch December 29, 2025 04:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dominic-r