crypto: update certificate api and component

[PeshekDotDev]

Details

This PR improves how we use the crypto api for certificates, including adding for filtering on the front-end and better typing throughout

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	034a9ab
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/690a4c82ab68010008afb04b

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	034a9ab
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/690a4c82e3835000084ddc82
😎 Deploy Preview	https://deploy-preview-17921--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-integrations canceled.

Name	Link
🔨 Latest commit	034a9ab
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/690a4c82ba392b00084e5bd2

[codecov]

Codecov Report

❌ Patch coverage is 72.72727% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.92%. Comparing base (30f9d19) to head (034a9ab).
⚠️ Report is 9 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
authentik/crypto/models.py	64.00%	9 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17921      +/-   ##
==========================================
- Coverage   92.98%   92.92%   -0.06%     
==========================================
  Files         869      869              
  Lines       47962    48016      +54     
==========================================
+ Hits        44596    44618      +22     
- Misses       3366     3398      +32     

Flag	Coverage Δ
e2e	45.16% <60.60%> (-0.09%)	⬇️
integration	23.19% <39.39%> (+<0.01%)	⬆️
unit	91.07% <72.72%> (-0.01%)	⬇️
unit-migrate	91.12% <72.72%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[BeryJu]

Add comment about performance implications

[PeshekDotDev]

I've updated them, let me know what you think

[kensternberg-authentik]

I know my grammar queen shouldn't get too sharp on comments, but that's... awkward. Maybe something like?

When allowedKeyTypes is set, only certificates or keypairs with matching key algorithms will be shown. Since certificates must be parsed to extract algorithm details, an instance with many certificates may experience long delays and server performance slowdowns. Avoid setting this field whenever possible.

... which raises the question, @BeryJu: Why isn't that information stored separately from the certificate?

[BeryJu]

that's a good idea, we could cache the key/cert data alongside the cert instead of re-parsing it every time

maybe something to look into rather than just having this warning

[BeryJu]

LGTM with one small nit

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-034a9ab2272630d2bf39e06fadd040e93f9857c2
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-034a9ab2272630d2bf39e06fadd040e93f9857c2

Afterwards, run the upgrade commands from the latest release notes.

[kensternberg-authentik]

I made a suggestion for rewording a comment; that shouldn't delay merging, but if @PeshekDotDev wants to update the comment before the merge, I'd welcome it.

[kensternberg-authentik]

I know my grammar queen shouldn't get too sharp on comments, but that's... awkward. Maybe something like?

When allowedKeyTypes is set, only certificates or keypairs with matching key algorithms will be shown. Since certificates must be parsed to extract algorithm details, an instance with many certificates may experience long delays and server performance slowdowns. Avoid setting this field whenever possible.

... which raises the question, @BeryJu: Why isn't that information stored separately from the certificate?

[PeshekDotDev]

Storing the keytype in the database is something I'm willing to add in a different PR