root: always use persistent database connections

[rissson]

Details

Ideally this would avoid re-opening a database connection for every database query, even when not using pg_bouncer.

Upside: we're avoiding creating connections for every database query.

Downside: we would always have, at most, N connections open, N being the number of workers, once every worker has been hit with a web request. Also, if something breaks, the connection is not re-created automatically, if I understand correctly.

We could also set CONN_HEALTH_CHECKS to true to mitigate that last bit, which will check the connection health once per web request.

Finally, this may help with auto-rotating secrets, in which case the connection would stay opened and healthy from when the password has been changed on postgres' side, until it reaches authentik.

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)
• The translation files have been updated (make i18n-extract)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	a21e5d9
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/64de07b8e6db440008c8e690
😎 Deploy Preview	https://deploy-preview-6560--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

Patch coverage has no change and project coverage change: -0.02% ⚠️

Comparison is base (594e031) 92.48% compared to head (a21e5d9) 92.46%.
Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6560      +/-   ##
==========================================
- Coverage   92.48%   92.46%   -0.02%     
==========================================
  Files         561      561              
  Lines       27081    27080       -1     
==========================================
- Hits        25044    25037       -7     
- Misses       2037     2043       +6     

Flag	Coverage Δ
e2e	51.61% <ø> (+0.01%)	⬆️
integration	26.57% <ø> (+0.01%)	⬆️
unit	89.27% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
authentik/root/settings.py	89.32% <ø> (+0.68%)	⬆️

... and 4 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-always-disable-persistent-db-connections-1692273370-a21e5d9
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-always-disable-persistent-db-connections-1692273370-a21e5d9-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-always-disable-persistent-db-connections-1692273370-a21e5d9

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-always-disable-persistent-db-connections-1692273370-a21e5d9-arm64

Afterwards, run the upgrade commands from the latest release notes.

[BeryJu]

Looks good, allthough I think we should also set CONN_HEALTH_CHECKS as you already mentioned (I'm not 100% sure about the performance impact of both of these changes, I'm estimating it'll lower the avg% for response time but could worse then p99 (especially when the password rotation does happen)

[rissson]

we should also set CONN_HEALTH_CHECKS

Done.

I'm not 100% sure about the performance impact of both of these changes, I'm estimating it'll lower the avg% for response time but could worse then p99 (especially when the password rotation does happen)

I've updated the description to better differentiate web request and database queries. As the check only happens once per web request, and only if the database is queried, it shouldn't be a lot of overhead, and certainly less than re-creating a brand new connection to the database.

Also, for reference, the check made by django to see if the connection is alive is SELECT 1