Authentik hostfix

k8s/apps/furumi-dev/app.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: furumi-dev
+  namespace: argocd
+spec:
+  project: apps
+  destination:
+    namespace: furumi-dev
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/furumi-dev
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true

k8s/apps/furumi-dev/external-secrets.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: furumi-ng-creds
+spec:
+  target:
+    name: furumi-ng-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        OIDC_CLIENT_ID: |-
+          {{ .client_id }}
+        OIDC_CLIENT_SECRET: |-
+          {{ .client_secret }}
+        OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-dev/
+        OIDC_REDIRECT_URL: https://music-dev.hexor.cy/auth/callback
+        OIDC_SESSION_SECRET: |-
+          {{ .session_secret }}
+        PG_STRING: |-
+          postgres://furumi_dev:{{ .pg_pass }}@psql.psql.svc:5432/furumi_dev
+  data:
+    - secretKey: client_id
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
+        property: fields[0].value
+    - secretKey: client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
+        property: fields[1].value
+    - secretKey: session_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 960735e6-2cc9-4b68-9bd3-e6786e5a0cd6
+        property: fields[2].value
+    - secretKey: pg_pass
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[17].value

k8s/apps/furumi-dev/ingress.yaml

@@ -0,0 +1,59 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: admin-strip
+spec:
+  stripPrefix:
+    prefixes:
+      - /admin
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: furumi-tls-ingress
+  annotations:
+    ingressClassName: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
+    - host: music-dev.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: furumi-dev-web-player
+                port:
+                  number: 8080
+  tls:
+    - secretName: furumi-tls
+      hosts:
+        - '*.hexor.cy'
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: furumi-dev-admin-ingress
+  annotations:
+    ingressClassName: traefik
+    traefik.ingress.kubernetes.io/router.middlewares: furumi-server-admin-strip@kubernetescrd,kube-system-https-redirect@kubernetescrd
+spec:
+  rules:
+    - host: music-dev.hexor.cy
+      http:
+        paths:
+          - path: /admin
+            pathType: Prefix
+            backend:
+              service:
+                name: furumi-dev-metadata-agent
+                port:
+                  number: 8090
+  tls:
+    - secretName: furumi-tls
+      hosts:
+        - '*.hexor.cy'

k8s/apps/furumi-dev/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - service.yaml
+  - external-secrets.yaml
+  - ingress.yaml
+  - web-player.yaml
+  - metadata-agent.yaml

k8s/apps/furumi-dev/metadata-agent.yaml

@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-dev-metadata-agent
+  labels:
+    app: furumi-dev-metadata-agent
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-dev-metadata-agent
+  template:
+    metadata:
+      labels:
+        app: furumi-dev-metadata-agent
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-dev-metadata-agent
+          image: ultradesu/furumi-metadata-agent:dev
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_AGENT_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PG_STRING
+            - name: FURUMI_AGENT_INBOX_DIR
+              value: "/inbox"
+            - name: FURUMI_AGENT_STORAGE_DIR
+              value: "/media"
+            - name: FURUMI_AGENT_OLLAMA_URL
+              value: "http://ollama.ollama.svc:11434"
+            - name: FURUMI_AGENT_OLLAMA_MODEL
+              value: "qwen3:14b"
+            - name: FURUMI_AGENT_POLL_INTERVAL_SECS
+              value: "10"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: admin-ui
+              containerPort: 8090
+              protocol: TCP
+          volumeMounts:
+            - name: library
+              mountPath: /media
+            - name: inbox
+              mountPath: /inbox
+      volumes:
+        - name: library
+          hostPath:
+            path: /k8s/furumi-dev/library
+            type: DirectoryOrCreate
+        - name: inbox
+          hostPath:
+            path: /k8s/furumi-dev/inbox
+            type: DirectoryOrCreate
+

k8s/apps/furumi-dev/service.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-dev-metadata-agent
+  labels:
+    app: furumi-dev-metadata-agent
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-dev-metadata-agent
+  ports:
+    - name: admin-ui
+      protocol: TCP
+      port: 8090
+      targetPort: 8090
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: furumi-dev-web-player
+  labels:
+    app: furumi-dev-web-player
+spec:
+  type: ClusterIP
+  selector:
+    app: furumi-dev-web-player
+  ports:
+    - name: web-ui
+      protocol: TCP
+      port: 8080
+      targetPort: 8080

k8s/apps/furumi-dev/web-player.yaml

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: furumi-dev-web-player
+  labels:
+    app: furumi-dev-web-player
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: furumi-dev-web-player
+  template:
+    metadata:
+      labels:
+        app: furumi-dev-web-player
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: furumi-dev-web-player
+          image: ultradesu/furumi-web-player:dev
+          imagePullPolicy: Always
+          env:
+            - name: FURUMI_PLAYER_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_ID
+            - name: FURUMI_PLAYER_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_CLIENT_SECRET
+            - name: FURUMI_PLAYER_OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_ISSUER_URL
+            - name: FURUMI_PLAYER_OIDC_REDIRECT_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_REDIRECT_URL
+            - name: FURUMI_PLAYER_OIDC_SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: OIDC_SESSION_SECRET
+            - name: FURUMI_PLAYER_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-creds
+                  key: PG_STRING
+            - name: FURUMI_PLAYER_STORAGE_DIR
+              value: "/media"
+            - name: RUST_LOG
+              value: "info"
+          ports:
+            - name: web-ui
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: music
+              mountPath: /media
+      volumes:
+        - name: music
+          hostPath:
+            path: /k8s/furumi-dev/library
+            type: DirectoryOrCreate
+

k8s/apps/furumi-server/metadata-agent.yaml

@@ -33,7 +33,7 @@ spec:
             - name: FURUMI_AGENT_OLLAMA_URL
               value: "http://ollama.ollama.svc:11434"
             - name: FURUMI_AGENT_OLLAMA_MODEL
-              value: "qwen3:14b"
+              value: "qwen3.5:9b"
             - name: FURUMI_AGENT_POLL_INTERVAL_SECS
               value: "10"
             - name: RUST_LOG

k8s/core/authentik/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - app.yaml
   - external-secrets.yaml
   - https-middleware.yaml
+  - outpost-selector-fix.yaml
 # - worker-restart.yaml
 
 helmCharts:

k8s/core/authentik/outpost-selector-fix.yaml

@@ -0,0 +1,81 @@
+## Workaround for authentik bug: embedded outpost controller creates
+## a Service with selectors that don't match the pod labels it sets.
+## Remove this after upgrading to a version with the fix.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+rules:
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "patch"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+subjects:
+  - kind: ServiceAccount
+    name: outpost-selector-fix
+    namespace: authentik
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: outpost-selector-fix
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+spec:
+  schedule: "* * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  concurrencyPolicy: Replace
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 300
+      template:
+        spec:
+          serviceAccountName: outpost-selector-fix
+          restartPolicy: OnFailure
+          containers:
+            - name: fix
+              image: bitnami/kubectl:latest
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  SVC="ak-outpost-authentik-embedded-outpost"
+                  # check if endpoints are populated
+                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
+                  if [ -n "$ADDRS" ]; then
+                    echo "Endpoints OK ($ADDRS), nothing to fix"
+                    exit 0
+                  fi
+                  echo "No endpoints for $SVC, patching selector..."
+                  kubectl patch svc "$SVC" -n authentik --type=json -p '[
+                    {"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
+                    {"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
+                  ]'
+                  echo "Patched. Verifying..."
+                  sleep 2
+                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
+                  if [ -n "$ADDRS" ]; then
+                    echo "Fix confirmed, endpoints: $ADDRS"
+                  else
+                    echo "WARNING: still no endpoints after patch"
+                    exit 1
+                  fi