Compare commits
4 Commits
auto-updat
...
auto-updat
| Author | SHA1 | Date | |
|---|---|---|---|
|
a5e390714d | ||
|
4151deca72 | ||
| c3e0064412 | |||
| 8a4401fe0b |
@@ -14,8 +14,8 @@ spec:
|
||||
{{ .client_id }}
|
||||
OIDC_CLIENT_SECRET: |-
|
||||
{{ .client_secret }}
|
||||
OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-ng-web/
|
||||
OIDC_REDIRECT_URL: https://music.hexor.cy/auth/callback
|
||||
OIDC_ISSUER_URL: https://idm.hexor.cy/application/o/furumi-dev/
|
||||
OIDC_REDIRECT_URL: https://music-dev.hexor.cy/auth/callback
|
||||
OIDC_SESSION_SECRET: |-
|
||||
{{ .session_secret }}
|
||||
PG_STRING: |-
|
||||
|
||||
@@ -33,7 +33,7 @@ spec:
|
||||
- name: FURUMI_AGENT_OLLAMA_URL
|
||||
value: "http://ollama.ollama.svc:11434"
|
||||
- name: FURUMI_AGENT_OLLAMA_MODEL
|
||||
value: "qwen3:14b"
|
||||
value: "qwen3.5:9b"
|
||||
- name: FURUMI_AGENT_POLL_INTERVAL_SECS
|
||||
value: "10"
|
||||
- name: RUST_LOG
|
||||
|
||||
@@ -5,6 +5,7 @@ resources:
|
||||
- app.yaml
|
||||
- external-secrets.yaml
|
||||
- https-middleware.yaml
|
||||
- outpost-selector-fix.yaml
|
||||
# - worker-restart.yaml
|
||||
|
||||
helmCharts:
|
||||
|
||||
81
k8s/core/authentik/outpost-selector-fix.yaml
Normal file
81
k8s/core/authentik/outpost-selector-fix.yaml
Normal file
@@ -0,0 +1,81 @@
|
||||
## Workaround for authentik bug: embedded outpost controller creates
|
||||
## a Service with selectors that don't match the pod labels it sets.
|
||||
## Remove this after upgrading to a version with the fix.
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services"]
|
||||
verbs: ["get", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["endpoints"]
|
||||
verbs: ["get"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: outpost-selector-fix
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: outpost-selector-fix
|
||||
namespace: authentik
|
||||
spec:
|
||||
schedule: "*/5 * * * *"
|
||||
successfulJobsHistoryLimit: 1
|
||||
failedJobsHistoryLimit: 3
|
||||
concurrencyPolicy: Replace
|
||||
jobTemplate:
|
||||
spec:
|
||||
ttlSecondsAfterFinished: 300
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: outpost-selector-fix
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
- name: fix
|
||||
image: bitnami/kubectl:latest
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
SVC="ak-outpost-authentik-embedded-outpost"
|
||||
# check if endpoints are populated
|
||||
ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
|
||||
if [ -n "$ADDRS" ]; then
|
||||
echo "Endpoints OK ($ADDRS), nothing to fix"
|
||||
exit 0
|
||||
fi
|
||||
echo "No endpoints for $SVC, patching selector..."
|
||||
kubectl patch svc "$SVC" -n authentik --type=json -p '[
|
||||
{"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
|
||||
{"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
|
||||
]'
|
||||
echo "Patched. Verifying..."
|
||||
sleep 2
|
||||
ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
|
||||
if [ -n "$ADDRS" ]; then
|
||||
echo "Fix confirmed, endpoints: $ADDRS"
|
||||
else
|
||||
echo "WARNING: still no endpoints after patch"
|
||||
exit 1
|
||||
fi
|
||||
Reference in New Issue
Block a user