Authentik hostfix

2026-03-20 09:39:13 +00:00 · 2026-03-20 09:37:05 +00:00
3 changed files with 82 additions and 7 deletions
--- a/README.md
+++ b/README.md
@@ -16,7 +16,6 @@ ArgoCD homelab project
 | **authentik** | [![authentik](https://ag.hexor.cy/api/badge?name=authentik&revision=true)](https://ag.hexor.cy/applications/argocd/authentik) |
 | **cert-manager** | [![cert-manager](https://ag.hexor.cy/api/badge?name=cert-manager&revision=true)](https://ag.hexor.cy/applications/argocd/cert-manager) |
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
-| **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
@@ -38,9 +37,6 @@ ArgoCD homelab project

 | Application | Status |
 | :--- | :---: |
-| **comfyui** | [![comfyui](https://ag.hexor.cy/api/badge?name=comfyui&revision=true)](https://ag.hexor.cy/applications/argocd/comfyui) |
-| **furumi-dev** | [![furumi-dev](https://ag.hexor.cy/api/badge?name=furumi-dev&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-dev) |
-| **furumi-server** | [![furumi-server](https://ag.hexor.cy/api/badge?name=furumi-server&revision=true)](https://ag.hexor.cy/applications/argocd/furumi-server) |
 | **gitea** | [![gitea](https://ag.hexor.cy/api/badge?name=gitea&revision=true)](https://ag.hexor.cy/applications/argocd/gitea) |
 | **greece-notifier** | [![greece-notifier](https://ag.hexor.cy/api/badge?name=greece-notifier&revision=true)](https://ag.hexor.cy/applications/argocd/greece-notifier) |
 | **hexound** | [![hexound](https://ag.hexor.cy/api/badge?name=hexound&revision=true)](https://ag.hexor.cy/applications/argocd/hexound) |
@@ -49,9 +45,6 @@ ArgoCD homelab project
 | **jellyfin** | [![jellyfin](https://ag.hexor.cy/api/badge?name=jellyfin&revision=true)](https://ag.hexor.cy/applications/argocd/jellyfin) |
 | **k8s-secrets** | [![k8s-secrets](https://ag.hexor.cy/api/badge?name=k8s-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
 | **khm** | [![khm](https://ag.hexor.cy/api/badge?name=khm&revision=true)](https://ag.hexor.cy/applications/argocd/khm) |
-| **lidarr** | [![lidarr](https://ag.hexor.cy/api/badge?name=lidarr&revision=true)](https://ag.hexor.cy/applications/argocd/lidarr) |
-| **matrix** | [![matrix](https://ag.hexor.cy/api/badge?name=matrix&revision=true)](https://ag.hexor.cy/applications/argocd/matrix) |
-| **mtproxy** | [![mtproxy](https://ag.hexor.cy/api/badge?name=mtproxy&revision=true)](https://ag.hexor.cy/applications/argocd/mtproxy) |
 | **n8n** | [![n8n](https://ag.hexor.cy/api/badge?name=n8n&revision=true)](https://ag.hexor.cy/applications/argocd/n8n) |
 | **ollama** | [![ollama](https://ag.hexor.cy/api/badge?name=ollama&revision=true)](https://ag.hexor.cy/applications/argocd/ollama) |
 | **paperless** | [![paperless](https://ag.hexor.cy/api/badge?name=paperless&revision=true)](https://ag.hexor.cy/applications/argocd/paperless) |
--- a/k8s/core/authentik/kustomization.yaml
+++ b/k8s/core/authentik/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
  - app.yaml
  - external-secrets.yaml
  - https-middleware.yaml
+  - outpost-selector-fix.yaml
 # - worker-restart.yaml

 helmCharts:
--- a/k8s/core/authentik/outpost-selector-fix.yaml
+++ b/k8s/core/authentik/outpost-selector-fix.yaml
@@ -0,0 +1,81 @@
+## Workaround for authentik bug: embedded outpost controller creates
+## a Service with selectors that don't match the pod labels it sets.
+## Remove this after upgrading to a version with the fix.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+rules:
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "patch"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+subjects:
+  - kind: ServiceAccount
+    name: outpost-selector-fix
+    namespace: authentik
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: outpost-selector-fix
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: outpost-selector-fix
+  namespace: authentik
+spec:
+  schedule: "* * * * *"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  concurrencyPolicy: Replace
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 300
+      template:
+        spec:
+          serviceAccountName: outpost-selector-fix
+          restartPolicy: OnFailure
+          containers:
+            - name: fix
+              image: bitnami/kubectl:latest
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  SVC="ak-outpost-authentik-embedded-outpost"
+                  # check if endpoints are populated
+                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
+                  if [ -n "$ADDRS" ]; then
+                    echo "Endpoints OK ($ADDRS), nothing to fix"
+                    exit 0
+                  fi
+                  echo "No endpoints for $SVC, patching selector..."
+                  kubectl patch svc "$SVC" -n authentik --type=json -p '[
+                    {"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
+                    {"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
+                  ]'
+                  echo "Patched. Verifying..."
+                  sleep 2
+                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
+                  if [ -n "$ADDRS" ]; then
+                    echo "Fix confirmed, endpoints: $ADDRS"
+                  else
+                    echo "WARNING: still no endpoints after patch"
+                    exit 1
+                  fi
Author	SHA1	Message	Date
Ultradesu	887ea72a2e	Authentik hostfix All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 8s Details Check with kubeconform / lint (push) Successful in 7s Details Auto-update README / Generate README and Create MR (push) Successful in 11s Details	2026-03-20 09:39:13 +00:00
Ultradesu	4151deca72	Authentik hostfix All checks were successful Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 13s Details Check with kubeconform / lint (push) Successful in 9s Details Auto-update README / Generate README and Create MR (push) Successful in 8s Details	2026-03-20 09:37:05 +00:00