## Workaround for authentik bug: embedded outpost controller creates
## a Service with selectors that don't match the pod labels it sets.
## Remove this after upgrading to a version with the fix.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: outpost-selector-fix
  namespace: authentik
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: outpost-selector-fix
  namespace: authentik
rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "patch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: outpost-selector-fix
  namespace: authentik
subjects:
  - kind: ServiceAccount
    name: outpost-selector-fix
    namespace: authentik
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: outpost-selector-fix
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: outpost-selector-fix
  namespace: authentik
spec:
  schedule: "*/5 * * * *"
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  concurrencyPolicy: Replace
  jobTemplate:
    spec:
      ttlSecondsAfterFinished: 300
      template:
        spec:
          serviceAccountName: outpost-selector-fix
          restartPolicy: OnFailure
          containers:
            - name: fix
              image: bitnami/kubectl:latest
              command:
                - /bin/sh
                - -c
                - |
                  SVC="ak-outpost-authentik-embedded-outpost"
                  # check if endpoints are populated
                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
                  if [ -n "$ADDRS" ]; then
                    echo "Endpoints OK ($ADDRS), nothing to fix"
                    exit 0
                  fi
                  echo "No endpoints for $SVC, patching selector..."
                  kubectl patch svc "$SVC" -n authentik --type=json -p '[
                    {"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
                    {"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
                  ]'
                  echo "Patched. Verifying..."
                  sleep 2
                  ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
                  if [ -n "$ADDRS" ]; then
                    echo "Fix confirmed, endpoints: $ADDRS"
                  else
                    echo "WARNING: still no endpoints after patch"
                    exit 1
                  fi