ab/homelab
1
1
Fork 1
Code Pull Requests 143 Actions Packages Wiki Activity
Files
a5e390714dacb4d21c112ff340b20926a9127456
homelab/k8s/core/authentik/outpost-selector-fix.yaml
Ultradesu 4151deca72
All checks were successful
Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 13s
Details
Check with kubeconform / lint (push) Successful in 9s
Details
Auto-update README / Generate README and Create MR (push) Successful in 8s
Details
Authentik hostfix
2026-03-20 09:37:05 +00:00

82 lines
2.6 KiB
YAML
Raw Blame History

## Workaround for authentik bug: embedded outpost controller creates
## a Service with selectors that don't match the pod labels it sets.
## Remove this after upgrading to a version with the fix.
apiVersion: v1
kind: ServiceAccount
metadata:
name: outpost-selector-fix
namespace: authentik
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: outpost-selector-fix
namespace: authentik
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "patch"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: outpost-selector-fix
namespace: authentik
subjects:
- kind: ServiceAccount
name: outpost-selector-fix
namespace: authentik
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: outpost-selector-fix
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: outpost-selector-fix
namespace: authentik
spec:
schedule: "*/5 * * * *"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 3
concurrencyPolicy: Replace
jobTemplate:
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: outpost-selector-fix
restartPolicy: OnFailure
containers:
- name: fix
image: bitnami/kubectl:latest
command:
- /bin/sh
- -c
- |
SVC="ak-outpost-authentik-embedded-outpost"
# check if endpoints are populated
ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
if [ -n "$ADDRS" ]; then
echo "Endpoints OK ($ADDRS), nothing to fix"
exit 0
fi
echo "No endpoints for $SVC, patching selector..."
kubectl patch svc "$SVC" -n authentik --type=json -p '[
{"op":"remove","path":"/spec/selector/app.kubernetes.io~1component"},
{"op":"replace","path":"/spec/selector/app.kubernetes.io~1name","value":"authentik-outpost-proxy"}
]'
echo "Patched. Verifying..."
sleep 2
ADDRS=$(kubectl get endpoints "$SVC" -n authentik -o jsonpath='{.subsets[*].addresses[*].ip}' 2>/dev/null)
if [ -n "$ADDRS" ]; then
echo "Fix confirmed, endpoints: $ADDRS"
else
echo "WARNING: still no endpoints after patch"
exit 1
fi
View Git Blame Copy Permalink