From ca025690e09db968a1886ca8d6c799ded398cdd4 Mon Sep 17 00:00:00 2001
From: Philipp Kolberg
Date: Sat, 28 Oct 2023 22:29:55 +0200
Subject: [PATCH] Allow specifying the service's ipFamilyPolicy and ipFamilies
---
 authentik/outposts/controllers/k8s/service.py | 8 ++++++++
 authentik/outposts/models.py | 2 ++
 authentik/providers/proxy/controllers/k8s/ingress.py | 6 +++---
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/authentik/outposts/controllers/k8s/service.py b/authentik/outposts/controllers/k8s/service.py
index 374e94274..c9b28d240 100644
--- a/authentik/outposts/controllers/k8s/service.py
+++ b/authentik/outposts/controllers/k8s/service.py
@@ -32,6 +32,12 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
 # priority than being updated.
 if current.spec.selector != reference.spec.selector:
 raise NeedsUpdate()
+ if current.spec.type != reference.spec.type:
+ raise NeedsUpdate()
+ if current.spec.ipFamilyPolicy != reference.spec.ipFamilyPolicy:
+ raise NeedsUpdate()
+ if current.spec.ipFamilies != reference.spec.ipFamilies:
+ raise NeedsUpdate()
 super().reconcile(current, reference)
 def get_reference_object(self) -> V1Service:
@@ -60,6 +66,8 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
 ports=ports,
 selector=selector_labels,
 type=self.controller.outpost.config.kubernetes_service_type,
+ ip_family_policy=self.controller.outpost.config.kubernetes_service_ip_family_policy,
+ ip_families=self.controller.outpost.config.kubernetes_service_ip_families,
 ),
 )
diff --git a/authentik/outposts/models.py b/authentik/outposts/models.py
index f876a0cf3..ac81bcf4e 100644
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
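Review bot: The two new comparisons in `reconcile` read `current.spec.ipFamilyPolicy` and `current.spec.ipFamilies`, but the Kubernetes Python client exposes these fields on `V1ServiceSpec` under snake_case names, which is how the second hunk of this same file passes them (`ip_family_policy=`, `ip_families=`). As written, the attribute access should raise `AttributeError` as soon as an existing Service is compared, instead of raising `NeedsUpdate`. Suggested: `if current.spec.ip_family_policy != reference.spec.ip_family_policy:` and `if current.spec.ip_families != reference.spec.ip_families:`. The body of `reconcile` starts above the hunk, so whether an outer handler would mask the error cannot be seen from here.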
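Review bot: `ip_families` is forwarded straight from the outpost config, whose default in the models.py hunk is an empty list, while the API server normally fills in `spec.ipFamilies` on the live object when the field is left empty. If that holds here, the comparison added to `reconcile` would see a populated list against `[]` on every pass and keep raising `NeedsUpdate`. Consider sending `None` for an unset value, `ip_families=self.controller.outpost.config.kubernetes_service_ip_families or None,`, and comparing the field in `reconcile` only when the reference actually sets it. The same applies to `ip_family_policy` when an operator sets it to `None`, which the `Optional[str]` annotation allows. The `V1ServiceSpec(...)` call starts above the hunk.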
@@ -73,6 +73,8 @@ class OutpostConfig:
 kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
 kubernetes_ingress_class_name: Optional[str] = field(default=None)
 kubernetes_service_type: str = field(default="ClusterIP")
+ kubernetes_service_ip_family_policy: Optional[str] = field(default="SingleStack")
+ kubernetes_service_ip_families: list[str] = field(default_factory=list)
 kubernetes_disabled_components: list[str] = field(default_factory=list)
 kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
 kubernetes_json_patches: Optional[dict[str, list[dict[str, Any]]]] = field(default=None)
diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py
index e0cc54dba..a8eb967d0 100644
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@@ -159,13 +159,13 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
 rules.append(rule)
 tls_config = None
 if tls_hosts:
- tls_config = V1IngressTLS(
+ tls_config = [V1IngressTLS(
 hosts=tls_hosts,
 secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name,
- )
+ )]
 spec = V1IngressSpec(
 rules=rules,
- tls=[tls_config],
+ tls=tls_config,
 )
 if self.controller.outpost.config.kubernetes_ingress_class_name:
 spec.ingress_class_name = self.controller.outpost.config.kubernetes_ingress_class_name
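Review bot: The two new `OutpostConfig` fields accept any string and are forwarded to the Service spec unchanged, so a typo or an inconsistent pair (for example `SingleStack` with two families) only surfaces as a rejected apply at reconcile time. A comment naming the accepted values would help, e.g. `# One of SingleStack, PreferDualStack, RequireDualStack` above the policy field and `# Ordered IPv4 / IPv6 entries; empty lets the cluster choose` above the list. The outpost documentation should also state that a dual-stack policy makes the outpost Service reachable over a second address family, so network policies and firewall rules written for a single family need to be reviewed before enabling it.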
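Review bot: The wrapped `[V1IngressTLS(` … `)]` leaves the `hosts=` and `secret_name=` arguments at their old indentation (they are unchanged context lines), so an auto-formatter, if the project runs one, will rewrite this block again; putting the list brackets on their own lines avoids that churn. `tls_config` now holds either a list or `None`, and with `None` the Ingress is created without a TLS section, so a short comment such as `# tls=None omits the TLS section when no host needs a certificate` would make the plain-HTTP outcome explicit. When that branch is taken depends on how `tls_hosts` is filled in the loop above the hunk, which is not visible here. This fix is also unrelated to the ipFamily change named in the subject and would be easier to track or revert as its own commit. The enclosing method starts and ends outside the hunk.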