diff --git a/authentik/outposts/controllers/k8s/deployment.py b/authentik/outposts/controllers/k8s/deployment.py
index 9c9aefc70..47353f94c 100644
--- a/authentik/outposts/controllers/k8s/deployment.py
+++ b/authentik/outposts/controllers/k8s/deployment.py
@@ -18,6 +18,7 @@ from kubernetes.client import (
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsUpdate
+from authentik.outposts.controllers.k8s.utils import compare_ports
 from authentik.outposts.models import Outpost
 if TYPE_CHECKING:
@@ -35,7 +36,10 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
 self.outpost = self.controller.outpost
 def reconcile(self, current: V1Deployment, reference: V1Deployment):
- super().reconcile(current, reference)
+ compare_ports(
+ current.spec.template.spec.containers[0].ports,
+ reference.spec.template.spec.containers[0].ports,
+ )
 if current.spec.replicas != reference.spec.replicas:
 raise NeedsUpdate()
 if (
@@ -43,6 +47,7 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
 != reference.spec.template.spec.containers[0].image
 ):
 raise NeedsUpdate()
+ super().reconcile(current, reference)
 def get_pod_meta(self) -> dict[str, str]:
 """Get common object metadata"""
diff --git a/authentik/outposts/controllers/k8s/service.py b/authentik/outposts/controllers/k8s/service.py
index 12b50c222..d84d64ea6 100644
--- a/authentik/outposts/controllers/k8s/service.py
+++ b/authentik/outposts/controllers/k8s/service.py
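Review bot: The reordering in `DeploymentReconciler.reconcile` (port check first, `super().reconcile(current, reference)` moved to the end in the `@@ -43,6 +47,7 @@` hunk) carries no explanation, while the service reconciler has a comment for the same ordering. I would add `# compare ports before the base reconcile, so a port change recreates the deployment instead of only updating it` above the `compare_ports(` call. Separately, `compare_ports` tests `port not in current`, which compares whole port objects. If the API server fills in a field that the reference leaves unset (possibly `protocol`, not verifiable from this diff), the check would raise `NeedsRecreate` on every run and the outpost Deployment would be recreated in a loop. The body of `reconcile` continues into the next hunk.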
@@ -4,8 +4,9 @@ from typing import TYPE_CHECKING
 from kubernetes.client import CoreV1Api, V1Service, V1ServicePort, V1ServiceSpec
 from authentik.outposts.controllers.base import FIELD_MANAGER
-from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsRecreate
+from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
+from authentik.outposts.controllers.k8s.utils import compare_ports
 if TYPE_CHECKING:
 from authentik.outposts.controllers.kubernetes import KubernetesController
@@ -19,11 +20,7 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
 self.api = CoreV1Api(controller.client)
 def reconcile(self, current: V1Service, reference: V1Service):
- if len(current.spec.ports) != len(reference.spec.ports):
- raise NeedsRecreate()
- for port in reference.spec.ports:
- if port not in current.spec.ports:
- raise NeedsRecreate()
+ compare_ports(current.spec, reference.spec)
 # run the base reconcile last, as that will probably raise NeedsUpdate
 # after an authentik update. However the ports might have also changed during
 # the update, so this causes the service to be re-created with higher
diff --git a/authentik/outposts/controllers/k8s/utils.py b/authentik/outposts/controllers/k8s/utils.py
index ed9663064..ad158e7e8 100644
--- a/authentik/outposts/controllers/k8s/utils.py
+++ b/authentik/outposts/controllers/k8s/utils.py
@@ -1,8 +1,11 @@
 """k8s utils"""
 from pathlib import Path
+from kubernetes.client.models.v1_container_port import V1ContainerPort
 from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME
+from authentik.outposts.controllers.k8s.base import NeedsRecreate
+
 def get_namespace() -> str:
 """Get the namespace if we're running in a pod, otherwise default to default"""
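Review bot: In `ServiceReconciler.reconcile`, `compare_ports(current.spec, reference.spec)` passes the two `V1ServiceSpec` objects rather than their port lists, whereas the removed code compared `.spec.ports`. The helper added in utils.py calls `len()` on its arguments and iterates them, so this call is expected to fail with `TypeError` before any port comparison happens, instead of raising `NeedsRecreate` on drift. The call should read `compare_ports(current.spec.ports, reference.spec.ports)`. The helper's annotation `list[V1ContainerPort]` also does not cover the `V1ServicePort` items this caller would pass. `reconcile` continues past the end of this hunk.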
@@ -11,3 +14,12 @@ def get_namespace() -> str:
 with open(path, "r", encoding="utf8") as _namespace_file:
 return _namespace_file.read()
 return "default"
+
+
+def compare_ports(current: list[V1ContainerPort], reference: list[V1ContainerPort]):
+ """Compare ports of a list"""
+ if len(current) != len(reference):
+ raise NeedsRecreate()
+ for port in reference:
+ if port not in current:
+ raise NeedsRecreate()
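Review bot: `compare_ports` calls `len(current)` and `len(reference)` with no `None` guard. The Kubernetes client models leave an unset `ports` list as `None`, so a live object with no ports declared would fail with `TypeError` instead of signalling `NeedsRecreate`. Normalising at the top, `current = current or []` and `reference = reference or []`, makes the comparison cover that case. The docstring `"""Compare ports of a list"""` does not state the outcome; I would write `"""Raise NeedsRecreate if the two port lists differ in length or content."""` and widen the parameter annotation, since service.py uses this helper for service ports as well.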