outposts: check ports of deployment in kubernetes outpost controller

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/outposts/controllers/k8s/deployment.py

@@ -18,6 +18,7 @@ from kubernetes.client import (
 
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsUpdate
+from authentik.outposts.controllers.k8s.utils import compare_ports
 from authentik.outposts.models import Outpost
 
 if TYPE_CHECKING:
@@ -35,7 +36,10 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
         self.outpost = self.controller.outpost
 
     def reconcile(self, current: V1Deployment, reference: V1Deployment):
-        super().reconcile(current, reference)
+        compare_ports(
+            current.spec.template.spec.containers[0].ports,
+            reference.spec.template.spec.containers[0].ports,
+        )
         if current.spec.replicas != reference.spec.replicas:
             raise NeedsUpdate()
         if (
@@ -43,6 +47,7 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
             != reference.spec.template.spec.containers[0].image
         ):
             raise NeedsUpdate()
+        super().reconcile(current, reference)
 
     def get_pod_meta(self) -> dict[str, str]:
         """Get common object metadata"""

authentik/outposts/controllers/k8s/service.py

@@ -4,8 +4,9 @@ from typing import TYPE_CHECKING
 from kubernetes.client import CoreV1Api, V1Service, V1ServicePort, V1ServiceSpec
 
 from authentik.outposts.controllers.base import FIELD_MANAGER
-from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsRecreate
+from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
+from authentik.outposts.controllers.k8s.utils import compare_ports
 
 if TYPE_CHECKING:
     from authentik.outposts.controllers.kubernetes import KubernetesController
@@ -19,11 +20,7 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
         self.api = CoreV1Api(controller.client)
 
     def reconcile(self, current: V1Service, reference: V1Service):
-        if len(current.spec.ports) != len(reference.spec.ports):
+        compare_ports(current.spec, reference.spec)
-            raise NeedsRecreate()
-        for port in reference.spec.ports:
-            if port not in current.spec.ports:
-                raise NeedsRecreate()
         # run the base reconcile last, as that will probably raise NeedsUpdate
         # after an authentik update. However the ports might have also changed during
         # the update, so this causes the service to be re-created with higher

authentik/outposts/controllers/k8s/utils.py

@@ -1,8 +1,11 @@
 """k8s utils"""
 from pathlib import Path
 
+from kubernetes.client.models.v1_container_port import V1ContainerPort
 from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME
 
+from authentik.outposts.controllers.k8s.base import NeedsRecreate
+
 
 def get_namespace() -> str:
     """Get the namespace if we're running in a pod, otherwise default to default"""
@@ -11,3 +14,12 @@ def get_namespace() -> str:
         with open(path, "r", encoding="utf8") as _namespace_file:
             return _namespace_file.read()
     return "default"
+
+
+def compare_ports(current: list[V1ContainerPort], reference: list[V1ContainerPort]):
+    """Compare ports of a list"""
+    if len(current) != len(reference):
+        raise NeedsRecreate()
+    for port in reference:
+        if port not in current:
+            raise NeedsRecreate()