From f0a8c30ce9712ddee4e8ce4bc0556626335ad6e0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 8 Aug 2021 14:01:39 +0200
Subject: [PATCH] outposts: create different service when using embedded
 outpost

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/outposts/controllers/k8s/base.py    |  5 +++
 authentik/outposts/controllers/k8s/service.py | 33 ++++++++++++++++++-
 authentik/outposts/managed.py                 |  1 -
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/authentik/outposts/controllers/k8s/base.py b/authentik/outposts/controllers/k8s/base.py
index 96c2f9464..4a2126b45 100644
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@@ -40,6 +40,11 @@ class KubernetesObjectReconciler(Generic[T]):
         self.namespace = controller.outpost.config.kubernetes_namespace
         self.logger = get_logger().bind(type=self.__class__.__name__)
 
+    @property
+    def is_embedded(self) -> bool:
+        """Return true if the current outpost is embedded"""
+        return self.controller.outpost.managed != ""
+
     @property
     def noop(self) -> bool:
         """Return true if this object should not be created/updated/deleted in this cluster"""
diff --git a/authentik/outposts/controllers/k8s/service.py b/authentik/outposts/controllers/k8s/service.py
index c2d7d015a..efec9b694 100644
--- a/authentik/outposts/controllers/k8s/service.py
+++ b/authentik/outposts/controllers/k8s/service.py
@@ -3,7 +3,7 @@ from typing import TYPE_CHECKING
 
 from kubernetes.client import CoreV1Api, V1Service, V1ServicePort, V1ServiceSpec
 
-from authentik.outposts.controllers.base import FIELD_MANAGER
+from authentik.outposts.controllers.base import FIELD_MANAGER, DeploymentPort
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsUpdate
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 
@@ -26,8 +26,39 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
             if port not in current.spec.ports:
                 raise NeedsUpdate()
 
+    def get_embedded_reference_object(self) -> V1Service:
+        """Get Service for embedded outpost"""
+        selector_labels = {
+            "app.kubernetes.io/name": "authentik",
+            "app.kubernetes.io/component": "server",
+        }
+        meta = self.get_object_meta(name=self.name)
+        ports = []
+        for port in [
+            DeploymentPort(9000, "http", "tcp"),
+            DeploymentPort(9443, "https", "tcp"),
+        ]:
+            ports.append(
+                V1ServicePort(
+                    name=port.name,
+                    port=port.port,
+                    protocol=port.protocol.upper(),
+                    target_port=port.inner_port or port.port,
+                )
+            )
+        return V1Service(
+            metadata=meta,
+            spec=V1ServiceSpec(
+                ports=ports,
+                selector=selector_labels,
+                type=self.controller.outpost.config.kubernetes_service_type,
+            ),
+        )
+
     def get_reference_object(self) -> V1Service:
         """Get deployment object for outpost"""
+        if self.is_embedded:
+            return self.get_embedded_reference_object()
         meta = self.get_object_meta(name=self.name)
         ports = []
         for port in self.controller.deployment_ports:
diff --git a/authentik/outposts/managed.py b/authentik/outposts/managed.py
index c74d4f313..e5f915b2a 100644
--- a/authentik/outposts/managed.py
+++ b/authentik/outposts/managed.py
@@ -38,7 +38,6 @@ class OutpostManager(ObjectManager):
                         authentik_host="",
                         kubernetes_disabled_components=[
                             "deployment",
-                            "service",
                             "secret",
                         ],
                     )