fix: add http service to authentik

charts/operator/templates/clusterrolebinding.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "homelab-operator.fullname" . }}
+  name: '{{ include "homelab-operator.fullname" . }}'
 subjects:
-- kind: ServiceAccount
+  - kind: ServiceAccount
-  name: {{ include "homelab-operator.serviceAccountName" . }}
+    name: '{{ include "homelab-operator.serviceAccountName" . }}'
-  namespace: {{ .Release.Namespace }}
+    namespace: "{{ .Release.Namespace }}"
 roleRef:
   kind: ClusterRole
-  name: {{ include "homelab-operator.fullname" . }}
+  name: '{{ include "homelab-operator.fullname" . }}'
   apiGroup: rbac.authorization.k8s.io

charts/operator/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "homelab-operator.fullname" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "homelab-operator.labels" . | nindent 4 }}
 spec:

charts/operator/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "homelab-operator.serviceAccountName" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "homelab-operator.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

images/operator/Dockerfile

@@ -1,6 +1,8 @@
 FROM node:23-slim@sha256:86191b94d2a163be41f3dc7fe5e5fcaca8ba2f1be7275d98a06343483c17414a
 RUN corepack enable
+WORKDIR /app
 COPY package.json pnpm-lock.yaml ./
+COPY patches ./patches
 RUN pnpm install --frozen-lockfile --prod
 COPY . .
 CMD ["node", "src/index.ts"]

images/operator/package.json

@@ -49,7 +49,7 @@
       "sqlite3"
     ],
     "patchedDependencies": {
-      "@kubernetes/client-node": "patches/@kubernetes__client-node.patch"
+      "@kubernetes/client-node": "./patches/@kubernetes__client-node.patch"
     }
   },
   "scripts": {

images/operator/src/resources/homelab/authentik-server/authentik-server.ts

@@ -18,6 +18,7 @@ import { RepoService } from '#bootstrap/repos/repos.ts';
 import { DestinationRule } from '#resources/istio/destination-rule/destination-rule.ts';
 import { NotReadyError } from '#utils/errors.ts';
 import { ExternalHttpService } from '../external-http-service.ts/external-http-service.ts';
+import { HttpService } from '../http-service/http-service.ts';
 
 const specSchema = z.object({
   environment: z.string(),
@@ -44,6 +45,7 @@ class AuthentikServer extends CustomResource<typeof specSchema> {
   #initSecret: Secret<InitSecretData>;
   #service: Service;
   #helmRelease: HelmRelease;
+  #httpService: HttpService;
   #externalHttpService: ExternalHttpService;
   #destinationRule: DestinationRule;
 
@@ -72,6 +74,8 @@ class AuthentikServer extends CustomResource<typeof specSchema> {
     this.#destinationRule.on('changed', this.queueReconcile);
 
     this.#externalHttpService = resourceService.get(ExternalHttpService, this.name, this.namespace);
+
+    this.#httpService = resourceService.get(HttpService, this.name, this.namespace);
   }
 
   public get service() {
@@ -253,6 +257,22 @@ class AuthentikServer extends CustomResource<typeof specSchema> {
       },
     });
 
+    await this.#httpService.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        environment: this.spec.environment,
+        subdomain: this.spec.subdomain || 'authentik',
+        destination: {
+          host: this.#service.hostname,
+          port: {
+            number: 80,
+          },
+        },
+      },
+    });
+
     await this.#externalHttpService.ensure({
       metadata: {
         ownerReferences: [this.ref],

images/operator/src/resources/homelab/oidc-client/oidc-client.ts

@@ -79,7 +79,7 @@ class OIDCClient extends CustomResource<typeof specSchema> {
       clientId: this.name,
       configuration: new URL(`/application/o/${this.appName}/.well-known/openid-configuration`, url).toString(),
       configurationIssuer: new URL(`/application/o/${this.appName}/`, url).toString(),
-      authorization: new URL(`/application/o/${this.appName}/authorize/`, url).toString(),
+      authorization: new URL(`/application/o/authorize/`, url).toString(),
       token: new URL(`/application/o/${this.appName}/token/`, url).toString(),
       userinfo: new URL(`/application/o/${this.appName}/userinfo/`, url).toString(),
       endSession: new URL(`/application/o/${this.appName}/end-session/`, url).toString(),

images/operator/src/resources/homelab/postgres-cluster/postgres-cluster.ts

@@ -108,7 +108,7 @@ class PostgresCluster extends CustomResource<typeof specSchema> {
             containers: [
               {
                 name: this.name,
-                image: 'postgres:17',
+                image: 'pgvector/pgvector:pg17-trixie',
                 ports: [{ containerPort: 5432, name: 'postgres' }],
                 env: [
                   { name: 'POSTGRES_PASSWORD', valueFrom: { secretKeyRef: { name: secretName, key: 'password' } } },

skaffold.yaml

@@ -4,10 +4,9 @@ metadata:
   name: homelab-operator
 
 build:
-  cluster: {}
   artifacts:
-    - image: homelaboperator
+    - image: zot.olsen.cloud/homelaboperator
-      context: .
+      context: ./images/operator
       docker:
         dockerfile: Dockerfile
 
@@ -16,9 +15,10 @@ manifests:
     releases:
       - name: homelab-operator
         chartPath: charts/operator
+        namespace: homelab
         setValueTemplates:
-          image.repository: '{{.IMAGE_REPO_homelaboperator}}'
+          image.repository: "zot.local/homelaboperator"
-          image.tag: '{{.IMAGE_TAG_homelaboperator}}'
+          image.tag: "{{.IMAGE_TAG_zot_olsen_cloud_homelaboperator}}"
 
 deploy:
   # Use kubectl to apply the manifests.