outposts: Create separate metrics service in Kubernetes (#21229)

* outposts: create separate metrics service Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix service monitor plumbing Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add some static tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make metrics service ClusterIP Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update service monitor when labels mismatch Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-06-17 19:09:11 +03:00 · 2026-03-29 22:51:10 +01:00
parent 416dd0cf86
commit 1848c6c380
8 changed files with 90 additions and 7 deletions
@@ -58,6 +58,9 @@ class BaseController:
        self.connection = connection
        self.logger = get_logger()
        self.deployment_ports = []
        self.metrics_ports = [
            DeploymentPort(9300, "http-metrics", "tcp"),
        ]
    def up(self):
        """Called by scheduled task to reconcile deployment/service/etc"""
@@ -2,7 +2,7 @@
 from typing import TYPE_CHECKING
-from kubernetes.client import CoreV1Api, V1Service, V1ServicePort, V1ServiceSpec
+from kubernetes.client import CoreV1Api, V1ObjectMeta, V1Service, V1ServicePort, V1ServiceSpec
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
@@ -84,3 +84,47 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
            reference,
            field_manager=FIELD_MANAGER,
        )
 class MetricsServiceReconciler(ServiceReconciler):
    @property
    def noop(self) -> bool:
        return self.is_embedded
    @staticmethod
    def reconciler_name() -> str:
        return "service-metrics"
    @property
    def name(self):
        name_suffix = "-metrics"
        name = super().name
        return name[: 63 - len(name_suffix)] + name_suffix
    def get_object_meta(self, **kwargs) -> V1ObjectMeta:
        meta: V1ObjectMeta = super().get_object_meta(**kwargs)
        meta.labels["goauthentik.io/service-type"] = "metrics"
        return meta
    def get_reference_object(self) -> V1Service:
        """Get deployment object for outpost"""
        meta = self.get_object_meta(name=self.name)
        ports = []
        for port in self.controller.metrics_ports:
            ports.append(
                V1ServicePort(
                    name=port.name,
                    port=port.port,
                    protocol=port.protocol.upper(),
                    target_port=port.inner_port or port.port,
                )
            )
        selector_labels = DeploymentReconciler(self.controller).get_pod_meta()
        return V1Service(
            metadata=meta,
            spec=V1ServiceSpec(
                ports=ports,
                selector=selector_labels,
                type="ClusterIP",
            ),
        )
@@ -8,6 +8,8 @@ from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.service import MetricsServiceReconciler
 from authentik.outposts.controllers.k8s.triggers import NeedsUpdate
 if TYPE_CHECKING:
    from authentik.outposts.controllers.kubernetes import KubernetesController
@@ -55,6 +57,10 @@ class PrometheusServiceMonitor:
    metadata: PrometheusServiceMonitorMetadata
    spec: PrometheusServiceMonitorSpec
    def to_dict(self):
        """`to_dict` to conform to how the kubernetes client converts objects to dicts"""
        return asdict(self)
 CRD_NAME = "servicemonitors.monitoring.coreos.com"
 CRD_GROUP = "monitoring.coreos.com"
@@ -74,6 +80,11 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
    def reconciler_name() -> str:
        return "prometheus servicemonitor"
    def reconcile(self, current: PrometheusServiceMonitor, reference: PrometheusServiceMonitor):
        if current.spec.selector.matchLabels != reference.spec.selector.matchLabels:
            raise NeedsUpdate()
        super().reconcile(current, reference)
    @property
    def noop(self) -> bool:
        if not self._crd_exists():
@@ -108,7 +119,9 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
                    )
                ],
                selector=PrometheusServiceMonitorSpecSelector(
-                    matchLabels=self.get_object_meta(name=self.name).labels,
+                    matchLabels=MetricsServiceReconciler(self.controller)
                    .get_object_meta(name=self.name)
                    .labels,
                ),
            ),
        )
@@ -18,7 +18,7 @@ from authentik.outposts.controllers.base import BaseClient, BaseController, Cont
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.secret import SecretReconciler
-from authentik.outposts.controllers.k8s.service import ServiceReconciler
+from authentik.outposts.controllers.k8s.service import MetricsServiceReconciler, ServiceReconciler
 from authentik.outposts.controllers.k8s.service_monitor import PrometheusServiceMonitorReconciler
 from authentik.outposts.models import (
    KubernetesServiceConnection,
@@ -74,6 +74,7 @@ class KubernetesController(BaseController):
            SecretReconciler.reconciler_name(): SecretReconciler,
            DeploymentReconciler.reconciler_name(): DeploymentReconciler,
            ServiceReconciler.reconciler_name(): ServiceReconciler,
            MetricsServiceReconciler.reconciler_name(): MetricsServiceReconciler,
            PrometheusServiceMonitorReconciler.reconciler_name(): (
                PrometheusServiceMonitorReconciler
            ),
@@ -82,6 +83,7 @@ class KubernetesController(BaseController):
            SecretReconciler.reconciler_name(),
            DeploymentReconciler.reconciler_name(),
            ServiceReconciler.reconciler_name(),
            MetricsServiceReconciler.reconciler_name(),
            PrometheusServiceMonitorReconciler.reconciler_name(),
        ]
@@ -1,11 +1,16 @@
 """Kubernetes controller tests"""
 from unittest.mock import MagicMock, patch
 from django.test import TestCase
 from kubernetes.client import ApiClient
 from yaml import SafeLoader, load_all
 from authentik.blueprints.tests import reconcile_app
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.service_monitor import PrometheusServiceMonitorReconciler
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
@@ -28,7 +33,7 @@ class KubernetesControllerTests(TestCase):
            self.integration,
            # Pass something not-none as client so we don't
            # attempt to connect to K8s as that's not needed
-            client=self,
+            client=ApiClient(),
        )
        rec = DeploymentReconciler(controller)
        self.assertEqual(rec.name, "ak-outpost-authentik-embedded-outpost")
@@ -42,3 +47,18 @@ class KubernetesControllerTests(TestCase):
        controller.outpost.config = _cfg
        self.assertEqual(rec.name, f"outpost-{controller.outpost.uuid.hex}")
        self.assertLess(len(rec.name), 64)
    def test_static(self):
        self.controller = KubernetesController(
            self.outpost,
            self.integration,
            # Pass something not-none as client so we don't
            # attempt to connect to K8s as that's not needed
            client=ApiClient(),
        )
        with patch.object(
            PrometheusServiceMonitorReconciler, "_crd_exists", MagicMock(return_value=True)
        ):
            manifest = self.controller.get_static_deployment()
        manifests = list(load_all(manifest, Loader=SafeLoader))
        self.assertEqual(len(manifests), 5)
@@ -15,7 +15,6 @@ class ProxyKubernetesController(KubernetesController):
        super().__init__(outpost, connection)
        self.deployment_ports = [
            DeploymentPort(9000, "http", "tcp"),
            DeploymentPort(9300, "http-metrics", "tcp"),
            DeploymentPort(9443, "https", "tcp"),
        ]
        self.reconcilers[IngressReconciler.reconciler_name()] = IngressReconciler
@@ -46,7 +46,7 @@ class TestProxyKubernetes(TestCase):
        self.controller = ProxyKubernetesController(outpost, service_connection)
        manifest = self.controller.get_static_deployment()
-        self.assertEqual(len(list(yaml.load_all(manifest, Loader=yaml.SafeLoader))), 4)
+        self.assertEqual(len(list(yaml.load_all(manifest, Loader=yaml.SafeLoader))), 5)
    @pytest.mark.timeout(120, func_only=True)
    def test_kubernetes_controller_ingress(self):
@@ -9,7 +9,8 @@ This integration has the advantage over manual deployments of automatic updates
 This integration creates the following objects:
 - Deployment for the outpost container
- Service
+- Service for protocol access
 - Service for metrics access
 - Secret to store the token
 - Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster)
 - Ingress (only Proxy outposts)
@@ -32,6 +33,7 @@ The following outpost settings are used:
    - 'secret'
    - 'deployment'
    - 'service'
    - 'service-metrics'
    - 'prometheus servicemonitor'
    - 'ingress'
    - 'traefik middleware'