logging: fix oauth2 scope and pin loki to rpi

2026-01-09 07:12:40 -03:00 · 2026-01-09 07:12:40 -03:00 · 9e496cb8d6
commit 9e496cb8d6
parent 3694b8f76e
2 changed files with 61 additions and 7 deletions
--- a/services/logging/loki-helmrelease.yaml
+++ b/services/logging/loki-helmrelease.yaml
@ -54,10 +54,64 @@ spec:
      replicas: 0
    singleBinary:
      replicas: 1
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values:
+                      - rpi5
+                      - rpi4
      persistence:
        enabled: true
        size: 200Gi
        storageClass: asteria
+    gateway:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values:
+                      - rpi5
+                      - rpi4
+    chunksCache:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values:
+                      - rpi5
+                      - rpi4
+    resultsCache:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values:
+                      - rpi5
+                      - rpi4
+    canary:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values:
+                      - rpi5
+                      - rpi4
    service:
      type: ClusterIP
    ingress:
--- a/services/logging/oauth2-proxy.yaml
+++ b/services/logging/oauth2-proxy.yaml
@ -37,13 +37,14 @@ spec:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 90
-              preference:
-                matchExpressions:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
                  - key: hardware
                    operator: In
-                    values: ["rpi5","rpi4"]
+                    values:
+                      - rpi5
+                      - rpi4
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
@ -52,7 +53,7 @@ spec:
            - --provider=oidc
            - --redirect-url=https://logs.bstein.dev/oauth2/callback
            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
-            - --scope=openid profile email groups
+            - --scope=openid profile email
            - --email-domain=*
            - --set-xauthrequest=true
            - --pass-access-token=true
@ -66,7 +67,6 @@ spec:
            - --http-address=0.0.0.0:4180
            - --skip-provider-button=true
            - --skip-jwt-bearer-tokens=true
-            - --oidc-groups-claim=groups
            - --cookie-domain=logs.bstein.dev
          env:
            - name: OAUTH2_PROXY_CLIENT_ID