From 9e496cb8d6189d3722d5653b41fcf3ec30b5b982 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 9 Jan 2026 07:12:40 -0300
Subject: [PATCH] logging: fix oauth2 scope and pin loki to rpi
---
 services/logging/loki-helmrelease.yaml | 54 ++++++++++++++++++++++++++
 services/logging/oauth2-proxy.yaml | 14 +++----
 2 files changed, 61 insertions(+), 7 deletions(-)
diff --git a/services/logging/loki-helmrelease.yaml b/services/logging/loki-helmrelease.yaml
index cba22e3..136ae8c 100644
--- a/services/logging/loki-helmrelease.yaml
+++ b/services/logging/loki-helmrelease.yaml
@@ -54,10 +54,64 @@ spec:
 replicas: 0
 singleBinary:
 replicas: 1
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: hardware
+ operator: In
+ values:
+ - rpi5
+ - rpi4
 persistence:
 enabled: true
 size: 200Gi
 storageClass: asteria
+ gateway:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: hardware
+ operator: In
+ values:
+ - rpi5
+ - rpi4
+ chunksCache:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: hardware
+ operator: In
+ values:
+ - rpi5
+ - rpi4
+ resultsCache:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: hardware
+ operator: In
+ values:
+ - rpi5
+ - rpi4
+ canary:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: hardware
+ operator: In
+ values:
+ - rpi5
+ - rpi4
 service:
 type: ClusterIP
 ingress:
diff --git a/services/logging/oauth2-proxy.yaml b/services/logging/oauth2-proxy.yaml
index ac6accc..29d29d6 100644
--- a/services/logging/oauth2-proxy.yaml
+++ b/services/logging/oauth2-proxy.yaml
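Review bot: The `requiredDuringSchedulingIgnoredDuringExecution` rule added under `singleBinary` (one replica) leaves the log store Pending whenever no node labelled `hardware` in `rpi5`/`rpi4` is schedulable, which opens a gap in log collection; the same hard requirement replaces the weighted preference in the first hunk of services/logging/oauth2-proxy.yaml. If the pinning is deliberate, record the reason in a comment above the first block, for example `# hard-pinned to rpi nodes: <reason>`, and alert on Pending pods in this namespace. The five affinity blocks are identical copies, so a typo in one of them is easy to miss, and it is worth confirming against the chart's values that `gateway`, `chunksCache`, `resultsCache` and `canary` are keys the chart reads at this level, since Helm drops unknown values silently unless the chart ships a schema. The enclosing `spec:` mapping starts and ends outside the hunk, so the nesting cannot be checked from here.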
@@ -37,13 +37,14 @@ spec:
 node-role.kubernetes.io/worker: "true"
 affinity:
 nodeAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 90
- preference:
- matchExpressions:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
 - key: hardware
 operator: In
- values: ["rpi5","rpi4"]
+ values:
+ - rpi5
+ - rpi4
 containers:
 - name: oauth2-proxy
 image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
@@ -52,7 +53,7 @@ spec:
 - --provider=oidc
 - --redirect-url=https://logs.bstein.dev/oauth2/callback
 - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
- - --scope=openid profile email groups
+ - --scope=openid profile email
 - --email-domain=*
 - --set-xauthrequest=true
 - --pass-access-token=true
@@ -66,7 +67,6 @@ spec:
 - --http-address=0.0.0.0:4180
 - --skip-provider-button=true
 - --skip-jwt-bearer-tokens=true
- - --oidc-groups-claim=groups
 - --cookie-domain=logs.bstein.dev
 env:
 - name: OAUTH2_PROXY_CLIENT_ID
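Review bot: With the `groups` scope dropped from `--scope` here and `--oidc-groups-claim=groups` removed in the following hunk, the only access filter visible in these args is `--email-domain=*`, so any account the `atlas` realm authenticates can presumably read the logs behind this proxy. No `--allowed-group` appears in the visible lines, so this may match the previous behaviour, but the change also removes the means to restrict by group later. If the scope was dropped because the issuer rejected it, the tighter fix is to define the groups scope and mapper on the identity provider, keep the claim, and gate with `--allowed-group=<group-placeholder>`. Otherwise add a comment above `--scope` such as `# no group gating here: access is restricted by the IdP client settings`, if that is in fact where it is enforced. The args list starts and ends outside both hunks.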