fix(prometheus): extend startup timeout

infrastructure/terraform/authentik/applications.tf

@@ -40,7 +40,7 @@ module "oauth2-audiobookshelf" {
   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
   client_id          = module.secret_audiobookshelf.fields["OIDC_CLIENT_ID"]
   client_secret      = module.secret_audiobookshelf.fields["OIDC_CLIENT_SECRET"]
-  additional_property_mappings = formatlist(authentik_scope_mapping.audiobookshelf.id)
+  additional_property_mappings = formatlist(authentik_property_mapping_provider_scope.audiobookshelf.id)
   redirect_uris      = ["https://audiobooks.exelent.click/auth/openid/callback", "audiobookshelf://oauth"]
 }
 
@@ -53,8 +53,8 @@ module "oauth2-mealie" {
   newtab             = true
   group              = "Selfhosted"
   auth_groups        = [authentik_group.users.id]
-  client_type        = "public"
   authorization_flow = resource.authentik_flow.provider-authorization-implicit-consent.uuid
   client_id          = module.secret_mealie.fields["OIDC_CLIENT_ID"]
+  client_secret      = module.secret_mealie.fields["OIDC_CLIENT_SECRET"]
   redirect_uris      = ["https://mealie.exelent.click/login"]
 }

infrastructure/terraform/authentik/customization.tf

@@ -1,4 +1,4 @@
-resource "authentik_scope_mapping" "audiobookshelf" {
+resource "authentik_property_mapping_provider_scope" "audiobookshelf" {
   name       = "OAuth Mapping: OpenID 'audiobookshelf'"
   scope_name = "groups"
   expression = <<EOF

infrastructure/terraform/authentik/oauth2_application/main.tf

@@ -10,7 +10,7 @@ data "authentik_certificate_key_pair" "generated" {
   name = "authentik Self-signed Certificate"
 }
 
-data "authentik_scope_mapping" "scopes" {
+data "authentik_property_mapping_provider_scope" "scopes" {
   managed_list = [
     "goauthentik.io/providers/oauth2/scope-email",
     "goauthentik.io/providers/oauth2/scope-openid",
@@ -30,7 +30,7 @@ resource "authentik_provider_oauth2" "oauth2-application" {
   authorization_flow         = var.authorization_flow
   signing_key                = data.authentik_certificate_key_pair.generated.id
   client_type                = var.client_type
-  property_mappings          = concat(data.authentik_scope_mapping.scopes.ids, var.additional_property_mappings)
+  property_mappings          = concat(data.authentik_property_mapping_provider_scope.scopes.ids, var.additional_property_mappings)
   redirect_uris              = var.redirect_uris
 }
 

kubernetes/apps/default/mealie/app/externalsecret.yaml

@@ -31,6 +31,7 @@ spec:
         OIDC_AUTH_ENABLED: "True"
         OIDC_CONFIGURATION_URL: "https://sso.exelent.click/application/o/mealie/.well-known/openid-configuration"
         OIDC_CLIENT_ID: "{{ .OIDC_CLIENT_ID }}"
+        OIDC_CLIENT_SECRET: "{{ .OIDC_CLIENT_SECRET }}"
         OIDC_ADMIN_GROUP: Infrastructure
         OIDC_AUTO_REDIRECT: "True"
         OIDC_PROVIDER_NAME: Authentik

kubernetes/apps/observability/grafana/app/helmrelease.yaml

@@ -158,7 +158,6 @@ spec:
             url: http://thanos-query-frontend.observability.svc.cluster.local:10902
             jsonData:
               prometheusType: Thanos
-              timeInterval: 1m
           - name: Loki
             type: loki
             uid: loki

kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml

@@ -111,12 +111,16 @@ spec:
       thanosServiceMonitor:
         enabled: true
       prometheusSpec:
+        image:
+          registry: quay.io
+          repository: prometheus/prometheus
+          tag: v3.0.1
+        maximumStartupDurationSeconds: 1000
         podMetadata:
           annotations:
             secret.reloader.stakater.com/reload: &secret thanos-objstore-config
         replicas: 2
         replicaExternalLabelName: __replica__
-        scrapeInterval: 1m # Must match interval in Grafana Helm chart
         ruleSelectorNilUsesHelmValues: false
         serviceMonitorSelectorNilUsesHelmValues: false
         podMonitorSelectorNilUsesHelmValues: false