fix(cluster): replace InventTree setup job with env var SSO config

agentydragon · agentydragon · commit 2e900bc05361 · 2026-02-19T18:54:31.000-08:00
InvenTree supports INVENTREE_* env vars as setting overrides — no need
for a Job that polls the API. Adds INVENTREE_LOGIN_ENABLE_SSO and
INVENTREE_LOGIN_ENABLE_SSO_REG to HelmRelease env, deletes setup-job.yaml.

Also adds nix cache initialization TODO to plan.md.
diff --git a/cluster/docs/plan.md b/cluster/docs/plan.md
@@ -104,6 +104,15 @@ are not found"`. Added `kubectl wait --for=condition=Established` before Cilium
 - [ ] **Gatus: remove direct HTTPRoute** — Once Authentik proxy outpost is confirmed working,
       remove the direct HTTPRoute from `k8s/gatus/` (proxy route in `authentik-proxy-routes/`
       takes over)
+- [ ] **Nix cache: initialize Attic cache** — Attic server is running but has no caches
+      created (empty `cache` table). `cache.allegedly.works/nix-cache-info` returns 404
+      because Attic serves that endpoint per-cache at `/<name>/nix-cache-info`. Fix: run
+      `atticadm make-token` to generate an admin JWT, then `attic cache create main` and
+      `attic cache configure main --public`. Either add an init Job to the chart/kustomization
+      or run interactively once. The `atticadm` binary may not be in the current image
+      (`ghcr.io/zhaofengli/attic:latest`) — check and potentially use a different tag or
+      generate the token from the JWT secret directly. Gatus probe should use
+      `cache.allegedly.works/main/nix-cache-info` once cache exists.
 - [ ] **Deploy headscale**, test with a device
 - [ ] **OpenClaw: eliminate one-time token entry** — currently the user must retrieve
       the auto-generated gateway token (`kubectl get secret openclaw-gateway-token ...`)
diff --git a/cluster/k8s/applications/inventree/helmrelease.yaml b/cluster/k8s/applications/inventree/helmrelease.yaml
@@ -67,10 +67,12 @@ spec:
     plugins:
       enabled: true
 
-    # Auto-enable rai_plugin without requiring a UI toggle.
-    # INVENTREE_PLUGINS_MANDATORY makes the plugin always active (like builtin mandatory plugins).
     env:
+      # Auto-enable rai_plugin (always active, like builtin mandatory plugins)
       INVENTREE_PLUGINS_MANDATORY: "raiplugin"
+      # SSO settings (env vars override DB, read-only in UI)
+      INVENTREE_LOGIN_ENABLE_SSO: "true"
+      INVENTREE_LOGIN_ENABLE_SSO_REG: "true"
 
     # Pin server to Proxmox nodes (PVE)
     nodeSelector:
diff --git a/cluster/k8s/applications/inventree/kustomization.yaml b/cluster/k8s/applications/inventree/kustomization.yaml
@@ -5,4 +5,3 @@ resources:
   - postgres-service.yaml
   - helmrelease.yaml
   - httproute.yaml
-  - setup-job.yaml
diff --git a/cluster/k8s/applications/inventree/setup-job.yaml b/cluster/k8s/applications/inventree/setup-job.yaml
