From fd0c5d011b58428aa3886c251dde4660a5244f70 Mon Sep 17 00:00:00 2001
From: Ronni Baslund
Date: Wed, 10 Jun 2026 18:41:59 +0200
Subject: [PATCH] fix(infra): single replica for portal/operator (per-pod OIDC sessions)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
nuxt-oidc-auth stores sessions in per-pod memory. With 2 replicas, any request balanced to the pod that didn't handle the login 401s — in practice roughly half of all operator API calls failed after sign-in. One replica until sessions move to shared storage (nitro storage on the dezky-data Redis), then scale back up. Already scaled live; this pins the manifests so the next deploy doesn't undo it.
---
 infrastructure/production/fleet/apps/operator.yaml | 6 +++++-
 infrastructure/production/fleet/apps/portal.yaml | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/infrastructure/production/fleet/apps/operator.yaml b/infrastructure/production/fleet/apps/operator.yaml
index 8028e93..f16422e 100644
--- a/infrastructure/production/fleet/apps/operator.yaml
+++ b/infrastructure/production/fleet/apps/operator.yaml
@@ -13,7 +13,11 @@ metadata:
 app.kubernetes.io/name: operator
 app.kubernetes.io/part-of: dezky
 spec:
- replicas: 2
+ # Single replica until OIDC sessions move to shared storage: nuxt-oidc-auth
+ # keeps sessions in per-pod memory, so with >1 replica every request that
+ # lands on the pod that did NOT handle the login gets 401. TODO: nitro
+ # session storage on the dezky-data Redis, then scale back up.
+ replicas: 1
 selector:
 matchLabels:
 app.kubernetes.io/name: operator
diff --git a/infrastructure/production/fleet/apps/portal.yaml b/infrastructure/production/fleet/apps/portal.yaml
index a6de2fb..a533040 100644
--- a/infrastructure/production/fleet/apps/portal.yaml
+++ b/infrastructure/production/fleet/apps/portal.yaml
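Review bot: Pinning `replicas: 1` in this hunk (and in the identical portal.yaml hunk) does not by itself guarantee a single pod: a Deployment's default RollingUpdate strategy surges a second pod during every rollout, so the per-pod-session 401s the comment describes can briefly recur on each deploy, and every restart discards all signed-in sessions. The `strategy:` field, any HorizontalPodAutoscaler and any PodDisruptionBudget lie outside the hunk, so it is worth confirming that none of them can raise the pod count or block node drains now that only one pod exists. I would extend the comment with a line such as `# NOTE: rollouts/restarts drop all sessions; keep any HPA minReplicas/maxReplicas at 1 until shared session storage lands.` and give the TODO a tracking reference, since the login path is now a single point of failure. Once sessions do move to the shared Redis it will hold authentication state, so that store should require authentication and be reachable only from these two workloads.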
@@ -10,7 +10,11 @@ metadata:
 app.kubernetes.io/name: portal
 app.kubernetes.io/part-of: dezky
 spec:
- replicas: 2
+ # Single replica until OIDC sessions move to shared storage: nuxt-oidc-auth
+ # keeps sessions in per-pod memory, so with >1 replica every request that
+ # lands on the pod that did NOT handle the login gets 401. TODO: nitro
+ # session storage on the dezky-data Redis, then scale back up.
+ replicas: 1
 selector:
 matchLabels:
 app.kubernetes.io/name: portal