FigJam Diagram: Media Profiler — Public Media Profile Generator (expires 2026-04-13)
Public-facing media profiling tool. Any @gmail.com account can sign in — no whitelist.
| Public URL | https://media-profiler.k3s.strommen.systems (any @gmail.com) |
| Internal URL | https://media-profiler.k3s.internal.strommen.systems (no auth, LAN only) |
| Namespace | media-profiler |
| Image | harbor.k3s.internal.strommen.systems/production/media-profiler:sha-2531e38 |
| Port | 8000 (FastAPI) |
| Replicas | 1 |
Note: The internal manifest (media-profiler.yaml) only defines the internal route. The public URL at media-profiler.k3s.strommen.systems and the oauth2-proxy-open-gmail authentication chain are defined in kubernetes/apps/public-ingress/public-ingress.yaml (separate manifest).
Auth chain (public route):
- oauth2-proxy in reverse-proxy mode (intentional exception — not Authentik forwardAuth)
- Allowed users: any @gmail.com account — no whitelist
- Identity header: X-Auth-Request-Email header to the app
- Label selector: {app="oauth2-proxy-open-gmail"}

Flow: public-ingress namespace → oauth2-proxy-open-gmail → media-profiler.media-profiler:8000

Auth exception: The cluster migrated to Authentik forwardAuth in 2026-04 for all internal services. Media Profiler deliberately retains oauth2-proxy-open-gmail because it allows unrestricted @gmail.com access without requiring Authentik enrollment. This is by design — do not migrate this to Authentik forwardAuth.
The internal route (media-profiler.k3s.internal.strommen.systems) bypasses auth entirely — LAN/VPN only.
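The app only ever learns who a user is from the X-Auth-Request-Email header that oauth2-proxy-open-gmail sets on the public route; on the internal route no proxy sits in front of the app, so the header is absent or whatever the client sent. The helper below is an added illustration, not the Media Profiler app's own code, of how the app side should consume that header: a missing or malformed value is treated as anonymous, a non-@gmail.com value is rejected because the proxy's allow rule could never have produced it, and every request is logged with its resolved subject so internal-route access is visible rather than silent.

```python
"""Hypothetical identity helper for a FastAPI app behind oauth2-proxy-open-gmail.

Not the Media Profiler app's own code. Names (resolve_principal, audit_line)
are assumptions chosen for this example.
"""
import re
from dataclasses import dataclass
from typing import Mapping, Optional

IDENTITY_HEADER = "x-auth-request-email"   # set by oauth2-proxy on the public route
ALLOWED_DOMAIN = "gmail.com"               # oauth2-proxy-open-gmail admits only @gmail.com
LOCAL_PART = re.compile(r"^[a-z0-9][a-z0-9._+-]{0,63}$")


@dataclass(frozen=True)
class Principal:
    email: str                               # normalised, lower-case address
    via: str = "oauth2-proxy-open-gmail"     # the only component that may assert identity


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain mapping (works for any framework)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def resolve_principal(headers: Mapping[str, str]) -> Optional[Principal]:
    """Return the proxy-asserted principal, or None for anonymous/internal requests.

    None means no usable proxy-asserted identity: the request either came in on the
    unauthenticated internal route or carried a value the proxy would never emit.
    Callers must treat None as anonymous, never as an implicit privileged user.
    """
    raw = _header(headers, IDENTITY_HEADER)
    if raw is None:
        return None
    email = raw.strip().lower()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if domain != ALLOWED_DOMAIN or not LOCAL_PART.match(local):
        return None
    return Principal(email=email)


def audit_line(headers: Mapping[str, str], path: str) -> str:
    """One log line per request; anonymous hits are the internal (no-auth) route."""
    who = resolve_principal(headers)
    subject = who.email if who else "anonymous"
    route = "public" if who else "internal-or-unauthenticated"
    return f'access subject="{subject}" route={route} path="{path}"'
```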
| Component | Image | Port | Purpose |
|---|---|---|---|
| media-profiler | production/media-profiler:sha-2531e38 | 8000 | FastAPI app |
| postgres | postgres:16-alpine | 5432 | Profile metadata store |
| Volume | Type | Size | Mount | Purpose |
|---|---|---|---|---|
| postgres-data | Longhorn PVC (RWO) | 1Gi | /var/lib/postgresql/data | PostgreSQL data |
| profiles-storage | Longhorn PVC (RWO) | 256Mi | /app/profiles | Generated profile files |
| Secret | Keys | Purpose |
|---|---|---|
| postgres-credentials | POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB, DATABASE_URL | Database access |
| postgres-backup-aws-credentials | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY | S3 backup credentials (used by postgres-backup-cronjob.yaml, not the main Deployment) |
Bootstrap:
# Hex output keeps the password free of '/', '+' and '=', which base64 can emit and which
# would need percent-encoding before they are safe inside the DATABASE_URL below.
PW="$(openssl rand -hex 32)"
kubectl create secret generic postgres-credentials -n media-profiler \
  --from-literal=POSTGRES_USER=mediaprofiler \
  --from-literal=POSTGRES_PASSWORD="${PW}" \
  --from-literal=POSTGRES_DB=mediaprofiler \
  --from-literal=DATABASE_URL="postgresql://mediaprofiler:${PW}@postgres:5432/mediaprofiler"
# Backup credentials come from the Terraform output; the placeholders below are not real values.
kubectl create secret generic postgres-backup-aws-credentials -n media-profiler \
  --from-literal=AWS_ACCESS_KEY_ID=<from-terraform-output> \
  --from-literal=AWS_SECRET_ACCESS_KEY=<from-terraform-output>
Prometheus metrics at /metrics (port 8000). ServiceMonitor label: release: prometheus.
Health probes: GET /api/health and GET / (port 8000)

Daily PostgreSQL backup via CronJob:
| Schedule | Daily 3:50 AM UTC |
| Method | pg_dump → gzip → S3 k3s-homelab-backups-855878721457/postgres-backups/media-profiler/ |
| Retention | 7 days |
| Manifest | kubernetes/apps/media-profiler/postgres-backup-cronjob.yaml |
kubernetes/apps/media-profiler/
media-profiler.yaml -- Namespace, Deployments, Services, Ingress, PVCs
rbac.yaml -- RBAC for media-profiler ServiceAccount
postgres-backup-cronjob.yaml -- Daily PostgreSQL S3 backup
kubernetes/apps/public-ingress/public-ingress.yaml -- oauth2-proxy-open-gmail IngressRoute (public route)