From 90deacd154a44a116497b990fa5a8fd901fa7ae2 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <andrew@flowercore.io>
Date: Fri, 17 Apr 2026 15:35:13 -0500
Subject: [PATCH] guacamole: pin guacd + web to rke2-agent2 for NFS recordings
 mount

Synology NFS export at /volume1/kubernetes currently grants mount
permission only to 10.0.56.13 (rke2-agent2). rke2-agent1 gets
"access denied by server". guacd + guacamole web both need the
recordings volume, so co-locating is also efficient. Remove the
nodeSelector once the Synology NFS ACL opens to all cluster nodes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/guacamole/guacamole.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index 569ec68..a3ccccb 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -177,6 +177,13 @@ spec:
         app: guacd
     spec:
       serviceAccountName: guacd-exec
+      # Pinned to rke2-agent2: Synology NFS export at /volume1/kubernetes
+      # currently grants mount permission only to 10.0.56.13. guacd + guacamole
+      # web share the NFS-backed /var/lib/guacamole/recordings, so co-locating
+      # is also efficient. Remove this when the Synology NFS ACL opens to all
+      # cluster nodes.
+      nodeSelector:
+        kubernetes.io/hostname: rke2-agent2
       containers:
         - name: guacd
           image: guacamole/guacd:latest
@@ -256,6 +263,9 @@ spec:
       labels:
         app: guacamole
     spec:
+      # Pinned to rke2-agent2: same reason as guacd (NFS recordings mount).
+      nodeSelector:
+        kubernetes.io/hostname: rke2-agent2
       containers:
         - name: guacamole
           image: guacamole/guacamole:latest