From 87346a1aa6edc24674803bc68dbf2aeaad8aa460 Mon Sep 17 00:00:00 2001
From: Dreaded_X
Date: Fri, 18 Apr 2025 02:29:41 +0200
Subject: [PATCH] Setup build
---
 .dockerignore | 4 ++
 .gitea/workflows/build.yaml | 91 +++++++++++++++++++++++++++++
 Dockerfile | 21 +++++++
 manifests/cluster-role-binding.yaml | 11 ++++
 manifests/cluster-role.yaml | 20 +++++++
 manifests/deployment.yaml | 36 ++++++++++++
 manifests/kustomization.yaml | 9 +++
 manifests/service-account.yaml | 8 +++
 8 files changed, 200 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 .gitea/workflows/build.yaml
 create mode 100644 Dockerfile
 create mode 100644 manifests/cluster-role-binding.yaml
 create mode 100644 manifests/cluster-role.yaml
 create mode 100644 manifests/deployment.yaml
 create mode 100644 manifests/kustomization.yaml
 create mode 100644 manifests/service-account.yaml
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..c579be0
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,4 @@
+*
+!queries
+!src
+!Cargo.*
diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
new file mode 100644
index 0000000..e8fa1b0
--- /dev/null
+++ b/.gitea/workflows/build.yaml
@@ -0,0 +1,91 @@
+name: Build and deploy
+on:
+ push:
+ branches:
+ - master
+ - feature/**
+ tags:
+ - v*.*.*
+
+env:
+ OCI_REPO: git.huizinga.dev/dreaded_x/${{ gitea.event.repository.name}}
+
+jobs:
+ build:
+ name: Build container and manifests
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+
+ # TODO: Actually set an env variable and use it in the application
+ - name: Set version string
+ run: |
+ git describe --always --dirty="-modified"
+
+ - name: Get Git commit timestamps
+ run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: git.huizinga.dev
+ username: ${{ gitea.actor }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Install kustomize
+ run: |
+ curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
+
+ - name: Setup Flux CLI
+ uses: https://github.com/fluxcd/flux2/action@main
+ with:
+ version: v2.5.0
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.OCI_REPO }}
+ tags: |
+ type=edge
+ type=ref,event=branch
+ type=semver,pattern=v{{version}}
+ type=semver,pattern=v{{major}}.{{minor}}
+ type=semver,pattern=v{{major}}
+
+ - name: Build container
+ id: build
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ sbom: true
+ provenance: mode=max
+ tags: ${{ steps.meta.outputs.tags }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ env:
+ SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+
+ - name: Kustomize manifests
+ run: |
+ ./kustomize build ./manifests | sed "s/\${DIGEST}/${{ steps.build.outputs.digest }}/" > ./manifests.yaml
+
+ - name: Push manifests
+ run: |
+ flux push artifact oci://$OCI_REPO/manifests:${{ gitea.head_ref || gitea.ref_name }} \
+ --path="./manifests.yaml" \
+ --source="$(git config --get remote.origin.url)" \
+ --revision="$(git rev-parse HEAD)" \
+ $(echo "${{ steps.meta.outputs.labels }}" | sed -e 's/^/-a /')
+
+ flux tag artifact oci://$OCI_REPO/manifests:${{ gitea.head_ref || gitea.ref_name }} \
+ $(echo "${{ steps.meta.outputs.tags }}" | sed -e 's/^.*:/--tag /')
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..e0430bc
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM rust:1.85 AS base
+ENV CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
+RUN cargo install cargo-chef --locked --version 0.1.71 && \
+ cargo install cargo-auditable --locked --version 0.6.6
+WORKDIR /app
+
+FROM base AS planner
+COPY . .
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM base AS builder
+COPY --from=planner /app/recipe.json recipe.json
+RUN cargo chef cook --release --recipe-path recipe.json
+
+COPY . .
+ENV RUSTC_BOOTSTRAP=1
+RUN cargo auditable build --release
+
+FROM gcr.io/distroless/cc-debian12:nonroot AS runtime
+COPY --from=builder /app/target/release/authelia-controller /authelia-controller
+CMD ["/authelia-controller"]
diff --git a/manifests/cluster-role-binding.yaml b/manifests/cluster-role-binding.yaml
new file mode 100644
index 0000000..6cc8b54
--- /dev/null
+++ b/manifests/cluster-role-binding.yaml
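Review bot: The `Push manifests` step splices `${{ gitea.head_ref || gitea.ref_name }}`, `${{ steps.meta.outputs.labels }}` and `${{ steps.meta.outputs.tags }}` straight into a `run:` shell script, and the workflow fires on any `feature/**` branch, so a branch name or repository description carrying shell metacharacters is executed on a runner that has just logged in with `REGISTRY_TOKEN`. Pass those values through `env:` and quote them, and build the `-a`/`--tag` arguments with an array instead of an unquoted `$(echo … | sed …)`, which also falls apart on a label value containing spaces. Separately, `curl -s … master/hack/install_kustomize.sh | bash` and `fluxcd/flux2/action@main` are floating, unverified references on the build path of every image; pin them to a release tag or commit SHA (and check the kustomize download against its published checksum) as the other actions already are.
```yaml
      - name: Push manifests
        env:
          REF: ${{ gitea.head_ref || gitea.ref_name }}
          LABELS: ${{ steps.meta.outputs.labels }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          set -euo pipefail
          annotations=()
          while IFS= read -r label; do
            [ -n "$label" ] && annotations+=(-a "$label")
          done <<< "$LABELS"
          flux push artifact "oci://$OCI_REPO/manifests:$REF" \
            --path="./manifests.yaml" \
            --source="$(git config --get remote.origin.url)" \
            --revision="$(git rev-parse HEAD)" \
            "${annotations[@]}"
          tagargs=()
          while IFS= read -r tag; do
            [ -n "$tag" ] && tagargs+=(--tag "${tag##*:}")
          done <<< "$TAGS"
          flux tag artifact "oci://$OCI_REPO/manifests:$REF" "${tagargs[@]}"
```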
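Review bot: Neither `cargo chef cook --release` nor `cargo auditable build --release` passes `--locked`, so if `Cargo.lock` is out of step with `Cargo.toml` cargo silently re-resolves dependencies at image build time and the SBOM/provenance the workflow publishes no longer describes a pinned dependency set; use `RUN cargo chef cook --release --locked --recipe-path recipe.json` and `RUN cargo auditable build --release --locked`. `ENV RUSTC_BOOTSTRAP=1` unlocks unstable compiler features on a stable toolchain and nothing here says why; add a comment naming the feature that needs it and scope it to the one command (`RUN RUSTC_BOOTSTRAP=1 cargo auditable build --release --locked`) rather than the stage environment. Both `rust:1.85` and `gcr.io/distroless/cc-debian12:nonroot` are tag-only references; pinning them with `@sha256:…` is what makes the `SOURCE_DATE_EPOCH` the workflow sets actually yield a reproducible image.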
@@ -0,0 +1,11 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: authelia-controller
+subjects:
+ - kind: ServiceAccount
+ name: authelia-controller
+roleRef:
+ kind: ClusterRole
+ name: authelia-controller
+ apiGroup: rbac.authorization.k8s.io
diff --git a/manifests/cluster-role.yaml b/manifests/cluster-role.yaml
new file mode 100644
index 0000000..b786dd3
--- /dev/null
+++ b/manifests/cluster-role.yaml
@@ -0,0 +1,20 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: authelia-controller
+rules:
+ - apiGroups:
+ - authelia.huizinga.dev
+ resources:
+ - accesscontrolrules
+ - accesscontrolrules/status
+ - accesscontrolrules/finalizers
+ verbs:
+ - "*"
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - deployments
+ verbs:
+ - "*"
diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml
new file mode 100644
index 0000000..4a9f01e
--- /dev/null
+++ b/manifests/deployment.yaml
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authelia-controller
+ labels:
+ app: authelia-controller
+ app.kubernetes.io/name: authelia-controller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: authelia-controller
+ template:
+ metadata:
+ labels:
+ app: authelia-controller
+ annotations:
+ kubectl.kubernetes.io/default-container: authelia-controller
+ spec:
+ serviceAccountName: authelia-controller
+ securityContext: {}
+ containers:
+ - name: authelia-controller
+ image: git.huizinga.dev/dreaded_x/authelia-controller@${DIGEST}
+ imagePullPolicy: IfNotPresent
+ securityContext: {}
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ env:
+ - name: RUST_LOG
+ value: info,authelia_controller=debug
diff --git a/manifests/kustomization.yaml b/manifests/kustomization.yaml
new file mode 100644
index 0000000..a02d6c5
--- /dev/null
+++ b/manifests/kustomization.yaml
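Review bot: The `ServiceAccount` subject has no `namespace`, which the RBAC API requires for ServiceAccount subjects; this presumably relies on the kustomize `namespace:` transformer to fill it in, but the binding is then invalid whenever the file is applied on its own and silently re-targets if the kustomization namespace changes. Make it explicit by adding `namespace: lldap` under `name: authelia-controller` in `subjects`, so the identity this cluster-wide grant attaches to is visible in the file that grants it.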
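Review bot: The second rule grants `"*"` on `secrets` in a ClusterRole that is bound cluster-wide, so the token mounted into this pod can read, overwrite or delete every Secret in every namespace; a compromise of the controller, or anyone who can exec into it, becomes a cluster-wide credential leak. `deployments` in the same rule grants nothing, because Deployments live in the `apps` API group rather than `""`, and the wildcard verbs hide that the controller will simply get 403s on them. Enumerate the verbs each resource actually needs, and if the controller only touches Secrets and Deployments in its own namespace, move those into a `Role`/`RoleBinding` and keep only the `accesscontrolrules` rule in the ClusterRole.
```yaml
rules:
  # … unchanged: authelia.huizinga.dev/accesscontrolrules rule …
  # Verbs below are a starting point; trim to what the reconciler calls.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, list, watch, create, update, patch]
  - apiGroups: [apps]
    resources: [deployments]
    verbs: [get, list, watch, patch]
```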
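Review bot: Both `securityContext: {}` entries leave the pod on runtime defaults — no `runAsNonRoot` enforcement, a writable root filesystem, privilege escalation allowed and the default capability set — even though the image is `distroless/cc-debian12:nonroot` and a single static binary needs none of that. Set the hardening fields so the pod passes the `restricted` Pod Security level and a compromised controller (which holds a ServiceAccount token with cluster-wide RBAC) has less to work with; `readOnlyRootFilesystem` assumes the binary writes nothing to disk, so confirm that against the application. There is also no liveness or readiness probe; if the controller exposes a health endpoint, wire one up.
```yaml
    spec:
      serviceAccountName: authelia-controller
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: authelia-controller
          image: git.huizinga.dev/dreaded_x/authelia-controller@${DIGEST}
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: [ALL]
          # … unchanged: resources, env …
```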
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: lldap
+resources:
+ - ./crds.yaml
+ - ./service-account.yaml
+ - ./cluster-role.yaml
+ - ./cluster-role-binding.yaml
+ - ./deployment.yaml
diff --git a/manifests/service-account.yaml b/manifests/service-account.yaml
new file mode 100644
index 0000000..81cb08a
--- /dev/null
+++ b/manifests/service-account.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: authelia-controller
+ labels:
+ app: authelia-controller
+ app.kubernetes.io/name: authelia-controller
+automountServiceAccountToken: true
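Review bot: `./crds.yaml` is listed as a resource but is not part of this commit — the diffstat shows eight files and no `manifests/crds.yaml` — so `./kustomize build ./manifests` in the workflow's `Kustomize manifests` step will fail unless that file is generated or committed separately. If it is generated, the generating step needs to run before the kustomize step in the workflow; if it lives elsewhere, a comment on this line saying where it comes from, e.g. `- ./crds.yaml  # generated; see <tool/step>`, would save the next reader the hunt.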