feat: Cache docker builds

.cargo/config.toml

@@ -1,2 +0,0 @@
-[env]
-RUSTC_BOOTSTRAP = "1"

.gitea/workflows/build.yaml

@@ -9,8 +9,7 @@ on:
 
 jobs:
   build:
-    uses: dreaded_x/workflows/.gitea/workflows/rust-kubernetes.yaml@66ab50c3ac239dbdd1e42e6276ec2e65b6a79379
+    uses: infra/workflows/.gitea/workflows/docker.yaml@956337b9bd5e72a93d3a57513cd421e7554dd61d
     secrets: inherit
     with:
-      generate_crds: true
       webhook_url: ${{ secrets.WEBHOOK_URL }}

.pre-commit-config.yaml

@@ -2,7 +2,7 @@ fail_fast: true
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
@@ -14,7 +14,7 @@ repos:
       - id: check-merge-conflict
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.31.1
+    rev: typos-dict-v0.13.13
     hooks:
       - id: typos
         args: ["--force-exclude"]
@@ -72,6 +72,6 @@ repos:
         pass_filenames: false
 
   - repo: https://github.com/hadolint/hadolint
-    rev: v2.12.0
+    rev: v2.14.0
     hooks:
       - id: hadolint

Cargo.toml

@@ -5,17 +5,17 @@ edition = "2024"
 default-run = "authelia-controller"
 
 [dependencies]
-color-eyre = "0.6.3"
+color-eyre = "0.6.5"
 dotenvy = "0.15.7"
 futures-util = "0.3.31"
 git-version = "0.3.9"
-k8s-openapi = { version = "0.24.0", features = ["v1_31"] }
-kube = { version = "0.99.0", features = ["derive", "runtime"] }
-schemars = "0.8.22"
-serde = { version = "1.0.219", features = ["derive"] }
-serde_json = "1.0.140"
+k8s-openapi = { version = "0.26.1", features = ["v1_34"] }
+kube = { version = "2.0.1", features = ["derive", "runtime"] }
+schemars = "1.1.0"
+serde = { version = "1.0.228", features = ["derive"] }
+serde_json = "1.0.146"
 serde_yaml = "0.9.34"
-thiserror = "2.0.12"
-tokio = { version = "1.44.2", features = ["full"] }
-tracing = "0.1.41"
-tracing-subscriber = { version = "0.3.19", features = ["env-filter", "json"] }
+thiserror = "2.0.17"
+tokio = { version = "1.48.0", features = ["full"] }
+tracing = "0.1.44"
+tracing-subscriber = { version = "0.3.22", features = ["env-filter", "json"] }

Dockerfile

@@ -1,7 +1,7 @@
-FROM rust:1.86 AS base
+FROM rust:1.92 AS base
 ENV CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
-RUN cargo install cargo-chef --locked --version 0.1.71 && \
-    cargo install cargo-auditable --locked --version 0.6.6
+RUN cargo install cargo-chef --locked --version 0.1.73 && \
+    cargo install cargo-auditable --locked --version 0.7.2
 WORKDIR /app
 
 FROM base AS planner
@@ -15,9 +15,11 @@ RUN cargo chef cook --release --recipe-path recipe.json
 COPY . .
 ARG RELEASE_VERSION
 ENV RELEASE_VERSION=${RELEASE_VERSION}
-RUN cargo auditable build --release
+RUN cargo auditable build --release && /app/target/release/crdgen > /crds.yaml
 
-FROM gcr.io/distroless/cc-debian12:nonroot AS runtime
+FROM scratch AS manifests
+COPY --from=builder /crds.yaml /
+
+FROM gcr.io/distroless/cc-debian13:nonroot AS runtime
 COPY --from=builder /app/target/release/authelia-controller /authelia-controller
-COPY --from=builder /app/target/release/crdgen /crdgen
 CMD ["/authelia-controller"]

docker-bake.hcl

@@ -0,0 +1,38 @@
+variable "TAG_BASE" {}
+variable "RELEASE_VERSION" {}
+
+group "default" {
+  targets = ["authelia-controller", "manifests"]
+}
+
+target "docker-metadata-action" {}
+target "cache" {
+  cache-from = [
+    {
+      type = "gha",
+    }
+  ]
+
+  cache-to = [
+    {
+      type = "gha",
+      mode = "max"
+    }
+  ]
+}
+
+target "authelia-controller" {
+  inherits = ["docker-metadata-action", "cache"]
+  context = "./"
+  dockerfile = "Dockerfile"
+  tags = [for tag in target.docker-metadata-action.tags : "${TAG_BASE}:${tag}"]
+  target = "runtime"
+}
+
+target "manifests" {
+  inherits = ["cache"]
+  context = "./"
+  dockerfile = "Dockerfile"
+  target = "manifests"
+  output = [{ type = "cacheonly" }, "manifests"]
+}

manifests/cluster-role-binding.yaml

@@ -2,9 +2,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
+  namespace: authelia
 subjects:
   - kind: ServiceAccount
     name: authelia-controller
+    namespace: authelia
 roleRef:
   kind: ClusterRole
   name: authelia-controller

manifests/cluster-role.yaml

@@ -2,6 +2,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
+  namespace: authelia
 rules:
   - apiGroups:
       - authelia.huizinga.dev

manifests/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: authelia-controller
+  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller
@@ -18,12 +19,17 @@ spec:
         kubectl.kubernetes.io/default-container: authelia-controller
     spec:
       serviceAccountName: authelia-controller
-      securityContext: {}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: authelia-controller
-          image: git.huizinga.dev/dreaded_x/authelia-controller@${DIGEST}
+          image: '{{ index .images "authelia-controller" }}'
           imagePullPolicy: IfNotPresent
-          securityContext: {}
           resources:
             limits:
               cpu: 200m
@@ -34,3 +40,9 @@ spec:
           env:
             - name: RUST_LOG
               value: info,authelia_controller=debug
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL

manifests/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: authelia
 resources:
-  - ./crds.yaml
-  - ./service-account.yaml
-  - ./cluster-role.yaml
-  - ./cluster-role-binding.yaml
-  - ./deployment.yaml
+  - namespace.yaml
+  - crds.yaml
+  - service-account.yaml
+  - cluster-role.yaml
+  - cluster-role-binding.yaml
+  - deployment.yaml

manifests/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia

manifests/service-account.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: authelia-controller
+  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.86"
+channel = "1.92"
 profile = "default"
 components = ["rust-analyzer"]

src/lib.rs

@@ -1,4 +1,3 @@
-#![feature(let_chains)]
 pub mod context;
 pub mod resources;
 mod version;

src/resources/access_control_rule.rs

@@ -45,6 +45,7 @@ pub struct AccessControlRuleSpec {
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
 struct AccessControl {
     rules: Vec<AccessControlRuleSpec>,
+    default_policy: AccessPolicy,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
@@ -60,14 +61,22 @@ impl AccessControlRule {
         debug!("Updating acl");
         rules.sort_by_cached_key(|rule| rule.name_any());
 
-        let rules = rules
+        let rules: Vec<_> = rules
             .iter()
             .inspect(|rule| trace!(name = rule.name_any(), "Rule found"))
             .map(|rule| rule.spec.clone())
             .collect();
 
         let top = TopLevel {
-            access_control: AccessControl { rules },
+            access_control: AccessControl {
+                // TODO: Make sure configurable?
+                default_policy: if rules.is_empty() {
+                    AccessPolicy::OneFactor
+                } else {
+                    AccessPolicy::Deny
+                },
+                rules,
+            },
         };
 
         let contents = BTreeMap::from([(