feat: Cache docker builds

.gitea/workflows/build.yaml

@@ -9,8 +9,7 @@ on:
 
 jobs:
   build:
-    uses: dreaded_x/workflows/.gitea/workflows/rust-kubernetes.yaml@66ab50c3ac239dbdd1e42e6276ec2e65b6a79379
+    uses: infra/workflows/.gitea/workflows/docker.yaml@956337b9bd5e72a93d3a57513cd421e7554dd61d
     secrets: inherit
     with:
-      generate_crds: true
       webhook_url: ${{ secrets.WEBHOOK_URL }}

Dockerfile

@@ -1,7 +1,7 @@
 FROM rust:1.92 AS base
 ENV CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
-RUN cargo install cargo-chef --locked --version 0.1.71 && \
-    cargo install cargo-auditable --locked --version 0.6.6
+RUN cargo install cargo-chef --locked --version 0.1.73 && \
+    cargo install cargo-auditable --locked --version 0.7.2
 WORKDIR /app
 
 FROM base AS planner
@@ -15,9 +15,11 @@ RUN cargo chef cook --release --recipe-path recipe.json
 COPY . .
 ARG RELEASE_VERSION
 ENV RELEASE_VERSION=${RELEASE_VERSION}
-RUN cargo auditable build --release
+RUN cargo auditable build --release && /app/target/release/crdgen > /crds.yaml
+
+FROM scratch AS manifests
+COPY --from=builder /crds.yaml /
 
 FROM gcr.io/distroless/cc-debian13:nonroot AS runtime
 COPY --from=builder /app/target/release/authelia-controller /authelia-controller
-COPY --from=builder /app/target/release/crdgen /crdgen
 CMD ["/authelia-controller"]

docker-bake.hcl

@@ -0,0 +1,38 @@
+variable "TAG_BASE" {}
+variable "RELEASE_VERSION" {}
+
+group "default" {
+  targets = ["authelia-controller", "manifests"]
+}
+
+target "docker-metadata-action" {}
+target "cache" {
+  cache-from = [
+    {
+      type = "gha",
+    }
+  ]
+
+  cache-to = [
+    {
+      type = "gha",
+      mode = "max"
+    }
+  ]
+}
+
+target "authelia-controller" {
+  inherits = ["docker-metadata-action", "cache"]
+  context = "./"
+  dockerfile = "Dockerfile"
+  tags = [for tag in target.docker-metadata-action.tags : "${TAG_BASE}:${tag}"]
+  target = "runtime"
+}
+
+target "manifests" {
+  inherits = ["cache"]
+  context = "./"
+  dockerfile = "Dockerfile"
+  target = "manifests"
+  output = [{ type = "cacheonly" }, "manifests"]
+}

manifests/cluster-role-binding.yaml

@@ -2,9 +2,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
+  namespace: authelia
 subjects:
   - kind: ServiceAccount
     name: authelia-controller
+    namespace: authelia
 roleRef:
   kind: ClusterRole
   name: authelia-controller

manifests/cluster-role.yaml

@@ -2,6 +2,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
+  namespace: authelia
 rules:
   - apiGroups:
       - authelia.huizinga.dev

manifests/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: authelia-controller
+  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller
@@ -18,12 +19,17 @@ spec:
         kubectl.kubernetes.io/default-container: authelia-controller
     spec:
       serviceAccountName: authelia-controller
-      securityContext: {}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: authelia-controller
-          image: git.huizinga.dev/dreaded_x/authelia-controller@${DIGEST}
+          image: '{{ index .images "authelia-controller" }}'
           imagePullPolicy: IfNotPresent
-          securityContext: {}
           resources:
             limits:
               cpu: 200m
@@ -34,3 +40,9 @@ spec:
           env:
             - name: RUST_LOG
               value: info,authelia_controller=debug
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL

manifests/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: authelia
 resources:
-  - ./crds.yaml
-  - ./service-account.yaml
-  - ./cluster-role.yaml
-  - ./cluster-role-binding.yaml
-  - ./deployment.yaml
+  - namespace.yaml
+  - crds.yaml
+  - service-account.yaml
+  - cluster-role.yaml
+  - cluster-role-binding.yaml
+  - deployment.yaml

manifests/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia

manifests/service-account.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: authelia-controller
+  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller

src/resources/access_control_rule.rs

@@ -45,6 +45,7 @@ pub struct AccessControlRuleSpec {
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
 struct AccessControl {
     rules: Vec<AccessControlRuleSpec>,
+    default_policy: AccessPolicy,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
@@ -60,14 +61,22 @@ impl AccessControlRule {
         debug!("Updating acl");
         rules.sort_by_cached_key(|rule| rule.name_any());
 
-        let rules = rules
+        let rules: Vec<_> = rules
             .iter()
             .inspect(|rule| trace!(name = rule.name_any(), "Rule found"))
             .map(|rule| rule.spec.clone())
             .collect();
 
         let top = TopLevel {
-            access_control: AccessControl { rules },
+            access_control: AccessControl {
+                // TODO: Make sure configurable?
+                default_policy: if rules.is_empty() {
+                    AccessPolicy::OneFactor
+                } else {
+                    AccessPolicy::Deny
+                },
+                rules,
+            },
         };
 
         let contents = BTreeMap::from([(