feat: Cache docker builds

.dockerignore

@@ -1,3 +1,4 @@
 *
 !src
 !Cargo.*
+!.cargo/config.toml

.gitea/workflows/build.yaml

@@ -7,89 +7,9 @@ on:
     tags:
       - v*.*.*
 
-env:
-  OCI_REPO: git.huizinga.dev/dreaded_x/${{ gitea.event.repository.name}}
-
 jobs:
   build:
-    name: Build container and manifests
+    uses: infra/workflows/.gitea/workflows/docker.yaml@956337b9bd5e72a93d3a57513cd421e7554dd61d
-    runs-on: ubuntu-latest
+    secrets: inherit
-    steps:
+    with:
-      - name: Checkout
+      webhook_url: ${{ secrets.WEBHOOK_URL }}
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          fetch-tags: true
-
-      # TODO: Actually set an env variable and use it in the application
-      - name: Set version string
-        run: |
-          git describe --always --dirty="-modified"
-
-      - name: Get Git commit timestamps
-        run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
-
-      - name: Login to registry
-        uses: docker/login-action@v3
-        with:
-          registry: git.huizinga.dev
-          username: ${{ gitea.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Install kustomize
-        run: |
-          curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"  | bash
-
-      - name: Setup Flux CLI
-        uses: https://github.com/fluxcd/flux2/action@main
-        with:
-          version: v2.5.0
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.OCI_REPO }}
-          tags: |
-            type=edge
-            type=ref,event=branch
-            type=semver,pattern=v{{version}}
-            type=semver,pattern=v{{major}}.{{minor}}
-            type=semver,pattern=v{{major}}
-
-      - name: Build container
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          sbom: true
-          provenance: mode=max
-          tags: ${{ steps.meta.outputs.tags }}
-          annotations: ${{ steps.meta.outputs.annotations }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-        env:
-          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
-
-      - name: Generate CRDs
-        run: |
-          docker run --rm ${{ env.OCI_REPO }}@${{ steps.build.outputs.imageid }} /crdgen > ./manifests/crds.yaml
-
-      - name: Kustomize manifests
-        run: |
-          ./kustomize build ./manifests | sed "s/\${DIGEST}/${{ steps.build.outputs.digest }}/" > ./manifests.yaml
-
-      - name: Push manifests
-        run: |
-          flux push artifact oci://${{ env.OCI_REPO }}/manifests:${{ gitea.head_ref || gitea.ref_name }} \
-            --path="./manifests.yaml" \
-            --source="$(git config --get remote.origin.url)" \
-            --revision="$(git rev-parse HEAD)" \
-            $(echo "${{ steps.meta.outputs.labels }}" | sed -e 's/^/-a /')
-
-          flux tag artifact oci://${{ env.OCI_REPO }}/manifests:${{ gitea.head_ref || gitea.ref_name }} \
-            $(echo "${{ steps.meta.outputs.tags }}" | sed -e 's/^.*:/--tag /')

.pre-commit-config.yaml

@@ -2,7 +2,7 @@ fail_fast: true
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
@@ -14,7 +14,7 @@ repos:
       - id: check-merge-conflict
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.31.1
+    rev: typos-dict-v0.13.13
     hooks:
       - id: typos
         args: ["--force-exclude"]
@@ -72,6 +72,6 @@ repos:
         pass_filenames: false
 
   - repo: https://github.com/hadolint/hadolint
-    rev: v2.12.0
+    rev: v2.14.0
     hooks:
       - id: hadolint

Cargo.toml

@@ -5,16 +5,17 @@ edition = "2024"
 default-run = "authelia-controller"
 
 [dependencies]
-color-eyre = "0.6.3"
+color-eyre = "0.6.5"
 dotenvy = "0.15.7"
 futures-util = "0.3.31"
-k8s-openapi = { version = "0.24.0", features = ["v1_31"] }
+git-version = "0.3.9"
-kube = { version = "0.99.0", features = ["derive", "runtime"] }
+k8s-openapi = { version = "0.26.1", features = ["v1_34"] }
-schemars = "0.8.22"
+kube = { version = "2.0.1", features = ["derive", "runtime"] }
-serde = { version = "1.0.219", features = ["derive"] }
+schemars = "1.1.0"
-serde_json = "1.0.140"
+serde = { version = "1.0.228", features = ["derive"] }
+serde_json = "1.0.146"
 serde_yaml = "0.9.34"
-thiserror = "2.0.12"
+thiserror = "2.0.17"
-tokio = { version = "1.44.2", features = ["full"] }
+tokio = { version = "1.48.0", features = ["full"] }
-tracing = "0.1.41"
+tracing = "0.1.44"
-tracing-subscriber = { version = "0.3.19", features = ["env-filter", "json"] }
+tracing-subscriber = { version = "0.3.22", features = ["env-filter", "json"] }

Dockerfile

@@ -1,7 +1,7 @@
-FROM rust:1.85 AS base
+FROM rust:1.92 AS base
 ENV CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
-RUN cargo install cargo-chef --locked --version 0.1.71 && \
+RUN cargo install cargo-chef --locked --version 0.1.73 && \
-    cargo install cargo-auditable --locked --version 0.6.6
+    cargo install cargo-auditable --locked --version 0.7.2
 WORKDIR /app
 
 FROM base AS planner
@@ -13,10 +13,13 @@ COPY --from=planner /app/recipe.json recipe.json
 RUN cargo chef cook --release --recipe-path recipe.json
 
 COPY . .
-ENV RUSTC_BOOTSTRAP=1
+ARG RELEASE_VERSION
-RUN cargo auditable build --release
+ENV RELEASE_VERSION=${RELEASE_VERSION}
+RUN cargo auditable build --release && /app/target/release/crdgen > /crds.yaml
 
-FROM gcr.io/distroless/cc-debian12:nonroot AS runtime
+FROM scratch AS manifests
+COPY --from=builder /crds.yaml /
+
+FROM gcr.io/distroless/cc-debian13:nonroot AS runtime
 COPY --from=builder /app/target/release/authelia-controller /authelia-controller
-COPY --from=builder /app/target/release/crdgen /crdgen
 CMD ["/authelia-controller"]

docker-bake.hcl

@@ -0,0 +1,38 @@
+variable "TAG_BASE" {}
+variable "RELEASE_VERSION" {}
+
+group "default" {
+  targets = ["authelia-controller", "manifests"]
+}
+
+target "docker-metadata-action" {}
+target "cache" {
+  cache-from = [
+    {
+      type = "gha",
+    }
+  ]
+
+  cache-to = [
+    {
+      type = "gha",
+      mode = "max"
+    }
+  ]
+}
+
+target "authelia-controller" {
+  inherits = ["docker-metadata-action", "cache"]
+  context = "./"
+  dockerfile = "Dockerfile"
+  tags = [for tag in target.docker-metadata-action.tags : "${TAG_BASE}:${tag}"]
+  target = "runtime"
+}
+
+target "manifests" {
+  inherits = ["cache"]
+  context = "./"
+  dockerfile = "Dockerfile"
+  target = "manifests"
+  output = [{ type = "cacheonly" }, "manifests"]
+}

manifests/cluster-role-binding.yaml

@@ -2,9 +2,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
+  namespace: authelia
 subjects:
   - kind: ServiceAccount
     name: authelia-controller
+    namespace: authelia
 roleRef:
   kind: ClusterRole
   name: authelia-controller

manifests/cluster-role.yaml

@@ -2,6 +2,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
+  namespace: authelia
 rules:
   - apiGroups:
       - authelia.huizinga.dev

manifests/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: authelia-controller
+  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller
@@ -18,12 +19,17 @@ spec:
         kubectl.kubernetes.io/default-container: authelia-controller
     spec:
       serviceAccountName: authelia-controller
-      securityContext: {}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: authelia-controller
-          image: git.huizinga.dev/dreaded_x/authelia-controller@${DIGEST}
+          image: '{{ index .images "authelia-controller" }}'
           imagePullPolicy: IfNotPresent
-          securityContext: {}
           resources:
             limits:
               cpu: 200m
@@ -34,3 +40,9 @@ spec:
           env:
             - name: RUST_LOG
               value: info,authelia_controller=debug
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL

manifests/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: authelia
 resources:
-  - ./crds.yaml
+  - namespace.yaml
-  - ./service-account.yaml
+  - crds.yaml
-  - ./cluster-role.yaml
+  - service-account.yaml
-  - ./cluster-role-binding.yaml
+  - cluster-role.yaml
-  - ./deployment.yaml
+  - cluster-role-binding.yaml
+  - deployment.yaml

manifests/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia

manifests/service-account.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: authelia-controller
+  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.85"
+channel = "1.92"
 profile = "default"
 components = ["rust-analyzer"]

src/lib.rs

@@ -1,2 +1,5 @@
 pub mod context;
 pub mod resources;
+mod version;
+
+pub use version::VERSION;

src/main.rs

@@ -1,6 +1,7 @@
 use std::sync::Arc;
 use std::time::Duration;
 
+use authelia_controller::VERSION;
 use authelia_controller::context::Context;
 use authelia_controller::resources::AccessControlRule;
 use color_eyre::eyre::Context as _;
@@ -39,7 +40,7 @@ async fn main() -> color_eyre::Result<()> {
         })
         .unwrap_or(Ok(15))?;
 
-    info!("Starting");
+    info!(version = VERSION, "Starting");
 
     let client = Client::try_default().await?;
     let access_control_rules = Api::<AccessControlRule>::all(client.clone());

src/resources/access_control_rule.rs

@@ -29,7 +29,11 @@ enum AccessPolicy {
 )]
 #[kube(
     shortname = "acl",
-    doc = "Custom resource for managing authelia access rules"
+    doc = "Custom resource for managing authelia access rules",
+    printcolumn = r#"{"name":"Domain", "type":"string", "jsonPath":".spec.domain"}"#,
+    printcolumn = r#"{"name":"Policy", "type":"string", "jsonPath":".spec.policy"}"#,
+    printcolumn = r#"{"name":"Subject", "type":"string", "jsonPath":".spec.subject"}"#,
+    printcolumn = r#"{"name":"Age", "type":"date", "jsonPath":".metadata.creationTimestamp"}"#
 )]
 #[serde(rename_all = "camelCase")]
 pub struct AccessControlRuleSpec {
@@ -41,6 +45,7 @@ pub struct AccessControlRuleSpec {
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
 struct AccessControl {
     rules: Vec<AccessControlRuleSpec>,
+    default_policy: AccessPolicy,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
@@ -56,14 +61,22 @@ impl AccessControlRule {
         debug!("Updating acl");
         rules.sort_by_cached_key(|rule| rule.name_any());
 
-        let rules = rules
+        let rules: Vec<_> = rules
             .iter()
             .inspect(|rule| trace!(name = rule.name_any(), "Rule found"))
             .map(|rule| rule.spec.clone())
             .collect();
 
         let top = TopLevel {
-            access_control: AccessControl { rules },
+            access_control: AccessControl {
+                // TODO: Make sure configurable?
+                default_policy: if rules.is_empty() {
+                    AccessPolicy::OneFactor
+                } else {
+                    AccessPolicy::Deny
+                },
+                rules,
+            },
         };
 
         let contents = BTreeMap::from([(

src/version.rs

@@ -0,0 +1,11 @@
+pub const VERSION: &str = get_version();
+
+const fn get_version() -> &'static str {
+    if let Some(version) = std::option_env!("RELEASE_VERSION")
+        && !version.is_empty()
+    {
+        version
+    } else {
+        git_version::git_version!(fallback = "unknown")
+    }
+}