feat: Cache docker builds

feat: Default access policy one factor if no rules
chore: Remove ./ from kustomization for consistency
2025-12-23 03:38:36 +01:00 · 2025-12-23 03:38:36 +01:00 · 2025-12-23 01:38:44 +01:00 · 2025-12-23 01:38:44 +01:00
8 changed files with 55 additions and 11 deletions
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -6,9 +6,23 @@ group "default" {
 }

 target "docker-metadata-action" {}
+target "cache" {
+  cache-from = [
+    {
+      type = "gha",
+    }
+  ]
+
+  cache-to = [
+    {
+      type = "gha",
+      mode = "max"
+    }
+  ]
+}

 target "authelia-controller" {
-  inherits = ["docker-metadata-action"]
+  inherits = ["docker-metadata-action", "cache"]
  context = "./"
  dockerfile = "Dockerfile"
  tags = [for tag in target.docker-metadata-action.tags : "${TAG_BASE}:${tag}"]
@@ -16,6 +30,7 @@ target "authelia-controller" {
 }

 target "manifests" {
+  inherits = ["cache"]
  context = "./"
  dockerfile = "Dockerfile"
  target = "manifests"
--- a/manifests/cluster-role-binding.yaml
+++ b/manifests/cluster-role-binding.yaml
@@ -2,9 +2,11 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: authelia-controller
+  namespace: authelia
 subjects:
  - kind: ServiceAccount
    name: authelia-controller
+    namespace: authelia
 roleRef:
  kind: ClusterRole
  name: authelia-controller
--- a/manifests/cluster-role.yaml
+++ b/manifests/cluster-role.yaml
@@ -2,6 +2,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: authelia-controller
+  namespace: authelia
 rules:
  - apiGroups:
      - authelia.huizinga.dev
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: authelia-controller
+  namespace: authelia
  labels:
    app: authelia-controller
    app.kubernetes.io/name: authelia-controller
@@ -18,12 +19,17 @@ spec:
        kubectl.kubernetes.io/default-container: authelia-controller
    spec:
      serviceAccountName: authelia-controller
-      securityContext: {}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: authelia-controller
          image: '{{ index .images "authelia-controller" }}'
          imagePullPolicy: IfNotPresent
-          securityContext: {}
          resources:
            limits:
              cpu: 200m
@@ -34,3 +40,9 @@ spec:
          env:
            - name: RUST_LOG
              value: info,authelia_controller=debug
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
--- a/manifests/kustomization.yaml
+++ b/manifests/kustomization.yaml
@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: authelia
 resources:
-  - ./crds.yaml
-  - ./service-account.yaml
-  - ./cluster-role.yaml
-  - ./cluster-role-binding.yaml
-  - ./deployment.yaml
+  - namespace.yaml
+  - crds.yaml
+  - service-account.yaml
+  - cluster-role.yaml
+  - cluster-role-binding.yaml
+  - deployment.yaml
--- a/manifests/namespace.yaml
+++ b/manifests/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia
--- a/manifests/service-account.yaml
+++ b/manifests/service-account.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: authelia-controller
+  namespace: authelia
  labels:
    app: authelia-controller
    app.kubernetes.io/name: authelia-controller
--- a/src/resources/access_control_rule.rs
+++ b/src/resources/access_control_rule.rs
@@ -45,6 +45,7 @@ pub struct AccessControlRuleSpec {
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
 struct AccessControl {
    rules: Vec<AccessControlRuleSpec>,
+    default_policy: AccessPolicy,
 }

 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
@@ -60,14 +61,22 @@ impl AccessControlRule {
        debug!("Updating acl");
        rules.sort_by_cached_key(|rule| rule.name_any());

-        let rules = rules
+        let rules: Vec<_> = rules
            .iter()
            .inspect(|rule| trace!(name = rule.name_any(), "Rule found"))
            .map(|rule| rule.spec.clone())
            .collect();

        let top = TopLevel {
-            access_control: AccessControl { rules },
+            access_control: AccessControl {
+                // TODO: Make sure configurable?
+                default_policy: if rules.is_empty() {
+                    AccessPolicy::OneFactor
+                } else {
+                    AccessPolicy::Deny
+                },
+                rules,
+            },
        };

        let contents = BTreeMap::from([(
Author	SHA1	Message	Date
Dreaded_X	83cf48b2a9	feat: Cache docker builds All checks were successful Build and deploy / build (push) Successful in 7m51s Details	2025-12-23 03:38:36 +01:00
Dreaded_X	fc9f34939b	feat: Default access policy one factor if no rules	2025-12-23 03:38:36 +01:00
Dreaded_X	c80024972c	chore: Remove ./ from kustomization for consistency All checks were successful Build and deploy / build (push) Successful in 10m13s Details	2025-12-23 01:38:44 +01:00
Dreaded_X	eed5b44916	feat: Create namespace and set it explicitly	2025-12-23 01:38:44 +01:00