Setup build

.dockerignore

@@ -1,4 +1,3 @@
 *
 !src
 !Cargo.*
-!.cargo/config.toml

.gitea/workflows/build.yaml

@@ -7,9 +7,89 @@ on:
     tags:
       - v*.*.*
 
+env:
+  OCI_REPO: git.huizinga.dev/dreaded_x/${{ gitea.event.repository.name}}
+
 jobs:
   build:
-    uses: infra/workflows/.gitea/workflows/docker.yaml@956337b9bd5e72a93d3a57513cd421e7554dd61d
+    name: Build container and manifests
-    secrets: inherit
+    runs-on: ubuntu-latest
-    with:
+    steps:
-      webhook_url: ${{ secrets.WEBHOOK_URL }}
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      # TODO: Actually set an env variable and use it in the application
+      - name: Set version string
+        run: |
+          git describe --always --dirty="-modified"
+
+      - name: Get Git commit timestamps
+        run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.huizinga.dev
+          username: ${{ gitea.actor }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install kustomize
+        run: |
+          curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"  | bash
+
+      - name: Setup Flux CLI
+        uses: https://github.com/fluxcd/flux2/action@main
+        with:
+          version: v2.5.0
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.OCI_REPO }}
+          tags: |
+            type=edge
+            type=ref,event=branch
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+
+      - name: Build container
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          sbom: true
+          provenance: mode=max
+          tags: ${{ steps.meta.outputs.tags }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+
+      - name: Generate CRDs
+        run: |
+          docker run --rm ${{ env.OCI_REPO }}@${{ steps.build.outputs.imageid }} /crdgen > ./manifests/crds.yaml
+
+      - name: Kustomize manifests
+        run: |
+          ./kustomize build ./manifests | sed "s/\${DIGEST}/${{ steps.build.outputs.digest }}/" > ./manifests.yaml
+
+      - name: Push manifests
+        run: |
+          flux push artifact oci://${{ env.OCI_REPO }}/manifests:${{ gitea.head_ref || gitea.ref_name }} \
+            --path="./manifests.yaml" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="$(git rev-parse HEAD)" \
+            $(echo "${{ steps.meta.outputs.labels }}" | sed -e 's/^/-a /')
+
+          flux tag artifact oci://${{ env.OCI_REPO }}/manifests:${{ gitea.head_ref || gitea.ref_name }} \
+            $(echo "${{ steps.meta.outputs.tags }}" | sed -e 's/^.*:/--tag /')

.pre-commit-config.yaml

@@ -2,7 +2,7 @@ fail_fast: true
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
+    rev: v5.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
@@ -14,7 +14,7 @@ repos:
       - id: check-merge-conflict
 
   - repo: https://github.com/crate-ci/typos
-    rev: typos-dict-v0.13.13
+    rev: v1.31.1
     hooks:
       - id: typos
         args: ["--force-exclude"]
@@ -54,7 +54,7 @@ repos:
       - id: udeps
         name: unused
         description: Check for unused crates
-        entry: cargo +nightly udeps
+        entry: cargo udeps
         args: ["--workspace"]
         language: system
         types: [file]
@@ -72,6 +72,6 @@ repos:
         pass_filenames: false
 
   - repo: https://github.com/hadolint/hadolint
-    rev: v2.14.0
+    rev: v2.12.0
     hooks:
       - id: hadolint

Cargo.toml

@@ -5,17 +5,16 @@ edition = "2024"
 default-run = "authelia-controller"
 
 [dependencies]
-color-eyre = "0.6.5"
+color-eyre = "0.6.3"
 dotenvy = "0.15.7"
 futures-util = "0.3.31"
-git-version = "0.3.9"
+k8s-openapi = { version = "0.24.0", features = ["v1_31"] }
-k8s-openapi = { version = "0.26.1", features = ["v1_34"] }
+kube = { version = "0.99.0", features = ["derive", "runtime"] }
-kube = { version = "2.0.1", features = ["derive", "runtime"] }
+schemars = "0.8.22"
-schemars = "1.1.0"
+serde = { version = "1.0.219", features = ["derive"] }
-serde = { version = "1.0.228", features = ["derive"] }
+serde_json = "1.0.140"
-serde_json = "1.0.146"
 serde_yaml = "0.9.34"
-thiserror = "2.0.17"
+thiserror = "2.0.12"
-tokio = { version = "1.48.0", features = ["full"] }
+tokio = { version = "1.44.2", features = ["full"] }
-tracing = "0.1.44"
+tracing = "0.1.41"
-tracing-subscriber = { version = "0.3.22", features = ["env-filter", "json"] }
+tracing-subscriber = { version = "0.3.19", features = ["env-filter", "json"] }

Dockerfile

@@ -1,7 +1,7 @@
-FROM rust:1.92 AS base
+FROM rust:1.85 AS base
 ENV CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
-RUN cargo install cargo-chef --locked --version 0.1.73 && \
+RUN cargo install cargo-chef --locked --version 0.1.71 && \
-    cargo install cargo-auditable --locked --version 0.7.2
+    cargo install cargo-auditable --locked --version 0.6.6
 WORKDIR /app
 
 FROM base AS planner
@@ -13,13 +13,10 @@ COPY --from=planner /app/recipe.json recipe.json
 RUN cargo chef cook --release --recipe-path recipe.json
 
 COPY . .
-ARG RELEASE_VERSION
+ENV RUSTC_BOOTSTRAP=1
-ENV RELEASE_VERSION=${RELEASE_VERSION}
+RUN cargo auditable build --release
-RUN cargo auditable build --release && /app/target/release/crdgen > /crds.yaml
 
-FROM scratch AS manifests
+FROM gcr.io/distroless/cc-debian12:nonroot AS runtime
-COPY --from=builder /crds.yaml /
-
-FROM gcr.io/distroless/cc-debian13:nonroot AS runtime
 COPY --from=builder /app/target/release/authelia-controller /authelia-controller
+COPY --from=builder /app/target/release/crdgen /crdgen
 CMD ["/authelia-controller"]

docker-bake.hcl

@@ -1,38 +0,0 @@
-variable "TAG_BASE" {}
-variable "RELEASE_VERSION" {}
-
-group "default" {
-  targets = ["authelia-controller", "manifests"]
-}
-
-target "docker-metadata-action" {}
-target "cache" {
-  cache-from = [
-    {
-      type = "gha",
-    }
-  ]
-
-  cache-to = [
-    {
-      type = "gha",
-      mode = "max"
-    }
-  ]
-}
-
-target "authelia-controller" {
-  inherits = ["docker-metadata-action", "cache"]
-  context = "./"
-  dockerfile = "Dockerfile"
-  tags = [for tag in target.docker-metadata-action.tags : "${TAG_BASE}:${tag}"]
-  target = "runtime"
-}
-
-target "manifests" {
-  inherits = ["cache"]
-  context = "./"
-  dockerfile = "Dockerfile"
-  target = "manifests"
-  output = [{ type = "cacheonly" }, "manifests"]
-}

manifests/cluster-role-binding.yaml

@@ -2,11 +2,9 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
-  namespace: authelia
 subjects:
   - kind: ServiceAccount
     name: authelia-controller
-    namespace: authelia
 roleRef:
   kind: ClusterRole
   name: authelia-controller

manifests/cluster-role.yaml

@@ -2,7 +2,6 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
-  namespace: authelia
 rules:
   - apiGroups:
       - authelia.huizinga.dev
@@ -16,11 +15,6 @@ rules:
       - ""
     resources:
       - secrets
-    verbs:
-      - "*"
-  - apiGroups:
-      - "apps"
-    resources:
       - deployments
     verbs:
       - "*"

manifests/deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: authelia-controller
-  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller
@@ -19,17 +18,12 @@ spec:
         kubectl.kubernetes.io/default-container: authelia-controller
     spec:
       serviceAccountName: authelia-controller
-      securityContext:
+      securityContext: {}
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-        seccompProfile:
-          type: RuntimeDefault
       containers:
         - name: authelia-controller
-          image: '{{ index .images "authelia-controller" }}'
+          image: git.huizinga.dev/dreaded_x/authelia-controller@${DIGEST}
           imagePullPolicy: IfNotPresent
+          securityContext: {}
           resources:
             limits:
               cpu: 200m
@@ -40,9 +34,3 @@ spec:
           env:
             - name: RUST_LOG
               value: info,authelia_controller=debug
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            capabilities:
-              drop:
-                - ALL

manifests/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: lldap
 resources:
-  - namespace.yaml
+  - ./crds.yaml
-  - crds.yaml
+  - ./service-account.yaml
-  - service-account.yaml
+  - ./cluster-role.yaml
-  - cluster-role.yaml
+  - ./cluster-role-binding.yaml
-  - cluster-role-binding.yaml
+  - ./deployment.yaml
-  - deployment.yaml

manifests/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: authelia

manifests/service-account.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: authelia-controller
-  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.92"
+channel = "1.85"
 profile = "default"
 components = ["rust-analyzer"]

src/lib.rs

@@ -1,5 +1,2 @@
 pub mod context;
 pub mod resources;
-mod version;
-
-pub use version::VERSION;

src/main.rs

@@ -1,7 +1,6 @@
 use std::sync::Arc;
 use std::time::Duration;
 
-use authelia_controller::VERSION;
 use authelia_controller::context::Context;
 use authelia_controller::resources::AccessControlRule;
 use color_eyre::eyre::Context as _;
@@ -40,7 +39,7 @@ async fn main() -> color_eyre::Result<()> {
         })
         .unwrap_or(Ok(15))?;
 
-    info!(version = VERSION, "Starting");
+    info!("Starting");
 
     let client = Client::try_default().await?;
     let access_control_rules = Api::<AccessControlRule>::all(client.clone());

src/resources/access_control_rule.rs

@@ -29,23 +29,17 @@ enum AccessPolicy {
 )]
 #[kube(
     shortname = "acl",
-    doc = "Custom resource for managing authelia access rules",
+    doc = "Custom resource for managing authelia access rules"
-    printcolumn = r#"{"name":"Domain", "type":"string", "jsonPath":".spec.domain"}"#,
-    printcolumn = r#"{"name":"Policy", "type":"string", "jsonPath":".spec.policy"}"#,
-    printcolumn = r#"{"name":"Subject", "type":"string", "jsonPath":".spec.subject"}"#,
-    printcolumn = r#"{"name":"Age", "type":"date", "jsonPath":".metadata.creationTimestamp"}"#
 )]
 #[serde(rename_all = "camelCase")]
 pub struct AccessControlRuleSpec {
     domain: String,
     policy: AccessPolicy,
-    subject: Option<String>,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
 struct AccessControl {
     rules: Vec<AccessControlRuleSpec>,
-    default_policy: AccessPolicy,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
@@ -61,22 +55,14 @@ impl AccessControlRule {
         debug!("Updating acl");
         rules.sort_by_cached_key(|rule| rule.name_any());
 
-        let rules: Vec<_> = rules
+        let rules = rules
             .iter()
             .inspect(|rule| trace!(name = rule.name_any(), "Rule found"))
             .map(|rule| rule.spec.clone())
             .collect();
 
         let top = TopLevel {
-            access_control: AccessControl {
+            access_control: AccessControl { rules },
-                // TODO: Make sure configurable?
-                default_policy: if rules.is_empty() {
-                    AccessPolicy::OneFactor
-                } else {
-                    AccessPolicy::Deny
-                },
-                rules,
-            },
         };
 
         let contents = BTreeMap::from([(
@@ -86,7 +72,6 @@ impl AccessControlRule {
 
         let secret = Secret {
             metadata: ObjectMeta {
-                name: Some(ctx.secret_name.clone()),
                 ..Default::default()
             },
             string_data: Some(contents),

src/version.rs

@@ -1,11 +0,0 @@
-pub const VERSION: &str = get_version();
-
-const fn get_version() -> &'static str {
-    if let Some(version) = std::option_env!("RELEASE_VERSION")
-        && !version.is_empty()
-    {
-        version
-    } else {
-        git_version::git_version!(fallback = "unknown")
-    }
-}

yaml/rule-test-2.yaml

@@ -5,4 +5,3 @@ metadata:
 spec:
   domain: "test-2.domain"
   policy: one_factor
-  subject: group:lldap_admin