chore: Update dependencies

.gitea/workflows/build.yaml

@@ -9,7 +9,8 @@ on:
 
 jobs:
   build:
-    uses: infra/workflows/.gitea/workflows/docker.yaml@956337b9bd5e72a93d3a57513cd421e7554dd61d
+    uses: dreaded_x/workflows/.gitea/workflows/rust-kubernetes.yaml@66ab50c3ac239dbdd1e42e6276ec2e65b6a79379
     secrets: inherit
     with:
+      generate_crds: true
       webhook_url: ${{ secrets.WEBHOOK_URL }}

Dockerfile

@@ -1,7 +1,7 @@
 FROM rust:1.92 AS base
 ENV CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
-RUN cargo install cargo-chef --locked --version 0.1.73 && \
-    cargo install cargo-auditable --locked --version 0.7.2
+RUN cargo install cargo-chef --locked --version 0.1.71 && \
+    cargo install cargo-auditable --locked --version 0.6.6
 WORKDIR /app
 
 FROM base AS planner
@@ -15,11 +15,9 @@ RUN cargo chef cook --release --recipe-path recipe.json
 COPY . .
 ARG RELEASE_VERSION
 ENV RELEASE_VERSION=${RELEASE_VERSION}
-RUN cargo auditable build --release && /app/target/release/crdgen > /crds.yaml
-
-FROM scratch AS manifests
-COPY --from=builder /crds.yaml /
+RUN cargo auditable build --release
 
 FROM gcr.io/distroless/cc-debian13:nonroot AS runtime
 COPY --from=builder /app/target/release/authelia-controller /authelia-controller
+COPY --from=builder /app/target/release/crdgen /crdgen
 CMD ["/authelia-controller"]

docker-bake.hcl

@@ -1,38 +0,0 @@
-variable "TAG_BASE" {}
-variable "RELEASE_VERSION" {}
-
-group "default" {
-  targets = ["authelia-controller", "manifests"]
-}
-
-target "docker-metadata-action" {}
-target "cache" {
-  cache-from = [
-    {
-      type = "gha",
-    }
-  ]
-
-  cache-to = [
-    {
-      type = "gha",
-      mode = "max"
-    }
-  ]
-}
-
-target "authelia-controller" {
-  inherits = ["docker-metadata-action", "cache"]
-  context = "./"
-  dockerfile = "Dockerfile"
-  tags = [for tag in target.docker-metadata-action.tags : "${TAG_BASE}:${tag}"]
-  target = "runtime"
-}
-
-target "manifests" {
-  inherits = ["cache"]
-  context = "./"
-  dockerfile = "Dockerfile"
-  target = "manifests"
-  output = [{ type = "cacheonly" }, "manifests"]
-}

manifests/cluster-role-binding.yaml

@@ -2,11 +2,9 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
-  namespace: authelia
 subjects:
   - kind: ServiceAccount
     name: authelia-controller
-    namespace: authelia
 roleRef:
   kind: ClusterRole
   name: authelia-controller

manifests/cluster-role.yaml

@@ -2,7 +2,6 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: authelia-controller
-  namespace: authelia
 rules:
   - apiGroups:
       - authelia.huizinga.dev

manifests/deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: authelia-controller
-  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller
@@ -19,17 +18,12 @@ spec:
         kubectl.kubernetes.io/default-container: authelia-controller
     spec:
       serviceAccountName: authelia-controller
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-        seccompProfile:
-          type: RuntimeDefault
+      securityContext: {}
       containers:
         - name: authelia-controller
-          image: '{{ index .images "authelia-controller" }}'
+          image: git.huizinga.dev/dreaded_x/authelia-controller@${DIGEST}
           imagePullPolicy: IfNotPresent
+          securityContext: {}
           resources:
             limits:
               cpu: 200m
@@ -40,9 +34,3 @@ spec:
           env:
             - name: RUST_LOG
               value: info,authelia_controller=debug
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            capabilities:
-              drop:
-                - ALL

manifests/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: authelia
 resources:
-  - namespace.yaml
-  - crds.yaml
-  - service-account.yaml
-  - cluster-role.yaml
-  - cluster-role-binding.yaml
-  - deployment.yaml
+  - ./crds.yaml
+  - ./service-account.yaml
+  - ./cluster-role.yaml
+  - ./cluster-role-binding.yaml
+  - ./deployment.yaml

manifests/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: authelia

manifests/service-account.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: authelia-controller
-  namespace: authelia
   labels:
     app: authelia-controller
     app.kubernetes.io/name: authelia-controller

src/resources/access_control_rule.rs

@@ -45,7 +45,6 @@ pub struct AccessControlRuleSpec {
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
 struct AccessControl {
     rules: Vec<AccessControlRuleSpec>,
-    default_policy: AccessPolicy,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
@@ -61,22 +60,14 @@ impl AccessControlRule {
         debug!("Updating acl");
         rules.sort_by_cached_key(|rule| rule.name_any());
 
-        let rules: Vec<_> = rules
+        let rules = rules
             .iter()
             .inspect(|rule| trace!(name = rule.name_any(), "Rule found"))
             .map(|rule| rule.spec.clone())
             .collect();
 
         let top = TopLevel {
-            access_control: AccessControl {
-                // TODO: Make sure configurable?
-                default_policy: if rules.is_empty() {
-                    AccessPolicy::OneFactor
-                } else {
-                    AccessPolicy::Deny
-                },
-                rules,
-            },
+            access_control: AccessControl { rules },
         };
 
         let contents = BTreeMap::from([(