feat: Add security context

fix: Outdated glibc
chore: Renamed credentials secret in deployment
2025-12-22 23:38:20 +01:00 · 2025-12-22 23:38:19 +01:00 · 2025-12-22 23:38:19 +01:00 · 2025-12-22 23:38:19 +01:00
4 changed files with 45 additions and 10 deletions
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -9,8 +9,7 @@ on:

 jobs:
  build:
-    uses: dreaded_x/workflows/.gitea/workflows/rust-kubernetes.yaml@66ab50c3ac239dbdd1e42e6276ec2e65b6a79379
+    uses: infra/workflows/.gitea/workflows/docker.yaml@956337b9bd5e72a93d3a57513cd421e7554dd61d
    secrets: inherit
    with:
-      generate_crds: true
      webhook_url: ${{ secrets.WEBHOOK_URL }}
--- a/8
+++ b/8
@@ -15,9 +15,11 @@ RUN cargo chef cook --release --recipe-path recipe.json
 COPY . .
 ARG RELEASE_VERSION
 ENV RELEASE_VERSION=${RELEASE_VERSION}
-RUN cargo auditable build --release
+RUN cargo auditable build --release && /app/target/release/crdgen > /crds.yaml

-FROM gcr.io/distroless/cc-debian12:nonroot AS runtime
+FROM scratch AS manifests
+COPY --from=builder /crds.yaml /
+
+FROM gcr.io/distroless/cc-debian13:nonroot AS runtime
 COPY --from=builder /app/target/release/lldap-controller /lldap-controller
-COPY --from=builder /app/target/release/crdgen /crdgen
 CMD ["/lldap-controller"]
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -0,0 +1,23 @@
+variable "TAG_BASE" {}
+variable "RELEASE_VERSION" {}
+
+group "default" {
+  targets = ["lldap-controller", "manifests"]
+}
+
+target "docker-metadata-action" {}
+
+target "lldap-controller" {
+  inherits = ["docker-metadata-action"]
+  context = "./"
+  dockerfile = "Dockerfile"
+  tags = [for tag in target.docker-metadata-action.tags : "${TAG_BASE}:${tag}"]
+  target = "runtime"
+}
+
+target "manifests" {
+  context = "./"
+  dockerfile = "Dockerfile"
+  target = "manifests"
+  output = [{ type = "cacheonly" }, "manifests"]
+}
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@@ -18,12 +18,17 @@ spec:
        kubectl.kubernetes.io/default-container: lldap-controller
    spec:
      serviceAccountName: lldap-controller
-      securityContext: {}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: lldap-controller
-          image: git.huizinga.dev/dreaded_x/lldap-controller@${DIGEST}
+          image: '{{ index .images "lldap-controller" }}'
          imagePullPolicy: IfNotPresent
-          securityContext: {}
          resources:
            limits:
              cpu: 200m
@@ -43,10 +48,16 @@ spec:
            - name: LLDAP_USERNAME
              value: admin
            - name: LLDAP_PASSWORD_FILE
-              value: /secrets/credentials/lldap-ldap-user-pass
+              value: /secrets/credentials/admin-pass
            - name: LLDAP_BIND_DN
              value: uid={username},ou=people,dc=huizinga,dc=dev
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
      volumes:
        - name: credentials
          secret:
-            secretName: lldap-credentials
+            secretName: credentials
Author	SHA1	Message	Date
Dreaded_X	c01501794d	feat: Add security context Some checks failed Build and deploy / build (push) Failing after 5m7s Details	2025-12-22 23:38:20 +01:00
Dreaded_X	19ab3e7da2	fix: Outdated glibc	2025-12-22 23:38:19 +01:00
Dreaded_X	1d03948fec	chore: Renamed credentials secret in deployment	2025-12-22 23:38:19 +01:00
Dreaded_X	257a341145	feat: Update to new workflow	2025-12-22 23:38:19 +01:00