feat: vertical slice application -> provider -> binding (#4 )

Co-authored-by: Timo Behrendt <t.behrendt@t00n.de> Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>
ci: fix Makefile test (#10 )
2026-05-25 17:14:35 +02:00 · 2026-05-25 13:21:26 +02:00
7 changed files with 36 additions and 6 deletions
@@ -1,6 +1,7 @@
 *

 !pkg
+!internal
 !controller.go
 !main.go
 !go.mod
@@ -20,7 +20,7 @@ codegen:
 test: test-unit test-coverage

 test-unit:
-	go test . -coverprofile=coverage.out
+	go test ./... -coverprofile=coverage.out

 test-coverage:
 	go tool gcov2lcov -infile coverage.out > lcov.info
@@ -34,9 +34,11 @@ spec:
  invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
  # The external host of your application.
  external_host: https://example.t00n.de
+  # The ID of the outpost, which at current point in time can only be retrieved from Authentik directly. In this example: "Proxy-Forward-Auth-Auto"
+  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
 ```

-The ProxyProvider will be created in Authentik, but will not be assigned to an outpost or an application (Resources are TBD).
+The ProxyProvider will be created in Authentik and assigned to the configured outpost.

 ### Application

@@ -54,8 +56,6 @@ spec:
  slug: application-example
  # The ID of the provider, which can be retrieved from e.g. the ProxyPRovider via "kubectl get pp proxy-provider-example -o jsonpath='{.status.pk}'"
  provider: 105
-  # The ID of the outpost, which at current point in time, can only be retrieved from Authentik directly. This value can also not be updated.
-  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
 ```

 ### PolicyBinding
@@ -16,6 +16,9 @@ spec:
        - name: PK
          type: string
          jsonPath: .status.pk
+        - name: Outpost
+          type: string
+          jsonPath: .spec.outpost
      schema:
        openAPIV3Schema:
          type: object
@@ -31,11 +34,15 @@ spec:
                  type: string
                external_host:
                  type: string
+                outpost:
+                  type: string
+                  format: uuid
              required:
                - name
                - authorization_flow
                - invalidation_flow
                - external_host
+                - outpost
            status:
              type: object
              properties:
@@ -9,4 +9,4 @@ spec:
  authorization_flow: 16896c6d-b326-42d1-8d3f-93f32921962e
  invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
  external_host: https://example.t00n.de
-  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
+  outpost: ce8f74c0-88cd-47fe-96f5-d6507b739ceb
@@ -212,9 +212,13 @@ func (c *ProxyProviderController) reconcileUpdate(ctx context.Context, pp *v1alp
 	if err != nil {
 		return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyPartialUpdate`: %w with response %v", err, r)
 	}
-
 	pp.Status.PK = strconv.Itoa(int(resp.Pk))

+	err = c.reconcileOutpost(ctx, pp.Spec.Outpost, int32(pk), ReconcileOutpostModeAdd)
+	if err != nil {
+		return fmt.Errorf("error when calling `reconcileOutpost`: %w", err)
+	}
+
 	return c.updateProxyProviderStatus(ctx, pp)
 }

@@ -123,6 +123,7 @@ func TestController_syncHandler_update(t *testing.T) {
 	pp.Status.PK = "42"
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}

+	var outpostPartialUpdateCalled bool
 	server := newAuthentikTestServer(t, authentikTestHandlers{
 		allRetrieve: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
@@ -130,6 +131,20 @@ func TestController_syncHandler_update(t *testing.T) {
 		proxyPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
 		},
+		outpostRetrieve: outpostRetrieveHandler(t, nil),
+		outpostPartialUpdate: func(w http.ResponseWriter, r *http.Request) {
+			outpostPartialUpdateCalled = true
+			var body struct {
+				Providers []int32 `json:"providers"`
+			}
+			if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+				t.Fatalf("decode outpost patch body: %v", err)
+			}
+			if !slices.Contains(body.Providers, 42) {
+				t.Fatalf("patched providers = %v, want to contain 42", body.Providers)
+			}
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": testOutpostID, "providers": body.Providers})
+		},
 	})
 	t.Cleanup(server.Close)

@@ -140,6 +155,9 @@ func TestController_syncHandler_update(t *testing.T) {
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
+	if !outpostPartialUpdateCalled {
+		t.Fatal("expected Authentik outpost partial update call")
+	}

 	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
 	if got.Status.PK != "42" {
Author	SHA1	Message	Date
t.behrendt	26bd576690	feat: vertical slice application -> provider -> binding (#4 ) CD / Create tag (push) Successful in 11s Details CD / Build and push (amd64) (push) Successful in 1m32s Details CD / Create manifest (push) Successful in 7s Details Co-authored-by: Timo Behrendt <t.behrendt@t00n.de> Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>	2026-05-25 17:14:35 +02:00
t.behrendt	2a091df8b9	ci: fix Makefile test (#10 ) CD / Build and push (amd64) (push) Successful in 1m31s Details CD / Create tag (push) Successful in 12s Details CD / Create manifest (push) Successful in 19s Details Reviewed-on: #10 Co-authored-by: Timo Behrendt <t.behrendt@t00n.de> Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>	2026-05-25 13:21:26 +02:00