ci: deploy job to inherit secrets

Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>

.dockerignore

@@ -1,6 +1,7 @@
 *
 
 !pkg
+!internal
 !controller.go
 !main.go
 !go.mod

.gitea/workflows/cd.yaml

@@ -10,48 +10,15 @@ on:
       - "**/*.go"
       - "Dockerfile"
       - "Makefile"
+  pull_request:
+    branches:
+      - main
   workflow_dispatch:
 
 env:
   DOCKER_REGISTRY: gitea.t000-n.de
 
 jobs:
-  build_and_push:
-    name: Build and push
-    strategy:
-      matrix:
-        arch: [amd64]
-    runs-on:
-      - ubuntu-latest
-      - linux_${{ matrix.arch }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - name: Login to Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-      - name: Get Metadata
-        id: meta
-        run: |
-          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}' | tr '[:upper:]' '[:lower:]') >> $GITHUB_OUTPUT
-          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
-      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/${{ matrix.arch }}
-          push: true
-          provenance: false
-          build-args: GOARCH=${{ matrix.arch }}
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-${{ matrix.arch }}
-
   create_tag:
     name: Create tag
     runs-on: ubuntu-latest
@@ -73,32 +40,21 @@ jobs:
         run: |
           echo "tag=${{ steps.tag.outputs.new-tag }}" >> $GITHUB_OUTPUT
 
-  create_manifest:
-    name: Create manifest
-    needs:
-      - build_and_push
-      - create_tag
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Get Metadata
-        id: meta
-        run: |
-          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}' | tr '[:upper:]' '[:lower:]') >> $GITHUB_OUTPUT
-          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
-
-      - name: Login to Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+  build_and_push_image:
+    needs: create_tag
+    uses: https://gitea.t000-n.de/t.behrendt/gitea-workflows/.gitea/workflows/build-container.yaml@0.1.1
     with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
+      registry: gitea.t000-n.de/t.behrendt
+      registry-user: ${{ secrets.REGISTRY_USER }}
+      registry-password: ${{ secrets.REGISTRY_PASSWORD }}
+      repo-name: authentik-kubernetes-operator
+      tag: ${{ needs.create_tag.outputs.tag }}
 
-      - name: Create manifest
-        run: |
-          docker manifest create ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ needs.create_tag.outputs.tag }} \
-            ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-amd64
-
-          docker manifest push ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ needs.create_tag.outputs.tag }}
+  deploy:
+    needs: build_and_push_image
+    uses: https://gitea.t000-n.de/t.behrendt/k_deploy_workflows/.gitea/workflows/deploy.yaml@1.1.0
+    with:
+      k8s_dir: ./k8s
+      skip_helm_deployment: true
+      skip_shared_secrets_deployment: true
+    secrets: inherit

Makefile

@@ -20,7 +20,7 @@ codegen:
 test: test-unit test-coverage
 
 test-unit:
-	go test . -coverprofile=coverage.out
+	go test ./... -coverprofile=coverage.out
 
 test-coverage:
 	go tool gcov2lcov -infile coverage.out > lcov.info

README.md

@@ -34,9 +34,11 @@ spec:
   invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
   # The external host of your application.
   external_host: https://example.t00n.de
+  # The ID of the outpost, which at current point in time can only be retrieved from Authentik directly. In this example: "Proxy-Forward-Auth-Auto"
+  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
 ```
 
-The ProxyProvider will be created in Authentik, but will not be assigned to an outpost or an application (Resources are TBD).
+The ProxyProvider will be created in Authentik and assigned to the configured outpost.
 
 ### Application
 
@@ -54,8 +56,6 @@ spec:
   slug: application-example
   # The ID of the provider, which can be retrieved from e.g. the ProxyPRovider via "kubectl get pp proxy-provider-example -o jsonpath='{.status.pk}'"
   provider: 105
-  # The ID of the outpost, which at current point in time, can only be retrieved from Authentik directly. This value can also not be updated.
-  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
 ```
 
 ### PolicyBinding

artifacts/crd/proxyProvider.yaml

@@ -16,6 +16,9 @@ spec:
         - name: PK
           type: string
           jsonPath: .status.pk
+        - name: Outpost
+          type: string
+          jsonPath: .spec.outpost
       schema:
         openAPIV3Schema:
           type: object
@@ -31,11 +34,15 @@ spec:
                   type: string
                 external_host:
                   type: string
+                outpost:
+                  type: string
+                  format: uuid
               required:
                 - name
                 - authorization_flow
                 - invalidation_flow
                 - external_host
+                - outpost
             status:
               type: object
               properties:

artifacts/examples/proxyProvider.yaml

@@ -9,4 +9,4 @@ spec:
   authorization_flow: 16896c6d-b326-42d1-8d3f-93f32921962e
   invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
   external_host: https://example.t00n.de
-  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
+  outpost: ce8f74c0-88cd-47fe-96f5-d6507b739ceb

k8s/test.yaml

@@ -0,0 +1 @@
+---

pkg/controllers/proxyprovider/controller.go

@@ -212,9 +212,13 @@ func (c *ProxyProviderController) reconcileUpdate(ctx context.Context, pp *v1alp
 	if err != nil {
 		return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyPartialUpdate`: %w with response %v", err, r)
 	}
-
 	pp.Status.PK = strconv.Itoa(int(resp.Pk))
 
+	err = c.reconcileOutpost(ctx, pp.Spec.Outpost, int32(pk), ReconcileOutpostModeAdd)
+	if err != nil {
+		return fmt.Errorf("error when calling `reconcileOutpost`: %w", err)
+	}
+
 	return c.updateProxyProviderStatus(ctx, pp)
 }
 

pkg/controllers/proxyprovider/controller_test.go

@@ -123,6 +123,7 @@ func TestController_syncHandler_update(t *testing.T) {
 	pp.Status.PK = "42"
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 
+	var outpostPartialUpdateCalled bool
 	server := newAuthentikTestServer(t, authentikTestHandlers{
 		allRetrieve: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
@@ -130,6 +131,20 @@ func TestController_syncHandler_update(t *testing.T) {
 		proxyPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
 		},
+		outpostRetrieve: outpostRetrieveHandler(t, nil),
+		outpostPartialUpdate: func(w http.ResponseWriter, r *http.Request) {
+			outpostPartialUpdateCalled = true
+			var body struct {
+				Providers []int32 `json:"providers"`
+			}
+			if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+				t.Fatalf("decode outpost patch body: %v", err)
+			}
+			if !slices.Contains(body.Providers, 42) {
+				t.Fatalf("patched providers = %v, want to contain 42", body.Providers)
+			}
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": testOutpostID, "providers": body.Providers})
+		},
 	})
 	t.Cleanup(server.Close)
 
@@ -140,6 +155,9 @@ func TestController_syncHandler_update(t *testing.T) {
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
+	if !outpostPartialUpdateCalled {
+		t.Fatal("expected Authentik outpost partial update call")
+	}
 
 	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
 	if got.Status.PK != "42" {