Compare commits
10 Commits
7735f363f0
..
0.4.5
| Author | SHA1 | Date | |
|---|---|---|---|
 t.behrendt
|
02432eaec4
|
||
|
t.behrendt
|
1c0ef88c8e
|
||
|
t.behrendt
|
f97cf9070e
|
||
|
t.behrendt
|
e87344958c
|
||
 renovate-bot
|
f5114b26fb | ||
|
renovate-bot
|
78cb50d3a6 | ||
|
renovate-bot
|
eaa8f2eb98 | ||
|
renovate-bot
|
fd75e6314e | ||
|
t.behrendt
|
26bd576690 | ||
|
t.behrendt
|
2a091df8b9 |
@@ -1,6 +1,7 @@
|
||||
*
|
||||
|
||||
!pkg
|
||||
!internal
|
||||
!controller.go
|
||||
!main.go
|
||||
!go.mod
|
||||
|
||||
+21
-64
@@ -10,48 +10,15 @@ on:
|
||||
- "**/*.go"
|
||||
- "Dockerfile"
|
||||
- "Makefile"
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
DOCKER_REGISTRY: gitea.t000-n.de
|
||||
|
||||
jobs:
|
||||
build_and_push:
|
||||
name: Build and push
|
||||
strategy:
|
||||
matrix:
|
||||
arch: [amd64]
|
||||
runs-on:
|
||||
- ubuntu-latest
|
||||
- linux_${{ matrix.arch }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
||||
- name: Login to Registry
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: ${{ env.DOCKER_REGISTRY }}
|
||||
username: ${{ secrets.REGISTRY_USER }}
|
||||
password: ${{ secrets.REGISTRY_PASSWORD }}
|
||||
- name: Get Metadata
|
||||
id: meta
|
||||
run: |
|
||||
echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}' | tr '[:upper:]' '[:lower:]') >> $GITHUB_OUTPUT
|
||||
echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
|
||||
- name: Build and push
|
||||
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
|
||||
with:
|
||||
context: .
|
||||
file: ./Dockerfile
|
||||
platforms: linux/${{ matrix.arch }}
|
||||
push: true
|
||||
provenance: false
|
||||
build-args: GOARCH=${{ matrix.arch }}
|
||||
tags: |
|
||||
${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-${{ matrix.arch }}
|
||||
|
||||
create_tag:
|
||||
name: Create tag
|
||||
runs-on: ubuntu-latest
|
||||
@@ -73,32 +40,22 @@ jobs:
|
||||
run: |
|
||||
echo "tag=${{ steps.tag.outputs.new-tag }}" >> $GITHUB_OUTPUT
|
||||
|
||||
create_manifest:
|
||||
name: Create manifest
|
||||
needs:
|
||||
- build_and_push
|
||||
- create_tag
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
build_and_push_image:
|
||||
needs: create_tag
|
||||
uses: https://gitea.t000-n.de/t.behrendt/gitea-workflows/.gitea/workflows/build-container.yaml@0.1.1
|
||||
with:
|
||||
registry: gitea.t000-n.de/t.behrendt
|
||||
registry-user: ${{ secrets.REGISTRY_USER }}
|
||||
registry-password: ${{ secrets.REGISTRY_PASSWORD }}
|
||||
repo-name: authentik-kubernetes-operator
|
||||
tag: ${{ needs.create_tag.outputs.tag }}
|
||||
|
||||
- name: Get Metadata
|
||||
id: meta
|
||||
run: |
|
||||
echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}' | tr '[:upper:]' '[:lower:]') >> $GITHUB_OUTPUT
|
||||
echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Login to Registry
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: ${{ env.DOCKER_REGISTRY }}
|
||||
username: ${{ secrets.REGISTRY_USER }}
|
||||
password: ${{ secrets.REGISTRY_PASSWORD }}
|
||||
|
||||
- name: Create manifest
|
||||
run: |
|
||||
docker manifest create ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ needs.create_tag.outputs.tag }} \
|
||||
${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-amd64
|
||||
|
||||
docker manifest push ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ needs.create_tag.outputs.tag }}
|
||||
deploy:
|
||||
needs: build_and_push_image
|
||||
uses: https://gitea.t000-n.de/t.behrendt/k_deploy_workflows/.gitea/workflows/deploy.yaml@1.1.0
|
||||
with:
|
||||
k8s_dir: ./k8s
|
||||
namespace: authentik-kubernetes-operator
|
||||
skip_helm_deployment: true
|
||||
skip_shared_secrets_deployment: true
|
||||
secrets: inherit
|
||||
|
||||
@@ -20,7 +20,7 @@ codegen:
|
||||
test: test-unit test-coverage
|
||||
|
||||
test-unit:
|
||||
go test . -coverprofile=coverage.out
|
||||
go test ./... -coverprofile=coverage.out
|
||||
|
||||
test-coverage:
|
||||
go tool gcov2lcov -infile coverage.out > lcov.info
|
||||
|
||||
@@ -34,9 +34,11 @@ spec:
|
||||
invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
|
||||
# The external host of your application.
|
||||
external_host: https://example.t00n.de
|
||||
# The ID of the outpost, which at current point in time can only be retrieved from Authentik directly. In this example: "Proxy-Forward-Auth-Auto"
|
||||
outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
|
||||
```
|
||||
|
||||
The ProxyProvider will be created in Authentik, but will not be assigned to an outpost or an application (Resources are TBD).
|
||||
The ProxyProvider will be created in Authentik and assigned to the configured outpost.
|
||||
|
||||
### Application
|
||||
|
||||
@@ -54,8 +56,6 @@ spec:
|
||||
slug: application-example
|
||||
# The ID of the provider, which can be retrieved from e.g. the ProxyPRovider via "kubectl get pp proxy-provider-example -o jsonpath='{.status.pk}'"
|
||||
provider: 105
|
||||
# The ID of the outpost, which at current point in time, can only be retrieved from Authentik directly. This value can also not be updated.
|
||||
outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
|
||||
```
|
||||
|
||||
### PolicyBinding
|
||||
|
||||
@@ -16,6 +16,9 @@ spec:
|
||||
- name: PK
|
||||
type: string
|
||||
jsonPath: .status.pk
|
||||
- name: Outpost
|
||||
type: string
|
||||
jsonPath: .spec.outpost
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
@@ -31,11 +34,15 @@ spec:
|
||||
type: string
|
||||
external_host:
|
||||
type: string
|
||||
outpost:
|
||||
type: string
|
||||
format: uuid
|
||||
required:
|
||||
- name
|
||||
- authorization_flow
|
||||
- invalidation_flow
|
||||
- external_host
|
||||
- outpost
|
||||
status:
|
||||
type: object
|
||||
properties:
|
||||
|
||||
@@ -9,4 +9,4 @@ spec:
|
||||
authorization_flow: 16896c6d-b326-42d1-8d3f-93f32921962e
|
||||
invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
|
||||
external_host: https://example.t00n.de
|
||||
outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
|
||||
outpost: ce8f74c0-88cd-47fe-96f5-d6507b739ceb
|
||||
|
||||
@@ -7,9 +7,9 @@ godebug default=go1.26
|
||||
require (
|
||||
goauthentik.io/api/v3 v3.2026020.16
|
||||
golang.org/x/time v0.15.0
|
||||
k8s.io/api v0.36.0
|
||||
k8s.io/apimachinery v0.36.0
|
||||
k8s.io/client-go v0.36.0
|
||||
k8s.io/api v0.36.1
|
||||
k8s.io/apimachinery v0.36.1
|
||||
k8s.io/client-go v0.36.1
|
||||
k8s.io/klog/v2 v2.140.0
|
||||
k8s.io/kube-openapi v0.0.0-20260511211612-da4e56fe5676
|
||||
sigs.k8s.io/structured-merge-diff/v6 v6.4.0
|
||||
|
||||
@@ -123,14 +123,20 @@ k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec h1:xf12Yh3ltN4fnNyP0CyyM0TwNVnZDfL
|
||||
k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec/go.mod h1:C+fcNlNQ9TcKHspN+DD7UybdfnjDAGyBjfCd6W7ogbY=
|
||||
k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
|
||||
k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
|
||||
k8s.io/api v0.36.1 h1:XbL/EMj8K2aJpJtePmqUyQMsM0D4QI2pvl7YKJ20FTY=
|
||||
k8s.io/api v0.36.1/go.mod h1:KOWo4ey3TINlXjeHVuwB3i+tXXnu+UcwFBHlI/9dvEo=
|
||||
k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42 h1:rWdGOTor3z0WSyZcRl9ms4dn9Cw9CqmNBqXuf2z0k1k=
|
||||
k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42/go.mod h1:hiubQ6UTHIdr0bS8ExXOJEywFVOoudnldm/l/NiNVlA=
|
||||
k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
|
||||
k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc=
|
||||
k8s.io/apimachinery v0.36.1 h1:G63Gjx2W+q0YD+72Vo8oY0nDnePVwnuzTmmy5ENrVSA=
|
||||
k8s.io/apimachinery v0.36.1/go.mod h1:ibYOR00vW/I1kzvi5SF0dRuJ52BvKtfvRdOn35GPQ+8=
|
||||
k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940 h1:n5t5Jx3VpLdiAGxIvIHsZDmsExtZVwghUPLM3wFi6Go=
|
||||
k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940/go.mod h1:0e7OLwg7kdXISVFwn7ishFdvxfVgi7wsqHqsQPHl61w=
|
||||
k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c=
|
||||
k8s.io/client-go v0.36.0/go.mod h1:ZKKcpwF0aLYfkHFCjillCKaTK/yBkEDHTDXCFY6AS9Y=
|
||||
k8s.io/client-go v0.36.1 h1:FN/K8QIT2CEDt+2WB2HnWrUANZ50AP5GII43/SP2JR0=
|
||||
k8s.io/client-go v0.36.1/go.mod h1:s6rAnCtTGYDQnpNjEhSaISV+2O8jwruZ6m3QOYBFbtU=
|
||||
k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
|
||||
k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
|
||||
k8s.io/kube-openapi v0.0.0-20260511211612-da4e56fe5676 h1:ahjrVu/DBcaAhw/GcblfaOvvQ2wi8kqXWvn62nud3UU=
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
---
|
||||
@@ -212,9 +212,13 @@ func (c *ProxyProviderController) reconcileUpdate(ctx context.Context, pp *v1alp
|
||||
if err != nil {
|
||||
return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyPartialUpdate`: %w with response %v", err, r)
|
||||
}
|
||||
|
||||
pp.Status.PK = strconv.Itoa(int(resp.Pk))
|
||||
|
||||
err = c.reconcileOutpost(ctx, pp.Spec.Outpost, int32(pk), ReconcileOutpostModeAdd)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error when calling `reconcileOutpost`: %w", err)
|
||||
}
|
||||
|
||||
return c.updateProxyProviderStatus(ctx, pp)
|
||||
}
|
||||
|
||||
|
||||
@@ -123,6 +123,7 @@ func TestController_syncHandler_update(t *testing.T) {
|
||||
pp.Status.PK = "42"
|
||||
pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
|
||||
|
||||
var outpostPartialUpdateCalled bool
|
||||
server := newAuthentikTestServer(t, authentikTestHandlers{
|
||||
allRetrieve: func(w http.ResponseWriter, _ *http.Request) {
|
||||
writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
|
||||
@@ -130,6 +131,20 @@ func TestController_syncHandler_update(t *testing.T) {
|
||||
proxyPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
|
||||
writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
|
||||
},
|
||||
outpostRetrieve: outpostRetrieveHandler(t, nil),
|
||||
outpostPartialUpdate: func(w http.ResponseWriter, r *http.Request) {
|
||||
outpostPartialUpdateCalled = true
|
||||
var body struct {
|
||||
Providers []int32 `json:"providers"`
|
||||
}
|
||||
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
|
||||
t.Fatalf("decode outpost patch body: %v", err)
|
||||
}
|
||||
if !slices.Contains(body.Providers, 42) {
|
||||
t.Fatalf("patched providers = %v, want to contain 42", body.Providers)
|
||||
}
|
||||
writeJSON(t, w, http.StatusOK, map[string]any{"pk": testOutpostID, "providers": body.Providers})
|
||||
},
|
||||
})
|
||||
t.Cleanup(server.Close)
|
||||
|
||||
@@ -140,6 +155,9 @@ func TestController_syncHandler_update(t *testing.T) {
|
||||
if err != nil {
|
||||
t.Fatalf("syncHandler() error = %v", err)
|
||||
}
|
||||
if !outpostPartialUpdateCalled {
|
||||
t.Fatal("expected Authentik outpost partial update call")
|
||||
}
|
||||
|
||||
got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
|
||||
if got.Status.PK != "42" {
|
||||
|
||||
Reference in New Issue
Block a user