feat: allow proxy provider to reference an outpost to be added to

.dockerignore

@@ -1,7 +1,6 @@
 *
 
 !pkg
-!internal
 !controller.go
 !main.go
 !go.mod

.gitea/workflows/cd.yaml

@@ -28,9 +28,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: Login to Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.DOCKER_REGISTRY }}
           username: ${{ secrets.REGISTRY_USER }}
@@ -41,7 +41,7 @@ jobs:
           echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}' | tr '[:upper:]' '[:lower:]') >> $GITHUB_OUTPUT
           echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
       - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           file: ./Dockerfile
@@ -90,7 +90,7 @@ jobs:
           echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
 
       - name: Login to Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.DOCKER_REGISTRY }}
           username: ${{ secrets.REGISTRY_USER }}

Makefile

@@ -20,7 +20,7 @@ codegen:
 test: test-unit test-coverage
 
 test-unit:
-	go test ./... -coverprofile=coverage.out
+	go test . -coverprofile=coverage.out
 
 test-coverage:
 	go tool gcov2lcov -infile coverage.out > lcov.info

README.md

@@ -34,11 +34,9 @@ spec:
   invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
   # The external host of your application.
   external_host: https://example.t00n.de
-  # The ID of the outpost, which at current point in time can only be retrieved from Authentik directly. In this example: "Proxy-Forward-Auth-Auto"
-  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
 ```
 
-The ProxyProvider will be created in Authentik and assigned to the configured outpost.
+The ProxyProvider will be created in Authentik, but will not be assigned to an outpost or an application (Resources are TBD).
 
 ### Application
 
@@ -56,6 +54,8 @@ spec:
   slug: application-example
   # The ID of the provider, which can be retrieved from e.g. the ProxyPRovider via "kubectl get pp proxy-provider-example -o jsonpath='{.status.pk}'"
   provider: 105
+  # The ID of the outpost, which at current point in time, can only be retrieved from Authentik directly. This value can also not be updated.
+  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
 ```
 
 ### PolicyBinding

artifacts/crd/proxyProvider.yaml

@@ -16,9 +16,6 @@ spec:
         - name: PK
           type: string
           jsonPath: .status.pk
-        - name: Outpost
-          type: string
-          jsonPath: .spec.outpost
       schema:
         openAPIV3Schema:
           type: object
@@ -34,15 +31,11 @@ spec:
                   type: string
                 external_host:
                   type: string
-                outpost:
-                  type: string
-                  format: uuid
               required:
                 - name
                 - authorization_flow
                 - invalidation_flow
                 - external_host
-                - outpost
             status:
               type: object
               properties:

artifacts/examples/proxyProvider.yaml

@@ -9,4 +9,4 @@ spec:
   authorization_flow: 16896c6d-b326-42d1-8d3f-93f32921962e
   invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
   external_host: https://example.t00n.de
-  outpost: ce8f74c0-88cd-47fe-96f5-d6507b739ceb
+  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f

go.mod

@@ -7,9 +7,9 @@ godebug default=go1.26
 require (
 	goauthentik.io/api/v3 v3.2026020.16
 	golang.org/x/time v0.15.0
-	k8s.io/api v0.36.1
-	k8s.io/apimachinery v0.36.1
-	k8s.io/client-go v0.36.1
+	k8s.io/api v0.36.0
+	k8s.io/apimachinery v0.36.0
+	k8s.io/client-go v0.36.0
 	k8s.io/klog/v2 v2.140.0
 	k8s.io/kube-openapi v0.0.0-20260511211612-da4e56fe5676
 	sigs.k8s.io/structured-merge-diff/v6 v6.4.0

go.sum

@@ -123,20 +123,14 @@ k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec h1:xf12Yh3ltN4fnNyP0CyyM0TwNVnZDfL
 k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec/go.mod h1:C+fcNlNQ9TcKHspN+DD7UybdfnjDAGyBjfCd6W7ogbY=
 k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
 k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
-k8s.io/api v0.36.1 h1:XbL/EMj8K2aJpJtePmqUyQMsM0D4QI2pvl7YKJ20FTY=
-k8s.io/api v0.36.1/go.mod h1:KOWo4ey3TINlXjeHVuwB3i+tXXnu+UcwFBHlI/9dvEo=
 k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42 h1:rWdGOTor3z0WSyZcRl9ms4dn9Cw9CqmNBqXuf2z0k1k=
 k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42/go.mod h1:hiubQ6UTHIdr0bS8ExXOJEywFVOoudnldm/l/NiNVlA=
 k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
 k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc=
-k8s.io/apimachinery v0.36.1 h1:G63Gjx2W+q0YD+72Vo8oY0nDnePVwnuzTmmy5ENrVSA=
-k8s.io/apimachinery v0.36.1/go.mod h1:ibYOR00vW/I1kzvi5SF0dRuJ52BvKtfvRdOn35GPQ+8=
 k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940 h1:n5t5Jx3VpLdiAGxIvIHsZDmsExtZVwghUPLM3wFi6Go=
 k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940/go.mod h1:0e7OLwg7kdXISVFwn7ishFdvxfVgi7wsqHqsQPHl61w=
 k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c=
 k8s.io/client-go v0.36.0/go.mod h1:ZKKcpwF0aLYfkHFCjillCKaTK/yBkEDHTDXCFY6AS9Y=
-k8s.io/client-go v0.36.1 h1:FN/K8QIT2CEDt+2WB2HnWrUANZ50AP5GII43/SP2JR0=
-k8s.io/client-go v0.36.1/go.mod h1:s6rAnCtTGYDQnpNjEhSaISV+2O8jwruZ6m3QOYBFbtU=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260511211612-da4e56fe5676 h1:ahjrVu/DBcaAhw/GcblfaOvvQ2wi8kqXWvn62nud3UU=

pkg/controllers/proxyprovider/controller.go

@@ -212,12 +212,8 @@ func (c *ProxyProviderController) reconcileUpdate(ctx context.Context, pp *v1alp
 	if err != nil {
 		return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyPartialUpdate`: %w with response %v", err, r)
 	}
-	pp.Status.PK = strconv.Itoa(int(resp.Pk))
 
-	err = c.reconcileOutpost(ctx, pp.Spec.Outpost, int32(pk), ReconcileOutpostModeAdd)
-	if err != nil {
-		return fmt.Errorf("error when calling `reconcileOutpost`: %w", err)
-	}
+	pp.Status.PK = strconv.Itoa(int(resp.Pk))
 
 	return c.updateProxyProviderStatus(ctx, pp)
 }

pkg/controllers/proxyprovider/controller_test.go

@@ -123,7 +123,6 @@ func TestController_syncHandler_update(t *testing.T) {
 	pp.Status.PK = "42"
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 
-	var outpostPartialUpdateCalled bool
 	server := newAuthentikTestServer(t, authentikTestHandlers{
 		allRetrieve: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
@@ -131,20 +130,6 @@ func TestController_syncHandler_update(t *testing.T) {
 		proxyPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
 		},
-		outpostRetrieve: outpostRetrieveHandler(t, nil),
-		outpostPartialUpdate: func(w http.ResponseWriter, r *http.Request) {
-			outpostPartialUpdateCalled = true
-			var body struct {
-				Providers []int32 `json:"providers"`
-			}
-			if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
-				t.Fatalf("decode outpost patch body: %v", err)
-			}
-			if !slices.Contains(body.Providers, 42) {
-				t.Fatalf("patched providers = %v, want to contain 42", body.Providers)
-			}
-			writeJSON(t, w, http.StatusOK, map[string]any{"pk": testOutpostID, "providers": body.Providers})
-		},
 	})
 	t.Cleanup(server.Close)
 
@@ -155,9 +140,6 @@ func TestController_syncHandler_update(t *testing.T) {
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
-	if !outpostPartialUpdateCalled {
-		t.Fatal("expected Authentik outpost partial update call")
-	}
 
 	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
 	if got.Status.PK != "42" {