Add COPY instruction for migration directory to Dockerfile to fix
build failure. The migration crate is a path dependency required
by the main barycenter package.
Fixes Docker build error:
error: failed to get `migration` as a dependency of package `barycenter`
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Replace raw SQL CREATE TABLE statements with proper SeaORM migration
system. This eliminates verbose SQL logs on startup and provides
proper migration tracking and rollback support.
Changes:
- Add sea-orm-migration dependency and migration crate
- Create initial migration (m20250101_000001) with all 8 tables
- Update storage::init() to only connect to database
- Run migrations automatically in main.rs on startup
- Remove unused detect_backend() function and imports
The migration system properly handles both SQLite and PostgreSQL
backends with appropriate type handling (e.g., BIGSERIAL vs INTEGER
for auto-increment columns).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add support for valueFrom in environment variables for both main
container and user-sync init container. This enables injecting
values from secrets, configMaps, fieldRefs, and resourceFieldRefs
instead of only hardcoded values.
Updated deployment template to use toYaml for env rendering,
allowing full Kubernetes env var specifications. Added comprehensive
documentation and examples in values.yaml.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add --config flag to both main container and user-sync init container
to explicitly specify the mounted config file path at /app/config/config.toml.
This fixes deserialization errors when the application couldn't find the
config file in the default working directory.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Enable public registration in integration tests via environment variable
BARYCENTER__SERVER__ALLOW_PUBLIC_REGISTRATION=true
- Fix environment variable prefix from CRABIDP to BARYCENTER to match
documentation in CLAUDE.md
- All 4 integration tests now pass successfully
Fixes:
- test_oauth2_authorization_code_flow
- test_openidconnect_authorization_code_flow
- test_security_headers
- test_token_endpoint_cache_control
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add userSync configuration to values.yaml (existingSecret only)
- Add conditional init container to deployment.yaml
- Create comprehensive README.md with:
- Installation and configuration instructions
- User sync workflow and examples
- Troubleshooting guide
- Security best practices
- Add examples/user-sync-secret.yaml with sample users
- Support declarative user management for Kubernetes/GitOps
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Cargo.lock should be committed for applications (not libraries) to ensure
reproducible builds across environments. This is required for Docker builds
and is the recommended practice per Rust guidelines.
Removed Cargo.lock from:
- .gitignore
- .dockerignore
This fixes the Docker build error:
ERROR: "/Cargo.lock": not found
The {{branch}} placeholder is empty for tag pushes, resulting in
invalid tags like '-f7184b4'. Changed to use 'sha-' prefix instead.
Tags will now be:
- ghcr.io/.../barycenter:0.2.0-alpha.3
- ghcr.io/.../barycenter:sha-f7184b4
Disable major and minor version tags for pre-release versions (alpha, beta, rc)
since semver pattern extraction doesn't work correctly with pre-release suffixes.
This fixes the error:
ERROR: failed to build: invalid tag "ghcr.io/.../barycenter:-1171167"
Pre-release versions will now only get:
- Full version tag: v0.2.0-alpha.1
- SHA tag: main-<sha>
Stable releases will continue to get all tags:
- Full version: v1.0.0
- Major.minor: 1.0
- Major: 1
- SHA: main-<sha>
Also added missing id to build step for attestation.
Add comprehensive release automation:
**GitHub Actions Release Workflow:**
- Triggers on version tags (v*.*.*)
- Builds multi-platform Docker images (amd64, arm64)
- Publishes to GitHub Container Registry (ghcr.io)
- Creates GitHub Releases with auto-generated changelogs
- Generates build provenance attestations for supply chain security
- Semantic versioning with tag variants (v1.0.0, 1.0, 1)
**cargo-release Configuration:**
- Automated version bumping in Cargo.toml
- Updates CHANGELOG.md with version and date
- Syncs Helm chart versions (Chart.yaml)
- Creates git tags and commits
- Pushes to remote automatically
- Enforces main branch releases
**Release Documentation:**
- RELEASE.md with complete release process guide
- CHANGELOG.md following Keep a Changelog format
- Updated README.md with deployment and release sections
- Instructions for patch, minor, and major releases
- Dry-run support for testing
- Hotfix and rollback procedures
**Usage:**
To create a release, simply run:
cargo install cargo-release
cargo release minor --execute
This will:
1. Bump version in all relevant files
2. Update changelog
3. Create git tag
4. Trigger Docker image build and publish
5. Create GitHub Release with notes
Docker images will be available at:
ghcr.io/[owner]/barycenter:v1.0.0
ghcr.io/[owner]/barycenter:1.0
ghcr.io/[owner]/barycenter:1
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Replace all remaining references to "crabidp" with "barycenter" across:
- Source code (error diagnostics, CLI name, comments)
- Configuration files and defaults
- Environment variable prefixes (CRABIDP__ → BARYCENTER__)
- Documentation (CLAUDE.md, README.md, DEPLOYMENT.md)
- Deployment configurations (Docker Compose, Helm, systemd, FreeBSD, illumos)
- Database filenames (crabidp.db → barycenter.db)
Add Kubernetes Gateway API support to Helm chart:
- New HTTPRoute template for Gateway API
- Configurable parentRefs, hostnames, filters, and weights
- Support for advanced traffic management features
- Gateway API as modern alternative to traditional Ingress
- Documentation and examples in DEPLOYMENT.md
Benefits of Gateway API:
- More expressive and extensible routing
- Role-oriented design with separation of concerns
- Better vendor portability
- Advanced traffic management capabilities
The Helm chart now supports both traditional Ingress and
Gateway API, allowing users to choose based on their cluster
capabilities and requirements.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Update TestServer::start() to properly locate the barycenter binary
by navigating from target/debug/deps/ (test binary location) up to
target/debug/ where the main binary resides. This fixes the "No such
file or directory" errors that were causing all integration tests to fail.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Problem:
- Security audit fails on vulnerabilities we cannot fix
- RUSTSEC-2023-0071: RSA crate vulnerability (transitive dependency, no fix)
- RUSTSEC-2025-0120: json5 unmaintained (transitive dependency)
Solution:
- Use --ignore flags to exclude known unfixable advisories
- Keep continue-on-error as defense in depth
- Document why each vulnerability is ignored
These are transitive dependencies from openidconnect and config crates.
We'll track updates to those crates that may resolve these issues.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
