✨ Create project

The project is created: documentation, code, artifacts and tools are now
introduced.

Signed-off-by: Elis Lulja <[email protected]>

.github/workflows/docker-publish-ghcr.yml

@@ -0,0 +1,88 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  push:
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+        with:
+          cosign-release: 'v1.4.0'
+
+
+      # Workaround: https://github.com/docker/build-push-action/issues/461
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

.github/workflows/linkcheck.yml

@@ -0,0 +1,8 @@
+name: Check Markdown links
+on: [push, pull_request]
+jobs:
+  markdown-link-check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - uses: gaurav-nelson/github-action-markdown-link-check@v1

.github/workflows/test.yml

@@ -0,0 +1,35 @@
+name: Test
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+    types: [opened, edited, reopened, synchronize]
+
+jobs:
+
+  test:
+    name: Run tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup go
+        uses: actions/setup-go@v2
+
+      - name: Cache go mod
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Checkout to repository
+        id: checkout-code
+        uses: actions/checkout@master
+
+      - name: Run tests
+        id: test-code
+        run: make test

.gitignore

@@ -4,6 +4,7 @@
 *.dll
 *.so
 *.dylib
+bin/*
 
 # Test binary, built with `go test -c`
 *.test
@@ -13,3 +14,6 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+# Other stuff
+.DS_Store

Dockerfile

@@ -0,0 +1,26 @@
+# Build binary
+FROM golang:1.17 as builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY main.go main.go
+COPY pkg/ pkg/
+
+# Build
+RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o egress-watcher *.go
+
+# Use distroless as minimal base image to package the binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/egress-watcher .
+USER nonroot:nonroot
+
+ENTRYPOINT ["/egress-watcher"]

Makefile

@@ -0,0 +1,21 @@
+IMG ?= {CONTAINER_IMAGE}
+
+test: fmt vet
+	go test ./... -coverprofile cover.out
+
+fmt:
+	go fmt ./...
+
+vet:
+	go vet ./...
+
+build: fmt vet test
+	go build -a -o bin/egress-watcher *.go
+
+# Build the docker image
+docker-build: test
+	docker build . -t ${IMG}
+
+# Push the docker image
+docker-push:
+	docker push ${IMG}

NOTICE

@@ -0,0 +1,5 @@
+egress-watcher
+
+Copyright (c) 2022 Cisco Systems, Inc. and/or its affiliates
+
+This project includes software developed at Cisco Systems, Inc. and/or its affiliates.

OWNERS.md

@@ -0,0 +1,5 @@
+This file lists the committers for the [CloudNativeSDWAN/egress-watcher](https://github.com/CloudNativeSDWAN/egress-watcher) repo.
+
+* Elis Lulja ([asimpleidea](https://github.com/asimpleidea)) ([[email protected]](mailto:[email protected]))
+* Alberto Rodriguez-Natal ([arnatal](https://github.com/arnatal)) ([[email protected]](mailto:[email protected]))
+* Lori Jakab ([ljakab](https://github.com/ljakab)) ([[email protected]](mailto:[email protected]))

README.md

@@ -1,2 +1,180 @@
-# egress-watcher
-Monitor Egress-like resources in Kubernetes and send the information to an SD-WAN controller
+# Egress Watcher
+
+![GitHub](https://img.shields.io/github/license/CloudNativeSDWAN/egress-watcher)
+![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/CloudNativeSDWAN/egress-watcher)
+[![Go Report Card](https://goreportcard.com/badge/github.com/CloudNativeSDWAN/egress-watcher)](https://goreportcard.com/report/github.com/CloudNativeSDWAN/egress-watcher)
+![GitHub Workflow Status](https://img.shields.io/github/workflow/status/CloudNativeSDWAN/egress-watcher/Test)
+![GitHub release (latest SemVer including pre-releases)](https://img.shields.io/github/v/release/CloudNativeSDWAN/egress-watcher?include_prereleases)
+
+Reflect your *Egress* definitions from different object types to your
+*SD-WAN* for processing and routes optmization.
+
+## Supported projects and providers
+
+### Supported Egress types
+
+As of now, we support egress hosts defined as *ISTIO* `ServiceEntry` objects
+and we reflect the changes we detect in them.
+
+Though only *ISTIO* is supported as of now, the project's architecture is
+designed to accomodate different types as defined by other projects.
+
+### Supported SD-WANs
+
+The project is designed to be inter-operable between different SD-WANs, which
+need to be specified in its commands.
+
+As of now, we support *vManage* as SD-WAN and it must be included as argument
+in the [run command](#run-command).
+
+## Install
+
+Make sure *Istio* is up and running properly on your Kubernetes cluster. If not
+please [install it](https://istio.io/latest/docs/setup/), first.
+
+Clone the project:
+
+```bash
+git clone https://github.com/CloudNativeSDWAN/egress-watcher.git && cd egress-watcher
+make build
+```
+
+The project is now ready to be used locally from `./bin` directory as
+`./bin/egress-watcher`
+
+## Usage
+
+### Commands
+
+There are currently two commands:
+
+* `help`: Help about any command
+* `run`: Run locally.
+
+### run command
+
+The `run` command runs the program with certain options that can be provided
+either with flags and/or a file.
+An example of a file is provided in the root directory with `settings.yaml`.
+
+`run` needs an argument specifying the SD-WAN controller it needs to work with:
+
+* for *vManage* specify `vmanage` (or `with-vmanage`)
+
+Currently it supports the following flags:
+
+* `--context`: the context of the kubeconfig to use. **This flag is not
+supported yet and will be silently ignored**.
+* `--kubeconfig`: path to the kubeconfig file to use. **This flag is not
+supported yet and will be silently ignored: the default kubeconfig is used**.
+* `--settings-file`: path to settings file to load. This is optional. Take a
+look at `settings.yaml` in this same directory to view an example.
+* `--sdwan.base-url`: sdwan's base url to use when forming requests.
+  Must be in the form of `http(s)://<host:port>/path`, e.g.
+  `http://example.com:9876/api` or `https://10.11.12.13:1234/my/path`. This is
+**required**, unless this value is provided from file with `--settings-file`.
+* `--watch-all-service-entries, -w`: watch all `ServiceEntry` objects without
+the need for manual `egress-watch: enabled` label.
+To ignore a service entry you will have to label it as
+`egress-watch: disabled`.
+* `--sdwan.username`: the username for authentication. **Required**.
+* `--sdwan.password`: the password for authentication. **Required**.
+* `--sdwan.insecure`: whether to accept self-signed certificates.
+
+As a rule of thumb, remember that flag options **overwrite** options provided
+via file.
+
+Please note that, as we support more egress types and SD-WANs, the above
+flags and command may change.
+
+### Watch ServiceEntry
+
+With default options the watcher will only watch `ServiceEntry` with **label**
+`egress-watch: enabled` and ignore those that don't.
+
+`--watch-all-service-entries` makes the program behave in the opposite way and
+namespaces must be explicitly disabled with a **label**
+`egress-watch: disabled`.
+
+## Run locally
+
+Make sure you followed [Install](#install).
+
+Run the watcher:
+
+```bash
+./bin/egress-watcher run vmanage \
+--sdwan.username <username> \
+--sdwan.password <pass> \
+--sdwan.base-url <base_url> \
+--sdwan.insecure
+```
+
+Try to deploy a `ServiceEntry` object you can use the provided example in
+`artifacts/yamls/istio`:
+
+```bash
+# In another shell terminal
+kubectl create -f ./artifacts/yamls/istio
+```
+
+Get back to the shell terminal where you were running the watcher and you
+should see a couple of log lines.
+
+## Run on Kubernetes
+
+Build and push the docker image via `make` command. For example, with
+*Dockerhub*:
+
+```bash
+export IMAGE="YOUR_IMAGE/REPO:TAG"
+make docker-build docker-push IMG=$IMAGE
+```
+
+Set the appropriate values in the `settings.yaml` file - especially the base
+URL for SD-WAN. You will also need to create secrets for the SD-WAN provider
+you are using, for example when using *vManage* - make sure you replace
+`<USERNAME>` and `<PASSWORD>` accordingly:
+
+```bash
+kubectl create ns egress-watcher
+kubectl create secret generic vmanage-credentials --from-literal=username=<USERNAME> --from-literal=password=<PASSWORD> -n egress-watcher
+kubectl create configmap egress-watcher-settings --from-file=./settings.yaml -n egress-watcher
+kubectl create -f ./artifacts/yamls/k8s -n egress-watcher
+sleep 2
+kubectl set image deployment/egress-watcher egress-watcher=$IMAGE -n egress-watcher
+export POD_NAME=$(kubectl get pods --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' -n egress-watcher | grep egress-watcher)
+kubectl logs -f $POD_NAME -n egress-watcher
+```
+
+Now, on a separate shell terminal, deploy our provided example:
+
+```bash
+# In another shell terminal
+kubectl create -f ./artifacts/yamls/istio
+```
+
+## Contributing
+
+Thank you for interest in contributing to Egress Watcher.
+Before starting, please make sure you know and agree to our [Code of conduct](./code-of-conduct.md).
+
+1. Fork it
+2. Download your fork
+    `git clone https://github.com/your_username/egress-watcher && cd egress-watcher`
+3. Create your feature branch
+    `git checkout -b my-new-feature`
+4. Make changes and add them
+    `git add .`
+5. Commit your changes
+    `git commit -m 'Add some feature'`
+6. Push to the branch
+    `git push origin my-new-feature`
+7. Create new pull request to this repository
+
+## License
+
+Egress Watcher is free and open-source software licensed under the *Apache 2.0*
+License.
+
+Refer to [our license file](github.com/CloudNativeSDWAN/egress-watcher/blob/main/LICENSE).