Add Guardian to opensource to connect to calico cloud

This commit adds guardian, a component that can connect to calico cloud. This facilitates open source clusters connecting to calico free tier.
projectcalico · Feb 18, 2025 · 8581bb4 · 8581bb4
1 parent 931244d
commit 8581bb4
Show file tree

Hide file tree

Showing 31 changed files with 2,786 additions and 2 deletions.
diff --git a/.semaphore/semaphore-scheduled-builds.yml b/.semaphore/semaphore-scheduled-builds.yml
diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
diff --git a/.semaphore/semaphore.yml.d/blocks/20-guardian.yml b/.semaphore/semaphore.yml.d/blocks/20-guardian.yml
@@ -0,0 +1,24 @@
+- name: guardian
+  run:
+    when: "${FORCE_RUN} or change_in(['/*', '/guardian/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"
+  execution_time_limit:
+    minutes: 30
+  dependencies:
+    - Prerequisites
+  task:
+    prologue:
+      commands:
+        - cd guardian
+    jobs:
+      - name: make ci
+        commands:
+          - ../.semaphore/run-and-monitor make-ci.log make ci
+      - name: Build binary
+        matrix:
+          - env_var: ARCH
+            values:
+              - arm64
+              - ppc64le
+              - s390x
+        commands:
+          - ../.semaphore/run-and-monitor image-$ARCH.log make build ARCH=$ARCH
diff --git a/go.mod b/go.mod
@@ -117,7 +117,10 @@ require (
 
 require (
 	github.com/gogo/googleapis v1.4.1
+	github.com/hashicorp/yamux v0.1.2
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
+	golang.org/x/net v0.33.0
+	golang.org/x/oauth2 v0.24.0
 )
 
 require (
@@ -318,8 +321,6 @@ require (
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/oauth2 v0.24.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/tools v0.28.0 // indirect
 	golang.zx2c4.com/wireguard v0.0.20200121 // indirect

diff --git a/go.sum b/go.sum
@@ -377,6 +377,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
+github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
 github.com/homeport/dyff v1.6.0 h1:AN+ikld0Fy+qx34YE7655b/bpWuxS6cL9k852pE2GUc=
 github.com/homeport/dyff v1.6.0/go.mod h1:FlAOFYzeKvxmU5nTrnG+qrlJVWpsFew7pt8L99p5q8k=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=

diff --git a/guardian/.mockery.yaml b/guardian/.mockery.yaml
@@ -0,0 +1,17 @@
+with-expecter: False
+inpackage: False
+dir: "{{.InterfaceDir}}/mocks"
+mockname: "{{.InterfaceName}}"
+outpkg: "mocks"
+filename: "{{.InterfaceName}}.go"
+packages:
+  github.com/projectcalico/calico/guardian/pkg/tunnel:
+    interfaces:
+      SessionDialer:
+      Session:
+  net:
+    config:
+      outpkg: "{{.PackageName}}"
+      dir: "pkg/thirdpartymocks/{{.PackagePath}}"
+    interfaces:
+      Conn:
diff --git a/guardian/Makefile b/guardian/Makefile
@@ -0,0 +1,111 @@
+include ../metadata.mk
+
+PACKAGE_NAME   ?= github.com/projectcalico/calico/guardian
+
+#############################################
+# Env vars related to packaging and releasing
+#############################################
+COMPONENTS            ?=guardian
+GUARDIAN_IMAGE        ?=guardian
+BUILD_IMAGES          ?=$(GUARDIAN_IMAGE)
+
+##############################################################################
+# Include ../lib.Makefile before anything else
+#   Additions to EXTRA_DOCKER_ARGS need to happen before the include since
+#   that variable is evaluated when we declare DOCKER_RUN and siblings.
+##############################################################################
+include ../lib.Makefile
+
+##########################################################################################
+# Define some constants
+##########################################################################################
+BRANCH_NAME ?= $(PIN_BRANCH)
+
+# Some env vars that devs might find useful:
+#  TEST_DIRS=   : only run the unit tests from the specified dirs
+#  UNIT_TESTS=  : only run the unit tests matching the specified regexp
+
+BINDIR        ?= bin
+SRC_FILES = $(shell find . -name '*.go') \
+		$(shell find ../api/pkg -name '*.go') \
+		$(shell find ../libcalico-go/lib/logutils -name '*.go')
+ifdef UNIT_TESTS
+UNIT_TEST_FLAGS=-run $(UNIT_TESTS) -v
+endif
+
+#############################################
+# Env vars related to building
+#############################################
+
+# Flags for building the binaries.
+#
+# We use -X to insert the version information into the placeholder variables
+# in the version package.
+LDFLAGS = -X $(PACKAGE_NAME)/pkg/version.BuildVersion=$(GIT_VERSION) \
+			  -X $(PACKAGE_NAME)/pkg/version.BuildDate=$(DATE) \
+			  -X $(PACKAGE_NAME)/pkg/version.GitDescription=$(GIT_DESCRIPTION) \
+			  -X $(PACKAGE_NAME)/pkg/version.GitRevision=$(GIT_COMMIT) \
+
+##########################################################################################
+# BUILD
+##########################################################################################
+build: $(BINDIR)/guardian-$(ARCH)
+
+.PHONY: $(BINDIR)/guardian-$(ARCH)
+$(BINDIR)/guardian-$(ARCH): $(SRC_FILES)
+ifeq ($(FIPS),true)
+	$(call build_cgo_boring_binary, ./cmd/guardian/main.go, $@)
+else
+	$(call build_binary, ./cmd/guardian/main.go, $@)
+endif
+
+gen-mocks:
+	$(DOCKER_RUN) $(CALICO_BUILD) sh -c 'mockery'
+
+gen-files: gen-mocks
+
+#############################################
+# Docker Image
+#############################################
+GUARDIAN_CONTAINER_CREATED=.guardian.created-$(ARCH)
+
+# by default, build the image for the target architecture
+.PHONY: image-all
+image-all: $(addprefix sub-image-,$(VALIDARCHES))
+sub-image-%:
+	$(MAKE) image ARCH=$*
+
+.PHONY: image
+image: $(BUILD_IMAGES)
+
+$(GUARDIAN_IMAGE): $(GUARDIAN_CONTAINER_CREATED)
+$(GUARDIAN_CONTAINER_CREATED): docker-image/guardian/Dockerfile $(BINDIR)/guardian-$(ARCH)
+	$(DOCKER_BUILD) -t $(GUARDIAN_IMAGE):latest-$(ARCH) -f docker-image/guardian/Dockerfile .
+	$(MAKE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest BUILD_IMAGES=$(GUARDIAN_IMAGE)
+	touch $@
+
+#############################################
+# Run unit level tests
+#############################################
+.PHONY: ut
+## Run only Unit Tests.
+ut:
+	$(DOCKER_GO_BUILD) go test ./... -cover -count 1
+
+##########################################################################################
+# CI/CD
+##########################################################################################
+.PHONY: ci cd
+
+#############################################
+# Run CI cycle - build, test, etc.
+#############################################
+## Run all CI steps for build and test, likely other targets.
+ci: static-checks ut
+
+#############################################
+# Deploy images to registry
+#############################################
+## Run all CD steps, normally pushing images out to registries.
+cd: image-all cd-common
+
diff --git a/guardian/cmd/guardian/main.go b/guardian/cmd/guardian/main.go
@@ -0,0 +1,47 @@
+// Copyright (c) 2025 Tigera, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"flag"
+	"os"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/projectcalico/calico/guardian/pkg/config"
+	"github.com/projectcalico/calico/guardian/pkg/daemon"
+	"github.com/projectcalico/calico/guardian/pkg/version"
+)
+
+var (
+	versionFlag = flag.Bool("version", false, "Print version information")
+)
+
+func main() {
+	flag.Parse()
+
+	// For --version use case
+	if *versionFlag {
+		version.Version()
+		os.Exit(0)
+	}
+
+	cfg, err := config.NewConfig()
+	if err != nil {
+		logrus.Fatal(err)
+	}
+
+	daemon.Run(cfg, cfg.Targets())
+}
diff --git a/guardian/docker-image/guardian/Dockerfile b/guardian/docker-image/guardian/Dockerfile
@@ -0,0 +1,15 @@
+# Copyright (c) 2023 Tigera, Inc. All rights reserved.
+
+FROM scratch AS source
+
+ARG TARGETARCH
+
+COPY bin/guardian-${TARGETARCH} /usr/bin/guardian
+
+FROM calico/base
+
+COPY --from=source / /
+
+USER 10001:10001
+
+ENTRYPOINT ["/usr/bin/guardian"]