Initial work to opensource guardian (#9849)

.semaphore/semaphore.yml.d/03-promotions.yml

@@ -63,6 +63,10 @@ promotions:
     pipeline_file: push-images/whisker-backend.yml
     auto_promote:
       when: "branch =~ 'master|release-'"
+  - name: Push Guardian images
+    pipeline_file: push-images/guardian.yml
+    auto_promote:
+      when: "branch =~ 'master|release-'"
   - name: Push Envoy images
     pipeline_file: push-images/envoy.yml
     auto_promote:

.semaphore/semaphore.yml.d/blocks/20-guardian.yml

@@ -0,0 +1,24 @@
+- name: guardian
+  run:
+    when: "${FORCE_RUN} or change_in(['/*', '/guardian/'], {exclude: ['/**/.gitignore', '/**/README.md', '/**/LICENSE']})"
+  execution_time_limit:
+    minutes: 30
+  dependencies:
+    - Prerequisites
+  task:
+    prologue:
+      commands:
+        - cd guardian
+    jobs:
+      - name: make ci
+        commands:
+          - ../.semaphore/run-and-monitor make-ci.log make ci
+      - name: Build binary
+        matrix:
+          - env_var: ARCH
+            values:
+              - arm64
+              - ppc64le
+              - s390x
+        commands:
+          - ../.semaphore/run-and-monitor image-$ARCH.log make build ARCH=$ARCH

go.mod

@@ -38,6 +38,7 @@ require (
 	github.com/google/safetext v0.0.0-20230106111101-7156a760e523
 	github.com/google/uuid v1.6.0
 	github.com/gruntwork-io/terratest v0.48.0
+	github.com/hashicorp/yamux v0.1.2
 	github.com/ishidawataru/sctp v0.0.0-20230406120618-7ff4192f6ff2
 	github.com/joho/godotenv v1.5.1
 	github.com/json-iterator/go v1.1.12
@@ -84,6 +85,8 @@ require (
 	go.etcd.io/etcd/client/v2 v2.305.17
 	go.etcd.io/etcd/client/v3 v3.5.17
 	golang.org/x/crypto v0.31.0
+	golang.org/x/net v0.33.0
+	golang.org/x/oauth2 v0.24.0
 	golang.org/x/sync v0.10.0
 	golang.org/x/sys v0.28.0
 	golang.org/x/text v0.21.0
@@ -314,8 +317,6 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/oauth2 v0.24.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/tools v0.28.0 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 // indirect

go.sum

@@ -376,6 +376,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
+github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
 github.com/homeport/dyff v1.6.0 h1:AN+ikld0Fy+qx34YE7655b/bpWuxS6cL9k852pE2GUc=
 github.com/homeport/dyff v1.6.0/go.mod h1:FlAOFYzeKvxmU5nTrnG+qrlJVWpsFew7pt8L99p5q8k=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=

guardian/.mockery.yaml

@@ -0,0 +1,17 @@
+with-expecter: False
+inpackage: False
+dir: "{{.InterfaceDir}}/mocks"
+mockname: "{{.InterfaceName}}"
+outpkg: "mocks"
+filename: "{{.InterfaceName}}.go"
+packages:
+  github.com/projectcalico/calico/guardian/pkg/tunnel:
+    interfaces:
+      SessionDialer:
+      Session:
+  net:
+    config:
+      outpkg: "{{.PackageName}}"
+      dir: "pkg/thirdpartymocks/{{.PackagePath}}"
+    interfaces:
+      Conn:

guardian/Makefile

@@ -0,0 +1,104 @@
+include ../metadata.mk
+
+PACKAGE_NAME   ?= github.com/projectcalico/calico/guardian
+
+#############################################
+# Env vars related to packaging and releasing
+#############################################
+COMPONENTS            ?=guardian
+GUARDIAN_IMAGE        ?=guardian
+BUILD_IMAGES          ?=$(GUARDIAN_IMAGE)
+
+##############################################################################
+# Include ../lib.Makefile before anything else
+#   Additions to EXTRA_DOCKER_ARGS need to happen before the include since
+#   that variable is evaluated when we declare DOCKER_RUN and siblings.
+##############################################################################
+include ../lib.Makefile
+
+##########################################################################################
+# Define some constants
+##########################################################################################
+BRANCH_NAME ?= $(PIN_BRANCH)
+
+BINDIR        ?= bin
+SRC_FILES = $(shell find . -name '*.go') \
+		$(shell find ../api/pkg -name '*.go') \
+		$(shell find ../libcalico-go/lib/logutils -name '*.go')
+
+#############################################
+# Env vars related to building
+#############################################
+
+# Flags for building the binaries.
+#
+# We use -X to insert the version information into the placeholder variables
+# in the version package.
+LDFLAGS = -X $(PACKAGE_NAME)/pkg/version.BuildVersion=$(GIT_VERSION) \
+			  -X $(PACKAGE_NAME)/pkg/version.BuildDate=$(DATE) \
+			  -X $(PACKAGE_NAME)/pkg/version.GitDescription=$(GIT_DESCRIPTION) \
+			  -X $(PACKAGE_NAME)/pkg/version.GitRevision=$(GIT_COMMIT) \
+
+##########################################################################################
+# BUILD
+##########################################################################################
+build: $(BINDIR)/guardian-$(ARCH)
+
+.PHONY: $(BINDIR)/guardian-$(ARCH)
+$(BINDIR)/guardian-$(ARCH): $(SRC_FILES)
+ifeq ($(FIPS),true)
+	$(call build_cgo_boring_binary, ./cmd/guardian/main.go, $@)
+else
+	$(call build_binary, ./cmd/guardian/main.go, $@)
+endif
+
+gen-mocks:
+	$(DOCKER_RUN) $(CALICO_BUILD) sh -c 'mockery'
+
+gen-files: gen-mocks
+
+#############################################
+# Docker Image
+#############################################
+GUARDIAN_CONTAINER_CREATED=.guardian.created-$(ARCH)
+
+# by default, build the image for the target architecture
+.PHONY: image-all
+image-all: $(addprefix sub-image-,$(VALIDARCHES))
+sub-image-%:
+	$(MAKE) image ARCH=$*
+
+.PHONY: image
+image: $(BUILD_IMAGES)
+
+$(GUARDIAN_IMAGE): $(GUARDIAN_CONTAINER_CREATED)
+$(GUARDIAN_CONTAINER_CREATED): docker-image/guardian/Dockerfile $(BINDIR)/guardian-$(ARCH)
+	$(DOCKER_BUILD) -t $(GUARDIAN_IMAGE):latest-$(ARCH) -f docker-image/guardian/Dockerfile .
+	$(MAKE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest BUILD_IMAGES=$(GUARDIAN_IMAGE)
+	touch $@
+
+#############################################
+# Run unit level tests
+#############################################
+.PHONY: ut
+## Run only Unit Tests.
+ut:
+	$(DOCKER_GO_BUILD) go test ./... -cover -count 1
+
+##########################################################################################
+# CI/CD
+##########################################################################################
+.PHONY: ci cd
+
+#############################################
+# Run CI cycle - build, test, etc.
+#############################################
+## Run all CI steps for build and test, likely other targets.
+ci: static-checks ut
+
+#############################################
+# Deploy images to registry
+#############################################
+## Run all CD steps, normally pushing images out to registries.
+cd: image-all cd-common
+

guardian/cmd/guardian/main.go

@@ -0,0 +1,48 @@
+// Copyright (c) 2025 Tigera, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"flag"
+	"os"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/projectcalico/calico/guardian/pkg/config"
+	"github.com/projectcalico/calico/guardian/pkg/daemon"
+	"github.com/projectcalico/calico/guardian/pkg/version"
+)
+
+var (
+	versionFlag = flag.Bool("version", false, "Print version information")
+)
+
+func main() {
+	flag.Parse()
+
+	// For --version use case
+	if *versionFlag {
+		version.Version()
+		os.Exit(0)
+	}
+
+	cfg, err := config.NewCalicoConfig()
+	if err != nil {
+		logrus.Fatal(err)
+	}
+
+	logrus.Infof("Starting Calico Guardian %s", cfg.String())
+	daemon.Run(cfg.Config, cfg.Targets())
+}

guardian/docker-image/guardian/Dockerfile

@@ -0,0 +1,27 @@
+# Copyright (c) 2025 Tigera, Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM scratch AS source
+
+ARG TARGETARCH
+
+COPY bin/guardian-${TARGETARCH} /usr/bin/guardian
+
+FROM calico/base
+
+COPY --from=source / /
+
+USER 10001:10001
+
+ENTRYPOINT ["/usr/bin/guardian"]