initial commit of the basic repo structure

Author: mtougeron

.dockerignore

@@ -0,0 +1,2 @@
+.git*
+examples/**

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,24 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/containerscan/allowedlist.yaml

@@ -0,0 +1,6 @@
+general:
+  bestPracticeViolations:
+    - DKL-LI-0001
+    - DKL-LI-0002
+    - CIS-DI-0005
+    - CIS-DI-0006

.github/workflows/containerscan.yml

@@ -0,0 +1,31 @@
+name: ContainerScan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+
+  ContainerScan:
+    name: ContainerScan
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v2
+      with:
+        go-version: ^1.15
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Build Image
+      run: |
+        docker build . --file Dockerfile --tag scan-image:${{ github.sha }} --build-arg VERSION=${{ github.sha }}
+
+    - uses: Azure/container-scan@v0
+      with:
+        image-name: scan-image:${{ github.sha }}

.github/workflows/go.yml

@@ -0,0 +1,29 @@
+name: Go
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v2
+      with:
+        go-version: ^1.15
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Build
+      run: go build -v .
+
+    - name: Test
+      run: go test -v .

.github/workflows/gosec.yml

@@ -0,0 +1,16 @@
+name: Gosec
+on: [push, pull_request]
+jobs:
+  gosec:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+      - name: Download Gosec
+        run: curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sudo sh -s -- -b /usr/bin latest
+      - name: Run Gosec Security Scanner
+        #G107: Url provided to HTTP request as taint input
+        #G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32
+        #G304: prevent loading configuration files from variable locations (we want to do this in local development)
+        #G601: Implicit memory aliasing in for loop.  (disabled due to false positives for safe code)
+        run: gosec -exclude=G107,G109,G304,G601 ./...

.github/workflows/publish.yml

@@ -0,0 +1,75 @@
+name: Publish
+
+on:
+  push:
+    # Publish `v*` tags as releases.
+    tags:
+    - v*
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v2
+      with:
+        go-version: ^1.15
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Build
+      run: go build -v .
+
+    - name: Test
+      run: go test -v .
+  publish:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+    # Ensure test job passes before pushing image.
+    needs: test
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Docker meta
+        id: docker_meta
+        uses: crazy-max/ghaction-docker-meta@v1
+        with:
+          images: ${{ secrets.DOCKER_HUB_USERNAME }}/k8s-aws-ebs-tagger,ghcr.io/${{ github.repository_owner }}/k8s-aws-ebs-tagger
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v1
+        if: github.event_name != 'pull_request'
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      -
+        name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        if: github.event_name != 'pull_request'
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GHCR_PAT }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          build-args: VERSION=${{ steps.docker_meta.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}

CODE_OF_CONDUCT.md

@@ -0,0 +1 @@
+This project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

CONTRIBUTING.md

@@ -0,0 +1 @@
+Contributions are welcome so long as they follow the [CODE OF CONDUCT](CODE_OF_CONDUCT.md)

Dockerfile

@@ -0,0 +1,44 @@
+FROM golang:1.15-alpine AS builder
+
+ARG VERSION=0.0.1
+ENV APP_NAME=k8s-aws-ebs-tagger
+ENV APP_VERSION=$VERSION
+ARG TARGETARCH
+
+ENV GO111MODULE=on \
+    CGO_ENABLED=0 \
+    GOOS=linux \
+    GOARCH=$TARGETARCH
+
+# Move to working directory /build
+WORKDIR /build
+
+# Copy and download dependency using go mod
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy the code into the container
+COPY . .
+
+# Build the application
+RUN date +%s > buildtime
+RUN APP_BUILD_TIME=$(cat buildtime); \
+    go build -ldflags="-X 'main.buildTime=${APP_BUILD_TIME}' -X 'main.buildVersion=${APP_VERSION}'" -o ${APP_NAME} .
+
+# Move to /dist directory as the place for resulting binary folder
+WORKDIR /app 
+
+# Copy binary from build to main folder
+RUN cp /build/${APP_NAME} .
+
+RUN addgroup -S k8s-aws-ebs-tagger && adduser -S k8s-aws-ebs-tagger -G k8s-aws-ebs-tagger
+
+# Build a small image
+FROM scratch
+COPY --from=builder /etc/passwd /etc/passwd
+USER k8s-aws-ebs-tagger
+# https://github.com/aws/aws-sdk-go/issues/2322
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /app/${APP_NAME} /
+
+CMD ["/k8s-aws-ebs-tagger"]

README.md

@@ -1,2 +1,14 @@
 # k8s-aws-ebs-tagger
 A utility to tag AWS EBS volumes based on the PV labels / annotations
+
+![Go](https://github.com/mtougeron/k8s-aws-ebs-tagger/workflows/Go/badge.svg) ![Gosec](https://github.com/mtougeron/k8s-aws-ebs-tagger/workflows/Gosec/badge.svg) ![ContainerScan](https://github.com/mtougeron/k8s-aws-ebs-tagger/workflows/ContainerScan/badge.svg) [![GitHub tag](https://img.shields.io/github/tag/mtougeron/k8s-aws-ebs-tagger.svg)](https://github.com/mtougeron/k8s-aws-ebs-tagger/tags/)
+
+The `k8s-aws-ebs-tagger` watches for new PersistentVolumes and when new AWS EBS volumes are created it adds tags based on the PV labels to the created EBS volume.
+
+#### Container Image
+
+Images are available on the [GitHub Container Registry](https://github.com/users/mtougeron/packages/container/k8s-aws-ebs-tagger/versions) and [DockerHub](https://hub.docker.com/repository/docker/mtougeron/k8s-aws-ebs-tagger)
+
+### Licensing
+
+This project is licensed under the Apache V2 License. See [LICENSE](LICENSE) for more information.

SECURITY.md

@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          | gosec  |
+| ------- | ------------------ | ------ |
+| latest  | :white_check_mark: | ![Gosec](https://github.com/mtougeron/k8s-aws-ebs-tagger/workflows/Gosec/badge.svg) |
+
+## Scanning
+
+Security scanning uses [gosec](https://github.com/securego/gosec) via a [GitHub workflow](https://github.com/mtougeron/k8s-aws-ebs-tagger/actions?query=workflow%3AGosec)
+
+## Reporting a Vulnerability
+
+To report a security issue, please contact [email protected]

go.mod

@@ -0,0 +1,7 @@
+module github.com/mtougeron/k8s-aws-ebs-tagger
+
+go 1.15
+
+require (
+	github.com/sirupsen/logrus v1.7.0
+)

go.sum

@@ -0,0 +1,7 @@
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

main.go

@@ -0,0 +1,55 @@
+// Licensed to Michael Tougeron <[email protected]> under
+// one or more contributor license agreements. See the LICENSE
+// file distributed with this work for additional information
+// regarding copyright ownership.
+// Michael Tougeron <[email protected]> licenses this file
+// to you under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package main
+
+import (
+	"os"
+	"strconv"
+
+	log "github.com/sirupsen/logrus"
+)
+
+var (
+	buildVersion string = ""
+	buildTime    string = ""
+	debugEnv     string = os.Getenv("DEBUG")
+	debug        bool
+)
+
+func init() {
+	var err error
+	if len(debugEnv) != 0 {
+		debug, err = strconv.ParseBool(debugEnv)
+		if err != nil {
+			log.Fatalln("Failed to parse DEBUG Environment variable:", err.Error())
+		}
+	}
+
+	if debug {
+		log.SetLevel(log.DebugLevel)
+	}
+
+	// APP Build information
+	log.Debugln("Application Version:", buildVersion)
+	log.Debugln("Application Build Time:", buildTime)
+}
+
+func main() {
+	log.Infoln("Application started")
+}