Watch-Proxy sits in your Kubernetes cluster and watches resources you care about, then tells you when they are created, changed or deleted.
You tell Watch-Proxy via a configmap which resources you care about, e.g. namespaces and deployments. Watch-Proxy watches those resources and, when an event occurs, it sends a POST request with a JSON payload to a REST API endpoint that you give it. You can also provide more than one API endpoint and only report on specific namespaces to particular API endpoints.
Build and push a docker image:
$ export PREFIX=[your image repo] # e.g.
$ export TAG=[version no.] # e.g. 0.14
$ make release
Edit example manifests:
- Add your image name to
- Configure as needed
. See Configuration section below.
- If using basic auth at the remote endpoint/s that Watch-Proxy is reporting to, add username and password credentials to
. Refer to Kubernetes secret docs for instructions. If not using basic auth, remove the env
definitions in examples/watch-proxy-deploy.yaml
Deploy Watch-Proxy:
$ kubectl apply -f examples/watch-proxy-rbac.yaml
$ kubectl apply -f examples/watch-proxy-config.yaml
$ kubectl apply -f examples/watch-proxy-deploy.yaml
If you would like to see the payload that is being sent by Watch-Proxy for testing and development purposes:
Deploy the echo pod:
$ kubectl apply -f examples/echo.yaml
Configure one of the remoteEndpoints
in examples/watch-proxy-config.yaml
to use url: http://echo/watch-proxy
View the echo logs:
$ kubectl logs -n tanzu-watch-proxy echo
Configuration for Watch-Proxy is done via a config file, which, when deployed to kubernetes should take the form of a configmap. An example can be seen in the examples dir.
Config file options
Name of the cluster Watch-Proxy is deployed to. This is an arbitrary value but should be meaninfgul to the endpoint that is processing the payload, especially when it is receiving reports from multiple clusters.
Amount of time Watch-Proxy should remember it previously emitted an object and that object's state at the given time. Specified with seconds (s), minutes (m), or hours (h).
Maximum number of objects to be sent in a single request. If not defined, default is 10.
Amount of time in seconds that the emissions processor sleeps between sending batches of objects. When emissions are processed, the number of objects sent is limited by emitBatchMaxObjects
. Be aware that if you set emitBatchMaxObjects
to low and the emitInterval
too long, it may delay the reporting of changes to resources. If not defined, default is 1s.
Amount of time Watch-Proxy should wait before attempting to re-process all objects inside of kubernetes. If state of object during re-upload hasn't changed since last emit (meaning Watch-Proxy still has a cached record, the object will be dropped). This setting relates to client-go's resyncPeriod Setting this value to 0 ensures no forced re-upload occurs. Specified with seconds (s), minutes (m), or hours (h).
Configuration for exposing prometheus metrics:
The port to expose the metrics on. This value must be supplied to activate prometheus metrics. Supply a string or int with a valid port number.
The path at which to expose metrics. Supply a string including the leading forward slash. If not defined will default to "/metrics".
Configuration for HTTP liveness check server:
The port that the liveness check server should listen on. This value must be supplied to start the liveness server. Supply a string or int with a valid port number.
The path the liveness checker will send requests to. If not defined will default to "/live".
An array of destinations to send payloads to. The following can be defined for each endpoint:
The type of endpoint. The following are supported:
An HTTP or HTTPS REST API endpoint.
An AWS Simple Queue Service endpoint.
An HTTP or HTTPS VMware vRealize Orchestrator REST API endpoint. The target vRO workflow must have an input parameter input
of type string
A standard URL that Watch-Proxy can reach, e.g. https://myendpoint/watch-proxy
A basic auth username used to authenticate at the remote endpoint. If you use this option you must also define an env
with the same name
in your deployment manifest, perferably referenced from a secret.
A basic auth password used to authenticate at the remote endpoint. If you use this option you must also define an env
with the same name
in your deployment manifest, perferably referenced from a secret.
An array of namespaces to report on. If specified, only resources in the configured namespaces will be included in the payload. If this option is not configured, all resources from all namespaces will be reported.
Arbitrary key-value pairs that will be added to the root of every payload.
An array of Kubernetes resources that Watch-Proxy should watch. The following can be defined for each resource:
The name of the resource. The following resources are supported:
- Kubernetes:
An arbitrary string that can be used by the remote endpoint to help differentiate resources.
Fields to remove from payload. Used to remove useless or sensitive data that you don't wish to send.
An array of events to ignore. The three events are add
, update
and delete
. If you don't need to get notified of any of the three events, include here.
Do you wish to send a full object of all the kubernetes resources we are watching, or just the the items have have changed? This is a bool and expects either true
or false
An array of namespaces you wish to always ignore. No events in these namespaces will ever be reported on, even if they are added to the remoteEndpoints.namespaces
CLI Parameters
The following are the available CLI parameters
-c string
Path to watch-proxy config file (default "/etc/watch-proxy/config.yaml")
-kubeconfig string
Path to a kubeconfig file
Because watch-proxy leverages the kubernetes go-client package the following parameters are also available, however they are not specific to watch-proxy itself.
log to standard error as well as files
-log_backtrace_at value
when logging hits line file:N, emit a stack trace
-log_dir string
If non-empty, write log files in this directory
log to standard error instead of files
-stderrthreshold value
logs at or above this threshold go to stderr
-v value
log level for V logs
A Makefile
is included to update dependencies, build, test and create a docker image
deps Install/Update depdendencies
help This help info
image Build Docker image
release Build binary, build docker image, push docker image, clean up
run Build Docker image
test Run tests
Dependencies are managed via dep and will need to installed if you choose to update the dependencies. All dependencies are commited in the vendor
To develop and test watch-proxy locally, the controller accepts a kubeconfig file to interact with a cluster. Otherwise the pod's service account would be used, which is desired for real deployment. To run against a local kubeconfig, the command would be as follows.
make run KUBECONFIG=~/.kube/config