MatteoMori
diff --git a/‎.gitignore‎
Lines changed: 7 additions & 1 deletion b/‎.gitignore‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎Dockerfile‎
Lines changed: 11 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 68 additions & 0 deletions b/‎Makefile‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 277 additions & 2 deletions b/‎README.md‎
Lines changed: 277 additions & 2 deletions
@@ -8,6 +8,9 @@
 *.so
 *.dylib
 
+# Project binary
+sentinel
+
 # Test binary, built with `go test -c`
 *.test
 
@@ -29,4 +32,7 @@ go.work.sum
 
 # Editor/IDE
 # .idea/
-# .vscode/
+.vscode/
+
+**/.DS_Store
+.claude
@@ -0,0 +1,11 @@
+FROM golang:1.25.6-alpine3.22 AS builder
+
+WORKDIR /go/src/app
+COPY . .
+RUN env CGO_ENABLED=0 go build -o /sentinel
+
+FROM scratch AS build-image
+COPY --from=builder /sentinel /sentinel
+COPY sentinel.yaml /etc/sentinel/sentinel.yaml
+ENTRYPOINT ["/sentinel"]
+CMD ["start"]
@@ -0,0 +1,68 @@
+# Makefile for Sentinel - Kubernetes Controller
+
+# Variables
+BINARY_NAME=sentinel
+DOCKER_IMAGE=sentinel:latest
+KIND_CLUSTER=homelab
+
+# Default target - shows available commands
+.PHONY: help
+help:
+	@echo "Available commands:"
+	@echo "  make build        - Build the Go binary"
+	@echo "  make docker       - Build Docker image"
+	@echo "  make deploy       - Build Docker image and deploy to KIND cluster"
+	@echo "  make clean        - Remove built binary"
+	@echo "  make test         - Run tests"
+	@echo "  make run          - Run locally (requires kubeconfig)"
+
+# Build the Go binary
+.PHONY: build
+build:
+	@echo "Building $(BINARY_NAME)..."
+	go build -o $(BINARY_NAME)
+	@echo "✅ Binary built: ./$(BINARY_NAME)"
+
+# Build Docker image
+.PHONY: docker
+docker:
+	@echo "Building Docker image $(DOCKER_IMAGE)..."
+	docker build -t $(DOCKER_IMAGE) .
+	@echo "✅ Docker image built: $(DOCKER_IMAGE)"
+
+# Build and deploy to KIND cluster
+.PHONY: deploy
+deploy: docker
+	@echo "Loading image into KIND cluster $(KIND_CLUSTER)..."
+	kind load docker-image $(DOCKER_IMAGE) --name $(KIND_CLUSTER)
+	@echo "Deploying to Kubernetes..."
+	kubectl apply -f manifests/install/sentinel.yaml
+	@echo "✅ Deployed to KIND cluster"
+	@echo ""
+	@echo "Check status with: kubectl get pods -n kube-system -l app=sentinel-controller"
+
+# Run locally (useful for development)
+.PHONY: run
+run: build
+	@echo "Running $(BINARY_NAME) locally..."
+	./$(BINARY_NAME) start -v=2
+
+# Clean build artifacts
+.PHONY: clean
+clean:
+	@echo "Cleaning build artifacts..."
+	rm -f $(BINARY_NAME)
+	@echo "✅ Cleaned"
+
+# Run tests
+.PHONY: test
+test:
+	@echo "Running tests..."
+	go test ./...
+
+# Update dependencies
+.PHONY: deps
+deps:
+	@echo "Updating dependencies..."
+	go mod tidy
+	@echo "✅ Dependencies updated"
@@ -1,2 +1,277 @@
-# Luna
-MCP Server | Kubernetes
+# Sentinel
+
+<img src="./images/logo/logo-2.jpg" width="150">
+
+----
+
+**A Kubernetes controller that watches your cluster and exposes container image inventory as Prometheus metrics.**
+
+Sentinel monitors Kubernetes workloads across labeled namespaces and tracks which container images are running in your cluster — exposed as Prometheus metrics with support for dynamic label enrichment from workload annotations and labels.
+
+<br>
+
+## Why Sentinel?
+
+Gain real-time visibility into your cluster's container image landscape. Perfect for:
+
+- **Image Inventory Tracking** – Know exactly what's running, where, and when
+- **Security & Compliance** – Monitor image versions across namespaces
+- **Version Drift Detection** – Spot outdated or unauthorized images quickly
+- **Change Tracking** – Track image updates with old/new tag audit trail
+- **Audit & Governance** – Enrich metrics with custom labels like `owner` or `environment`
+  
+<br>
+
+
+
+## Quick Start
+
+### Prerequisites
+
+- Kubernetes cluster (>= v1.28)
+- `kubectl` configured
+- KIND or Minikube for local testing
+
+### Installation
+
+1. **Deploy Sentinel to your cluster:**
+
+```bash
+kubectl apply -f manifests/install/sentinel.yaml
+```
+
+2. **Label the namespaces you want Sentinel to watch:**
+
+```bash
+kubectl label namespace my-namespace sentinel.io/controlled=enabled
+```
+
+3. **Access metrics:**
+
+Sentinel exposes metrics on port `9090` at `/metrics`:
+
+```bash
+kubectl port-forward -n kube-system svc/sentinel-metrics 9090:9090
+curl localhost:9090/metrics
+```
+<br>
+<br>
+
+## Metrics Exposed
+
+### `sentinel_container_image_info`
+
+Info metric (Gauge, always `1`) providing a full inventory of container images running in your cluster.
+
+**Labels:**
+
+| Label | Description | Example |
+|-------|-------------|---------|
+| `namespace` | Kubernetes namespace | `production` |
+| `workload_type` | Kind of workload | `Deployment` |
+| `workload_name` | Name of the workload | `api-server` |
+| `container_name` | Container within the workload | `nginx` |
+| `image` | Full image string | `ghcr.io/myorg/app:v1.2.3` |
+| `image_registry` | Parsed registry | `ghcr.io` |
+| `image_repository` | Parsed repository | `myorg/app` |
+| `image_tag` | Parsed tag | `v1.2.3` |
+| *dynamic labels* | From `extraLabels` config | `owner`, `env`, etc. |
+
+**Example output:**
+
+```prometheus
+sentinel_container_image_info{
+  namespace="production",
+  workload_type="Deployment",
+  workload_name="api-server",
+  container_name="nginx",
+  image="nginx:1.28.2-alpine-slim",
+  image_registry="docker.io",
+  image_repository="nginx",
+  image_tag="1.28.2-alpine-slim",
+  owner="platform-team",
+  env="production"
+} 1
+```
+<br>
+
+### `sentinel_image_changes_total`
+
+Counter that increments every time a container's image tag changes, providing an audit trail of deployments.
+
+**Labels:**
+
+| Label | Description | Example |
+|-------|-------------|---------|
+| `namespace` | Kubernetes namespace | `production` |
+| `workload_type` | Kind of workload | `Deployment` |
+| `workload_name` | Name of the workload | `api-server` |
+| `container_name` | Container within the workload | `nginx` |
+| `old_image_tag` | Previous image tag | `1.28.2-alpine-slim` |
+| `new_image_tag` | New image tag | `1.29.0-alpine-slim` |
+
+**Example output:**
+
+```prometheus
+sentinel_image_changes_total{
+  namespace="production",
+  workload_type="Deployment",
+  workload_name="api-server",
+  container_name="nginx",
+  old_image_tag="1.28.2-alpine-slim",
+  new_image_tag="1.29.0-alpine-slim"
+} 1
+```
+
+**Useful PromQL queries:**
+
+```promql
+# Count all image changes in the last 24 hours
+sum(increase(sentinel_image_changes_total[24h]))
+
+# Alert: too many image changes in production
+sentinel_image_changes_total{namespace="production"} > 5
+
+# Find containers still using :latest
+sentinel_container_image_info{image_tag="latest"}
+
+# Count containers per registry
+count by (image_registry) (sentinel_container_image_info)
+```
+
+<br>
+
+## Dynamic Label Enrichment
+
+Sentinel can extract annotations and labels from your workloads and expose them as Prometheus metric labels. This is configured via `extraLabels`:
+
+```yaml
+extraLabels:
+  - type: "annotation"           # Where to look: "annotation" or "label"
+    key: "sentinel.io/owner"     # The key to extract
+    timeseriesLabelName: "owner" # The Prometheus label name
+  - type: "label"
+    key: "environment"
+    timeseriesLabelName: "env"
+```
+
+If a workload doesn't have the specified annotation or label, the metric label will be set to an empty string `""`.
+
+This allows each organization to enrich metrics with the labels that matter to them — team ownership, cost center, environment, or any other metadata.
+
+<br>
+
+
+## ⚙️ Configuration
+
+Sentinel can be configured via:
+
+### 1. Config file (`/etc/sentinel/sentinel.yaml`)
+
+```yaml
+namespaceSelector:
+  "sentinel.io/controlled": "enabled"
+metricsPort: "9090"
+verbosity: 2
+
+extraLabels:
+  - type: "annotation"
+    key: "sentinel.io/owner"
+    timeseriesLabelName: "owner"
+  - type: "label"
+    key: "environment"
+    timeseriesLabelName: "env"
+```
+
+### 2. Environment variables
+
+```bash
+# Note: Complex types (maps, arrays) should be configured via YAML file
+# Only simple values can be overridden via environment variables
+export METRICSPORT=9090
+export VERBOSITY=2
+```
+
+### 3. CLI flags
+
+```bash
+sentinel start -v=2
+```
+
+### Configuration Reference
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| `namespaceSelector` | `map[string]string` | `{"sentinel.io/controlled": "enabled"}` | Label selector for namespaces to watch |
+| `metricsPort` | `string` | `"9090"` | Port for Prometheus metrics endpoint |
+| `verbosity` | `int` | `0` | Log level: 0=Info, 1=Warn, 2=Debug |
+| `extraLabels` | `[]ExtraLabel` | `[]` | Additional labels to extract from workloads |
+
+<br>
+
+## 📊 Grafana Dashboard
+
+A pre-built Grafana dashboard is included in [`dashboard/grafana.json`](dashboard/grafana.json). Import it into your Grafana instance for:
+
+- **Overview stats** – Tracked containers, workloads, image changes, and `:latest` tag usage
+- **Image inventory table** – Current container images with color-coded tags (`:latest` in red)
+- **Registry distribution** – Donut chart showing image count by registry
+- **Change tracking log** – Table of all detected image changes with old → new tags
+
+
+
+---
+
+## Local Development
+
+### Build and Run Locally
+
+```bash
+# Initialize Go module
+go mod tidy
+
+# Build the binary
+go build -o sentinel
+```
+
+### Test with KIND
+
+```bash
+# Build Docker image
+docker build -t sentinel:latest .
+
+# Load into KIND cluster
+kind load docker-image sentinel:latest --name <cluster-name>
+
+# Deploy Sentinel
+kubectl apply -f manifests/install/sentinel.yaml
+
+# Deploy demo workloads
+kubectl apply -f manifests/develop/demo-app-1.yaml
+kubectl apply -f manifests/develop/demo-app-2.yaml
+
+# Verify metrics
+kubectl port-forward -n kube-system svc/sentinel-metrics 9090:9090
+curl -s localhost:9090/metrics | grep sentinel_
+```
+
+
+## 🌟 Project Status
+
+Sentinel is in **active development** as a learning project to master Go and Kubernetes controller patterns.
+
+**Current capabilities:**
+- ✅ Namespace watching with label selectors
+- ✅ Deployment monitoring with real-time informers
+- ✅ Container image parsing (registry, repository, tag)
+- ✅ Prometheus metrics server
+- ✅ Dynamic label enrichment from annotations/labels
+- ✅ Image change tracking (old tag → new tag)
+- ✅ Grafana dashboard
+- 🚧 StatefulSet/DaemonSet/CronJob support (planned)
+- 🚧 Init container support (planned)
+- 🚧 Metric cleanup on workload deletion (planned)
+
+---
+
+**Built with ❤️ and Go** | [Report an Issue](https://github.com/MatteoMori/sentinel/issues)