From a19371cebaeefde13117365632a842c2b980643b Mon Sep 17 00:00:00 2001 From: Bence Csati Date: Tue, 16 Dec 2025 10:36:37 +0100 Subject: [PATCH] feat: image sign, tidy repo Signed-off-by: Bence Csati --- .github/workflows/artifacts.yaml | 62 +++++++++++++++++++------------- .travis.yml | 7 ---- README.md | 41 +++++++++++---------- 3 files changed, 60 insertions(+), 50 deletions(-) delete mode 100644 .travis.yml diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml index b7e29f31f..1e5e0133c 100644 --- a/.github/workflows/artifacts.yaml +++ b/.github/workflows/artifacts.yaml @@ -23,9 +23,6 @@ on: container-image-tag: description: Container image tag value: ${{ jobs.container-image.outputs.tag }} - container-image-ref: - description: Container image ref - value: ${{ jobs.container-image.outputs.ref }} permissions: contents: read @@ -45,7 +42,6 @@ jobs: name: ${{ steps.image-name.outputs.value }} digest: ${{ steps.build.outputs.digest }} tag: ${{ steps.meta.outputs.version }} - ref: ${{ steps.image-ref.outputs.value }} steps: - name: Checkout repository @@ -58,6 +54,9 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 + - name: Set up Cosign + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 + if: ${{ inputs.publish }} - name: Set image name id: image-name 
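Review bot: Dropping the `container-image-ref` entry from `on.workflow_call.outputs` (and the job-level `ref:` output in the next hunk) is a breaking change for any caller workflow that reads it, and neither the commit message nor the README hunk mentions it; as far as I know a `needs.<job>.outputs.<name>` reference to a removed output evaluates to an empty string rather than failing, so the breakage would surface downstream as an empty image reference. If `ref` is being retired because `name` and `digest` remain available, one sentence in the commit description such as `callers should compose the pinned reference as ${name}@${digest}` would make the migration explicit. The `on.workflow_call.outputs` mapping starts above this hunk.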
@@ -75,16 +74,10 @@ jobs: type=ref,event=pr,prefix=pr- type=semver,pattern={{raw}} type=raw,value=latest,enable={{is_default_branch}} - - # Multiple exporters are not supported yet - # See https://github.com/moby/buildkit/pull/2760 - - name: Determine build output - uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1 - id: build-output - with: - cond: ${{ inputs.publish }} - if_true: type=image,push=true - if_false: type=oci,dest=image.tar + labels: | + org.opencontainers.image.description=A Kubernetes event router + org.opencontainers.image.title=Event router + org.opencontainers.image.authors=Kube logging authors - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 @@ -93,7 +86,7 @@ jobs: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - if: inputs.publish + if: ${{ inputs.publish }} - name: Build and push image id: build 
@@ -105,16 +98,35 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - outputs: ${{ steps.build-output.outputs.value }} - # push: ${{ inputs.publish }} - - - name: Set image ref - id: image-ref - run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" - - - name: Fetch image - run: skopeo --insecure-policy copy docker://${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci-archive:image.tar - if: inputs.publish + outputs: | + type=image,push=${{ inputs.publish }},name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} + type=oci,dest=image.tar,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} + + - name: Sign image with GitHub OIDC Token + if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization + env: + DIGEST: ${{ steps.build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS[@]}; do + images+="${tag}@${DIGEST} " + done + + cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images} + + - name: Verify signed image with cosign + if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization + env: + DIGEST: ${{ steps.build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + for tag in ${TAGS[@]}; do + cosign verify "${tag}@${DIGEST}" \ + --rekor-url "https://rekor.sigstore.dev/" \ + --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq + done - name: Extract OCI tarball run: | 
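Review bot: The verify step's `cosign verify … | jq` reports jq's exit status rather than cosign's, so a failed verification does not fail the step: GitHub's default `run` shell is `bash -e {0}` without `pipefail`, and jq exits 0 on the empty stdout a failing cosign leaves behind. Unless a `shell: bash` key (which switches to `bash -eo pipefail`) is set on this step outside the visible lines, make the gate explicit by starting the script with `set -o pipefail`, or drop the `| jq` since cosign already prints the verified payload. The sign loop also signs the same `DIGEST` once per tag; as far as I understand cosign attaches a signature to the digest, not the tag, so a single `cosign sign --yes … "${{ steps.image-name.outputs.value }}@${DIGEST}"` would avoid duplicate signature layers and Rekor entries — worth confirming against cosign's behaviour before changing. The `--certificate-identity` built from `github.repository` and `github.ref` matches only when this reusable workflow is invoked from this repository; a cross-repo caller in the `kube-logging` org would pass the `if` guard but fail verification, since the certificate carries the called workflow's `job_workflow_ref`. The job's `steps:` list continues past the end of this hunk.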
diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index d3e09de58..000000000 --- a/.travis.yml +++ /dev/null @@ -1,7 +0,0 @@ -sudo: required -language: go -services: - - docker -install: true - -script: make container test vet diff --git a/README.md b/README.md index b385e285b..e4e55b23c 100644 --- a/README.md +++ b/README.md 
@@ -1,41 +1,46 @@ # Eventrouter -This repository contains a simple event router for the [Kubernetes][kubernetes] project. The event router serves as an active watcher of _event_ resource in the kubernetes system, which takes those events and _pushes_ them to a user specified _sink_. This is useful for a number of different purposes, but most notably long term behavioral analysis of your -workloads running on your kubernetes cluster. +This repository contains a simple event router for the [Kubernetes][kubernetes] project. The event router serves as an active watcher of _event_ resource in the kubernetes system, which takes those events and _pushes_ them to a user specified _sink_. This is useful for a number of different purposes, but most notably long term behavioral analysis of your +workloads running on your kubernetes cluster. ## Goals -This project has several objectives, which include: +This project has several objectives, which include: * Persist events for longer period of time to allow for system debugging -* Allows operators to forward events to other system(s) for archiving/ML/introspection/etc. +* Allows operators to forward events to other system(s) for archiving/ML/introspection/etc. * It should be relatively low overhead * Support for multiple _sinks_ should be configurable -### NOTE: +### NOTE -By default, eventrouter is configured to leverage existing EFK stacks by outputting wrapped json object which are easy to index in elastic search. +By default, eventrouter is configured to leverage existing EFK stacks by outputting wrapped json object which are easy to index in elastic search. 
-## Non-Goals: +## Non-Goals -* This service does not provide a querable extension, that is a responsibility of the +* This service does not provide a querable extension, that is a responsibility of the _sink_ * This service does not serve as a storage layer, that is also the responsibility of the _sink_ -## Running Eventrouter -Standup: -``` -$ kubectl create -f https://raw.githubusercontent.com/kube-logging/eventrouter/master/yaml/eventrouter.yaml -``` -Teardown: +## Running Eventrouter + +Standup: + +```sh +kubectl create -f https://raw.githubusercontent.com/kube-logging/eventrouter/master/yaml/eventrouter.yaml ``` -$ kubectl delete -f https://raw.githubusercontent.com/kube-logging/eventrouter/master/yaml/eventrouter.yaml + +Teardown: + +```sh +kubectl delete -f https://raw.githubusercontent.com/kube-logging/eventrouter/master/yaml/eventrouter.yaml ``` -### Inspecting the output +### Inspecting the output + +```sh +kubectl logs -f deployment/eventrouter -n kube-system ``` -$ kubectl logs -f deployment/eventrouter -n kube-system -``` Watch events roll through the system and hopefully stream into your ES cluster for mining, Hooray!