kube-logging · csatib02 · Dec 16, 2025 · Dec 16, 2025
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
@@ -23,9 +23,6 @@ on:
       container-image-tag:
         description: Container image tag
         value: ${{ jobs.container-image.outputs.tag }}
-      container-image-ref:
-        description: Container image ref
-        value: ${{ jobs.container-image.outputs.ref }}
 
 permissions:
   contents: read
@@ -45,7 +42,6 @@ jobs:
       name: ${{ steps.image-name.outputs.value }}
       digest: ${{ steps.build.outputs.digest }}
       tag: ${{ steps.meta.outputs.version }}
-      ref: ${{ steps.image-ref.outputs.value }}
 
     steps:
       - name: Checkout repository
@@ -58,6 +54,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
 
+      - name: Set up Cosign
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        if: ${{ inputs.publish }}
 
       - name: Set image name
         id: image-name
@@ -75,16 +74,10 @@ jobs:
             type=ref,event=pr,prefix=pr-
             type=semver,pattern={{raw}}
             type=raw,value=latest,enable={{is_default_branch}}
-
-      # Multiple exporters are not supported yet
-      # See https://github.com/moby/buildkit/pull/2760
-      - name: Determine build output
-        uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1
-        id: build-output
-        with:
-          cond: ${{ inputs.publish }}
-          if_true: type=image,push=true
-          if_false: type=oci,dest=image.tar
+          labels: |
+            org.opencontainers.image.description=A Kubernetes event router
+            org.opencontainers.image.title=Event router
+            org.opencontainers.image.authors=Kube logging authors
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -93,7 +86,7 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ github.token }}
-        if: inputs.publish
+        if: ${{ inputs.publish }}
 
       - name: Build and push image
         id: build
@@ -105,16 +98,35 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          outputs: ${{ steps.build-output.outputs.value }}
-          # push: ${{ inputs.publish }}
-
-      - name: Set image ref
-        id: image-ref
-        run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
-
-      - name: Fetch image
-        run: skopeo --insecure-policy copy docker://${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci-archive:image.tar
-        if: inputs.publish
+          outputs: |
+            type=image,push=${{ inputs.publish }},name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+            type=oci,dest=image.tar,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+
+      - name: Sign image with GitHub OIDC Token
+        if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS[@]}; do
+            images+="${tag}@${DIGEST} "
+          done
+
+          cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images}
+
+      - name: Verify signed image with cosign
+        if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          for tag in ${TAGS[@]}; do
+            cosign verify "${tag}@${DIGEST}" \
+              --rekor-url "https://rekor.sigstore.dev/" \
+              --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+          done
 
       - name: Extract OCI tarball
         run: |

diff --git a/.travis.yml b/.travis.yml
diff --git a/README.md b/README.md
@@ -1,41 +1,46 @@
 # Eventrouter
 
-This repository contains a simple event router for the [Kubernetes][kubernetes] project. The event router serves as an active watcher of _event_ resource in the kubernetes system, which takes those events and _pushes_ them to a user specified _sink_.  This is useful for a number of different purposes, but most notably long term behavioral analysis of your 
-workloads running on your kubernetes cluster. 
+This repository contains a simple event router for the [Kubernetes][kubernetes] project. The event router serves as an active watcher of _event_ resource in the kubernetes system, which takes those events and _pushes_ them to a user specified _sink_.  This is useful for a number of different purposes, but most notably long term behavioral analysis of your
+workloads running on your kubernetes cluster.
 
 ## Goals
 
-This project has several objectives, which include: 
+This project has several objectives, which include:
 
 * Persist events for longer period of time to allow for system debugging
-* Allows operators to forward events to other system(s) for archiving/ML/introspection/etc. 
+* Allows operators to forward events to other system(s) for archiving/ML/introspection/etc.
 * It should be relatively low overhead
 * Support for multiple _sinks_ should be configurable
 
-### NOTE:
+### NOTE
 
-By default, eventrouter is configured to leverage existing EFK stacks by outputting wrapped json object which are easy to index in elastic search. 
+By default, eventrouter is configured to leverage existing EFK stacks by outputting wrapped json object which are easy to index in elastic search.
 
-## Non-Goals: 
+## Non-Goals
 
-* This service does not provide a querable extension, that is a responsibility of the 
+* This service does not provide a querable extension, that is a responsibility of the
 _sink_
 * This service does not serve as a storage layer, that is also the responsibility of the _sink_
 
-## Running Eventrouter 
-Standup: 
-```
-$ kubectl create -f https://raw.githubusercontent.com/kube-logging/eventrouter/master/yaml/eventrouter.yaml
-```
-Teardown: 
+## Running Eventrouter
+
+Standup:
+
+```sh
+kubectl create -f https://raw.githubusercontent.com/kube-logging/eventrouter/master/yaml/eventrouter.yaml
 ```
-$ kubectl delete -f https://raw.githubusercontent.com/kube-logging/eventrouter/master/yaml/eventrouter.yaml
+
+Teardown:
+
+```sh
+kubectl delete -f https://raw.githubusercontent.com/kube-logging/eventrouter/master/yaml/eventrouter.yaml
 ```
 
-### Inspecting the output 
+### Inspecting the output
+
+```sh
+kubectl logs -f deployment/eventrouter -n kube-system 
 ```
-$ kubectl logs -f deployment/eventrouter -n kube-system 
-``` 
 
 Watch events roll through the system and hopefully stream into your ES cluster for mining, Hooray!