nrrso/ce-signing-operator

By nrrso

Updated 27 days ago

Transparent Ed25519 signing and verification for CloudEvents on Knative.

Image
Integration & delivery
Message queues
0

646

nrrso/ce-signing-operator repository overview

CloudEvent Signing Operator

Transparent Ed25519 signing and verification for CloudEvents on Kubernetes/Knative. Sign events at the producer, verify at the consumer — enabling cross-namespace event authentication through untrusted brokers.

Images

ImageDescription
ce-signing-proxyHTTP proxy running as a Knative Sequence step in sign or verify mode
ce-signing-operatorKubernetes operator reconciling signing/verification policies and key distribution

Quick Start

Operator (via Helm)
helm install ce-signing-operator \
  oci://ghcr.io/nrrso/eventing-signing-operator/ce-signing-operator \
  --set clusterName=my-cluster
Images
docker pull nrrso/ce-signing-operator:<version>
docker pull nrrso/ce-signing-proxy:<version>

How It Works

  1. ProducerPolicy — creates a namespace-scoped keypair, deploys a signing proxy as a Knative Sequence step, and publishes the public key to a cluster-scoped registry
  2. ConsumerPolicy — deploys a verifying proxy as a Knative Trigger filter, watches the public key registry for key updates
  3. Signing flow — CloudEvent → canonical form (attribute filter + sort + RFC 8785 JCS for data) → Ed25519 sign → event extended with cesignature, cesignaturealg, cekeyid, cecanonattrs

Namespace is the trust boundary. One keypair per namespace, automatic key rotation, signatures are never stripped.

Configuration

ce-signing-proxy
Environment VariableDescription
CE_SIGNING_MODEsign or verify
CE_SIGNING_SECRET_NAMEKubernetes Secret containing the keypair
CE_SIGNING_NAMESPACENamespace of the signing policy

The proxy listens on port 8090. It has no HTTP client — Knative owns all delivery and retry.

ce-signing-operator
Environment VariableDescription
CE_SIGNING_OPERATOR_MODELOCAL or FEDERATION
CE_SIGNING_CLUSTER_NAMECluster identity for multi-cluster federation

CRDs:

  • CloudEventSigningProducerPolicy (namespace-scoped)
  • CloudEventSigningConsumerPolicy (namespace-scoped)
  • PublicKeyRegistry (cluster-scoped singleton)

Tech Stack

Java 21, Quarkus, JOSDK, Fabric8, BouncyCastle Ed25519, CloudEvents SDK, RFC 8785 JCS canonicalization.

License

Apache-2.0

Tag summary

Content type

Image

Digest

sha256:3b6b2d5a9

Size

188.1 MB

Last updated

27 days ago

docker pull nrrso/ce-signing-operator