Transparent Ed25519 signing and verification for CloudEvents on Knative.
646
Transparent Ed25519 signing and verification for CloudEvents on Kubernetes/Knative. Sign events at the producer, verify at the consumer — enabling cross-namespace event authentication through untrusted brokers.
| Image | Description |
|---|---|
ce-signing-proxy | HTTP proxy running as a Knative Sequence step in sign or verify mode |
ce-signing-operator | Kubernetes operator reconciling signing/verification policies and key distribution |
helm install ce-signing-operator \
oci://ghcr.io/nrrso/eventing-signing-operator/ce-signing-operator \
--set clusterName=my-cluster
docker pull nrrso/ce-signing-operator:<version>
docker pull nrrso/ce-signing-proxy:<version>
cesignature, cesignaturealg, cekeyid, cecanonattrsNamespace is the trust boundary. One keypair per namespace, automatic key rotation, signatures are never stripped.
| Environment Variable | Description |
|---|---|
CE_SIGNING_MODE | sign or verify |
CE_SIGNING_SECRET_NAME | Kubernetes Secret containing the keypair |
CE_SIGNING_NAMESPACE | Namespace of the signing policy |
The proxy listens on port 8090. It has no HTTP client — Knative owns all delivery and retry.
| Environment Variable | Description |
|---|---|
CE_SIGNING_OPERATOR_MODE | LOCAL or FEDERATION |
CE_SIGNING_CLUSTER_NAME | Cluster identity for multi-cluster federation |
CRDs:
CloudEventSigningProducerPolicy (namespace-scoped)CloudEventSigningConsumerPolicy (namespace-scoped)PublicKeyRegistry (cluster-scoped singleton)Java 21, Quarkus, JOSDK, Fabric8, BouncyCastle Ed25519, CloudEvents SDK, RFC 8785 JCS canonicalization.
Apache-2.0
Content type
Image
Digest
sha256:3b6b2d5a9…
Size
188.1 MB
Last updated
27 days ago
docker pull nrrso/ce-signing-operator