initial commit

Signed-off-by: Bence Csati <bence.csati@axoflow.com>

Author: csatib02

.dockerignore

@@ -0,0 +1 @@
+bin/

.github/actionlint-matcher.json

@@ -0,0 +1,17 @@
+{
+    "problemMatcher": [
+      {
+        "owner": "actionlint",
+        "pattern": [
+          {
+            "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+            "file": 1,
+            "line": 2,
+            "column": 3,
+            "message": 4,
+            "code": 5
+          }
+        ]
+      }
+    ]
+}

.github/workflows/ci.yaml

@@ -0,0 +1,47 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+      - "release-[0-9]+.[0-9]+*"
+  pull_request:
+
+jobs:
+  verification:
+    name: Verification
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Actionlint
+        run: |
+          echo "::add-matcher::.github/actionlint-matcher.json"
+          make lint-actions
+          echo "::remove-matcher owner=actionlint::"
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
+          config: .hadolint.yaml
+
+      - name: Run Yamllint
+        run: |
+          pip install --user yamllint
+          yamllint .
+
+      - name: Run Helm lint
+        run: |
+          make lint-helm
+
+  image-build:
+    name: Image build
+    uses: ./.github/workflows/image-build.yaml
+    with:
+      publish: ${{ github.event_name == 'push' }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write

.github/workflows/image-build.yaml

@@ -0,0 +1,147 @@
+name: Image build
+
+on:
+  workflow_call:
+    inputs:
+      publish:
+        description: Publish artifacts to ghcr.io
+        default: false
+        required: false
+        type: boolean
+      release:
+        description: Whether this is a release build
+        default: false
+        required: false
+        type: boolean
+    outputs:
+      container-image-name:
+        description: Container image name
+        value: ${{ jobs.container-image.outputs.name }}
+      container-image-digest:
+        description: Container image digest
+        value: ${{ jobs.container-image.outputs.digest }}
+      container-image-tag:
+        description: Container image tag
+        value: ${{ jobs.container-image.outputs.tag }}
+
+permissions:
+  contents: read
+
+jobs:
+  container-image:
+    name: Container image
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    outputs:
+      name: ${{ steps.image-name.outputs.value }}
+      digest: ${{ steps.build.outputs.digest }}
+      tag: ${{ steps.meta.outputs.version }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+
+      - name: Set up Cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        if: inputs.publish
+
+      - name: Set image name
+        id: image-name
+        run: echo "value=ghcr.io/axoflow/cloudconnectors" >> "$GITHUB_OUTPUT"
+
+      - name: Gather build metadata
+        id: meta
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        with:
+          images: ${{ steps.image-name.outputs.value }}
+          flavor: |
+            latest = false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr,prefix=pr-
+            type=semver,pattern={{raw}}
+            type=raw,value=latest,enable={{is_default_branch}}
+          labels: |
+            org.opencontainers.image.description=Axoflow cloudconnectors helps collecting logs from various cloud-providers.
+            org.opencontainers.image.title=Axoflow cloudconnectors
+            org.opencontainers.image.authors=Axoflow
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+        if: inputs.publish
+
+      - name: Build and push image
+        id: build
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          outputs: |
+            type=image,push=${{ inputs.publish }},name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+            type=oci,dest=image.tar,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+
+      - name: Sign image with GitHub OIDC Token
+        if: ${{ inputs.publish && github.repository_owner == 'axoflow' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          readarray -t tag_array <<< "$TAGS"
+          for tag in "${tag_array[@]}"; do
+            full_image="${tag}@${DIGEST}"
+            cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" "${full_image}"
+          done
+
+      - name: Verify signed image with cosign
+        if: ${{ inputs.publish && github.repository_owner == 'axoflow' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          for tag in $TAGS; do
+            cosign verify "${tag}@${DIGEST}" \
+              --rekor-url "https://rekor.sigstore.dev/" \
+              --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/image-build.yaml@${{ github.ref }}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+          done
+
+      - name: Extract OCI tarball
+        run: |
+          mkdir -p image
+          tar -xf image.tar -C image
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          input: image
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results as artifact
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: "[${{ github.job }}] Trivy scan results"
+          path: trivy-results.sarif
+          retention-days: 5

.github/workflows/release.yaml

@@ -0,0 +1,20 @@
+name: Release
+
+on:
+  push:
+    tags: ["[0-9]+.[0-9]+.[0-9]+*"]
+
+permissions:
+  contents: read
+
+jobs:
+  image-build:
+    name: Image build
+    uses: ./.github/workflows/image-build.yaml
+    with:
+      publish: true
+      release: true
+    permissions:
+      contents: read
+      packages: write
+      id-token: write

.gitignore

@@ -0,0 +1,3 @@
+.DS_Store
+bin/
+connectors/storage/*

.hadolint.yaml

@@ -0,0 +1,2 @@
+ignored:
+  - DL3018

.yamlignore

@@ -0,0 +1,2 @@
+/.github/
+/charts/

.yamllint.yaml

@@ -0,0 +1,7 @@
+ignore-from-file: [.gitignore, .yamlignore]
+
+extends: default
+
+rules:
+  line-length: disable
+  document-start: disable

Dockerfile

@@ -0,0 +1,22 @@
+FROM ghcr.io/axoflow/axoflow-otel-collector/axoflow-otel-collector:0.120.0-axoflow1 AS axo-otelcol
+
+FROM alpine:3.21 AS base
+
+WORKDIR /cloudconnectors
+ENV HOME=/cloudconnectors
+
+COPY --from=axo-otelcol /axoflow-otel-collector .
+COPY --from=axo-otelcol /etc/axoflow-otel-collector/ /etc/axoflow-otel-collector/
+COPY --from=axo-otelcol /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+RUN apk add --no-cache bash
+
+# Set user
+ARG USER_UID=10001
+USER ${USER_UID}
+
+# Copy application files
+COPY entrypoint.sh ./
+COPY connectors/ /etc/axoflow-otel-collector/connectors/
+
+ENTRYPOINT ["./entrypoint.sh"]