feat: move in node-exporter image

Signed-off-by: Bence Csati <[email protected]>

Author: csatib02

.github/workflows/config-reloader.yaml

@@ -103,7 +103,7 @@ jobs:
           for tag in ${TAGS[@]}; do
             cosign verify "${tag}@${DIGEST}" \
               --rekor-url "https://rekor.sigstore.dev/" \
-              --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/config-reloader-image.yaml@${{ github.ref }}" \
+              --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/config-reloader.yaml@${{ github.ref }}" \
               --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
           done
 

.github/workflows/dependency-images.yaml

@@ -62,3 +62,14 @@ jobs:
       packages: write
       id-token: write
       security-events: write
+
+  node-exporter:
+    name: Node exporter
+    uses: ./.github/workflows/node-exporter.yaml
+    with:
+      publish: ${{ inputs.publish }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      security-events: write

.github/workflows/node-exporter.yaml

@@ -0,0 +1,135 @@
+name: Node exporter
+
+on:
+  workflow_call:
+    inputs:
+      publish:
+        description: Publish artifacts to the artifact store
+        default: false
+        required: false
+        type: boolean
+
+permissions:
+  contents: read
+
+jobs:
+  node-exporter-image:
+    name: Node exporter image
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Set up Cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        if: ${{ inputs.publish }}
+
+      - name: Set image name
+        id: image-name
+        run: echo "value=ghcr.io/${{ github.repository }}/node-exporter" >> "$GITHUB_OUTPUT"
+
+      - name: Gather build metadata
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ steps.image-name.outputs.value }}
+          flavor: |
+            latest = false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{raw}}
+            type=raw,value=latest,enable={{is_default_branch}}
+          labels: |
+            org.opencontainers.image.description=Node exporter image for the Logging operator.
+            org.opencontainers.image.title=Logging operator Node exporter image
+            org.opencontainers.image.authors=Kube logging authors
+            org.opencontainers.image.documentation=https://kube-logging.dev/docs/
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+        if: ${{ inputs.publish }}
+
+      - name: Build and push Node exporter image
+        id: build
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: images/node-exporter
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          outputs: |
+            type=image,push=${{ inputs.publish }},name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+            type=oci,dest=image.tar,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+
+      - name: Sign image with GitHub OIDC Token
+        if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS[@]}; do
+            images+="${tag}@${DIGEST} "
+          done
+          
+          cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images}
+
+      - name: Verify signed image with cosign
+        if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          for tag in ${TAGS[@]}; do
+            cosign verify "${tag}@${DIGEST}" \
+              --rekor-url "https://rekor.sigstore.dev/" \
+              --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/node-exporter.yaml@${{ github.ref }}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+          done
+
+      - name: Extract OCI tarball
+        run: |
+          mkdir -p image
+          tar -xf image.tar -C image
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          input: image
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results as artifact
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: "[${{ github.job }}] Trivy scan results"
+          path: trivy-results.sarif
+          retention-days: 5
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+        with:
+          sarif_file: trivy-results.sarif

Makefile

@@ -233,6 +233,7 @@ test-e2e-nodeps:
 		CONFIG_RELOADER_IMAGE="${CONFIG_RELOADER_IMG}" \
 		SYSLOG_NG_RELOADER_IMAGE="${SYSLOG_NG_RELOADER_IMG}" \
 		FLUENTD_DRAIN_WATCH_IMAGE="${FLUENTD_DRAIN_WATCH_IMG}" \
+		NODE_EXPORTER_IMAGE="${NODE_EXPORTER_IMG}" \
 		FLUENTD_IMAGE="${FLUENTD_IMG}" \
 		KIND_PATH="$(KIND)" \
 		KIND_IMAGE="$(KIND_IMAGE)" \

config/samples/logging_logging_with_monitoring.yaml

@@ -11,7 +11,7 @@ spec:
   enableRecreateWorkloadOnImmutableFieldChange: true
   fluentd:
     bufferVolumeImage:
-      repository: ghcr.io/kube-logging/node-exporter
+      repository: ghcr.io/kube-logging/logging-operator/node-exporter
     bufferVolumeMetrics: 
       prometheusRules: true
       serviceMonitor: true

images/node-exporter/Dockerfile

@@ -0,0 +1,16 @@
+FROM ghcr.io/kube-logging/custom-runner:v0.12.0 AS custom-runner
+
+FROM quay.io/prometheus/node-exporter:v1.9.0
+
+COPY --from=custom-runner /runner /
+
+USER root
+
+RUN mkdir -p /prometheus/node_exporter/textfile_collector
+
+COPY buffer-size.sh /prometheus/buffer-size.sh
+RUN chmod 0744 /prometheus/buffer-size.sh
+
+WORKDIR /
+
+ENTRYPOINT ["/runner"]

images/node-exporter/README.md

@@ -0,0 +1,34 @@
+# Node Exporter Image
+
+Node Exporter Image is a monitoring script that collects buffer size and file count metrics for Prometheus Node Exporter.
+
+## Features
+
+- Tracks disk usage of buffer files.
+- Reports buffer file count.
+- Generates Prometheus-compatible metrics.
+- Supports a configurable buffer path.
+
+## Usage
+
+Set the required environment variable before running:
+
+```sh
+export BUFFER_PATH=/path/to/buffers  # Optional, default is /buffers
+```
+
+### Prometheus Integration
+
+The script generates the following metrics for Prometheus Node Exporter:
+
+- `node_buffer_size_bytes`: Deprecated metric for buffer disk usage.
+- `logging_buffer_size_bytes`: New metric for buffer disk usage, including the host label.
+- `logging_buffer_files`: Number of buffer files.
+
+Metrics are stored in:
+
+```sh
+/prometheus/node_exporter/textfile_collector/
+```
+
+Ensure Node Exporter is configured to read from this directory.

images/node-exporter/buffer-size.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+[ -z "$BUFFER_PATH" ] && BUFFER_PATH=/buffers
+
+while true; do
+    # Deprecated: node_buffer_size_bytes will soon be replaced by logging_buffer_size_bytes
+    # logging_buffer_size_bytes includes the host label
+    echo "# HELP node_buffer_size_bytes Disk space used [deprecated]" > /prometheus/node_exporter/textfile_collector/buffer_size.prom.$$
+    echo "# TYPE node_buffer_size_bytes gauge" >> /prometheus/node_exporter/textfile_collector/buffer_size.prom.$$
+    du -sb ${BUFFER_PATH} | sed -ne 's/\\/\\\\/;s/"/\\"/g;s/^\([0-9]\+\)\t\(.*\)$/node_buffer_size_bytes{entity="\2"} \1/p' >> /prometheus/node_exporter/textfile_collector/buffer_size.prom.$$
+    mv /prometheus/node_exporter/textfile_collector/buffer_size.prom.$$ /prometheus/node_exporter/textfile_collector/buffer_size.prom
+
+    echo "# HELP logging_buffer_size_bytes Disk space used" > /prometheus/node_exporter/textfile_collector/logging_buffer_size_bytes.prom.$$
+    echo "# TYPE logging_buffer_size_bytes gauge" >> /prometheus/node_exporter/textfile_collector/logging_buffer_size_bytes.prom.$$
+    du -sb ${BUFFER_PATH} | sed -ne 's/\\/\\\\/;s/"/\\"/g;s/^\([0-9]\+\)\t\(.*\)$/logging_buffer_size_bytes{entity="\2", host="'$(hostname)'"} \1/p' >> /prometheus/node_exporter/textfile_collector/logging_buffer_size_bytes.prom.$$
+    mv /prometheus/node_exporter/textfile_collector/logging_buffer_size_bytes.prom.$$ /prometheus/node_exporter/textfile_collector/logging_buffer_size_bytes.prom
+
+    echo "# HELP logging_buffer_files File count" > /prometheus/node_exporter/textfile_collector/logging_buffer_files.prom.$$
+    echo "# TYPE logging_buffer_files gauge" >> /prometheus/node_exporter/textfile_collector/logging_buffer_files.prom.$$
+    echo -e "$(find "${BUFFER_PATH}" -type f 2>/dev/null | wc -l)\t${BUFFER_PATH}" | sed -ne 's/\\/\\\\/;s/"/\\"/g;s/^\([0-9]\+\)\t\(.*\)$/logging_buffer_files{entity="\2", host="'$(hostname)'"} \1/p' >> /prometheus/node_exporter/textfile_collector/logging_buffer_files.prom.$$
+    mv /prometheus/node_exporter/textfile_collector/logging_buffer_files.prom.$$ /prometheus/node_exporter/textfile_collector/logging_buffer_files.prom
+
+    sleep 15
+done

images/syslog-ng-reloader/README.md

@@ -5,7 +5,3 @@ It watches mounted volume dirs and notifies the target process changed files on
 If changes exist - send webhook.
 
 It is available as a Docker image at `ghcr.io/kube-logging/logging-operator/syslog-ng-reloader`
-
-## License
-
-The project is licensed under the [Apache License, Version 2.0](LICENSE).

pkg/sdk/logging/api/v1beta1/fluentd_types.go

@@ -252,7 +252,11 @@ func (f *FluentdSpec) SetDefaults() error {
 			f.BufferVolumeImage.Repository = DefaultFluentdBufferVolumeImageRepository
 		}
 		if f.BufferVolumeImage.Tag == "" {
-			f.BufferVolumeImage.Tag = DefaultFluentdBufferVolumeImageTag
+			if Version == "" {
+				f.BufferVolumeImage.Tag = DefaultFluentdBufferVolumeImageTag
+			} else {
+				f.BufferVolumeImage.Tag = Version
+			}
 		}
 		if f.BufferVolumeImage.PullPolicy == "" {
 			f.BufferVolumeImage.PullPolicy = "IfNotPresent"