feat(events): add events extension (#3045)

* feat: add events config Signed-off-by: Piaras Hoban <phoban01@gmail.com> * feat: implement event support with log sink Signed-off-by: Piaras Hoban <phoban01@gmail.com> * feat: integrate events and update tests Signed-off-by: Piaras Hoban <phoban01@gmail.com> * refactor: update event config Signed-off-by: Piaras Hoban <phoban01@gmail.com> * feat: implement http and nats sinks. remove log sink Signed-off-by: Piaras Hoban <phoban01@gmail.com> * refactor: events extension setup Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: cleanup tests to use nil event recorder Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: update events config example and add more logging Signed-off-by: Piaras Hoban <phoban01@gmail.com> * refactor: better use of build tags for minimal binary Signed-off-by: Piaras Hoban <phoban01@gmail.com> * fix: missing store param in evelated privileges tests Signed-off-by: Piaras Hoban <phoban01@gmail.com> * fix: regression in config decoding Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: update check logs script to enable cross-platform usage via GREP_BIN_PATH envvar Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: fix log lint issue for events Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: fix failing events disabled test Signed-off-by: Piaras Hoban <phoban01@gmail.com> * test: add blackbox tests for events Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: specify architecture when downloading binaries in Makefile Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: improve failure handling when no valid sinks are provided Signed-off-by: Piaras Hoban <phoban01@gmail.com> * test: fix data race in events test Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: cleanup event decoding Signed-off-by: Piaras Hoban <phoban01@gmail.com> * test: fix logging tests Signed-off-by: Piaras Hoban <phoban01@gmail.com> * test: make nats server test more reliable Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: go mod cleanup Signed-off-by: Piaras Hoban <phoban01@gmail.com> * test: add sleep when setting up nats client Signed-off-by: Piaras Hoban <phoban01@gmail.com> * fix: ensure event sink errors do not propogate Signed-off-by: Piaras Hoban <phoban01@gmail.com> * test: increase coverage for events Signed-off-by: Piaras Hoban <phoban01@gmail.com> * feat(events): Refactor events to be non-blocking from caller. Signed-off-by: Asgeir Nilsen <asgeir.nilsen@bouvet.no> Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: remove harded-coded linux Co-authored-by: Andrei Aaron <andreifdaaron@gmail.com> Signed-off-by: Piaras Hoban <phoban01@gmail.com> * feat(events): fail to start if incorrect event sink is configured Signed-off-by: Piaras Hoban <phoban01@gmail.com> * test: allow cli tests to return errors instead of panic Signed-off-by: Piaras Hoban <phoban01@gmail.com> * chore: bump nats server to v2.11.3 Signed-off-by: Piaras Hoban <phoban01@gmail.com> --------- Signed-off-by: Piaras Hoban <phoban01@gmail.com> Signed-off-by: Asgeir Nilsen <asgeir.nilsen@bouvet.no> Co-authored-by: Asgeir Nilsen <asgeir.nilsen@bouvet.no> Co-authored-by: Andrei Aaron <andreifdaaron@gmail.com>
2026-06-17 12:58:02 +08:00 · 2025-05-02 20:30:06 +01:00
parent 06a0cd5220
commit bc5fd1a357
63 changed files with 2907 additions and 306 deletions
@@ -9,7 +9,8 @@ PATH=$PATH:${SCRIPTPATH}/../../hack/tools/bin

 tests=("pushpull" "pushpull_authn" "delete_images" "referrers" "metadata" "anonymous_policy"
      "annotations" "detect_manifest_collision" "cve" "sync" "sync_docker" "sync_replica_cluster"
-      "scrub" "garbage_collect" "metrics" "metrics_minimal" "multiarch_index" "docker_compat" "redis_local")
+      "scrub" "garbage_collect" "metrics" "metrics_minimal" "multiarch_index" "docker_compat" "redis_local"
+      "events_nats" "events_http" "events_nats_lint_failure" "events_http_lint_failure" "events_sink_failure" "events_config_decoding")

 for test in ${tests[*]}; do
    ${BATS} ${BATS_FLAGS} ${SCRIPTPATH}/${test}.bats > ${test}.log & pids+=($!)
@@ -0,0 +1,122 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+load helpers_events
+
+function verify_prerequisites() {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v jq) ]; then
+        echo "you need to install jq as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v docker) ]; then
+        echo "you need to install docker as a prerequisite to running the tests" >&3
+        return 1
+    fi
+}
+
+function setup_file() {
+    # verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+}
+
+@test "startup error when invalid sink is specified" {
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    mkdir -p ${zot_root_dir}
+    zot_port=$(get_free_port)
+    cat > ${zot_config_file}<<EOF
+{
+    "distSpecVersion": "1.1.1",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}"
+    },
+    "log": {
+        "level": "debug",
+        "output": "${BATS_FILE_TMPDIR}/zot.log"
+    },
+    "extensions": {
+        "events": {
+            "enable": true,
+            "sinks": [
+                {
+                    "type": "http",
+                    "address": "http://127.0.0.1:${http_server_port}/events",
+                    "timeout": "15s",
+                    "credentials": {
+                        "username": "jane.joe",
+                        "password": "opensesame"
+                    }
+                },
+                {
+                    "type": "generic",
+                    "address": "http://127.0.0.1:${http_server_port}/events",
+                    "timeout": "15s",
+                    "credentials": {
+                        "username": "jane.joe",
+                        "password": "opensesame"
+                    }
+                }
+            ]
+        }
+    }
+}
+EOF
+    run ${ZOT_PATH} verify ${zot_config_file}
+    [ "$status" -ne 0 ]
+    [[ "$output" =~ "event sink is not supported" ]]
+}
+
+@test "no error when valid sinks are specified" {
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    mkdir -p ${zot_root_dir}
+    zot_port=$(get_free_port)
+    cat > ${zot_config_file}<<EOF
+{
+    "distSpecVersion": "1.1.1",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}"
+    },
+    "log": {
+        "level": "debug",
+        "output": "${BATS_FILE_TMPDIR}/zot.log"
+    },
+    "extensions": {
+        "events": {
+            "enable": true,
+            "sinks": [{
+                "type": "http",
+                "address": "http://127.0.0.1:${http_server_port}/events",
+                "timeout": "15s",
+                "credentials": {
+                    "username": "jane.joe",
+                    "password": "opensesame"
+                }
+            }]
+        }
+    }
+}
+EOF
+    run ${ZOT_PATH} verify ${zot_config_file}
+    [ "$status" -eq 0 ]
+}
@@ -0,0 +1,167 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+load helpers_events
+
+function verify_prerequisites() {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v jq) ]; then
+        echo "you need to install jq as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v docker) ]; then
+        echo "you need to install docker as a prerequisite to running the tests" >&3
+        return 1
+    fi
+}
+
+function setup_file() {
+    # verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+
+    # Setup http server
+    http_server_port=$(get_free_port)
+    http_event_dir="${BATS_FILE_TMPDIR}/http_events"
+    http_server_start http_receiver "${http_server_port}" "${http_event_dir}"
+    echo ${http_server_port} > ${BATS_FILE_TMPDIR}/http_server.port
+    wait_for_http_server $http_server_port
+
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
+
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    local oci_data_dir=${BATS_FILE_TMPDIR}/oci
+    mkdir -p ${zot_root_dir}
+    mkdir -p ${oci_data_dir}
+    zot_port=$(get_free_port)
+    echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port
+    cat > ${zot_config_file}<<EOF
+{
+    "distSpecVersion": "1.1.1",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}"
+    },
+    "log": {
+        "level": "debug",
+        "output": "${BATS_FILE_TMPDIR}/zot.log"
+    },
+    "extensions": {
+        "events": {
+            "enable": true,
+            "sinks": [{
+                "type": "http",
+                "address": "http://127.0.0.1:${http_server_port}/events",
+                "timeout": "15s",
+                "credentials": {
+                    "username": "jane.joe",
+                    "password": "opensesame"
+                }
+            }]
+        }
+    }
+}
+EOF
+    zot_serve ${ZOT_PATH} ${zot_config_file}
+    wait_zot_reachable ${zot_port}
+}
+
+function teardown_file() {
+    zot_stop_all
+    http_server_stop http_receiver
+}
+
+@test "http/publish repository created event" {
+    http_server_port=$(cat ${BATS_FILE_TMPDIR}/http_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/http_events
+
+    run curl -XGET http://127.0.0.1:${http_server_port}/reset
+    [ "$status" -eq 0 ]
+    [ -d "${output_path}" ] && rm -f "${output_path}"/*.json
+
+    # Push a new image and create repository
+    run skopeo --insecure-policy copy --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/golang:1.20 \
+        docker://127.0.0.1:${zot_port}/golang:1.20
+    [ "$status" -eq 0 ]
+
+    sleep 1
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    [ "$count" -eq 2 ]
+
+    result=$(jq '.' ${output_path}/1.json)
+    [ $(echo "${result}" | jq -r '.headers["Ce-Type"]') = "zotregistry.repository.created" ]
+    [ $(echo "${result}" | jq -r '.body.name') = "golang" ]
+}
+
+@test "http/publish image updated event" {
+    http_server_port=$(cat ${BATS_FILE_TMPDIR}/http_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/http_events
+
+    run curl -XGET http://127.0.0.1:${http_server_port}/reset
+    [ "$status" -eq 0 ]
+    [ -d "${output_path}" ] && rm -f "${output_path}"/*.json
+
+    # Push a new image tag
+    run skopeo --insecure-policy copy --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/golang:1.20 \
+        docker://127.0.0.1:${zot_port}/golang:latest
+    [ "$status" -eq 0 ]
+
+    sleep 1
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    ls -al $output_path
+    [ "$count" -eq 1 ]
+
+    # Validate the event
+    result=$(jq '.' ${output_path}/1.json)
+    [ $(echo "${result}" | jq -r '.headers["Ce-Type"]') = "zotregistry.image.updated" ]
+    [ $(echo "${result}" | jq -r '.body.name') = "golang" ]
+    [ $(echo "${result}" | jq -r '.body.reference') = "latest" ]
+}
+
+@test "http/publish image deleted event" {
+    http_server_port=$(cat ${BATS_FILE_TMPDIR}/http_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/http_events
+
+    run curl -XGET http://127.0.0.1:${http_server_port}/reset
+    [ "$status" -eq 0 ]
+    [ -d "${output_path}" ] && rm -f "${output_path}"/*.json
+
+    # Delete the tag
+    run curl -X DELETE  http://localhost:${zot_port}/v2/golang/manifests/latest
+    [ "$status" -eq 0 ]
+
+    sleep 1
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    ls -al $output_path
+    [ "$count" -eq 1 ]
+
+    # Validate the event
+    result=$(jq '.' ${output_path}/1.json)
+    [ $(echo "${result}" | jq -r '.headers["Ce-Type"]') = "zotregistry.image.deleted" ]
+    [ $(echo "${result}" | jq -r '.body.name') = "golang" ]
+    [ $(echo "${result}" | jq -r '.body.reference') = "latest" ]
+}
@@ -0,0 +1,162 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+load helpers_events
+
+function verify_prerequisites() {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v jq) ]; then
+        echo "you need to install jq as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v docker) ]; then
+        echo "you need to install docker as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v oras) ]; then
+        echo "you need to install oras as a prerequisite to running the tests" >&3
+        return 1
+    fi
+}
+
+function setup_file() {
+    # verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+
+    # Setup http server
+    http_server_port=$(get_free_port)
+    http_event_dir="${BATS_FILE_TMPDIR}/http_events"
+    http_server_start http_receiver_lint "${http_server_port}" "${http_event_dir}"
+    echo ${http_server_port} > ${BATS_FILE_TMPDIR}/http_server.port
+    wait_for_http_server $http_server_port
+
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
+
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    local oci_data_dir=${BATS_FILE_TMPDIR}/oci
+    mkdir -p ${zot_root_dir}
+    mkdir -p ${oci_data_dir}
+    zot_port=$(get_free_port)
+    echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port
+    cat > ${zot_config_file}<<EOF
+{
+    "distSpecVersion": "1.1.1",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}"
+    },
+    "log": {
+        "level": "debug",
+        "output": "${BATS_FILE_TMPDIR}/zot.log"
+    },
+    "extensions": {
+        "lint": {
+            "enable": true,
+            "mandatoryAnnotations": ["event-test"]
+        },
+        "events": {
+            "enable": true,
+            "sinks": [{
+                "type": "http",
+                "address": "http://127.0.0.1:${http_server_port}/events",
+                "timeout": "15s",
+                "credentials": {
+                    "username": "jane.joe",
+                    "password": "opensesame"
+                }
+            }]
+        }
+    }
+}
+EOF
+    zot_serve ${ZOT_PATH} ${zot_config_file}
+    wait_zot_reachable ${zot_port}
+}
+
+function teardown_file() {
+    zot_stop_all
+    http_server_stop http_receiver_lint
+}
+
+@test "http/publish image lint failure event" {
+    http_server_port=$(cat ${BATS_FILE_TMPDIR}/http_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/http_events
+
+    run curl -XGET http://127.0.0.1:${http_server_port}/reset
+    [ "$status" -eq 0 ]
+    [ -d "${output_path}" ] && rm -f "${output_path}"/*.json
+
+    # Create dummy config
+    echo '{}' > config.json
+
+    # Create dummy layer
+    echo "this is a bogus artifact" > artifact.txt
+
+    # Push using oras with intentionally broken config + type
+    run oras push --plain-http 127.0.0.1:${zot_port}/test-artifact:v0 \
+        --config config.json:application/vnd.oci.image.config.v1+json \
+        artifact.txt:text/plain -d -v
+
+    rm -f artifact.txt config.json
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    [ "$count" -eq 2 ]
+
+    # Validate the event
+    result=$(jq '.' ${output_path}/2.json)
+    echo $result
+    [ $(echo "${result}" | jq -r '.headers["Ce-Type"]') = "zotregistry.image.lint_failed" ]
+    [ $(echo "${result}" | jq -r '.body.name') = "test-artifact" ]
+    [ $(echo "${result}" | jq -r '.body.reference') = "v0" ]
+}
+
+@test "http/publish image with annotations" {
+    http_server_port=$(cat ${BATS_FILE_TMPDIR}/http_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/http_events
+
+    run curl -XGET http://127.0.0.1:${http_server_port}/reset
+    [ "$status" -eq 0 ]
+    [ -d "${output_path}" ] && rm -f "${output_path}"/*.json
+
+    # Create dummy config
+    echo '{}' > config.json
+
+    # Create dummy layer
+    echo "this is a bogus artifact" > artifact.txt
+
+    # Push using oras with intentionally broken config + type
+    run oras push --plain-http 127.0.0.1:${zot_port}/test-artifact:v1 \
+        --annotation "event-test=true" \
+        --config config.json:application/vnd.oci.image.config.v1+json \
+        artifact.txt:text/plain -d -v
+
+    rm -f artifact.txt config.json
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    [ "$count" -eq 1 ]
+
+    # Validate the event
+    result=$(jq '.' ${output_path}/1.json)
+    [ $(echo "${result}" | jq -r '.headers["Ce-Type"]') = "zotregistry.image.updated" ]
+    [ $(echo "${result}" | jq -r '.body.name') = "test-artifact" ]
+    [ $(echo "${result}" | jq -r '.body.reference') = "v1" ]
+}
@@ -0,0 +1,158 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+load helpers_events
+
+function verify_prerequisites() {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v jq) ]; then
+        echo "you need to install jq as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v docker) ]; then
+        echo "you need to install docker as a prerequisite to running the tests" >&3
+        return 1
+    fi
+}
+
+function setup_file() {
+    # verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+
+    # Setup nats server
+    nats_server_port=$(get_free_port)
+    nats_server_start nats_server_local ${nats_server_port}
+    echo ${nats_server_port} > ${BATS_FILE_TMPDIR}/nats_server.port
+
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
+
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    local oci_data_dir=${BATS_FILE_TMPDIR}/oci
+    mkdir -p ${zot_root_dir}
+    mkdir -p ${oci_data_dir}
+    zot_port=$(get_free_port)
+    echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port
+    cat > ${zot_config_file}<<EOF
+{
+    "distSpecVersion": "1.1.1",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}"
+    },
+    "log": {
+        "level": "debug",
+        "output": "${BATS_FILE_TMPDIR}/zot.log"
+    },
+    "extensions": {
+        "events": {
+            "enable": true,
+            "sinks": [{
+                "type": "nats",
+                "address": "nats://127.0.0.1:${nats_server_port}",
+                "timeout": "5s",
+                "channel": "zot.test",
+                "credentials": {
+                   "username": "jane.joe",
+                   "password": "opensesame"
+                }
+            }]
+        }
+    }
+}
+EOF
+    zot_serve ${ZOT_PATH} ${zot_config_file}
+    wait_zot_reachable ${zot_port}
+}
+
+function teardown_file() {
+    zot_stop_all
+    nats_server_stop nats_server_local
+}
+
+@test "nats/publish repository created event" {
+    nats_server_port=$(cat ${BATS_FILE_TMPDIR}/nats_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/events/repository_created
+
+    # Wait for event
+    run wait_event_on_subject "zot.test" ${nats_server_port} ${output_path}
+    [ "$status" -eq 0 ]
+
+    # Push a new image and create repository
+    run skopeo --insecure-policy copy --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/golang:1.20 \
+        docker://127.0.0.1:${zot_port}/golang:1.20
+    [ "$status" -eq 0 ]
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    [ "$count" -eq 1 ]
+
+    result=$(jq '.Data | @base64d | fromjson' ${output_path}/1.json)
+    [ $(echo "${result}" | jq -r '.type') = "zotregistry.repository.created" ]
+    [ $(echo "${result}" | jq -r '.data.name') = "golang" ]
+}
+
+@test "nats/publish image updated event" {
+    nats_server_port=$(cat ${BATS_FILE_TMPDIR}/nats_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/events/updated
+
+    # Wait for event
+    run wait_event_on_subject "zot.test" ${nats_server_port} ${output_path}
+    [ "$status" -eq 0 ]
+
+    # Push a new image tag
+    run skopeo --insecure-policy copy --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/golang:1.20 \
+        docker://127.0.0.1:${zot_port}/golang:latest
+    [ "$status" -eq 0 ]
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    [ "$count" -eq 1 ]
+
+    # Validate the event
+    result=$(jq '.Data | @base64d | fromjson' ${output_path}/1.json)
+    [ $(echo "${result}" | jq -r '.type') = "zotregistry.image.updated" ]
+    [ $(echo "${result}" | jq -r '.data.name') = "golang" ]
+    [ $(echo "${result}" | jq -r '.data.reference') = "latest" ]
+}
+
+@test "nats/publish image deleted event" {
+    nats_server_port=$(cat ${BATS_FILE_TMPDIR}/nats_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/events/deleted
+
+    # Wait for event
+    run wait_event_on_subject "zot.test" ${nats_server_port} ${output_path}
+    [ "$status" -eq 0 ]
+
+    # Delete the tag
+    run curl -X DELETE  http://localhost:${zot_port}/v2/golang/manifests/latest
+    [ "$status" -eq 0 ]
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    [ "$count" -eq 1 ]
+
+    # Validate the event
+    result=$(jq '.Data | @base64d | fromjson' ${output_path}/1.json)
+    [ $(echo "${result}" | jq -r '.type') = "zotregistry.image.deleted" ]
+    [ $(echo "${result}" | jq -r '.data.name') = "golang" ]
+    [ $(echo "${result}" | jq -r '.data.reference') = "latest" ]
+}
@@ -0,0 +1,161 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+load helpers_events
+
+function verify_prerequisites() {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v jq) ]; then
+        echo "you need to install jq as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v docker) ]; then
+        echo "you need to install docker as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v oras) ]; then
+        echo "you need to install oras as a prerequisite to running the tests" >&3
+        return 1
+    fi
+}
+
+function setup_file() {
+    # verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+
+    # Setup nats server
+    nats_server_port=$(get_free_port)
+    nats_server_start nats_server_local_lint ${nats_server_port}
+    echo ${nats_server_port} > ${BATS_FILE_TMPDIR}/nats_server.port
+
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
+
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    local oci_data_dir=${BATS_FILE_TMPDIR}/oci
+    mkdir -p ${zot_root_dir}
+    mkdir -p ${oci_data_dir}
+    zot_port=$(get_free_port)
+    echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port
+    cat > ${zot_config_file}<<EOF
+{
+    "distSpecVersion": "1.1.1",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}"
+    },
+    "log": {
+        "level": "debug",
+        "output": "${BATS_FILE_TMPDIR}/zot.log"
+    },
+    "extensions": {
+        "lint": {
+            "enable": true,
+            "mandatoryAnnotations": ["event-test"]
+        },
+        "events": {
+            "enable": true,
+            "sinks": [{
+                "type": "nats",
+                "address": "nats://127.0.0.1:${nats_server_port}",
+                "timeout": "5s",
+                "channel": "zot.test",
+                "credentials": {
+                   "username": "jane.joe",
+                   "password": "opensesame"
+                }
+            }]
+        }
+    }
+}
+EOF
+    zot_serve ${ZOT_PATH} ${zot_config_file}
+    wait_zot_reachable ${zot_port}
+}
+
+function teardown_file() {
+    zot_stop_all
+    nats_server_stop nats_server_local_lint
+}
+
+@test "nats/publish image lint failure event" {
+    nats_server_port=$(cat ${BATS_FILE_TMPDIR}/nats_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/events/lint_failure
+
+    # Wait for event
+    run wait_event_on_subject "zot.test" ${nats_server_port} ${output_path} 2
+    [ "$status" -eq 0 ]
+
+    # Create dummy config
+    echo '{}' > config.json
+
+    # Create dummy layer
+    echo "this is a bogus artifact" > artifact.txt
+
+    # Push using oras with intentionally broken config + type
+    run oras push --plain-http 127.0.0.1:${zot_port}/test-artifact:v0 \
+        --config config.json:application/vnd.oci.image.config.v1+json \
+        artifact.txt:text/plain -d -v
+
+    rm -f artifact.txt config.json
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    [ "$count" -eq 2 ]
+
+    # Validate the event
+    result=$(jq '.Data | @base64d | fromjson' ${output_path}/2.json)
+    echo $result
+    [ $(echo "${result}" | jq -r '.type') = "zotregistry.image.lint_failed" ]
+    [ $(echo "${result}" | jq -r '.data.name') = "test-artifact" ]
+    [ $(echo "${result}" | jq -r '.data.reference') = "v0" ]
+}
+
+@test "nats/publish image with annotations" {
+    nats_server_port=$(cat ${BATS_FILE_TMPDIR}/nats_server.port)
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/events/lint_success
+
+    # Wait for event
+    run wait_event_on_subject "zot.test" ${nats_server_port} ${output_path} 1
+    [ "$status" -eq 0 ]
+
+    # Create dummy config
+    echo '{}' > config.json
+
+    # Create dummy layer
+    echo "this is a bogus artifact" > artifact.txt
+
+    # Push using oras with intentionally broken config + type
+    run oras push --plain-http 127.0.0.1:${zot_port}/test-artifact:v1 \
+        --annotation "event-test=true" \
+        --config config.json:application/vnd.oci.image.config.v1+json \
+        artifact.txt:text/plain -d -v
+
+    rm -f artifact.txt config.json
+
+    # Check the correct number of events were generated
+    count=$(find "${output_path}" -type f | wc -l)
+    [ "$count" -eq 1 ]
+
+    # Validate the event
+    result=$(jq '.Data | @base64d | fromjson' ${output_path}/1.json)
+    [ $(echo "${result}" | jq -r '.type') = "zotregistry.image.updated" ]
+    [ $(echo "${result}" | jq -r '.data.name') = "test-artifact" ]
+    [ $(echo "${result}" | jq -r '.data.reference') = "v1" ]
+}
@@ -0,0 +1,98 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+load helpers_events
+
+function verify_prerequisites() {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v jq) ]; then
+        echo "you need to install jq as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v docker) ]; then
+        echo "you need to install docker as a prerequisite to running the tests" >&3
+        return 1
+    fi
+}
+
+function setup_file() {
+    # verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+
+    # Setup http server
+    http_server_port=$(get_free_port)
+    http_event_dir="${BATS_FILE_TMPDIR}/http_events"
+    http_server_start http_receiver_failure "${http_server_port}" "${http_event_dir}"
+    wait_for_http_server $http_server_port
+
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
+
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    local oci_data_dir=${BATS_FILE_TMPDIR}/oci
+    mkdir -p ${zot_root_dir}
+    mkdir -p ${oci_data_dir}
+    zot_port=$(get_free_port)
+    echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port
+    cat > ${zot_config_file}<<EOF
+{
+    "distSpecVersion": "1.1.1",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}"
+    },
+    "log": {
+        "level": "debug",
+        "output": "${BATS_FILE_TMPDIR}/zot.log"
+    },
+    "extensions": {
+        "events": {
+            "enable": true,
+            "sinks": [{
+                "type": "http",
+                "address": "http://127.0.0.1:${http_server_port}/events",
+                "timeout": "15s",
+                "credentials": {
+                    "username": "jane.joe",
+                    "password": "opensesame"
+                }
+            }]
+        }
+    }
+}
+EOF
+    zot_serve ${ZOT_PATH} ${zot_config_file}
+    wait_zot_reachable ${zot_port}
+}
+
+function teardown_file() {
+    zot_stop_all
+}
+
+@test "no zot server error when sink returns an error" {
+    zot_port=$(cat ${BATS_FILE_TMPDIR}/zot.port)
+    output_path=${BATS_FILE_TMPDIR}/events/repository_created
+
+    http_server_stop http_receiver_failure
+
+    sleep 5
+
+    # Push a new image and create repository
+    run skopeo --insecure-policy copy --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/golang:1.20 \
+        docker://127.0.0.1:${zot_port}/golang:1.20
+    [ "$status" -eq 0 ]
+}
@@ -0,0 +1,122 @@
+function nats_server_start() {
+  local cname="$1" # container name
+  local free_port="$2"
+  docker run -d --name ${cname} -p ${free_port}:4222 nats:2.11.1 --user jane.joe --pass opensesame
+}
+
+function nats_server_stop() {
+  local cname="$1"
+  docker stop ${cname}
+  docker rm -f ${cname}
+}
+
+function wait_event_on_subject() {
+    local subject="$1"
+    local port="$2"
+    local dir="$3"
+    local count="${4:-1}"
+
+    mkdir -p "${dir}"
+
+    docker run -d --rm --network host --user "$(id -u):$(id -g)" -v "${dir}":/data natsio/nats-box:latest  \
+        nats sub ${subject} --user jane.joe --password opensesame \
+        --server nats://127.0.0.1:${port} --count=${count} --wait=5s --raw --dump=/data
+
+    # give client a chance to startup
+    sleep 2
+
+    return $?
+}
+
+function http_server_start() {
+    local cname="$1"
+    local port="$2"
+    local dir="$3"
+
+    mkdir -p "${dir}"
+
+    docker run -d --rm --name "${cname}" \
+        -p "${port}:8080" \
+        -v "${dir}":/data \
+        python:3 sh -c '
+            pip install flask > /dev/null && \
+            echo "
+import os
+import json
+from flask import Flask, request, Response
+
+app = Flask(__name__)
+counter = 0
+
+USERNAME = \"jane.joe\"
+PASSWORD = \"opensesame\"
+
+def check_auth(auth):
+    return auth and auth.username == USERNAME and auth.password == PASSWORD
+
+def authenticate():
+    return Response(
+        \"Unauthorized\", 401,
+        {\"WWW-Authenticate\": \"Basic realm=\\\"Login Required\\\"\"}
+    )
+
+@app.route(\"/reset\", methods=[\"GET\"])
+def reset_counter():
+    global counter
+    counter = 0
+    return \"\", 200
+
+@app.route(\"/events\", methods=[\"POST\"])
+def receive_event():
+    auth = request.authorization
+    if not check_auth(auth):
+      return authenticate
+
+    global counter
+    counter += 1
+    method = request.method
+    headers = dict(request.headers)
+    raw_data = request.data.decode(\"utf-8\", errors=\"replace\")
+    try:
+        body = json.loads(raw_data)
+    except Exception:
+        body = raw_data  # fallback to plain text
+
+    event = {
+        \"method\": method,
+        \"headers\": headers,
+        \"body\": body
+    }
+
+    filename = f\"/data/{counter}.json\"
+
+    with open(filename, \"w\") as f:
+        json.dump(event, f, indent=2)
+
+    return \"\", 200
+
+app.run(host=\"0.0.0.0\", port=8080)
+            " > app.py && python app.py
+'
+}
+
+function http_server_stop() {
+    local cname="$1"
+    docker rm -f "${cname}" >/dev/null 2>&1
+}
+
+function wait_for_http_server() {
+    local port="$1"
+    local timeout=10
+    local elapsed=0
+
+    while [ "$elapsed" -lt "$timeout" ]; do
+        if curl --silent --fail --output /dev/null "http://127.0.0.1:${port}/reset"; then
+            return 0
+        fi
+        sleep 1
+        elapsed=$((elapsed + 1))
+    done
+
+    return 1
+}