GCP Binary Authorization Orb
Use Google's Binary Authorization to sign/certify container images for deployment to Google Kubernetes Engine.
Usage
For full usage guidelines, see the orb registry listing.
CircleCI's Binary Authorization orb can be used to configure and use Binary Authorization for any piece of software that is pushed to test/staging environments via Google's Container Registry, and deployed to production via Google Kubernetes Engine.
The orb can be used in a number of ways; however, in its simplest form, it provdes two jobs. One, run-setup
, is designed to be added to a user's CircleCI configuration file, run successfully once, and then removed. The second, create-attestation
, is designed to be permanently added to a config.yml
file and run on every new commit as part of a pre-deployment workflow.
run-setup
version: 2.1
orbs:
binary-authorization: circleci/[email protected]
workflows:
your-workflow:
jobs:
- binary-authorization/run-setup
The run-setup
job enables all required GCP APIs, can optionally create a GKE cluster, will create an attestor, optionally generate and store a PGP keypair, and optionally create and store a Binary Authorization policy YAML file.
To use run-setup
, at least one existing Google project is required; if using a multi-project Binary Authorization setup, three separate Google projects (deployer, attestor, attestation) are required.
create-attestation
version: 2.1
orbs:
binary-authorization: circleci/[email protected]
workflows:
your-workflow:
jobs:
- binary-authorization/create-attestation
The create-attestation
job will sign/authorize a specific tag of a container stored in a Google container registry for deployment to GKE, provided whatever conditions specified via a Binary Authorization policy YAML file have been met. If these conditions are not met, any attempted deployments to GKE will be blocked.
create-attestation
can also run all required setup steps, by passing the run-setup: true
parameter. After successfully running these steps once, the parameter should be removed.
Documentation
See the following links for more information about Google's Binary Authorization:
- https://cloud.google.com/binary-authorization
- https://cloud.google.com/binary-authorization/docs
- https://cloud.google.com/binary-authorization/docs/overview
- https://cloud.google.com/binary-authorization/docs/key-concepts
- https://cloud.google.com/binary-authorization/docs/how-to
See the following links for more information about using CircleCI orbs:
- https://circleci.com/orbs
- https://circleci.com/docs/2.0/using-orbs
- https://circleci.com/docs/2.0/reusing-config
- https://circleci.com/docs/2.0/orbs-faq
Contributing
We welcome issues to and pull requests against this repository!
For further questions/comments about this or other orbs, visit CircleCI's orbs discussion forum.