
     1"""Defines a rule that serializes a cosign key into the Bazel graph"""
     2
     3load("//hack/build/rules/container/sign:cosign_key.bzl", "CosignKeyInfo")
     4
     5def _gcp_kms_key(ctx):
     6    key_file = ctx.actions.declare_file("{0}.txt".format(ctx.label.name))
     7    key_template = "gcpkms://projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}"
     8    key_value = key_template.format(
     9        project = ctx.attr.project,
    10        location = ctx.attr.location,
    11        keyring = ctx.attr.keyring,
    12        key = ctx.attr.key,
    13    )
    14    if ctx.attr.version:
    15        key_value = "{key_value}/versions/{version}".format(
    16            key_value = key_value,
    17            version = ctx.attr.version,
    18        )
    19    ctx.actions.write(
    20        output = key_file,
    21        content = key_value,
    22    )
    23
    24    return [
    25        DefaultInfo(
    26            files = depset([key_file]),
    27        ),
    28        CosignKeyInfo(
    29            key_name = ctx.label.name,
    30            key_file = key_file,
    31        ),
    32    ]
    33
    34gcp_kms_key = rule(
    35    doc = """
    36        A GCP KMS Key Rule that can be used to sign containers. Creates a file target containing a valid GCP KMS path i.e. gcpkms://projects/[PROJECT]/locations/global/keyRings/[KEYRING]/cryptoKeys/[KEY]
    37        Optionally provide a version number to specify a specific version. Otherwise the latest version is accessed.
    38    """,
    39    implementation = _gcp_kms_key,
    40    attrs = {
    41        "key": attr.string(
    42            doc = "The name of the key",
    43            mandatory = True,
    44        ),
    45        "keyring": attr.string(
    46            doc = "The name of the keyring",
    47            mandatory = True,
    48        ),
    49        "location": attr.string(
    50            doc = "The location of the keyring and key",
    51            mandatory = True,
    52        ),
    53        "project": attr.string(
    54            doc = "The GCP project containing the keyring and key",
    55            mandatory = True,
    56        ),
    57        "version": attr.int(
    58            doc = "The version of the key to use",
    59        ),
    60    },
    61)
