The YAML file performs several tasks, including the installation of gcloud and authentication with GCP. It also installs the gcloud beta CLI and, importantly, attests images.
To attest images, it searches the blog-app.yaml manifest for all images. For each image, it checks whether the image is in the sha256 digest format. If yes, it proceeds to attest the image.
It’s worth noting that the workflow verifies that images are specified using a sha256 digest format rather than a tag in the image definition. This choice is crucial when working with binary authorization. Why? Because binary authorization requires deploying images with their sha256 digest instead of a tag. This precaution is essential because, with tags, anyone can associate a different image with the same tag as the attested image and push it to the container registry. In contrast, a digest is a hash generated from a Docker image. Therefore, as long as the image’s content remains unchanged, the digest remains the same. This prevents any attempts to bypass binary authorization controls.
The format for specifying images in this manner is as follows:
<registry>/<repository>@sha256:<digest>
Therefore, before pushing the changes to the remote repository, let’s replace the image tags with sha256 digests. Use the following commands to do so:
$ grep -ir "image:" ./manifests/blog-app | \
  awk '{print $3}' | sort -t: -u -k1,1 > ./images
$ for image in $(cat ./images); do
  # Work out the registry prefix from the number of slashes in the reference:
  # none -> docker.io/library/, one -> docker.io/, otherwise already qualified
  no_of_slash=$(echo $image | tr -cd '/' | wc -c)
  prefix=""
  if [ $no_of_slash -eq 1 ]; then
    prefix="docker.io/"
  fi
  if [ $no_of_slash -eq 0 ]; then
    prefix="docker.io/library/"
  fi
  image_to_attest=$image
  if [[ $image =~ "@" ]]; then
    echo "Image $image has DIGEST"
    image_to_attest="${prefix}${image}"
  else
    # Pull the tagged image and take the digest Docker reports for it
    DIGEST=$(docker pull $image | grep Digest | awk '{print $2}')
    image_name=$(echo $image | awk -F ':' '{print $1}')
    image_to_attest="${prefix}${image_name}@${DIGEST}"
  fi
  # Escape sed metacharacters so the references can be used in s/// safely
  escaped_image=$(printf '%s\n' "${image}" | sed -e 's/[]\/$*.^[]/\\&/g')
  escaped_image_to_attest=$(printf '%s\n' "${image_to_attest}" | \
    sed -e 's/[]\/$*.^[]/\\&/g')
  echo "Processing $image"
  grep -rl $image ./manifests | \
    xargs sed -i "s/${escaped_image}/${escaped_image_to_attest}/g"
done
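The digest check the workflow performs (L2) and the prefix logic of the loop above, as an added shell example that is not part of the book's code: a pre-push or CI gate that rejects any manifest image still referenced by a mutable tag and prints the fully qualified name of each pinned one. It assumes manifests use plain `image: <ref>` lines, as blog-app.yaml does; the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the book): refuse manifests whose images are not
# pinned by an immutable sha256 digest, the precondition binary authorization
# relies on. Assumes plain "image: <ref>" lines in the manifests.

# Expand a short reference the way the attestation loop does:
# no slash -> docker.io/library/<name>, one slash -> docker.io/<owner>/<name>,
# two or more slashes -> already a fully qualified registry path.
qualify_image() {
  case $1 in
    */*/*) printf '%s\n' "$1" ;;
    */*)   printf 'docker.io/%s\n' "$1" ;;
    *)     printf 'docker.io/library/%s\n' "$1" ;;
  esac
}

# Succeeds only for <repo>@sha256:<64 hex chars>; a tag such as mongo:7 fails.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Print every distinct image reference found in the given manifest files.
list_images() {
  grep -h 'image:' "$@" | sed -e 's/^.*image:[[:space:]]*//' -e "s/[\"']//g" | sort -u
}

# Report each reference; return 1 if any of them is a mutable tag.
check_manifests() {
  failed=0
  for image in $(list_images "$@"); do
    if is_digest_pinned "$image"; then
      echo "OK   $(qualify_image "$image")"
    else
      echo "FAIL $image is not pinned by a digest" >&2
      failed=1
    fi
  done
  return "$failed"
}
```

Run it as `check_manifests ./manifests/blog-app/*.yaml` before `git push`; a non-zero exit means at least one image would be rejected by the binary authorization policy.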
To verify whether the changes were successful, run the following command:
$ cat manifests/blog-app/blog-app.yaml | grep "image:"
image: docker.io/library/mongo@sha256:2a1093b275d9bc…
image: docker.io/bharamicrosystems/mdo-posts@sha256:b5bc…
image: docker.io/bharamicrosystems/mdo-reviews@sha256:073..
image: docker.io/bharamicrosystems/mdo-ratings@sha256:271..
image: docker.io/bharamicrosystems/mdo-users@sha256:5f5a…
image: docker.io/bharamicrosystems/mdo-frontend@sha256:87..
As we can see, the images have been updated. Now, let’s proceed to push the changes to the remote repository using the following commands:
$ cp ~/modern-devops/ch13/binaryauth/binaryauth.tf terraform/
$ cp ~/modern-devops/ch13/binaryauth/cluster.tf terraform/
$ cp ~/modern-devops/ch13/binaryauth/variables.tf terraform/
$ cp -r ~/modern-devops/ch13/binaryauth/.github .
$ git add --all
$ git commit -m "Enabled Binary Auth"
$ git push
Now, let’s review the Dev CD workflow on GitHub Actions, where we should observe the following:
Figure 13.13 – Dev CD workflow – Attest Images
As is evident, the workflow has successfully configured binary authorization and attested our images.
To verify, execute the following command:
$ gcloud beta container binauthz attestations list \
  --attestor-project="$PROJECT_ID" \
  --attestor="quality-assurance-attestor" | grep resourceUri
resourceUri: docker.io/bharamicrosystems/mdo-ratings@sha256:271981faefafb86c2d30f7d3ce39cd8b977b7dd07…
resourceUri: docker.io/library/mongo@sha256:2a1093b275d9bc546135ec2e2…
resourceUri: docker.io/bharamicrosystems/mdo-posts@sha256:b5bc1fc976a93a88cc312d24916bd1423dbb3efe25e…
resourceUri: docker.io/bharamicrosystems/mdo-frontend@sha256:873526fe6de10e04c42566bbaa47b76c18f265fd…
resourceUri: docker.io/bharamicrosystems/mdo-users@sha256:5f5aa595bc03c53b86dadf39c928eff4b3f05533239…
resourceUri: docker.io/bharamicrosystems/mdo-reviews@sha256:07370e90859000ff809b1cd1fd2fc45a14c5ad46e…
As we can see, the attestations have been successfully created. Having deployed our application in the Dev environment, tested it, and attested all the images within, we can now proceed with deploying the code to the Prod environment. This involves merging our code into the prod branch, and we will implement pull request gating for this purpose.