hashicorp / packer-plugin-googlecompute

Packer plugin for Google Compute Builder
https://www.packer.io/docs/builders/googlecompute
Mozilla Public License 2.0

Add image_signatures_db to googlecompute builder #113

Open hc-github-team-packer opened 2 years ago

hc-github-team-packer commented 2 years ago

This issue was originally opened by @sas1su in https://github.com/hashicorp/packer/issues/11965 and has been migrated to this repository. The original issue description is below.

Community Note

Please search the existing issues for relevant feature requests, and use the reaction feature (https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to add upvotes to pre-existing requests.

Description

We have a requirement to build custom GCP images with an additional trusted certificate to sign the boot file. Currently the process seems to be 1) googlecompute builder to build an image, 2) googlecompute-export to cloud storage, 3) googlecompute-import to add certificates [1].

Use Case(s)

Steps 2) and 3) can be avoided.

Potential configuration

source "googlecompute" "basic-example" {
  project_id          = "my project"
  source_image        = "debian-9-stretch-v20200805"
  ssh_username        = "packer"
  zone                = "us-central1-a"
  image_signatures_db = ["cert1", "cert2"]
}

Potential References

[1] https://www.packer.io/plugins/post-processors/googlecompute/googlecompute-import#image_signatures_db
[2] https://cloud.google.com/sdk/gcloud/reference/compute/images/create#--signature-database-file

smartyr73 commented 1 year ago

I also have this requirement. I currently work around this issue by using a post-processor that runs a local shell script to create the image with the certificates baked in, e.g.

gcloud compute images create [IMAGE_NAME] \
  --source-disk [SOURCE_DISK] \
  --source-disk-zone [ZONE] \
  --platform-key-file= \
  --key-exchange-key-file= \
  --signature-database-file=, \
  --forbidden-database-file= \
  --guest-os-features="UEFI_COMPATIBLE[,WINDOWS]"
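As an added example (not code from the issue, the plugin or its author), one way to wire the workaround described above into a Packer HCL2 template: the googlecompute builder produces an intermediate image, a shell-local post-processor re-creates it from that image with the Secure Boot signature database (db) certificates attached through gcloud, and a final describe call checks that db entries are actually present on the result. Project, image and certificate paths are assumed values, and the step assumes the `--source-image` and `--signature-database-file` flags of `gcloud compute images create` (reference [2]) can be combined.

```hcl
# Constructed example: certificate paths on the Packer host are assumed.
variable "signature_db_files" {
  type    = list(string)
  default = ["./certs/db-cert1.der", "./certs/db-cert2.der"]
}

source "googlecompute" "basic-example" {
  project_id   = "my-project"
  source_image = "debian-9-stretch-v20200805"
  ssh_username = "packer"
  zone         = "us-central1-a"
  # Intermediate image; it carries no custom db entries yet.
  image_name   = "base-image-unsigned-db"
}

build {
  sources = ["source.googlecompute.basic-example"]

  # Runs on the Packer host after the builder finishes, so gcloud can read the
  # local certificate files. $VAR is left to the shell; HCL only interpolates ${...}.
  post-processor "shell-local" {
    environment_vars = [
      "PROJECT=my-project",
      "SRC_IMAGE=base-image-unsigned-db",
      "DST_IMAGE=base-image-secureboot-db",
      "DB_FILES=${join(",", var.signature_db_files)}",
    ]
    inline = [
      "set -eu",
      # Re-create the image from the builder's output with the db certificates attached
      # (assumed: --source-image combines with --signature-database-file).
      "gcloud compute images create $DST_IMAGE --project $PROJECT --source-image $SRC_IMAGE --signature-database-file $DB_FILES --guest-os-features UEFI_COMPATIBLE",
      # Verification: list the db entry types stored on the new image; an empty
      # result means the certificates were not attached and the build should fail.
      "dbs=$(gcloud compute images describe $DST_IMAGE --project $PROJECT --format 'value(shieldedInstanceInitialState.dbs[].fileType)')",
      "[ -n \"$dbs\" ] || { echo 'no Secure Boot db entries on image' >&2; exit 1; }",
      "echo \"db entry types: $dbs\"",
    ]
  }
}
```

The intermediate image can be deleted afterwards once the verified image exists; the builder's own `image_name` is what the post-processor consumes as `SRC_IMAGE`.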