bqrator
Bqrator is a tool for creating and managing BigQuery datasets. It is a custom implementation to allow non-authoritative dataset resources to be created.
It will add and update permissions on the dataset according to the rules defined in the resource.
Development
This operator is built using Kubebuilder. The kustomize files in this repo are not used in production, but are left available for reference.
The deploy is managed in nais-yaml and GCP permissions are managed in nais/gcp.
Verifying the bqrator image and its contents
The image is signed "keylessly" using Sigstore cosign. To verify its authenticity, run:
cosign verify \
--certificate-identity "https://github.com/nais/bqrator/.github/workflows/build_and_push_image.yaml@refs/heads/master" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
europe-north1-docker.pkg.dev/nais-io/nais/images/bqrator@sha256:<shasum>
The images are also attested with SBOMs in the CycloneDX format. You can verify these by running:
cosign verify-attestation --type cyclonedx \
--certificate-identity "https://github.com/nais/bqrator/.github/workflows/build_and_push_image.yaml@refs/heads/master" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
europe-north1-docker.pkg.dev/nais-io/nais/images/bqrator@sha256:<shasum>
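Once `cosign verify-attestation` succeeds, it prints a DSSE envelope whose base64 `payload` holds the in-toto statement with the SBOM. The following is an added example (not part of the bqrator project) that unpacks such an envelope and lists the SBOM components. The function names are hypothetical, the sample envelope is constructed, and the CycloneDX predicate type prefix is an assumption about cosign's output.

```python
import base64
import json

def sbom_from_attestation(envelope_json: str, expected_sha256: str) -> dict:
    """Unpack one DSSE envelope printed by `cosign verify-attestation`.

    Signature and certificate identity must already have been checked by
    cosign; this only decodes the payload and sanity-checks what it describes.
    """
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("not an in-toto attestation envelope")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    # Assumption: cosign labels CycloneDX predicates with a cyclonedx.org URI.
    if not statement.get("predicateType", "").startswith("https://cyclonedx.org/"):
        raise ValueError("predicate is not a CycloneDX SBOM")
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if expected_sha256 not in digests:
        raise ValueError("attestation subject does not match the image digest")
    return statement["predicate"]

def component_list(sbom: dict) -> list:
    """Return sorted 'name@version' strings for every component in the SBOM."""
    return sorted(f"{c['name']}@{c.get('version', 'unknown')}"
                  for c in sbom.get("components", []))

def constructed_envelope(sha256: str) -> str:
    """Build a sample envelope (constructed data, not real cosign output)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://cyclonedx.org/bom",
        "subject": [{"name": "example-image", "digest": {"sha256": sha256}}],
        "predicate": {"bomFormat": "CycloneDX", "components": [
            {"name": "example-lib-b", "version": "2.0.0"},
            {"name": "example-lib-a", "version": "1.4.1"}]},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})

if __name__ == "__main__":
    digest = "ab" * 32  # constructed placeholder digest
    sbom = sbom_from_attestation(constructed_envelope(digest), digest)
    print("\n".join(component_list(sbom)))
```

With real output, pass each JSON line that cosign prints together with the `<shasum>` used in the verify command.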