Automating Enrollment in CI/CD (Anka Secure API)
Integrate Anka Secure’s Key Management and Crypto Streaming endpoints directly into your CI/CD pipeline to:
- generate / rotate signing and encryption keys,
- sign or encrypt build artefacts in one pass, and
- verify artefacts during deployment -- all without manual steps.
1 - Use-case blueprint
# | Stage | API family | Purpose |
---|---|---|---|
1 | Authenticate pipeline | /api/authenticate/app | Obtain JWT for subsequent calls. |
2 | Key generate / retrieve | /api/key-management/keys | Ensure signing / encryption keys exist. |
3 | Crypto operations | /api/crypto/stream/* | Sign or encrypt artefacts (detached-JWS / JWET). |
4 | Verify & deploy | /api/crypto/stream/verify | Integrity check before rollout. |
5 | Rotate / revoke | /api/key-management/keys/* | Periodic key hygiene. |
```mermaid
flowchart LR
    subgraph CI/CD
        A[Authenticate] --> B[Generate / Retrieve Key]
        B --> C[Sign / Encrypt Artefacts]
        C --> D[Verify + Deploy]
        D --> E[Rotate / Revoke Key]
    end
    A -->|JWT| AS[Anka Secure API]
    B --> KS[Key Management]
    C --> CS[Crypto Streaming]
    D --> CS
    E --> KS
```
2 - Detailed steps
2.1 Authenticate
```http
POST /api/authenticate/app
Content-Type: application/json

{
  "clientId"    : "ciCdRunner",
  "clientSecret": "s3cr3t"
}
```
Response
Store the returned token in a secure CI secret.
2.2 Ensure a signing key exists
Generate (if absent)
```http
POST /api/key-management/keys
Authorization: Bearer <JWT>
Content-Type: application/json

{
  "kid"       : "ciCdSigningKey",
  "kty"       : "FALCON",
  "alg"       : "Falcon-1024",
  "keyOps"    : ["sign","verify"],
  "exportable": false
}
```
Retrieve (idempotent)
2.3 Sign artefacts - streaming
Endpoint: POST /api/crypto/stream/sign (multipart/form-data)
Parts
# | Name | Content-Type | Schema / remarks |
---|---|---|---|
1 | metadata | application/json | SignStreamRequest → { "kid":"ciCdSigningKey" } |
2 | file | application/octet-stream | Raw build artefact (any size) |
Response: application/json
Headers:
2.4 Verify & deploy - streaming
Endpoint: POST /api/crypto/stream/verify (multipart/form-data)
Part | Name | Content-Type | Schema |
---|---|---|---|
1 | metadata | application/json | VerifyDetachedJwsStreamRequest → { "detachedJws": "<header+sig>" } |
2 | file | application/octet-stream | Payload to verify |
Response
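The sign and verify exchanges of 2.3 and 2.4, written out as an added Python helper (example code, not Anka Secure's own client). It assumes the detached JWS is in RFC 7515 Appendix F form (`<header>..<signature>`) with the standard `alg` and `kid` header parameters, that the JWS `alg` string is spelled as on the key record (`Falcon-1024`), and that the sign and verify responses carry the detached JWS and the verdict in JSON fields; `SIGN_FIELD` and `VERIFY_FIELD` are placeholders for those field names. Before the artefact is handed to the verify endpoint, the helper checks the signature header against the pinned key policy locally, so an `alg: none` header or a signature naming an unknown `kid` never reaches deployment.

```python
"""Sign / verify helpers for the Anka Secure streaming endpoints (sections 2.3 and 2.4).
Added example, not Anka Secure's own client. Assumptions, repeated where they matter:
- detached JWS per RFC 7515 Appendix F: BASE64URL(header) + ".." + BASE64URL(signature);
- the protected header carries standard "alg" and "kid", "alg" spelled as on the key record;
- SIGN_FIELD / VERIFY_FIELD are placeholders for the response field names.
"""
import base64
import io
import json
import os
import uuid
import urllib.request
from typing import BinaryIO, Iterator, Optional, Tuple

SIGN_PATH = "/api/crypto/stream/sign"                    # section 3
VERIFY_PATH = "/api/crypto/stream/verify"                # section 1
ALLOWED_KIDS = {"ciCdSigningKey", "ciCdSigningKey-v2"}   # sections 2.2 and 2.5
ALLOWED_ALGS = {"Falcon-1024"}                           # assumption: JWS alg == key alg
SIGN_FIELD = "detachedJws"                               # placeholder (assumption)
VERIFY_FIELD = "valid"                                   # placeholder (assumption)


def multipart_chunks(metadata: dict, file_name: str, fileobj: BinaryIO,
                     boundary: str, chunk_size: int = 1 << 20) -> Iterator[bytes]:
    """Yield the two-part body of 2.3 / 2.4 (part 1 'metadata', part 2 'file') piece by
    piece, so an artefact of any size is never fully buffered in memory."""
    b = boundary.encode()
    yield (b"--" + b + b"\r\n"
           b'Content-Disposition: form-data; name="metadata"\r\n'
           b"Content-Type: application/json\r\n\r\n"
           + json.dumps(metadata, separators=(",", ":")).encode() + b"\r\n")
    yield (b"--" + b + b"\r\n"
           b'Content-Disposition: form-data; name="file"; filename="' + file_name.encode()
           + b'"\r\nContent-Type: application/octet-stream\r\n\r\n')
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        yield chunk
    yield b"\r\n--" + b + b"--\r\n"


def multipart_length(metadata: dict, file_name: str, file_size: int, boundary: str) -> int:
    """Body length without reading the artefact: measure the fixed framing around an
    empty file and add the file size (urllib needs Content-Length for iterable bodies)."""
    framing = b"".join(multipart_chunks(metadata, file_name, io.BytesIO(b""), boundary))
    return len(framing) + file_size


def build_multipart(metadata: dict, file_name: str, data: bytes,
                    boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Fully materialised body plus the Content-Type value, for small inputs and tests."""
    boundary = boundary or uuid.uuid4().hex
    body = b"".join(multipart_chunks(metadata, file_name, io.BytesIO(data), boundary))
    return body, f"multipart/form-data; boundary={boundary}"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def inspect_detached_jws(detached_jws: str) -> dict:
    """Fail closed before the verify call: detached form (empty payload segment), an
    allowed key and an allowed algorithm; 'alg: none' or an unknown kid is rejected here."""
    parts = detached_jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        raise ValueError("not a detached JWS: expected <header>..<signature>")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if header.get("kid") not in ALLOWED_KIDS:
        raise ValueError(f"signature names unknown key {header.get('kid')!r}")
    return header


def sample_detached_jws(header: dict) -> str:
    """Constructed sample for offline use: real header encoding, dummy signature bytes."""
    return (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
            + ".." + _b64url_encode(b"not-a-real-signature"))


def post_stream(api: str, path: str, token: str, metadata: dict, file_path: str) -> dict:
    """POST one streaming request (sign or verify) with the JWT obtained in 2.1."""
    if not api.startswith("https://"):
        raise ValueError("refusing non-TLS endpoint")  # section 4: TLS everywhere
    boundary = uuid.uuid4().hex
    name, size = os.path.basename(file_path), os.path.getsize(file_path)
    with open(file_path, "rb") as fh:
        req = urllib.request.Request(
            api + path, method="POST",
            data=multipart_chunks(metadata, name, fh, boundary),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": f"multipart/form-data; boundary={boundary}",
                     "Content-Length": str(multipart_length(metadata, name, size, boundary))})
        with urllib.request.urlopen(req, timeout=120) as resp:
            return json.loads(resp.read())


def verify_before_deploy(api: str, token: str, detached_jws: str, file_path: str) -> bool:
    """2.4 gate: local header policy check, then the server-side verify; only an explicit
    positive verdict allows the rollout."""
    inspect_detached_jws(detached_jws)
    result = post_stream(api, VERIFY_PATH, token, {"detachedJws": detached_jws}, file_path)
    return result.get(VERIFY_FIELD) is True


if __name__ == "__main__":
    # Offline check on a constructed header; the live flow would chain post_stream(SIGN_PATH, ...)
    # into verify_before_deploy with the JWT from 2.1 and the built artefact.
    print(inspect_detached_jws(sample_detached_jws({"alg": "Falcon-1024", "kid": "ciCdSigningKey"})))
```

`post_stream` sends the body as a generator with a precomputed `Content-Length`, so a multi-gigabyte artefact is streamed from disk in 1 MiB chunks rather than loaded into memory; `build_multipart` is the buffered variant for small inputs. `verify_before_deploy` returns `True` only on an explicit positive verdict, so a transport error, an HTTP error status or a missing field all block the deployment.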
2.5 Rotate / revoke keys
Rotate
```http
POST /api/key-management/keys
Authorization: Bearer <JWT>
Content-Type: application/json

{
  "kid"   : "ciCdSigningKey-v2",
  "kty"   : "FALCON",
  "alg"   : "Falcon-1024",
  "keyOps": ["sign","verify"]
}
```
Revoke
The old key stays usable for verify-only if your policy allows.
3 - Sample GitLab CI snippet
```yaml
variables:
  ANKA_API: https://api.ankasecure.co
  ANKA_APP_ID: $CI_APP_ID
  ANKA_APP_SEC: $CI_APP_SECRET
  ARTIFACT: build/output.bin

stages: [auth, build, sign, deploy]

auth:
  stage: auth
  script:
    - |
      # -f makes curl fail on an HTTP error instead of silently yielding an empty token
      TOKEN=$(curl -sf -X POST "$ANKA_API/api/authenticate/app" \
        -H "Content-Type: application/json" \
        -d '{"clientId":"'"$ANKA_APP_ID"'","clientSecret":"'"$ANKA_APP_SEC"'"}' |
        jq -r .token)
      [ -n "$TOKEN" ] && [ "$TOKEN" != "null" ] || { echo "authentication failed" >&2; exit 1; }
      # Each job runs in a fresh shell, so a plain `export` does not reach the sign job;
      # hand the short-lived JWT over as a dotenv artifact instead.
      echo "TOKEN=$TOKEN" > token.env
  artifacts:
    reports:
      dotenv: token.env
    expire_in: 1 hour

build:
  stage: build
  script: ./build.sh -o $ARTIFACT
  artifacts:
    paths: [$ARTIFACT]

sign:
  stage: sign
  needs: [auth, build]   # brings TOKEN (dotenv) and the built artefact into this job
  script:
    - |
      curl -sf -X POST "$ANKA_API/api/crypto/stream/sign" \
        -H "Authorization: Bearer $TOKEN" \
        -F "metadata={\"kid\":\"ciCdSigningKey\"};type=application/json" \
        -F "file=@$ARTIFACT;type=application/octet-stream" \
        -o signature.json
  artifacts:
    paths: [signature.json, $ARTIFACT]

deploy:
  stage: deploy
  needs: [sign]
  script: ./deploy.sh --bin $ARTIFACT --sig signature.json
```
4 - Security best practices
- Secrets in CI -- store clientSecret, JWTs, and keys in masked / protected variables.
- Principle of least privilege -- the CI token needs only sign & verify scopes.
- TLS everywhere -- enforce https:// endpoints.
- Key rotation cadence -- automate generate → revoke quarterly or per release.
- Audit trails -- use Anka Secure logs for compliance evidence.
By embedding Anka Secure directly in your pipeline, you achieve hands-off key lifecycle management, strong artefact integrity, and provable compliance -- all without sacrificing build speed or developer productivity.
Document version 2.2.0 -- generated from OpenAPI build 2025-05-31
© 2025 AnkaTech Co. All rights reserved.