diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
index f11f9f6b2cc..9be1c411843 100755
--- a/.buildkite/hooks/pre-command
+++ b/.buildkite/hooks/pre-command
@@ -13,26 +13,10 @@ if [[ -z "${GO_VERSION-""}" ]]; then
 export GO_VERSION=$(cat "${WORKSPACE}/.go-version")
 fi
-CI_DRA_ROLE_PATH="kv/ci-shared/release/dra-role"
 CI_GCP_OBS_PATH="kv/ci-shared/observability-ingest/cloud/gcp"
 # This key exists for backward compatibility with OGC framework
 # see https://github.com/elastic/elastic-agent/issues/8536
 CI_ESS_PATH="kv/ci-shared/platform-ingest/platform-ingest-ec-prod"
-CI_DRA_ROLE_PATH="kv/ci-shared/release/dra-role"
-
-function release_manager_login {
- DRA_CREDS_SECRET=$(retry 5 vault kv get -field=data -format=json ${CI_DRA_ROLE_PATH})
- VAULT_ADDR_SECRET=$(echo ${DRA_CREDS_SECRET} | jq -r '.vault_addr')
- VAULT_ROLE_ID_SECRET=$(echo ${DRA_CREDS_SECRET} | jq -r '.role_id')
- VAULT_SECRET=$(echo ${DRA_CREDS_SECRET} | jq -r '.secret_id')
- export VAULT_ADDR_SECRET VAULT_ROLE_ID_SECRET VAULT_SECRET
-}
-
-if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-package" ]]; then
- if [[ "$BUILDKITE_STEP_KEY" == "dra-publish" || "$BUILDKITE_STEP_KEY" == "bk-api-publish-independent-agent" ]]; then
- release_manager_login
- fi
-fi
 if [[ "$BUILDKITE_STEP_KEY" == *"integration-tests"* ]]; then
 echo "Setting credentials"
@@ -47,11 +31,3 @@ if [[ "$BUILDKITE_STEP_KEY" == *"integration-tests"* ]]; then
 echo ${API_KEY_TOKEN} > ./apiKey
 export TEST_INTEG_AUTH_ESS_APIKEY_FILE=$(realpath ./apiKey)
 fi
-
-if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-binary-dra" ]]; then
- if [[ ("$BUILDKITE_STEP_KEY" == "publish-dra-snapshot" || "$BUILDKITE_STEP_KEY" == "publish-dra-staging") ]]; then
- echo "+++ Setting DRA params"
- # Shared secret path containing the dra creds for project teams
- release_manager_login
- fi
-fi
diff --git a/.buildkite/pipeline.elastic-agent-binary-dra.yml b/.buildkite/pipeline.elastic-agent-binary-dra.yml
index 49c2cd265ce..246a0243a89 100644
--- a/.buildkite/pipeline.elastic-agent-binary-dra.yml
+++ b/.buildkite/pipeline.elastic-agent-binary-dra.yml
@@ -13,6 +13,21 @@ common:
 - docker_login_plugin: &docker_login_plugin
 elastic/vault-docker-login#v0.5.2:
 secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry'
+ - vault_addr: &vault_addr
+ elastic/vault-secrets#v0.1.0:
+ path: "kv/ci-shared/release/dra-role"
+ field: "vault_addr"
+ env_var: "VAULT_ADDR"
+ - vault_role_id: &vault_role_id
+ elastic/vault-secrets#v0.1.0:
+ path: "kv/ci-shared/release/dra-role"
+ field: "role_id"
+ env_var: "VAULT_ROLE_ID"
+ - vault_secret_id: &vault_secret_id
+ elastic/vault-secrets#v0.1.0:
+ path: "kv/ci-shared/release/dra-role"
+ field: "secret_id"
+ env_var: "VAULT_SECRET_ID"
 steps:
 - group: ":beats: DRA Elastic-Agent Core Snapshot :beats:"
@@ -93,6 +108,9 @@ steps:
 DRA_WORKFLOW: "snapshot"
 plugins:
 - *docker_login_plugin
+ - *vault_addr
+ - *vault_role_id
+ - *vault_secret_id
 - label: ":hammer: Publish helm chart snapshot"
 trigger: elastic-agent-helm-charts
@@ -188,6 +206,9 @@ steps:
 DRA_WORKFLOW: "staging"
 plugins:
 - *docker_login_plugin
+ - *vault_addr
+ - *vault_role_id
+ - *vault_secret_id
 notify:
 - slack: "#ingest-notifications"
diff --git a/.buildkite/pipeline.elastic-agent-package.yml b/.buildkite/pipeline.elastic-agent-package.yml
index fdea87d1ebc..a1c2d3c4040 100644
--- a/.buildkite/pipeline.elastic-agent-package.yml
+++ b/.buildkite/pipeline.elastic-agent-package.yml
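Review bot: The `vault_addr` anchor exports the release Vault address under the name `VAULT_ADDR`, which is also the variable the `vault` CLI itself reads, and in both `plugins:` lists it is placed before `*vault_role_id` and `*vault_secret_id`. If Buildkite runs these plugin hooks in list order and the exported value persists between them (likely, but not visible in this diff), the two later lookups of `kv/ci-shared/release/dra-role`, and any other Vault call in the step, would be sent to the release Vault server rather than the CI one. The removed pre-command hook avoided this by exporting `VAULT_ADDR_SECRET` and renaming it only on the `docker run` line. Listing `- *vault_addr` last in each `plugins:` block (here and in pipeline.elastic-agent-package.yml), or keeping `env_var: "VAULT_ADDR_SECRET"` and mapping it in dra-publish.sh, would keep the override from reaching other Vault clients.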
@@ -5,6 +5,25 @@ env:
 # after moving elastic-agent out of beats, we should update the URL of the packaging.
 BEAT_URL: "https://www.elastic.co/elastic-agent"
+# This section is used to define the plugins that will be used in the pipeline.
+# See https://buildkite.com/docs/pipelines/integrations/plugins/using#using-yaml-anchors-with-plugins
+common:
+ - vault_addr: &vault_addr
+ elastic/vault-secrets#v0.1.0:
+ path: "kv/ci-shared/release/dra-role"
+ field: "vault_addr"
+ env_var: "VAULT_ADDR"
+ - vault_role_id: &vault_role_id
+ elastic/vault-secrets#v0.1.0:
+ path: "kv/ci-shared/release/dra-role"
+ field: "role_id"
+ env_var: "VAULT_ROLE_ID"
+ - vault_secret_id: &vault_secret_id
+ elastic/vault-secrets#v0.1.0:
+ path: "kv/ci-shared/release/dra-role"
+ field: "secret_id"
+ env_var: "VAULT_SECRET_ID"
+
 steps:
 - input: "Build parameters"
 if: build.env("MANIFEST_URL") == null
@@ -129,6 +148,10 @@ steps:
 env:
 DRA_PROJECT_ID: "elastic-agent-package"
 DRA_PROJECT_ARTIFACT_ID: "agent-package"
+ plugins:
+ - *vault_addr
+ - *vault_role_id
+ - *vault_secret_id
 command: |
 echo "+++ Restoring Artifacts"
 buildkite-agent artifact download "build/**/*" .
@@ -169,6 +192,10 @@ steps:
 DRA_PROJECT_ARTIFACT_ID: "agent-package"
 artifact_paths:
 - "build/distributions/**/*"
+ plugins:
+ - *vault_addr
+ - *vault_role_id
+ - *vault_secret_id
 command: |
 echo "+++ Restoring Artifacts"
 buildkite-agent artifact download "build/**/*" .
diff --git a/.buildkite/scripts/steps/dra-publish.sh b/.buildkite/scripts/steps/dra-publish.sh
index f659a9a5fce..9409aebf147 100755
--- a/.buildkite/scripts/steps/dra-publish.sh
+++ b/.buildkite/scripts/steps/dra-publish.sh
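Review bot: `elastic/vault-secrets#v0.1.0` is referenced by tag in all three anchors of the new `common:` block, and this plugin is the code that reads the release role's `role_id` and `secret_id`. A tag can be moved after review, so for a plugin on the release-credential path a full commit SHA after the `#` gives an immutable reference, e.g. `elastic/vault-secrets#<commit-sha>: # v0.1.0` (placeholder; use the commit behind the reviewed tag). The same applies to the identical block added to pipeline.elastic-agent-binary-dra.yml. The existing `vault-docker-login#v0.5.2` reference there is tag-pinned as well, so this may be a repo-wide convention to revisit rather than something specific to this commit.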
@@ -40,9 +40,9 @@ function run_release_manager() {
 # shellcheck disable=SC2086
 docker run --rm \
 --name release-manager \
- -e VAULT_ADDR="${VAULT_ADDR_SECRET}" \
- -e VAULT_ROLE_ID="${VAULT_ROLE_ID_SECRET}" \
- -e VAULT_SECRET_ID="${VAULT_SECRET}" \
+ -e VAULT_ADDR \
+ -e VAULT_ROLE_ID \
+ -e VAULT_SECRET_ID \
 --mount type=bind,readonly=false,src="${PWD}",target=/artifacts \
 docker.elastic.co/infra/release-manager:latest \
 cli "${_command}" \
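Review bot: `-e VAULT_ADDR`, `-e VAULT_ROLE_ID` and `-e VAULT_SECRET_ID` forward a variable only when it is set in the calling environment, so a step that runs this script without the vault-secrets plugins (or after one of them fails) starts release-manager with no credentials and fails later inside the container. A guard ahead of `docker run`, such as `: "${VAULT_ADDR:?}" "${VAULT_ROLE_ID:?}" "${VAULT_SECRET_ID:?}"`, stops the step with the name of the missing variable and prints no value. Whether the script enables `set -u` is not visible here, and the name-only form would bypass it in any case because the shell no longer expands the variables. run_release_manager starts and ends outside this hunk.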