Split in various steps and move creds to pre-command
marc-gr committed Jul 14, 2023
1 parent 00deb76 commit 7bbce22
Showing 4 changed files with 89 additions and 32 deletions.
65 changes: 52 additions & 13 deletions .buildkite/hooks/pre-command
Expand Up @@ -2,26 +2,65 @@

set -euo pipefail

if command -v docker &>/dev/null; then
DOCKER_REGISTRY="docker.elastic.co"
DOCKER_REGISTRY_SECRET_PATH="kv/ci-shared/platform-ingest/docker_registry_prod"
export DOCKER_USERNAME_SECRET=$(vault kv get -field user "${DOCKER_REGISTRY_SECRET_PATH}")
export DOCKER_PASSWORD_SECRET=$(vault kv get -field password "${DOCKER_REGISTRY_SECRET_PATH}")
docker login -u "${DOCKER_USERNAME_SECRET}" -p "${DOCKER_PASSWORD_SECRET}" "${DOCKER_REGISTRY}" 2>/dev/null
unset DOCKER_USERNAME_SECRET DOCKER_PASSWORD_SECRET
else
echo "+++ docker not found"
fi
function retry {
local retries=$1
shift

local count=0
until "$@"; do
exit=$?
wait=$((2 ** count))
count=$((count + 1))
if [ $count -lt "$retries" ]; then
>&2 echo "Retry $count/$retries exited $exit, retrying in $wait seconds..."
sleep $wait
else
>&2 echo "Retry $count/$retries exited $exit, no more retries left."
return $exit
fi
done
return 0
}

DOCKER_REGISTRY="docker.elastic.co"
DOCKER_REGISTRY_SECRET_PATH="kv/ci-shared/platform-ingest/docker_registry_prod"
CI_DRA_ROLE_PATH=kv/ci-shared/release/dra-role
CI_GCP_OBS_PATH=kv/ci-shared/observability-ingest/cloud/gcp
CI_AGENT_QA_OBS_PATH=kv/ci-shared/observability-ingest/elastic-agent-ess-qa

# Secrets must be redacted
# https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables

if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent" && "$BUILDKITE_STEP_KEY" == "integration-tests" ]]; then
# Set GCP credentials
export GOOGLE_APPLICATION_GCP_SECRET=$(vault kv get -format=json -field=data kv/ci-shared/observability-ingest/cloud/gcp)
export GOOGLE_APPLICATION_GCP_SECRET=$(retry 5 vault kv get -format=json -field=data ${CI_GCP_OBS_PATH})
echo "${GOOGLE_APPLICATION_GCP_SECRET}" > ./gcp.json
export GOOGLE_APPLICATION_CREDENTIALS=$(realpath ./gcp.json)
export TEST_INTEG_AUTH_GCP_SERVICE_TOKEN_FILE=$(realpath ./gcp.json)

# ESS credentials
export API_KEY_TOKEN=$(vault kv get -field api_key kv/ci-shared/observability-ingest/elastic-agent-ess-qa)
export API_KEY_TOKEN=$(vault kv get -field api_key ${CI_AGENT_QA_OBS_PATH})
echo ${API_KEY_TOKEN} > ./apiKey
export TEST_INTEG_AUTH_ESS_APIKEY_FILE=$(realpath ./apiKey)
fi
fi

if [[ ("$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-package" && "$BUILDKITE_STEP_KEY" == "package_elastic-agent") || "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-binary-dra" ]]; then
if command -v docker &>/dev/null; then
export DOCKER_USERNAME_SECRET=$(retry 5 vault kv get -field user "${DOCKER_REGISTRY_SECRET_PATH}")
export DOCKER_PASSWORD_SECRET=$(retry 5 vault kv get -field password "${DOCKER_REGISTRY_SECRET_PATH}")
docker login -u "${DOCKER_USERNAME_SECRET}" -p "${DOCKER_PASSWORD_SECRET}" "${DOCKER_REGISTRY}" 2>/dev/null
unset DOCKER_USERNAME_SECRET DOCKER_PASSWORD_SECRET
else
echo "+++ docker not found"
fi
fi

if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-binary-dra" && ("$BUILDKITE_STEP_KEY" == "publish-dra-snapshot" || "$BUILDKITE_STEP_KEY" == "publish-dra-staging") ]]; then
echo "+++ Setting DRA params"
# Shared secret path containing the dra creds for project teams
DRA_CREDS=$(retry 5 vault kv get -field=data -format=json ${CI_DRA_ROLE_PATH})
VAULT_ADDR=$(echo $DRA_CREDS | jq -r '.vault_addr')
VAULT_ROLE_ID_SECRET=$(echo $DRA_CREDS | jq -r '.role_id')
VAULT_SECRET=$(echo $DRA_CREDS | jq -r '.secret_id')
export VAULT_ADDR VAULT_ROLE_ID_SECRET VAULT_SECRET
fi
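Review bot: `docker login -u "${DOCKER_USERNAME_SECRET}" -p "${DOCKER_PASSWORD_SECRET}" "${DOCKER_REGISTRY}" 2>/dev/null` in the docker block still passes the registry password on the command line, where it is visible in the process table and in any shell trace, and the `2>/dev/null` only hides docker's own warning about that; feed it on stdin instead: `printf '%s' "${DOCKER_PASSWORD_SECRET}" | docker login -u "${DOCKER_USERNAME_SECRET}" --password-stdin "${DOCKER_REGISTRY}"`. The ESS lookup `export API_KEY_TOKEN=$(vault kv get -field api_key ${CI_AGENT_QA_OBS_PATH})` is the only vault read that did not get the new `retry 5` wrapper, and `export VAR=$(...)` returns the status of `export`, not of the substitution, so under `set -e` a failed fetch silently leaves an empty token that is then written to `./apiKey`; split the assignment from the export and wrap it like the GCP and docker reads. `./gcp.json` and `./apiKey` are written into the checkout with the default umask and `echo ${API_KEY_TOKEN} > ./apiKey` is unquoted; an `umask 077` before the writes (or `chmod 600` after) and `printf '%s\n' "${API_KEY_TOKEN}" > ./apiKey` would be safer. In `retry`, the variables `exit` and `wait` shadow builtin names and are not declared `local`, so they leak into the hook's scope; `local rc wait_secs` reads better and avoids that.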
40 changes: 32 additions & 8 deletions .buildkite/pipeline.elastic-agent-binary-dra.yml
@@ -1,29 +1,53 @@
env:
RUN_SNAPSHOT: "true"
steps:
- group: ":beats: DRA Elastic-Agent Core Snapshot :beats:"
key: "dra-core-snapshot"
if: build.branch == 'main' || build.branch =~ /^[0-9]+\.[0-9]+\$/ || build.env("RUN_SNAPSHOT") == "true"
steps:
- label: ":hammer::package: Build and DRA Publish Elastic-Agent Core Snapshot"
if: build.branch == 'main' || build.branch =~ /^[0-9]+\.[0-9]+\$/ || build.env("RUN_SNAPSHOT") == "true"
- label: ":package: Build Elastic-Agent Core Snapshot"
commands:
- .buildkite/scripts/steps/dra-build.sh
key: "build-dra-snapshot"
artifact_paths:
- "build/**"
agents:
provider: "gcp"
machineType: "c2-standard-16"
env:
WORKFLOW: "snapshot"

- wait

- label: ":hammer: DRA Publish Elastic-Agent Core Snapshot"
commands:
- .buildkite/scripts/steps/dra-publish.sh
key: "build-and-publish-dra-snapshot"
key: "publish-dra-snapshot"
agents:
provider: "gcp"
machineType: "c2-standard-16"
env:
WORKFLOW: "snapshot"
- group: ":beats: DRA Elastic-Agent Core Staging :beats:"
key: "dra-core-staging"
if: build.branch =~ /^[0-9]+\.[0-9]+\$/ || build.env("RUN_STAGING") == "true"
steps:
- label: ":hammer::package: Build and DRA Publish Elastic-Agent Core staging"
if: build.branch =~ /^[0-9]+\.[0-9]+\$/ || build.env("RUN_STAGING") == "true"
- label: ":package: Build Elastic-Agent Core staging"
commands:
- .buildkite/scripts/steps/dra-build.sh
key: "build-dra-staging"
artifact_paths:
- "build/**"
agents:
provider: "gcp"
machineType: "c2-standard-16"
env:
WORKFLOW: "staging"

- wait

- label: ":hammer: DRA Publish Elastic-Agent Core staging"
commands:
- .buildkite/scripts/steps/dra-publish.sh
key: "build-and-publish-dra-staging"
key: "publish-dra-staging"
agents:
provider: "gcp"
machineType: "c2-standard-16"
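Review bot: The new step keys `publish-dra-snapshot` and `publish-dra-staging` are the exact strings `.buildkite/hooks/pre-command` matches to decide whether to fetch the DRA role credentials, so the credential scoping is a cross-file string coupling that nothing enforces; a comment on each key, e.g. `key: "publish-dra-snapshot"  # matched by .buildkite/hooks/pre-command to scope the DRA vault creds`, would keep a later rename from silently leaving the publish step without credentials. With `RUN_SNAPSHOT: "true"` in the pipeline-level `env`, the snapshot group's `if:` appears to be always true through its `build.env("RUN_SNAPSHOT") == "true"` branch, so the now-separate publish step also runs on pull-request builds and the only thing preventing a real publish is the `--dry-run` logic inside `dra-publish.sh`; if that is intended, say so in a comment on the `env:` block, otherwise gate the publish step with `if: build.pull_request.id == null`. The publish step reuses the build step's `c2-standard-16` agent although it only downloads artifacts and runs a container — presumably a smaller machine type suffices; confirm.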
File renamed without changes.
Expand Up @@ -4,29 +4,21 @@ set -uo pipefail

source .buildkite/scripts/bootstrap.sh

echo "+++ Setting DRA params"
# Shared secret path containing the dra creds for project teams
DRA_CREDS=$(vault kv get -field=data -format=json kv/ci-shared/release/dra-role)
VAULT_ADDR=$(echo $DRA_CREDS | jq -r '.vault_addr')
VAULT_ROLE_ID=$(echo $DRA_CREDS | jq -r '.role_id')
VAULT_SECRET_ID=$(echo $DRA_CREDS | jq -r '.secret_id')
export VAULT_ADDR VAULT_ROLE_ID VAULT_SECRET_ID

# Publish DRA artifacts
function run_release_manager() {
echo "+++ Publishing $BUILDKITE_BRANCH ${WORKFLOW} DRA artifacts..."
dry_run=""
if [ "$BUILDKITE_PULL_REQUEST" != "false" ]; then
# dry_run="--dry-run"
dry_run="--dry-run"
# force main branch on PR's or it won't execute
# because the PR branch does not have a project folder in release-manager
BRANCH=main
fi
docker run --rm \
--name release-manager \
-e VAULT_ADDR="${VAULT_ADDR}" \
-e VAULT_ROLE_ID="${VAULT_ROLE_ID}" \
-e VAULT_SECRET_ID="${VAULT_SECRET_ID}" \
-e VAULT_ROLE_ID="${VAULT_ROLE_ID_SECRET}" \
-e VAULT_SECRET_ID="${VAULT_SECRET}" \
--mount type=bind,readonly=false,src="${PWD}",target=/artifacts \
docker.elastic.co/infra/release-manager:latest \
cli collect \
Expand All @@ -39,6 +31,8 @@ function run_release_manager() {
$dry_run
}

buildkite-agent artifact download "build/" .

run_release_manager
RM_EXIT_CODE=$?

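Review bot: `buildkite-agent artifact download "build/" .` is unchecked, and this script runs under `set -uo pipefail` without `-e` (the header at the top of the first hunk), so a failed or partial download falls straight through to `run_release_manager`, which bind-mounts `${PWD}` and collects whatever happens to be there; make it `buildkite-agent artifact download "build/" . || exit 1` (and consider failing when `build/` is empty). The release-manager container is pulled as `docker.elastic.co/infra/release-manager:latest` and receives the DRA vault role credentials via `-e`; an unpinned mutable tag in a publishing step means whoever can push that tag controls the code those credentials are handed to, so pin it by digest (`release-manager@sha256:...`) or at least a versioned tag. `VAULT_ROLE_ID_SECRET` and `VAULT_SECRET` are only set by `.buildkite/hooks/pre-command` for the `publish-dra-*` steps and `set -u` will abort on them otherwise, which is fine but not obvious here; a one-line comment above the `docker run` saying so would help the next reader. `run_release_manager` starts in the first hunk and its body continues past the collapsed region into the second.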
