RUM-11897: Add scripts to set/get Vault secrets & Migrate CI

Author: ambushwork

ci/pipelines/default-pipeline.yml

@@ -13,6 +13,10 @@ stages:
   - notify
 
 .snippets:
+  source-secrets:
+    - source ./ci/scripts/vault_config.sh
+    - source ./ci/scripts/get-secret.sh
+
   # macOS AMI will already have cmdline-tools installed
   install-android-api-components:
     - echo y | ~/android_sdk/cmdline-tools/latest/bin/sdkmanager --install "emulator"
@@ -39,12 +43,12 @@ stages:
     - if [[ "$exit_code" -ne 0 ]]; then exit 1; fi
     - exit 0
   set-publishing-credentials:
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - export GPG_PRIVATE_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.gpg_private_key --with-decryption --query "Parameter.Value" --out text)
-    - export GPG_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.gpg_passphrase --with-decryption --query "Parameter.Value" --out text)
-    - export CENTRAL_PUBLISHER_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.publishing.central_username --with-decryption --query "Parameter.Value" --out text)
-    - export CENTRAL_PUBLISHER_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.publishing.central_password --with-decryption --query "Parameter.Value" --out text)
-    - export GPG_PUBLIC_FINGERPRINT=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.gpg_public_key --with-decryption --query "Parameter.Value" --out text | gpg --import --import-options show-only | grep -E -o -e "[A-F0-9]{40}")
+    - get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
+    - export GPG_PRIVATE_KEY=$(get_secret $DD_ANDROID_SECRET__SIGNING_GPG_PRIVATE_KEY)
+    - export GPG_PASSWORD=$(get_secret $DD_ANDROID_SECRET__SIGNING_GPG_PASSPHRASE)
+    - export CENTRAL_PUBLISHER_USERNAME=$(get_secret $DD_ANDROID_SECRET__PUBLISHING_CENTRAL_USERNAME)
+    - export CENTRAL_PUBLISHER_PASSWORD=$(get_secret $DD_ANDROID_SECRET__PUBLISHING_CENTRAL_PWD)
+    - export GPG_PUBLIC_FINGERPRINT=$(get_secret $DD_ANDROID_SECRET__SIGNING_GPG_PUBLIC_KEY | gpg --import --import-options show-only | grep -E -o -e "[A-F0-9]{40}")
 
 # CI IMAGE
 
@@ -183,12 +187,13 @@ test:kover:
       - cache/caches/
       - cache/notifications/
   script:
+    - !reference [.snippets, source-secrets]
     - pip3 install datadog
     - rm -rf ~/.gradle/daemon/
     - export DD_AGENT_HOST="$BUILDENV_HOST_IP"
-    - export DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.api_key --with-decryption --query "Parameter.Value" --out text)
-    - export DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.app_key --with-decryption --query "Parameter.Value" --out text)
-    - CODECOV_TOKEN=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.codecov-token  --with-decryption --query "Parameter.Value" --out text)
+    - export DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__API_KEY)
+    - export DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__APP_KEY)
+    - CODECOV_TOKEN=$(get_secret $DD_ANDROID_SECRET__CODECOV_TOKEN)
     - GRADLE_OPTS="-Xmx3072m" DD_TAGS="test.configuration.variant:release" ./gradlew :dd-sdk-android-core:koverXmlReportRelease  --no-daemon --build-cache --gradle-user-home cache/ -Dorg.gradle.jvmargs=-javaagent:$DD_TRACER_FOLDER/dd-java-agent.jar=$DD_COMMON_AGENT_CONFIG
     - GRADLE_OPTS="-Xmx3072m" DD_TAGS="test.configuration.variant:release" ./gradlew :dd-sdk-android-internal:koverXmlReportRelease  --no-daemon --build-cache --gradle-user-home cache/ -Dorg.gradle.jvmargs=-javaagent:$DD_TRACER_FOLDER/dd-java-agent.jar=$DD_COMMON_AGENT_CONFIG
     - GRADLE_OPTS="-Xmx3072m" DD_TAGS="test.configuration.variant:release" ./gradlew :koverReportFeatures  --no-daemon --build-cache --gradle-user-home cache/ -Dorg.gradle.jvmargs=-javaagent:$DD_TRACER_FOLDER/dd-java-agent.jar=$DD_COMMON_AGENT_CONFIG
@@ -373,8 +378,9 @@ test-pyramid:detekt-api-coverage:
   stage: test-pyramid
   timeout: 1h
   script:
+    - !reference [ .snippets, source-secrets ]
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
+    - get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesDebug --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew printSdkDebugRuntimeClasspath --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :tools:detekt:jar --stacktrace --no-daemon
@@ -391,14 +397,15 @@ test-pyramid:publish-e2e-synthetics:
   only:
     - develop
   script:
+    - !reference [ .snippets, source-secrets ]
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore --with-decryption --query "Parameter.Value" --out text | base64 -d > ./sample-android.keystore
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_config_json --with-decryption --query "Parameter.Value" --out text > ./config/us1.json
-    - export E2E_STORE_PASSWD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore-password --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_api_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_app_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_MOBILE_APP_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_mobile_app_id --with-decryption --query "Parameter.Value" --out text)
+    - get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
+    - get_secret $DD_ANDROID_SECRET__KEYSTORE > ./sample-android.keystore
+    - get_secret $DD_ANDROID_SECRET__E2E_CONFIG_JSON > ./config/us1.json
+    - export E2E_STORE_PASSWD=$(get_secret $DD_ANDROID_SECRET__KEYSTORE_PWD)
+    - export E2E_DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__E2E_API_KEY)
+    - export E2E_DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__E2E_APP_KEY)
+    - export E2E_MOBILE_APP_ID=$(get_secret $DD_ANDROID_SECRET__E2E_MOBILE_APP_ID)
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:kotlin:packageUs1Release --stacktrace --no-daemon
     - npm update -g @datadog/datadog-ci
@@ -418,14 +425,15 @@ test-pyramid:publish-webview-synthetics:
   only:
     - develop
   script:
+    - !reference [ .snippets, source-secrets ]
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore --with-decryption --query "Parameter.Value" --out text | base64 -d > ./sample-android.keystore
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.webview_config_json --with-decryption --query "Parameter.Value" --out text > ./config/us1.json
-    - export E2E_STORE_PASSWD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore-password --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.webview_api_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.webview_app_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_MOBILE_APP_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.webview_mobile_app_id --with-decryption --query "Parameter.Value" --out text)
+    - get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
+    - get_secret $DD_ANDROID_SECRET__KEYSTORE > ./sample-android.keystore
+    - get_secret $DD_ANDROID_SECRET__WEBVIEW_CONFIG_JSON > ./config/us1.json
+    - export E2E_STORE_PASSWD=$(get_secret $DD_ANDROID_SECRET__KEYSTORE_PWD)
+    - export E2E_DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__WEBVIEW_API_KEY)
+    - export E2E_DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__WEBVIEW_APP_KEY)
+    - export E2E_MOBILE_APP_ID=$(get_secret $DD_ANDROID_SECRET__WEBVIEW_MOBILE_APP_ID)
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:kotlin:packageUs1Release --stacktrace --no-daemon
     - npm update -g @datadog/datadog-ci
@@ -445,14 +453,15 @@ test-pyramid:publish-staging-synthetics:
   only:
     - develop
   script:
+    - !reference [ .snippets, source-secrets ]
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore --with-decryption --query "Parameter.Value" --out text | base64 -d > ./sample-android.keystore
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_staging_config_json --with-decryption --query "Parameter.Value" --out text > ./config/staging.json
-    - export E2E_STORE_PASSWD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore-password --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_staging_api_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_staging_app_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_MOBILE_APP_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_staging_mobile_app_id --with-decryption --query "Parameter.Value" --out text)
+    - get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
+    - get_secret $DD_ANDROID_SECRET__KEYSTORE > ./sample-android.keystore
+    - get_secret $DD_ANDROID_SECRET__E2E_STAGING_CONFIG_JSON > ./config/staging.json
+    - export E2E_STORE_PASSWD=$(get_secret $DD_ANDROID_SECRET__KEYSTORE_PWD)
+    - export E2E_DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__E2E_STAGING_API_KEY)
+    - export E2E_DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__E2E_STAGING_APP_KEY)
+    - export E2E_MOBILE_APP_ID=$(get_secret $DD_ANDROID_SECRET__E2E_STAGING_APP_ID)
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:kotlin:packageStagingRelease --stacktrace --no-daemon
     - npm update -g @datadog/datadog-ci
@@ -472,14 +481,15 @@ test-pyramid:publish-benchmark-synthetics:
   only:
     - develop
   script:
+    - !reference [ .snippets, source-secrets ]
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore --with-decryption --query "Parameter.Value" --out text | base64 -d > ./sample-benchmark.keystore
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.benchmark_config_json --with-decryption --query "Parameter.Value" --out text > ./config/benchmark.json
-    - export BM_STORE_PASSWD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore-password --with-decryption --query "Parameter.Value" --out text)
-    - export BM_DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.benchmark_api_key --with-decryption --query "Parameter.Value" --out text)
-    - export BM_DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.benchmark_app_key --with-decryption --query "Parameter.Value" --out text)
-    - export BM_MOBILE_APP_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.benchmark_mobile_app_id --with-decryption --query "Parameter.Value" --out text)
+    - get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./gradle.properties
+    - get_secret $DD_ANDROID_SECRET__KEYSTORE >  ./sample-benchmark.keystore
+    - get_secret $DD_ANDROID_SECRET__BENCHMARK_CONFIG_JSON > ./config/benchmark.json
+    - export BM_STORE_PASSWD=$(get_secret $DD_ANDROID_SECRET__KEYSTORE_PWD)
+    - export BM_DD_API_KEY=$(get_secret $DD_ANDROID_SECRET__BENCHMARK_API_KEY)
+    - export BM_DD_APP_KEY=$(get_secret $DD_ANDROID_SECRET__BENCHMARK_APP_KEY)
+    - export BM_MOBILE_APP_ID=$(get_secret $DD_ANDROID_SECRET__BENCHMARK_MOBILE_APP_ID)
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:benchmark:packageRelease --stacktrace --no-daemon
     - npm update -g @datadog/datadog-ci

ci/scripts/get-secret.sh

@@ -0,0 +1,47 @@
+#!/bin/zsh
+
+#
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-Present Datadog, Inc.
+#
+
+source ./ci/scripts/vault_config.sh
+source ./ci/scripts/list-secrets.sh
+
+# Usage:
+#   get_secret <secret_name>
+#
+# Notes:
+# - For <secret_name> use constants defined in './ci/scripts/vault_config.sh'
+# - Requires `vault` to be installed
+get_secret() {
+    local secret_name=$1
+
+    if [ "$CI" = "false" ]; then
+        # K8s runners don't need to set VAULT_ADDR, they have VAULT_ADDR injected alongside the emissary sidecar container.
+        export VAULT_ADDR=$DD_VAULT_ADDR
+        if vault token lookup &>/dev/null; then
+            echo "Reading '$secret_name' secret in local env. You are already authenticated with 'vault'." >&2
+        else
+            echo "Reading '$secret_name' secret in local env. You will now be authenticated with OIDC in your web browser." >&2
+            vault login -method=oidc -no-print
+        fi
+    fi
+
+    local secret_value=$(vault kv get -field=value "$DD_ANDROID_SECRETS_PATH_PREFIX/$secret_name")
+
+    if [[ -z "$secret_value" ]]; then
+        echo "Error" "Failed to retrieve the '$secret_name' secret or the secret is empty." >&2
+        exit 1
+    fi
+
+    echo "$secret_value"
+}
+
+# Only run the main logic if the script is executed directly (not sourced)
+if [ "$CI" != "true" ]; then
+    list_secrets
+    select_secret
+    get_secret "$SECRET_NAME"
+fi

ci/scripts/list-secrets.sh

@@ -0,0 +1,38 @@
+#!/bin/zsh
+
+#
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-Present Datadog, Inc.
+#
+
+source ./ci/scripts/vault_config.sh
+
+list_secrets() {
+    GREEN="\e[32m"
+    RESET="\e[0m"
+
+    echo "Available secrets:"
+    for key in ${(k)DD_ANDROID_SECRETS}; do
+        IFS=" | " read -r name description <<< "${DD_ANDROID_SECRETS[$key]}"
+        echo "$key) ${GREEN}$name${RESET} - $description"
+    done | sort -n
+
+    echo ""
+    echo "To add a new secret, first define it in 'ci/scripts/vault_config.sh' and retry."
+}
+
+
+select_secret() {
+    echo
+    while true; do
+        echo "Enter the number of the secret you want to continue:"
+        read "secret_number"
+        if [[ -n ${DD_ANDROID_SECRETS[$secret_number]} ]]; then
+            IFS=" | " read -r SECRET_NAME SECRET_DESC <<< "${DD_ANDROID_SECRETS[$secret_number]}"
+            break
+        else
+            echo_err "Invalid selection. Please enter a valid number."
+        fi
+    done
+}

ci/scripts/set-secret.sh

@@ -0,0 +1,76 @@
+#!/bin/zsh
+
+#
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-Present Datadog, Inc.
+#
+
+# Usage:
+# $ ./ci/scripts/vault_config.sh
+#
+# Note:
+# - Requires `vault` to be installed
+
+source ./ci/scripts/vault_config.sh
+source ./ci/scripts/list-secrets.sh
+
+select_input_method() {
+    echo
+    echo "How would you like to provide the secret value?"
+    echo "1) Enter manually"
+    echo "2) Read from text file"
+    while true; do
+        echo "Enter your choice:"
+        read "input_method"
+        case $input_method in
+            1)
+                get_secret_value_from_input
+                break
+                ;;
+            2)
+                get_secret_value_from_file
+                break
+                ;;
+            *)
+                echo "Invalid choice."
+                ;;
+        esac
+    done
+}
+
+get_secret_value_from_file() {
+    echo "Enter the file path to read the value for '$SECRET_NAME':"
+    read "SECRET_FILE"
+    echo
+
+    SECRET_FILE=${SECRET_FILE/#\~/$HOME} # Expand ~ to home directory if present
+    echo "Using '$SECRET_FILE'"
+
+    if [[ -f "$SECRET_FILE" ]]; then
+        SECRET_VALUE=$(cat "$SECRET_FILE")
+    else
+        echo "Error: File '$SECRET_FILE' does not exist."
+        exit 1
+    fi
+}
+
+get_secret_value_from_input() {
+    echo "Enter the new value for '$SECRET_NAME':"
+    read "SECRET_VALUE"
+    echo
+}
+
+set_secret_value() {
+    echo "You will now be authenticated with OIDC in your web browser. Press ENTER to continue."
+    read
+    export VAULT_ADDR=$DD_VAULT_ADDR
+    vault login -method=oidc -no-print
+    vault kv put "$DD_ANDROID_SECRETS_PATH_PREFIX/$SECRET_NAME" value="$SECRET_VALUE"
+    echo "Secret '$SECRET_NAME' set successfully."
+}
+
+list_secrets
+select_secret
+select_input_method
+set_secret_value