[8.19] (backport #8444) bk(docker-login): use BK plugin (#8477)

mergify[bot] · web-flow · commit 57bdcbf97a91 · 2025-06-13T10:21:37.000+02:00
diff --git a/.buildkite/bk.integration-fips.pipeline.yml b/.buildkite/bk.integration-fips.pipeline.yml
@@ -1,7 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 
 env:
-  DOCKER_REGISTRY: "docker.elastic.co"
   ASDF_MAGE_VERSION: 1.14.0
 
   IMAGE_UBUNTU_2404_X86_64: "platform-ingest-elastic-agent-ubuntu-2404-1749258065"
@@ -26,6 +25,9 @@ steps:
       provider: "gcp"
       machineType: "n1-standard-8"
       image: "${IMAGE_UBUNTU_2404_X86_64}"
+    plugins:
+      - elastic/vault-docker-login#v0.5.2:
+          secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry'
 
   - label: Start ESS stack for FIPS integration tests
     key: integration-fips-ess
diff --git a/.buildkite/bk.integration.pipeline.yml b/.buildkite/bk.integration.pipeline.yml
@@ -1,7 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 
 env:
-  DOCKER_REGISTRY: "docker.elastic.co"
   VAULT_PATH: "kv/ci-shared/observability-ingest/cloud/gcp"
   ASDF_MAGE_VERSION: 1.14.0
 
diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
@@ -13,21 +13,11 @@ if [[ -z "${GO_VERSION-""}" ]]; then
     export GO_VERSION=$(cat "${WORKSPACE}/.go-version")
 fi
 
-DOCKER_REGISTRY="docker.elastic.co"
-DOCKER_REGISTRY_SECRET_PATH="kv/ci-shared/platform-ingest/docker_registry_prod"
 CI_DRA_ROLE_PATH="kv/ci-shared/release/dra-role"
 CI_GCP_OBS_PATH="kv/ci-shared/observability-ingest/cloud/gcp"
 CI_ESS_PATH="kv/ci-shared/platform-ingest/platform-ingest-ec-prod"
 CI_DRA_ROLE_PATH="kv/ci-shared/release/dra-role"
 
-
-function docker_login {
-  DOCKER_USERNAME_SECRET=$(retry 5 vault kv get -field user "${DOCKER_REGISTRY_SECRET_PATH}")
-  DOCKER_PASSWORD_SECRET=$(retry 5 vault kv get -field password "${DOCKER_REGISTRY_SECRET_PATH}")
-  docker login -u "${DOCKER_USERNAME_SECRET}" -p "${DOCKER_PASSWORD_SECRET}" "${DOCKER_REGISTRY}" 2>/dev/null
-  unset DOCKER_USERNAME_SECRET DOCKER_PASSWORD_SECRET
-}
-
 function release_manager_login {
   DRA_CREDS_SECRET=$(retry 5 vault kv get -field=data -format=json ${CI_DRA_ROLE_PATH})
   VAULT_ADDR_SECRET=$(echo ${DRA_CREDS_SECRET} | jq -r '.vault_addr')
@@ -37,10 +27,6 @@ function release_manager_login {
 }
 
 if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-package" ]]; then
-  if [[ "$BUILDKITE_STEP_KEY" == "package_elastic-agent" ]]; then
-    docker_login
-  fi
-
   if [[ "$BUILDKITE_STEP_KEY" == "dra-publish" || "$BUILDKITE_STEP_KEY" == "bk-api-publish-independent-agent" ]]; then
     release_manager_login
   fi
@@ -61,19 +47,9 @@ if [[ "$BUILDKITE_STEP_KEY" == *"integration-tests"* ]]; then
 fi
 
 if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-binary-dra" ]]; then
-  if command -v docker &>/dev/null; then
-    docker_login
-  else
-    echo "+++ docker not found"
-  fi
   if [[ ("$BUILDKITE_STEP_KEY" == "publish-dra-snapshot" || "$BUILDKITE_STEP_KEY" == "publish-dra-staging") ]]; then
     echo "+++ Setting DRA params"
     # Shared secret path containing the dra creds for project teams
     release_manager_login
   fi
 fi
-
-# BUILDKITE_PIPELINE_SLUG should match elastic-agent for PRs, and elastic-agent-extended-tests once it has merged to main
-if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent"* && "$BUILDKITE_STEP_KEY" == "integration-fips-cloud-image" ]]; then
-    docker_login
-fi
diff --git a/.buildkite/hooks/pre-exit b/.buildkite/hooks/pre-exit
@@ -25,8 +25,3 @@ if [ -n "$TEST_INTEG_AUTH_GCP_SERVICE_TOKEN_FILE" ]; then
     rm $TEST_INTEG_AUTH_GCP_SERVICE_TOKEN_FILE
   fi
 fi
-
-if command -v docker &>/dev/null; then
-  DOCKER_REGISTRY="docker.elastic.co"
-  docker logout $DOCKER_REGISTRY
-fi
diff --git a/.buildkite/integration.pipeline.yml b/.buildkite/integration.pipeline.yml
@@ -1,7 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 
 env:
-  DOCKER_REGISTRY: "docker.elastic.co"
   VAULT_PATH: "kv/ci-shared/observability-ingest/cloud/gcp"
 
 steps:
diff --git a/.buildkite/pipeline.elastic-agent-binary-dra.yml b/.buildkite/pipeline.elastic-agent-binary-dra.yml
@@ -7,6 +7,13 @@ env:
   DRA_PROJECT_ID: "elastic-agent-core"
   DRA_PROJECT_ARTIFACT_ID: "agent-core"
 
+# This section is used to define the plugins that will be used in the pipeline.
+# See https://buildkite.com/docs/pipelines/integrations/plugins/using#using-yaml-anchors-with-plugins
+common:
+  - docker_login_plugin: &docker_login_plugin
+      elastic/vault-docker-login#v0.5.2:
+        secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry'
+
 steps:
   - group: ":beats: DRA Elastic-Agent Core Snapshot :beats:"
     key: "dra-core-snapshot"
@@ -84,6 +91,8 @@ steps:
         machineType: "c2-standard-16"
       env:
         DRA_WORKFLOW: "snapshot"
+      plugins:
+        - *docker_login_plugin
 
     - label: ":hammer: Publish helm chart snapshot"
       trigger: elastic-agent-helm-charts
@@ -177,6 +186,8 @@ steps:
         machineType: "c2-standard-16"
       env:
         DRA_WORKFLOW: "staging"
+      plugins:
+        - *docker_login_plugin
 
 notify:
   - slack: "#ingest-notifications"
diff --git a/.buildkite/pipeline.elastic-agent-gce-cleanup.yml b/.buildkite/pipeline.elastic-agent-gce-cleanup.yml
@@ -4,7 +4,6 @@
 # See gce-cleanup.sh and .buildkite/misc/gce-cleanup.yml
 env:
   VAULT_PATH: "kv/ci-shared/observability-ingest/cloud/gcp"
-  DOCKER_REGISTRY: "docker.elastic.co"
 steps:
   - label: "GCE Cleanup"
     key: "gce-cleanup"
diff --git a/.buildkite/pipeline.elastic-agent-package.yml b/.buildkite/pipeline.elastic-agent-package.yml
@@ -1,6 +1,5 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 env:
-  DOCKER_REGISTRY: "docker.elastic.co"
   # this is required in order to allow the build process to override the default PWD of the BEAT_NAME.
   BEAT_NAME: "elastic-agent"
   # after moving elastic-agent out of beats, we should update the URL of the packaging.
@@ -82,6 +81,10 @@ steps:
             fips:
               - false
               - true
+        plugins:
+          - elastic/vault-docker-login#v0.5.2:
+              secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry'
+
       - label: ":package: FIPS={{matrix.fips}} Package ARM elastic-agent"
         key: package_elastic-agent-arm
         agents:
diff --git a/.buildkite/pipeline.integration-test-matrix.yml b/.buildkite/pipeline.integration-test-matrix.yml
@@ -1,7 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 
 env:
-  DOCKER_REGISTRY: "docker.elastic.co"
   VAULT_PATH: "kv/ci-shared/observability-ingest/cloud/gcp"
 
 steps:
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
@@ -2,7 +2,6 @@
 
 env:
   VAULT_PATH: "kv/ci-shared/observability-ingest/cloud/gcp"
-  DOCKER_REGISTRY: "docker.elastic.co"
 
   # The following images are defined here and their values will be updated by updatecli
   # Please do not change them manually.
diff --git a/.buildkite/scripts/steps/gce-cleanup.sh b/.buildkite/scripts/steps/gce-cleanup.sh
@@ -12,4 +12,4 @@ docker run -v $(pwd)/.buildkite/misc/gce-cleanup.yml:/etc/cloud-reaper/config.ym
   -e ACCOUNT_KEY="$ACCOUNT_KEY_SECRET" \
   -e ACCOUNT_PROJECT=$ACCOUNT_PROJECT_SECRET \
   -e DELETE_CREATED_AFTER_DATE=$DELETE_CREATED_AFTER_DATE \
-  ${DOCKER_REGISTRY}/observability-ci/cloud-reaper:0.3.0 cloud-reaper --config /etc/cloud-reaper/config.yml destroy --confirm
+  docker.elastic.co/observability-ci/cloud-reaper:0.3.0 cloud-reaper --config /etc/cloud-reaper/config.yml destroy --confirm
diff --git a/.buildkite/serverless.beats.tests.yml b/.buildkite/serverless.beats.tests.yml
@@ -1,7 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 
 env:
-  DOCKER_REGISTRY: "docker.elastic.co"
   VAULT_PATH: "kv/ci-shared/observability-ingest/cloud/gcp"
 
 steps:
