github-actions: create a serverless project daily

v1v · pkoutsovasilis · commit f24c4651873c · 2025-06-11T23:03:05.000+03:00
bk(serverless): use OIDC for running the ITs
diff --git a/.buildkite/integration.pipeline.yml b/.buildkite/integration.pipeline.yml
@@ -4,6 +4,31 @@ env:
   DOCKER_REGISTRY: "docker.elastic.co"
   VAULT_PATH: "kv/ci-shared/observability-ingest/cloud/gcp"
 
+# This section is used to define the plugins that will be used in the pipeline.
+# See https://buildkite.com/docs/pipelines/integrations/plugins/using#using-yaml-anchors-with-plugins
+common:
+  - google_oidc_plugin: &google_oidc_plugin
+      # See https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/elastic-agent/01-gcp-oidc.tf
+      # This plugin authenticates to Google Cloud using the OIDC token.
+      elastic/oblt-google-auth#v1.3.0:
+        lifetime: 10800 # seconds
+        project-id: "elastic-observability-ci"
+        project-number: "911195782929"
+# see https://github.com/avaly/gcp-secret-manager-buildkite-plugin/pull/10
+# see https://github.com/avaly/gcp-secret-manager-buildkite-plugin/pull/11
+#  - gcp_serverless_secrets_plugin: &gcp_serverless_secrets_plugin
+      #avaly/gcp-secret-manager#v1.2.0:
+  - gcp_serverless_secrets_plugin: &gcp_serverless_secrets_plugin
+      elastic/gcp-secret-manager#v1.3.0-elastic:
+        env:
+          # These secrets are created in .github/workflows/serverless-project.yml
+          ELASTICSEARCH_HOST: ea-serverless-it-elasticsearch-hostname
+          ELASTICSEARCH_PASSWORD: ea-serverless-it-elasticsearch-password
+          ELASTICSEARCH_USERNAME: ea-serverless-it-elasticsearch-username
+          KIBANA_HOST: ea-serverless-it-kibana-hostname
+          KIBANA_USERNAME: ea-serverless-it-kibana-username
+          KIBANA_PASSWORD: ea-serverless-it-kibana-password
+
 steps:
   - group: "Integration tests: packaging"
     key: "int-packaging"
diff --git a/.github/workflows/serverless-project.yml b/.github/workflows/serverless-project.yml
@@ -0,0 +1,104 @@
+---
+name: serverless-project
+
+on:
+  workflow_dispatch:
+  schedule:
+    # To run more often if needed, for now weekly on sunday at 4:00 UTC
+    - cron: "0 4 * * 0"
+
+permissions:
+  contents: read
+
+jobs:
+  create-serverless:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    env:
+      PREFIX: "ea-serverless-it"
+    steps:
+      ####################################
+      # 1. Create the serverless project
+      ####################################
+      - name: Get token
+        id: get_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        with:
+          app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+          permissions: >-
+            {
+              "checks": "read",
+              "contents": "write",
+              "pull_requests": "write"
+            }
+          repositories: >-
+            ["observability-test-environments"]
+
+      - uses: elastic/oblt-actions/git/setup@v1
+        with:
+          github-token: ${{ steps.get_token.outputs.token }}
+
+      - name: Get day of the week
+        id: get_day
+        run: echo "day=$(date +'%a' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+
+      - uses: elastic/oblt-actions/oblt-cli/cluster-create-custom@v1
+        id: create_serverless
+        with:
+          template: 'serverless-ea-it'
+          parameters: '{"Target":"production","ProjectType":"observability"}'
+          cluster-name-prefix: "${{ env.PREFIX }}-${{ steps.get_day.outputs.day }}"
+          github-token: ${{ steps.get_token.outputs.token }}
+          gitops: true
+          wait: '15'
+
+      # Authenticate to the elastic-observability to get the cluster credentials
+      - uses: elastic/oblt-actions/google/auth@v1
+
+      - uses: elastic/oblt-actions/oblt-cli/cluster-credentials@v1
+        with:
+          cluster-name: ${{ steps.create_serverless.outputs.cluster-name }}
+          github-token: ${{ steps.get_token.outputs.token }}
+
+      - name: Smoke test
+        run: curl -X GET ${ELASTICSEARCH_HOST}/_cat/indices?v -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}
+
+      ####################################
+      # 2. Copy the serverless secrets
+      ####################################
+      # Authenticate to the elastic-observability-ci to rotate the cluster credentials
+      - uses: elastic/oblt-actions/google/auth@v1
+        with:
+          project-number: "911195782929"
+          project-id: "elastic-observability-ci"
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a
+
+      # TODO: as soon as the oblt-framework supports elastic-observability-ci we can avoid this step.
+      # NOTE:
+      #   * While runnning this workflow, it might cause some hiccups if a PR runs when rotating the secrets
+      #   * Secrets need to be created firstly. gcloud secrets create otherwise gcloud secrets versions add will fail.
+      #     That's not an issue now, as we use the same secret name.
+      - name: Rotate GCSM secrets
+        env:
+          GCP_PROJECT: "elastic-observability-ci"
+        run: |
+          echo -n "${ELASTICSEARCH_HOST}" | gcloud secrets versions add "${PREFIX}-elasticsearch-hostname" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${ELASTICSEARCH_PASSWORD}" | gcloud secrets versions add "${PREFIX}-elasticsearch-password" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${ELASTICSEARCH_USERNAME}" | gcloud secrets versions add "${PREFIX}-elasticsearch-username" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${KIBANA_HOST}" | gcloud secrets versions add "${PREFIX}-kibana-hostname" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${KIBANA_USERNAME}" | gcloud secrets versions add "${PREFIX}-kibana-username" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${KIBANA_PASSWORD}" | gcloud secrets versions add "${PREFIX}-kibana-password" --data-file=- --quiet --project "${GCP_PROJECT}"
+
+      # TODO: if rotation fails then rollback to the previous cluster.
+      - if: ${{ failure()  }}
+        uses: elastic/oblt-actions/slack/send@v1
+        env:
+          JOB_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+        with:
+          bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          channel-id: "#ingest-notifications"
+          message: ":traffic_cone: serverless project creation failed for `${{ github.repository }}@${{ github.ref_name }}`, `@robots-ci` please look what's going on <${{ env.JOB_URL }}|here>"
