From 9cc8aebfd5d53cdd99088c7c581041f30fcf2537 Mon Sep 17 00:00:00 2001 From: Pavel Zorin Date: Wed, 2 Jul 2025 15:40:28 +0200 Subject: [PATCH] [CI] BK Vault plugin for EC access (#8377) * [CI] BK Vault plugin for ES access * Typo * Typo * Quick Windows test * Quick test Windows * Revert last two commits * Applied proposed changes * Fixed indentation * revert buildkite_analytics_token deletion * Remaned the anchor * Added the issue to comments * Updated FIPS pipeline (cherry picked from commit e2505e45357d87e61aed870f249411320cc1cc9d) --- .buildkite/bk.integration-fips.pipeline.yml | 17 +++++++++ .buildkite/bk.integration.pipeline.yml | 42 ++++++++++++++++++++- .buildkite/hooks/pre-command | 2 + .buildkite/scripts/steps/ess.ps1 | 16 +------- .buildkite/scripts/steps/ess.sh | 10 ----- 5 files changed, 62 insertions(+), 25 deletions(-) diff --git a/.buildkite/bk.integration-fips.pipeline.yml b/.buildkite/bk.integration-fips.pipeline.yml index fb1e10e4fb7..10f498ba71a 100644 --- a/.buildkite/bk.integration-fips.pipeline.yml +++ b/.buildkite/bk.integration-fips.pipeline.yml @@ -8,6 +8,15 @@ env: IMAGE_UBUNTU_X86_64_FIPS: "platform-ingest-elastic-agent-ubuntu-2204-fips-1751072471" IMAGE_UBUNTU_ARM64_FIPS: "platform-ingest-elastic-agent-ubuntu-2204-fips-aarch64-1751072471" +# This section is used to define the plugins that will be used in the pipeline. +# See https://buildkite.com/docs/pipelines/integrations/plugins/using#using-yaml-anchors-with-plugins +common: + - vault_ec_key_prod: &vault_ec_key_prod + elastic/vault-secrets#v0.1.0: + path: "kv/ci-shared/platform-ingest/platform-ingest-ec-prod" + field: "apiKey" + env_var: "EC_API_KEY" + steps: - label: Build and push custom elastic-agent image depends_on: @@ -45,6 +54,8 @@ steps: agents: image: "docker.elastic.co/ci-agent-images/platform-ingest/buildkite-agent-beats-ci-with-hooks:0.5" useCustomGlobalHooks: true + plugins: + - *vault_ec_key_prod - group: "fips:Stateful:Ubuntu" key: integration-tests-ubuntu-fips 
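Review bot: The `vault_ec_key_prod` anchor references the plugin by tag (`elastic/vault-secrets#v0.1.0`), and a tag can be re-pointed after review. Because this plugin reads the production EC API key from Vault and exports it into the step, pinning it to a full commit SHA, e.g. `elastic/vault-secrets#<full-commit-sha>: # v0.1.0`, would make the code that handles the secret immutable. The same anchor is defined again in `.buildkite/bk.integration.pipeline.yml`, so both definitions need the same pin. The Vault path now appears in three places (both anchors and `CI_ESS_PATH` in the pre-command hook), so a comment on each anchor naming the other locations would help keep them in sync if the path changes.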
@@ -71,6 +82,8 @@ steps: provider: "aws" image: "${IMAGE_UBUNTU_X86_64_FIPS}" instanceType: "m5.2xlarge" + plugins: + - *vault_ec_key_prod matrix: setup: sudo: @@ -99,6 +112,8 @@ steps: provider: "aws" image: "${IMAGE_UBUNTU_ARM64_FIPS}" instanceType: "m6g.2xlarge" + plugins: + - *vault_ec_key_prod matrix: setup: sudo: @@ -137,6 +152,8 @@ steps: agents: image: "docker.elastic.co/ci-agent-images/platform-ingest/buildkite-agent-beats-ci-with-hooks:0.5" useCustomGlobalHooks: true + plugins: + - *vault_ec_key_prod - label: Aggregate test reports depends_on: diff --git a/.buildkite/bk.integration.pipeline.yml b/.buildkite/bk.integration.pipeline.yml index 34b791493f1..b42ad1d7583 100644 --- a/.buildkite/bk.integration.pipeline.yml +++ b/.buildkite/bk.integration.pipeline.yml @@ -37,6 +37,11 @@ common: KIBANA_HOST: ea-serverless-it-kibana-hostname KIBANA_USERNAME: ea-serverless-it-kibana-username KIBANA_PASSWORD: ea-serverless-it-kibana-password + - vault_ec_key_prod: &vault_ec_key_prod + elastic/vault-secrets#v0.1.0: + path: "kv/ci-shared/platform-ingest/platform-ingest-ec-prod" + field: "apiKey" + env_var: "EC_API_KEY" steps: - label: Start ESS stack for integration tests @@ -56,6 +61,8 @@ steps: agents: image: "docker.elastic.co/ci-agent-images/platform-ingest/buildkite-agent-beats-ci-with-hooks:0.5" useCustomGlobalHooks: true + plugins: + - *vault_ec_key_prod - group: "Extended runtime leak tests" key: extended-integration-tests @@ -83,6 +90,9 @@ steps: retry: automatic: limit: 1 + plugins: + - *vault_ec_key_prod + - label: "Windows:2025:amd64:sudo" depends_on: - packaging-windows @@ -101,6 +111,9 @@ steps: provider: "gcp" machineType: "n2-standard-8" image: "${IMAGE_WIN_2025}" + plugins: + - *vault_ec_key_prod + - label: "Ubuntu:2404:amd64:sudo" depends_on: packaging-ubuntu-x86-64 env: 
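Review bot: `- *vault_ec_key_prod` is attached to the test steps themselves (the `sudo` matrix steps here and the later Windows/Ubuntu/Debian steps in `bk.integration.pipeline.yml`), so the key read from `platform-ingest-ec-prod` sits in `EC_API_KEY` for everything those steps run, not only around the Terraform calls. The hunks do not show which of these steps actually call `ess_up`/`ess_down`; if only some do, restricting the plugin to those steps keeps the production key out of jobs that do not need it. A short comment on the anchor, e.g. `# Attach only to steps that create or destroy the ESS stack`, would document that intent. It is also worth confirming that the agents' redacted-vars patterns cover `EC_API_KEY` so it is masked in build logs. The step definitions start outside these hunks.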
@@ -118,6 +131,8 @@ steps: provider: "gcp" machineType: "n2-standard-8" image: "${IMAGE_UBUNTU_2404_X86_64}" + plugins: + - *vault_ec_key_prod - group: "Stateful: Windows" key: integration-tests-win @@ -145,6 +160,8 @@ steps: retry: automatic: limit: 1 + plugins: + - *vault_ec_key_prod matrix: - default - fleet @@ -172,6 +189,8 @@ steps: retry: automatic: limit: 1 + plugins: + - *vault_ec_key_prod matrix: - default @@ -193,6 +212,8 @@ steps: retry: automatic: limit: 1 + plugins: + - *vault_ec_key_prod matrix: - default - fleet @@ -221,6 +242,8 @@ steps: provider: "gcp" machineType: "n2-standard-8" image: "${IMAGE_WIN_2025}" + plugins: + - *vault_ec_key_prod matrix: - default @@ -249,6 +272,8 @@ steps: provider: "gcp" machineType: "n2-standard-8" image: "${IMAGE_UBUNTU_2404_X86_64}" + plugins: + - *vault_ec_key_prod matrix: - default @@ -271,6 +296,8 @@ steps: provider: "gcp" machineType: "n2-standard-8" image: "${IMAGE_UBUNTU_2404_X86_64}" + plugins: + - *vault_ec_key_prod matrix: - default - upgrade @@ -304,6 +331,8 @@ steps: retry: automatic: limit: 1 + plugins: + - *vault_ec_key_prod matrix: - default - upgrade @@ -339,6 +368,8 @@ steps: provider: "aws" image: "${IMAGE_UBUNTU_2404_ARM_64}" instanceType: "m6g.xlarge" + plugins: + - *vault_ec_key_prod matrix: - default @@ -367,6 +398,8 @@ steps: provider: "gcp" machineType: "n2-standard-8" image: "${IMAGE_DEBIAN_12}" + plugins: + - *vault_ec_key_prod matrix: - default @@ -389,6 +422,8 @@ steps: provider: "gcp" machineType: "n2-standard-8" image: "${IMAGE_DEBIAN_12}" + plugins: + - *vault_ec_key_prod matrix: - default - upgrade @@ -428,6 +463,8 @@ steps: retry: automatic: limit: 1 + plugins: + - *vault_ec_key_prod agents: provider: "gcp" machineType: "n2-standard-8" @@ -463,6 +500,8 @@ steps: machineType: "n2-standard-4" image: "${IMAGE_UBUNTU_2404_X86_64}" diskSizeGb: 80 + plugins: + - *vault_ec_key_prod matrix: setup: variants: 
@@ -565,7 +604,8 @@ steps: agents: image: "docker.elastic.co/ci-agent-images/platform-ingest/buildkite-agent-beats-ci-with-hooks:0.5" useCustomGlobalHooks: true - + plugins: + - *vault_ec_key_prod - label: Aggregate test reports # Warning: The key has a hook in pre-command key: aggregate-reports diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index a1aaafe0d88..f11f9f6b2cc 100755 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command @@ -15,6 +15,8 @@ fi CI_DRA_ROLE_PATH="kv/ci-shared/release/dra-role" CI_GCP_OBS_PATH="kv/ci-shared/observability-ingest/cloud/gcp" +# This key exists for backward compatibility with OGC framework +# see https://github.com/elastic/elastic-agent/issues/8536 CI_ESS_PATH="kv/ci-shared/platform-ingest/platform-ingest-ec-prod" CI_DRA_ROLE_PATH="kv/ci-shared/release/dra-role" diff --git a/.buildkite/scripts/steps/ess.ps1 b/.buildkite/scripts/steps/ess.ps1 index 0a11a49fb9e..b1920fca9db 100644 --- a/.buildkite/scripts/steps/ess.ps1 +++ b/.buildkite/scripts/steps/ess.ps1 @@ -13,16 +13,7 @@ function ess_up { Write-Error "Error: Specify stack version: ess_up [stack_version]" return 1 } - - $Env:EC_API_KEY = Retry-Command -ScriptBlock { - vault kv get -field=apiKey kv/ci-shared/platform-ingest/platform-ingest-ec-prod - } - - if (-not $Env:EC_API_KEY) { - Write-Error "Error: Failed to get EC API key from vault" - exit 1 - } - + $BuildkiteBuildCreator = if ($Env:BUILDKITE_BUILD_CREATOR) { $Env:BUILDKITE_BUILD_CREATOR } else { get_git_user_email } $BuildkiteBuildNumber = if ($Env:BUILDKITE_BUILD_NUMBER) { $Env:BUILDKITE_BUILD_NUMBER } else { "0" } $BuildkitePipelineSlug = if ($Env:BUILDKITE_PIPELINE_SLUG) { $Env:BUILDKITE_PIPELINE_SLUG } else { "elastic-agent-integration-tests" } 
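Review bot: `ess_up` in `ess.ps1` no longer checks that `$Env:EC_API_KEY` is non-empty, so a step that lacks the `vault_ec_key_prod` plugin (or a plugin run that exports nothing) would presumably fail later inside Terraform with a less specific error. Keeping the guard without the Vault call preserves the fail-fast behaviour: `if (-not $Env:EC_API_KEY) { Write-Error "Error: EC_API_KEY is not set (vault-secrets plugin missing?)"; exit 1 }`. The same applies to `ess_down` in `ess.ps1` and to `ess_up`/`ess_down` in `ess.sh`, where `: "${EC_API_KEY:?EC_API_KEY is not set}"` would do. In the teardown paths a missing key likely means the destroy step cannot authenticate and the deployment is left running, so a clear early error matters there too. The function bodies continue outside the hunks.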
@@ -56,10 +47,7 @@ function ess_down { return 0 } Write-Output "~~~ Tearing down the ESS Stack(created for this step)" - try { - $Env:EC_API_KEY = Retry-Command -ScriptBlock { - vault kv get -field=apiKey kv/ci-shared/platform-ingest/platform-ingest-ec-prod - } + try { Push-Location -Path $TfDir & terraform init & terraform destroy -auto-approve diff --git a/.buildkite/scripts/steps/ess.sh b/.buildkite/scripts/steps/ess.sh index d1792a8bb29..cdc479b8e59 100755 --- a/.buildkite/scripts/steps/ess.sh +++ b/.buildkite/scripts/steps/ess.sh @@ -13,13 +13,6 @@ function ess_up() { return 1 fi - export EC_API_KEY=$(retry -t 5 -- vault kv get -field=apiKey kv/ci-shared/platform-ingest/platform-ingest-ec-prod) - - if [[ -z "${EC_API_KEY}" ]]; then - echo "Error: Failed to get EC API key from vault" >&2 - exit 1 - fi - BUILDKITE_BUILD_CREATOR="${BUILDKITE_BUILD_CREATOR:-"$(get_git_user_email)"}" BUILDKITE_BUILD_NUMBER="${BUILDKITE_BUILD_NUMBER:-"0"}" BUILDKITE_PIPELINE_SLUG="${BUILDKITE_PIPELINE_SLUG:-"elastic-agent-integration-tests"}" @@ -48,9 +41,6 @@ function ess_down() { echo "~~~ Tearing down the ESS Stack" local WORKSPACE=$(git rev-parse --show-toplevel) local TF_DIR="${WORKSPACE}/test_infra/ess/" - if [ -z "${EC_API_KEY:-}" ]; then - export EC_API_KEY=$(retry -t 5 -- vault kv get -field=apiKey kv/ci-shared/platform-ingest/platform-ingest-ec-prod) - fi pushd "${TF_DIR}" terraform init
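Review bot: In `ess_down` of `ess.sh`, `local WORKSPACE=$(git rev-parse --show-toplevel)` masks a failure of `git rev-parse` because `local` itself returns 0, and the result of `pushd "${TF_DIR}"` is not checked in the visible lines, so the Terraform commands that follow could run from the wrong directory. Splitting the declaration into `local WORKSPACE` and `WORKSPACE=$(git rev-parse --show-toplevel) || return 1`, and using `pushd "${TF_DIR}" || return 1`, would stop the teardown with a clear error on a broken checkout. Whether the script runs under `set -e` is not visible here, and the function continues past the end of the hunk.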