bk: use docker login plugin (#631)

Author: v1v

.buildkite/fpm-pipeline.yml

@@ -3,8 +3,7 @@
 env:
   SETUP_GVM_VERSION: "v0.5.1"
   IMAGE_UBUNTU_X86_64: "family/core-ubuntu-2204"
-  DOCKER_REGISTRY: "docker.elastic.co"
-  STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci"
+  STAGING_IMAGE: "docker.elastic.co/observability-ci"
   MAKEFILE: "fpm"
   BUILDX: "0"
 
@@ -18,6 +17,9 @@ common:
         lifetime: 10800 # seconds
         project-id: "elastic-observability-ci"
         project-number: "911195782929"
+  - docker_elastic_login_plugin: &docker_elastic_login_plugin
+      elastic/vault-docker-login#v0.6.0:
+        secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry'
 
 steps:
   - label: ":linux: multiarch Linux x86_64/arm64 FPM docker image"
@@ -35,3 +37,4 @@ steps:
       image: "${IMAGE_UBUNTU_X86_64}"
     plugins:
       - *gcp_oidc_plugin
+      - *docker_elastic_login_plugin

.buildkite/hooks/pre-command

@@ -4,17 +4,6 @@ set -euo pipefail
 
 source .buildkite/scripts/common.sh
 
-DOCKER_REGISTRY_SECRET_PATH="kv/ci-shared/platform-ingest/docker_registry_prod"
-
-# Secrets must be redacted
-# https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables
-
-if [[ ("$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" || "$BUILDKITE_PIPELINE_SLUG" == "llvm-apple"  || "$BUILDKITE_PIPELINE_SLUG" == "fpm") && ( "$BUILDKITE_STEP_KEY" == build* || "$BUILDKITE_STEP_KEY" == release* ) ]]; then
-    export DOCKER_USERNAME_SECRET=$(retry 5 vault kv get -field user "${DOCKER_REGISTRY_SECRET_PATH}")
-    export DOCKER_PASSWORD_SECRET=$(retry 5 vault kv get -field password "${DOCKER_REGISTRY_SECRET_PATH}")
-    docker login -u "${DOCKER_USERNAME_SECRET}" -p "${DOCKER_PASSWORD_SECRET}" "${DOCKER_REGISTRY}" 2>/dev/null
-fi
-
 if [[ "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" && "$BUILDKITE_STEP_KEY" == "release-post" ]]; then
     export GITHUB_USERNAME="elasticmachine"
     export GITHUB_EMAIL="[email protected]"

.buildkite/hooks/pre-exit

@@ -6,9 +6,5 @@ source .buildkite/scripts/common.sh
 
 unset_secrets
 
-if [[ ( "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" || "$BUILDKITE_PIPELINE_SLUG" == "llvm-apple" || "$BUILDKITE_PIPELINE_SLUG" == "fpm") && ( "$BUILDKITE_STEP_KEY" == build* ) ]]; then
-    docker logout "${DOCKER_REGISTRY}"
-fi
-
 # Ensure that any temporal files created during any step are removed
 cleanup

.buildkite/llvm-apple-pipeline.yml

@@ -4,8 +4,7 @@ env:
   SETUP_GVM_VERSION: "v0.5.1"
   IMAGE_UBUNTU_X86_64: "family/core-ubuntu-2204"
   IMAGE_UBUNTU_ARM_64: "core-ubuntu-2004-aarch64"
-  DOCKER_REGISTRY: "docker.elastic.co"
-  STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci"
+  STAGING_IMAGE: "docker.elastic.co/observability-ci"
   MAKEFILE: "go/llvm-apple"
   BUILDX: "0"
 
@@ -19,6 +18,9 @@ common:
         lifetime: 10800 # seconds
         project-id: "elastic-observability-ci"
         project-number: "911195782929"
+  - docker_elastic_login_plugin: &docker_elastic_login_plugin
+      elastic/vault-docker-login#v0.6.0:
+        secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry'
 
 steps:
   - label: ":linux: Build LLVM Apple / Ubuntu X86_64 - {{matrix.debianVersion}}"
@@ -39,6 +41,7 @@ steps:
       image: "${IMAGE_UBUNTU_X86_64}"
     plugins:
       - *gcp_oidc_plugin
+      - *docker_elastic_login_plugin
     matrix:
       setup:
         debianVersion:
@@ -65,6 +68,7 @@ steps:
       instanceType: "t4g.large"
     plugins:
       - *gcp_oidc_plugin
+      - *docker_elastic_login_plugin
     matrix:
       setup:
         debianVersion:

.buildkite/pipeline.yml

@@ -5,8 +5,7 @@ env:
   IMAGE_UBUNTU_X86_64: "family/platform-ingest-beats-ubuntu-2204"
   INSTANCE_TYPE_X86_64: "n2-standard-4"
   IMAGE_UBUNTU_ARM_64: "core-ubuntu-2004-aarch64"
-  DOCKER_REGISTRY: "docker.elastic.co"
-  STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci"
+  STAGING_IMAGE: "docker.elastic.co/observability-ci"
   BUILDX: 1
 
 # This section is used to define the plugins that will be used in the pipeline.
@@ -19,6 +18,9 @@ common:
         lifetime: 10800 # seconds
         project-id: "elastic-observability-ci"
         project-number: "911195782929"
+  - docker_elastic_login_plugin: &docker_elastic_login_plugin
+      elastic/vault-docker-login#v0.6.0:
+        secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry'
 
 steps:
 
@@ -111,6 +113,7 @@ steps:
           instanceType: "${INSTANCE_TYPE_X86_64}"
         plugins:
           - *gcp_oidc_plugin
+          - *docker_elastic_login_plugin
         retry:
           automatic:
             limit: 1
@@ -146,6 +149,7 @@ steps:
           instanceType: "t4g.large"
         plugins:
           - *gcp_oidc_plugin
+          - *docker_elastic_login_plugin
         retry:
           automatic:
             limit: 1
@@ -180,6 +184,7 @@ steps:
           instanceType: "${INSTANCE_TYPE_X86_64}"
         plugins:
           - *gcp_oidc_plugin
+          - *docker_elastic_login_plugin
         retry:
           automatic:
             limit: 1
@@ -215,6 +220,7 @@ steps:
           instanceType: "t4g.large"
         plugins:
           - *gcp_oidc_plugin
+          - *docker_elastic_login_plugin
         retry:
           automatic:
             limit: 1

.buildkite/scripts/build.sh

@@ -18,6 +18,4 @@ echo "--- List Docker images staging"
 docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${STAGING_IMAGE}/golang-crossbuild"
 
 echo "--- List Docker images production"
-docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${DOCKER_REGISTRY}/beats-dev/golang-crossbuild"
-
-
+docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="docker.elastic.co/beats-dev/golang-crossbuild"