bk: use GCP OIDC (#610)

Author: v1v

.buildkite/fpm-pipeline.yml

@@ -8,6 +8,17 @@ env:
   MAKEFILE: "fpm"
   BUILDX: "0"
 
+# This section is used to define the plugins that will be used in the pipeline.
+# See https://buildkite.com/docs/pipelines/integrations/plugins/using#using-yaml-anchors-with-plugins
+common:
+  - oblt_google_auth_plugin: &gcp_oidc_plugin
+      # See https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/golang-crossbuild/01-gcp-buildkite-oidc.tf
+      # This plugin authenticates to Google Cloud using the OIDC token.
+      elastic/oblt-google-auth#v1.3.0:
+        lifetime: 10800 # seconds
+        project-id: "elastic-observability-ci"
+        project-number: "911195782929"
+
 steps:
   - label: ":linux: multiarch Linux x86_64/arm64 FPM docker image"
     key: "build-and-publish-ubuntu-x86-fpm"
@@ -22,3 +33,5 @@ steps:
     agents:
       provider: "gcp"
       image: "${IMAGE_UBUNTU_X86_64}"
+    plugins:
+      - *gcp_oidc_plugin

.buildkite/hooks/pre-exit

@@ -6,10 +6,6 @@ source .buildkite/scripts/common.sh
 
 unset_secrets
 
-if [[ "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" && "$BUILDKITE_STEP_KEY" == build* ]]; then
-    google_cloud_logout_active_account
-fi
-
 if [[ ( "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" || "$BUILDKITE_PIPELINE_SLUG" == "llvm-apple" || "$BUILDKITE_PIPELINE_SLUG" == "fpm") && ( "$BUILDKITE_STEP_KEY" == build* ) ]]; then
     docker logout "${DOCKER_REGISTRY}"
 fi

.buildkite/llvm-apple-pipeline.yml

@@ -8,6 +8,18 @@ env:
   STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci"
   MAKEFILE: "go/llvm-apple"
   BUILDX: "0"
+
+# This section is used to define the plugins that will be used in the pipeline.
+# See https://buildkite.com/docs/pipelines/integrations/plugins/using#using-yaml-anchors-with-plugins
+common:
+  - oblt_google_auth_plugin: &gcp_oidc_plugin
+      # See https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/golang-crossbuild/01-gcp-buildkite-oidc.tf
+      # This plugin authenticates to Google Cloud using the OIDC token.
+      elastic/oblt-google-auth#v1.3.0:
+        lifetime: 10800 # seconds
+        project-id: "elastic-observability-ci"
+        project-number: "911195782929"
+
 steps:
   - label: ":linux: Build LLVM Apple / Ubuntu X86_64 - {{matrix.debianVersion}}"
     key: "build-ubuntu-x86-llvm-apple"
@@ -25,6 +37,8 @@ steps:
     agents:
       provider: "gcp"
       image: "${IMAGE_UBUNTU_X86_64}"
+    plugins:
+      - *gcp_oidc_plugin
     matrix:
       setup:
         debianVersion:
@@ -49,6 +63,8 @@ steps:
       provider: "aws"
       imagePrefix: "${IMAGE_UBUNTU_ARM_64}"
       instanceType: "t4g.large"
+    plugins:
+      - *gcp_oidc_plugin
     matrix:
       setup:
         debianVersion:

.buildkite/pipeline.yml

@@ -9,6 +9,17 @@ env:
   STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci"
   BUILDX: 1
 
+# This section is used to define the plugins that will be used in the pipeline.
+# See https://buildkite.com/docs/pipelines/integrations/plugins/using#using-yaml-anchors-with-plugins
+common:
+  - oblt_google_auth_plugin: &gcp_oidc_plugin
+      # See https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/golang-crossbuild/01-gcp-buildkite-oidc.tf
+      # This plugin authenticates to Google Cloud using the OIDC token.
+      elastic/oblt-google-auth#v1.3.0:
+        lifetime: 10800 # seconds
+        project-id: "elastic-observability-ci"
+        project-number: "911195782929"
+
 steps:
 
   - group: "FPM"
@@ -97,6 +108,8 @@ steps:
           provider: "gcp"
           image: "${IMAGE_UBUNTU_X86_64}"
           instanceType: "${INSTANCE_TYPE_X86_64}"
+        plugins:
+          - *gcp_oidc_plugin
         retry:
           automatic:
             limit: 1
@@ -128,6 +141,8 @@ steps:
           provider: "aws"
           imagePrefix: "${IMAGE_UBUNTU_ARM_64}"
           instanceType: "t4g.large"
+        plugins:
+          - *gcp_oidc_plugin
         retry:
           automatic:
             limit: 1
@@ -159,6 +174,8 @@ steps:
           provider: "gcp"
           image: "${IMAGE_UBUNTU_X86_64}"
           instanceType: "${INSTANCE_TYPE_X86_64}"
+        plugins:
+          - *gcp_oidc_plugin
         retry:
           automatic:
             limit: 1
@@ -190,6 +207,8 @@ steps:
           provider: "aws"
           imagePrefix: "${IMAGE_UBUNTU_ARM_64}"
           instanceType: "t4g.large"
+        plugins:
+          - *gcp_oidc_plugin
         retry:
           automatic:
             limit: 1

.buildkite/scripts/build.sh

@@ -11,9 +11,8 @@ check_is_arm
 add_bin_path
 with_go "${GOLANG_VERSION}"
 with_mage
-google_cloud_auth
 
-make -C go -f "${MAKEFILE}" build"${is_arm}" GS_BUCKET_PATH=ingest-buildkite-ci
+make -C go -f "${MAKEFILE}" build"${is_arm}" GS_BUCKET_PATH=golang-crossbuild-ci-internal
 
 echo "--- List Docker images staging"
 docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${STAGING_IMAGE}/golang-crossbuild"

.buildkite/scripts/common.sh

@@ -90,16 +90,6 @@ retry() {
     return 0
 }
 
-google_cloud_auth() {
-    echo "running google_cloud_auth"
-    local gsUtilLocation=$(mktemp -d -p ${BIN} -t "${TMP_FOLDER}.XXXXXXXXX")
-    GOOGLE_CREDENTIALS_FILENAME="google-cloud-credentials.json"
-    local secretFileLocation=${gsUtilLocation}/${GOOGLE_CREDENTIALS_FILENAME}
-    echo "${PRIVATE_CI_GCS_CREDENTIALS_SECRET}" > ${secretFileLocation}
-    gcloud auth activate-service-account --key-file ${secretFileLocation} 2> /dev/null
-    export GOOGLE_APPLICATION_CREDENTIALS=${secretFileLocation}
-}
-
 unset_secrets () {
   for var in $(printenv | sed 's;=.*;;' | sort); do
     if [[ "$var" == *_SECRET || "$var" == *_TOKEN ]]; then
@@ -108,20 +98,6 @@ unset_secrets () {
   done
 }
 
-google_cloud_logout_active_account() {
-  local active_account=$(gcloud auth list --filter=status:ACTIVE --format="value(account)" 2>/dev/null)
-  if [[ -n "$active_account" && -n "${GOOGLE_APPLICATION_CREDENTIALS+x}" ]]; then
-    echo "Logging out from GCP for active account"
-    gcloud auth revoke $active_account > /dev/null 2>&1
-  else
-    echo "No active GCP accounts found."
-  fi
-  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS+x}" ]; then
-    unset GOOGLE_APPLICATION_CREDENTIALS
-    cleanup
-  fi
-}
-
 cleanup() {
   echo "Deleting temporary files..."
   rm -rf ${BIN}/${TMP_FOLDER}.*

.buildkite/scripts/llvm-apple/build.sh

@@ -9,9 +9,8 @@ makefile=${1}
 add_bin_path
 with_go "${GOLANG_VERSION}"
 with_mage
-google_cloud_auth
 
-retry 3 make -C "${makefile}" build GS_BUCKET_PATH=ingest-buildkite-ci
+retry 3 make -C "${makefile}" build GS_BUCKET_PATH=golang-crossbuild-ci-internal
 
 echo "--- List Docker images"
 docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}"

.buildkite/scripts/llvm-fpm/build_and_publish.sh

@@ -10,7 +10,7 @@ add_bin_path
 with_go "${GOLANG_VERSION}"
 with_mage
 
-retry 3 make -C "${makefile}" build GS_BUCKET_PATH=ingest-buildkite-ci
+retry 3 make -C "${makefile}" build GS_BUCKET_PATH=golang-crossbuild-ci-internal
 
 echo "--- List Docker images"
 docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}"

Makefile.common

@@ -7,20 +7,20 @@ NPCAP_VERSION := 1.80
 NPCAP_FILE    := npcap-$(NPCAP_VERSION)-oem.exe
 SUFFIX_NPCAP_VERSION := -npcap-$(NPCAP_VERSION)
 NPCAP_REPOSITORY := docker.elastic.co/observability-ci
-GS_BUCKET_PATH ?= ingest-buildkite-ci
+GS_BUCKET_PATH ?= golang-crossbuild-ci-internal
 
 # Requires login at google storage.
 copy-npcap:
 ifeq ($(CI),true)
-	@gsutil cp gs://$(GS_BUCKET_PATH)/private/$(NPCAP_FILE) ../npcap/lib/$(NPCAP_FILE)
+	@gcloud storage cp gs://$(GS_BUCKET_PATH)/private/$(NPCAP_FILE) ../npcap/lib/$(NPCAP_FILE)
 else
 	@echo 'Only available if running in the CI'
 endif
 
 # Requires login at google storage.
 copy-sdks:
 ifeq ($(CI),true)
-	@gcloud storage cp gs://ingest-buildkite-ci/sdks . --recursive
+	@gcloud storage cp gs://$(GS_BUCKET_PATH)/sdks . --recursive
 else
 	@echo 'Only available if running in the CI'
 endif

NPCAP.md

@@ -5,8 +5,8 @@ If you'd like to bump the npcap version please follow the below steps:
 1) Update `NPCAP_VERSION` value in the `Makefile`.
   * **NOTE**: Make sure the PR adding this is back-ported to the Go versions required by the Packetbeat CrossBuild target in [the mage file](https://github.com/elastic/beats/blob/main/x-pack/packetbeat/magefile.go). This is specified in the beats `.go-version` file.
 2) Download the new artifact.
-3) Upload the artifact to `gs://ingest-buildkite-ci/private`.
-  * **NOTE**: This particular Google Bucket can be accessible only by Elasticians who have got access to the Google project called `elastic-platform-ingest`.
+3) Upload the artifact to `gs://golang-crossbuild-ci-internal/private`.
+  * **NOTE**: This particular Google Bucket can be accessible only by Elasticians who have got access to the Google project called `elastic-observability-ci`. It's managed thorugh some Terraform code.
 
 Credentials to the artifact service can be found in the `APM-Shared` folder in the password management tool.