[CI] Fix issues related to publish (#183393)

## Summary On the new infra, the publish step will still require legacy vault credentials and login. (https://buildkite.com/elastic/kibana-artifacts-staging/builds/3513#018f7691-73c8-4e6f-862b-328b05d9de3b) As a fix: this PR digs up the credentials from the vault instead of gcloud secrets on the new infra. Also, other usages of role-id/secret-id is used are moved in the legacy-vault usages, plus minor code re-org, to reduce branching, and future cleanup. (cherry picked from commit 05fce3b) # Conflicts: # .buildkite/scripts/steps/cloud/build_and_deploy.sh # .buildkite/scripts/steps/serverless/deploy.sh
elastic · May 15, 2024 · c2798e7 · c2798e7
1 parent a8f15df
commit c2798e7
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/.buildkite/scripts/common/vault_fns.sh b/.buildkite/scripts/common/vault_fns.sh
@@ -65,3 +65,23 @@ vault_kv_set() {
 
   vault kv put "$VAULT_KV_PREFIX/$kv_path" "${fields[@]}"
 }
+
+function get_vault_role_id() {
+  if [[ "$IS_LEGACY_VAULT_ADDR" == "true" ]]; then
+    VAULT_ROLE_ID="$(retry 5 15 gcloud secrets versions access latest --secret=kibana-buildkite-vault-role-id)"
+  else
+    VAULT_ROLE_ID="$(vault_get kibana-buildkite-vault-credentials role-id)"
+  fi
+
+  echo "$VAULT_ROLE_ID"
+}
+
+function get_vault_secret_id() {
+    if [[ "$IS_LEGACY_VAULT_ADDR" == "true" ]]; then
+      VAULT_SECRET_ID="$(retry 5 15 gcloud secrets versions access latest --secret=kibana-buildkite-vault-secret-id)"
+    else
+      VAULT_SECRET_ID="$(vault_get kibana-buildkite-vault-credentials secret-id)"
+    fi
+
+    echo "$VAULT_SECRET_ID"
+}
diff --git a/.buildkite/scripts/steps/artifacts/publish.sh b/.buildkite/scripts/steps/artifacts/publish.sh
@@ -50,8 +50,8 @@ docker pull docker.elastic.co/infra/release-manager:latest
 
 echo "--- Publish artifacts"
 if [[ "$BUILDKITE_BRANCH" == "$KIBANA_BASE_BRANCH" ]]; then
-  export VAULT_ROLE_ID="$(retry 5 15 gcloud secrets versions access latest --secret=kibana-buildkite-vault-role-id)"
-  export VAULT_SECRET_ID="$(retry 5 15 gcloud secrets versions access latest --secret=kibana-buildkite-vault-secret-id)"
+  export VAULT_ROLE_ID="$(get_vault_role_id)"
+  export VAULT_SECRET_ID="$(get_vault_secret_id)"
   export VAULT_ADDR="https://secrets.elastic.co:8200"
   docker run --rm \
     --name release-manager \