From c2798e734fb3cb0867176c135b3223fc8a521a36 Mon Sep 17 00:00:00 2001
From: Alex Szabo
Date: Wed, 15 May 2024 09:42:42 +0200
Subject: [PATCH] [CI] Fix issues related to publish (#183393)

## Summary
On the new infra, the publish step will still require legacy vault credentials and login. (https://buildkite.com/elastic/kibana-artifacts-staging/builds/3513#018f7691-73c8-4e6f-862b-328b05d9de3b) As a fix: this PR digs up the credentials from the vault instead of gcloud secrets on the new infra. Also, other usages of role-id/secret-id is used are moved in the legacy-vault usages, plus minor code re-org, to reduce branching, and future cleanup.
(cherry picked from commit 05fce3b4badb0ed5abc7cfab0e529dd8a39e2827)
# Conflicts:
# .buildkite/scripts/steps/cloud/build_and_deploy.sh
# .buildkite/scripts/steps/serverless/deploy.sh
---
 .buildkite/scripts/common/vault_fns.sh | 20 +++++++++++++++++++
 .buildkite/scripts/steps/artifacts/publish.sh | 4 ++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/.buildkite/scripts/common/vault_fns.sh b/.buildkite/scripts/common/vault_fns.sh
index a7b92a4b05d6d..022a22541d6bf 100644
--- a/.buildkite/scripts/common/vault_fns.sh
+++ b/.buildkite/scripts/common/vault_fns.sh
@@ -65,3 +65,23 @@ vault_kv_set() {
 vault kv put "$VAULT_KV_PREFIX/$kv_path" "${fields[@]}"
 }
+
+function get_vault_role_id() {
+ if [[ "$IS_LEGACY_VAULT_ADDR" == "true" ]]; then
+ VAULT_ROLE_ID="$(retry 5 15 gcloud secrets versions access latest --secret=kibana-buildkite-vault-role-id)"
+ else
+ VAULT_ROLE_ID="$(vault_get kibana-buildkite-vault-credentials role-id)"
+ fi
+
+ echo "$VAULT_ROLE_ID"
+}
+
+function get_vault_secret_id() {
+ if [[ "$IS_LEGACY_VAULT_ADDR" == "true" ]]; then
+ VAULT_SECRET_ID="$(retry 5 15 gcloud secrets versions access latest --secret=kibana-buildkite-vault-secret-id)"
+ else
+ VAULT_SECRET_ID="$(vault_get kibana-buildkite-vault-credentials secret-id)"
+ fi
+
+ echo "$VAULT_SECRET_ID"
+}
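Review bot: Both new helpers, `get_vault_role_id` and `get_vault_secret_id`, return the status of their trailing `echo`, so a failed `gcloud` or `vault_get` lookup yields an empty credential and exit status 0 unless errexit happens to be in effect inside the command substitution. They also assign the shell-global `VAULT_ROLE_ID` / `VAULT_SECRET_ID` instead of a `local`, which overwrites the caller's value whenever a helper is invoked outside `$(...)`. In each branch I would write `local role_id; role_id="$(vault_get kibana-buildkite-vault-credentials role-id)" || return 1` and finish with `printf '%s\n' "$role_id"`. A header comment such as `# Prints the vault role-id to stdout; call only inside $(...) so the value never reaches the build log.` would document the contract, since a bare call writes the credential to the job output.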
diff --git a/.buildkite/scripts/steps/artifacts/publish.sh b/.buildkite/scripts/steps/artifacts/publish.sh
index 6e8a9ed2bb47d..36b1ccacfd016 100644
--- a/.buildkite/scripts/steps/artifacts/publish.sh
+++ b/.buildkite/scripts/steps/artifacts/publish.sh
@@ -50,8 +50,8 @@ docker pull docker.elastic.co/infra/release-manager:latest
 echo "--- Publish artifacts"
 if [[ "$BUILDKITE_BRANCH" == "$KIBANA_BASE_BRANCH" ]]; then
- export VAULT_ROLE_ID="$(retry 5 15 gcloud secrets versions access latest --secret=kibana-buildkite-vault-role-id)"
- export VAULT_SECRET_ID="$(retry 5 15 gcloud secrets versions access latest --secret=kibana-buildkite-vault-secret-id)"
+ export VAULT_ROLE_ID="$(get_vault_role_id)"
+ export VAULT_SECRET_ID="$(get_vault_secret_id)"
 export VAULT_ADDR="https://secrets.elastic.co:8200"
 docker run --rm \
 --name release-manager \
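Review bot: `export VAULT_ROLE_ID="$(get_vault_role_id)"` and the matching `VAULT_SECRET_ID` line discard the helper's exit status, because `export` itself succeeds, so an empty credential would presumably be carried into the `release-manager` run and the failure would surface only there (the removed lines had the same shape). Assign first and export separately, then fail fast on an empty value: `VAULT_ROLE_ID="$(get_vault_role_id)"; export VAULT_ROLE_ID` followed by `: "${VAULT_ROLE_ID:?vault role-id lookup returned nothing}"`, and the same for the secret-id. The `if` block and the `docker run` command continue past the end of the hunk, so how the variables reach the container is not visible here.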