[Ops] Fix GCS bucket access for future buildkite agents (elastic#174756)
## Summary

Once we're moving to the elastic-wide buildkite agents, and away from the kibana-buildkite-managed ones, we won't have default access to the buckets we used to use, as the assumed service account will differ.

**Note:** Although this will only be required in the new infra, this change can be merged and is expected to work properly in the current infra as well.

### Solution

We've set up a central service-account with rights to impersonate other service accounts that have controlled access to individual buckets to minimize the reach and influence of individual accounts. See: elastic/kibana-operations#51

**several of the changes weren't tested, as they're part of CI tasks outside the PR build** - will merge with caution and monitor the stability afterwards

TODO: _add access, and assume account before other GCS bucket usages_
- [x] storybook
- [x] coverage (.buildkite/scripts/steps/code_coverage/reporting/uploadPrevSha.sh)
- [x] upload static site (.buildkite/scripts/steps/code_coverage/reporting/uploadStaticSite.sh)
- [x] SO object migration (.buildkite/scripts/steps/archive_so_migration_snapshot.sh)
- [x] ES Snapshot manifest upload (.buildkite/scripts/steps/es_snapshots/create_manifest.ts)
- [x] Scalability? (.buildkite/scripts/steps/functional/scalability_dataset_extraction.sh)
- [x] Benchmarking (.buildkite/scripts/steps/scalability/benchmarking.sh)
- [x] Webpack bundle analyzer (.buildkite/scripts/steps/webpack_bundle_analyzer/upload.ts)
- [x] ~Build chromium (x-pack/build_chromium/build.py)~ Not needed, as it's manual, and not a CI task

TODO: _others_
- [x] Remove manifest upload (.buildkite/scripts/steps/es_serverless/promote_es_serverless_image.sh)
- [x] Decide if we should merge with the CDN access: no, SRE is managing that account
- [x] Bazel remote cache seems to also rely on gcs - roles PR: elastic/kibana-operations#56

Closes: elastic/kibana-operations#29
Part of: elastic/kibana-operations#15
1 parent d295be7; commit 377f1d6. Showing 17 changed files with 200 additions and 85 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -euo pipefail | ||
|
||
source "$(dirname "${BASH_SOURCE[0]}")/vault_fns.sh" | ||
|
||
BUCKET_OR_EMAIL="${1:-}" | ||
GCLOUD_EMAIL_POSTFIX="elastic-kibana-ci.iam.gserviceaccount.com" | ||
GCLOUD_SA_PROXY_EMAIL="kibana-ci-sa-proxy@$GCLOUD_EMAIL_POSTFIX" | ||
|
||
if [[ -z "$BUCKET_OR_EMAIL" ]]; then | ||
echo "Usage: $0 <bucket_name|email>" | ||
exit 1 | ||
elif [[ "$BUCKET_OR_EMAIL" == "--unset-impersonation" ]]; then | ||
echo "Unsetting impersonation" | ||
gcloud config unset auth/impersonate_service_account | ||
exit 0 | ||
elif [[ "$BUCKET_OR_EMAIL" == "--logout-gcloud" ]]; then | ||
echo "Logging out of gcloud" | ||
if [[ -x "$(command -v gcloud)" ]] && [[ "$(gcloud auth list 2>/dev/null | grep $GCLOUD_SA_PROXY_EMAIL)" != "" ]]; then | ||
gcloud auth revoke $GCLOUD_SA_PROXY_EMAIL --no-user-output-enabled | ||
fi | ||
exit 0 | ||
fi | ||
|
||
CURRENT_GCLOUD_USER=$(gcloud auth list --filter="status=ACTIVE" --format="value(account)") | ||
|
||
# Verify that the service account proxy is activated | ||
if [[ "$CURRENT_GCLOUD_USER" != "$GCLOUD_SA_PROXY_EMAIL" ]]; then | ||
if [[ -x "$(command -v gcloud)" ]]; then | ||
if [[ -z "${KIBANA_SERVICE_ACCOUNT_PROXY_KEY:-}" ]]; then | ||
echo "KIBANA_SERVICE_ACCOUNT_PROXY_KEY is not set, cannot activate service account $GCLOUD_SA_PROXY_EMAIL." | ||
exit 1 | ||
fi | ||
|
||
AUTH_RESULT=$(gcloud auth activate-service-account --key-file="$KIBANA_SERVICE_ACCOUNT_PROXY_KEY" || "FAILURE") | ||
if [[ "$AUTH_RESULT" == "FAILURE" ]]; then | ||
echo "Failed to activate service account $GCLOUD_SA_PROXY_EMAIL." | ||
exit 1 | ||
else | ||
echo "Activated service account $GCLOUD_SA_PROXY_EMAIL" | ||
fi | ||
else | ||
echo "gcloud is not installed, cannot activate service account $GCLOUD_SA_PROXY_EMAIL." | ||
exit 1 | ||
fi | ||
fi | ||
|
||
# Check if the arg is a service account e-mail or a bucket name | ||
EMAIL="" | ||
if [[ "$BUCKET_OR_EMAIL" =~ ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then | ||
EMAIL="$BUCKET_OR_EMAIL" | ||
elif [[ "$BUCKET_OR_EMAIL" =~ ^gs://* ]]; then | ||
BUCKET_NAME="${BUCKET_OR_EMAIL:5}" | ||
else | ||
BUCKET_NAME="$BUCKET_OR_EMAIL" | ||
fi | ||
|
||
if [[ -z "$EMAIL" ]]; then | ||
case "$BUCKET_NAME" in | ||
"elastic-kibana-coverage-live") | ||
EMAIL="kibana-ci-access-coverage@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
"kibana-ci-es-snapshots-daily") | ||
EMAIL="kibana-ci-access-es-snapshots@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
"kibana-so-types-snapshots") | ||
EMAIL="kibana-ci-access-so-snapshots@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
"kibana-performance") | ||
EMAIL="kibana-ci-access-perf-stats@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
"ci-artifacts.kibana.dev") | ||
EMAIL="kibana-ci-access-artifacts@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
*) | ||
EMAIL="$BUCKET_NAME@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
esac | ||
fi | ||
|
||
# Activate the service account | ||
echo "Impersonating $EMAIL" | ||
gcloud config set auth/impersonate_service_account "$EMAIL" | ||
echo "Activated service account $EMAIL" |
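Review bot: the activation check at `AUTH_RESULT=$(gcloud auth activate-service-account --key-file="$KIBANA_SERVICE_ACCOUNT_PROXY_KEY" || "FAILURE")` cannot work as written: `"FAILURE"` is executed as a command rather than echoed, so on failure the substitution produces a "command not found" error and a non-zero status, which under `set -euo pipefail` aborts the script before the `[[ "$AUTH_RESULT" == "FAILURE" ]]` branch and its message are ever reached (and on success gcloud reports to stderr, so stdout is empty either way). A direct test is simpler and correct: `if ! gcloud auth activate-service-account --key-file="$KIBANA_SERVICE_ACCOUNT_PROXY_KEY"; then echo "Failed to activate service account $GCLOUD_SA_PROXY_EMAIL."; exit 1; fi`. Two smaller points in the same file: `CURRENT_GCLOUD_USER=$(gcloud auth list ...)` runs before the `command -v gcloud` guard, so the "gcloud is not installed" message is unreachable (move the guard above that call); and in `^gs://*` the `*` applies to the second slash, so `gs:foo` is accepted and then mangled by `${BUCKET_OR_EMAIL:5}`, where `^gs://` is what is meant. Finally, the `*)` default in the `case` turns any unrecognised bucket name into an impersonation target (`$BUCKET_NAME@$GCLOUD_EMAIL_POSTFIX`); exiting with a message listing the known buckets would surface typos at the call site instead of as a late permission error, and keeps the bucket-to-service-account mapping explicit, which is the least-privilege point this change is making.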
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
#!/bin/bash | ||
|
||
# TODO: remove after https://github.com/elastic/kibana-operations/issues/15 is done | ||
if [[ "${VAULT_ADDR:-}" == *"secrets.elastic.co"* ]]; then | ||
VAULT_PATH_PREFIX="secret/kibana-issues/dev" | ||
VAULT_KV_PREFIX="secret/kibana-issues/dev" | ||
IS_LEGACY_VAULT_ADDR=true | ||
else | ||
VAULT_PATH_PREFIX="secret/ci/elastic-kibana" | ||
VAULT_KV_PREFIX="kv/ci-shared/kibana-deployments" | ||
IS_LEGACY_VAULT_ADDR=false | ||
fi | ||
export IS_LEGACY_VAULT_ADDR | ||
|
||
retry() { | ||
local retries=$1; shift | ||
local delay=$1; shift | ||
local attempts=1 | ||
|
||
until "$@"; do | ||
retry_exit_status=$? | ||
echo "Exited with $retry_exit_status" >&2 | ||
if (( retries == "0" )); then | ||
return $retry_exit_status | ||
elif (( attempts == retries )); then | ||
echo "Failed $attempts retries" >&2 | ||
return $retry_exit_status | ||
else | ||
echo "Retrying $((retries - attempts)) more times..." >&2 | ||
attempts=$((attempts + 1)) | ||
sleep "$delay" | ||
fi | ||
done | ||
} | ||
|
||
vault_get() { | ||
key_path=${1:-} | ||
field=${2:-} | ||
|
||
fullPath="$VAULT_PATH_PREFIX/$key_path" | ||
|
||
if [[ -z "$field" || "$field" =~ ^-.* ]]; then | ||
retry 5 5 vault read "$fullPath" "${@:2}" | ||
else | ||
retry 5 5 vault read -field="$field" "$fullPath" "${@:3}" | ||
fi | ||
} | ||
|
||
vault_set() { | ||
key_path=$1 | ||
shift | ||
fields=("$@") | ||
|
||
|
||
fullPath="$VAULT_PATH_PREFIX/$key_path" | ||
|
||
# shellcheck disable=SC2068 | ||
retry 5 5 vault write "$fullPath" ${fields[@]} | ||
} | ||
|
||
vault_kv_set() { | ||
kv_path=$1 | ||
shift | ||
fields=("$@") | ||
|
||
vault kv put "$VAULT_KV_PREFIX/$kv_path" "${fields[@]}" | ||
} |
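Review bot: `vault_set` passes its fields unquoted (`retry 5 5 vault write "$fullPath" ${fields[@]}`, with `# shellcheck disable=SC2068` suppressing the warning) while `vault_kv_set` quotes them (`vault kv put "$VAULT_KV_PREFIX/$kv_path" "${fields[@]}"`); the unquoted form word-splits and glob-expands any `key=value` argument containing spaces or wildcard characters, so the two should match and the shellcheck disable line should go. Related: `vault_kv_set` is the only helper that does not go through `retry`, and `key_path`, `field`, `fullPath`, `fields` and `retry_exit_status` are assigned without `local`, so each call overwrites same-named variables in the sourcing script (`activate_service_account.sh` sources this file at the top). Declaring them `local` keeps the helpers side-effect free.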