
[9.0](backport #4895) bk: use GCP OIDC #4933

Merged
v1v merged 3 commits into 9.0 from mergify/bp/9.0/pr-4895 on May 21, 2025

Conversation

mergify bot (Contributor) commented May 19, 2025

What is the problem this PR solves?

Remove static service accounts and the security concerns around them.

How does this PR solve the problem?

  • Use GCP OIDC to copy the logs to the private storage.
  • Use gcloud instead of gsutil (so it honours the Env variables)
  • Tear-down is now managed by the BK plugin itself.

How to test this PR locally

In the CI:

Produced

2025-05-07 13:49:22 UTC | If you have a compatible Python interpreter installed, you can use it by setting
2025-05-07 13:49:22 UTC | the CLOUDSDK_PYTHON environment variable to point to it.
2025-05-07 13:49:22 UTC |
2025-05-07 13:49:26 UTC | Copying file://build/distributions/fleet-server-fips-9.1.0-SNAPSHOT-linux-arm64.tar.gz.sha512 to gs://fleet-server-ci-internal/jobs/commits/29b03ada4cc6bc8b735d8d616c662818aa84eb3e/fleet-server-fips-9.1.0-SNAPSHOT-linux-arm64.tar.gz.sha512
2025-05-07 13:49:26 UTC | Copying file://build/distributions/fleet-server-fips-9.1.0-SNAPSHOT-linux-arm64.tar.gz to gs://fleet-server-ci-internal/jobs/commits/29b03ada4cc6bc8b735d8d616c662818aa84eb3e/fleet-server-fips-9.1.0-SNAPSHOT-linux-arm64.tar.gz
2025-05-07 13:49:27 UTC | Completed files 2/2 | 7.5MiB/7.5MiB
2025-05-07 13:49:28 UTC |

Design Checklist

  • I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
  • I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
  • I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool

Related issues


This is an automatic backport of pull request #4895 done by [Mergify](https://mergify.com).

(cherry picked from commit d4d19b2)

# Conflicts:
#	.buildkite/hooks/pre-command
#	.buildkite/hooks/pre-exit
#	.buildkite/pipeline.package.mbp.yml
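The PR description above says a static service account is replaced by GCP OIDC and that gcloud is used instead of gsutil because gcloud honours the environment. The script below is an added example, not the fleet-server project's own .buildkite scripts, showing what actually lands on the agent in that model: a key-less "external_account" credential configuration that points gcloud at the job's OIDC token and at a Workload Identity pool/provider, a guard that rejects any credential file carrying a long-lived private key, and the upload command built from that environment. The project number, pool, provider and service-account e-mail are placeholders (assumptions), the OIDC token is a constructed stand-in, and the environment variable names are the ones gcloud reads (CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, GOOGLE_APPLICATION_CREDENTIALS); the script does not need gcloud installed because it only prints the command it would run.

```shell
#!/usr/bin/env bash
# Added example (not the fleet-server project's own scripts).
# Demonstrates the key-less credential setup a Buildkite job uses when it
# authenticates to GCP via OIDC / Workload Identity Federation instead of a
# static service-account key. Pool, provider, project number and service
# account are placeholders (assumptions), not values taken from the PR.
set -euo pipefail

# Write a Workload Identity Federation credential configuration: the file
# gcloud loads via GOOGLE_APPLICATION_CREDENTIALS or
# CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE. It contains no secret; the job's
# short-lived OIDC JWT in $2 is exchanged at the STS endpoint at run time.
# $1 = output path, $2 = path of the file holding the job's OIDC token.
write_wif_credential_config() {
  local out="$1" token_file="$2"
  local project_number="123456789012"                                   # placeholder
  local pool="buildkite" provider="buildkite"                           # placeholder
  local sa="ci-logs-uploader@example-project.iam.gserviceaccount.com"   # placeholder
  cat >"$out" <<EOF
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool}/providers/${provider}",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${sa}:generateAccessToken",
  "credential_source": { "file": "${token_file}" }
}
EOF
}

# Guard: accept only a key-less external_account configuration. Returns 0 when
# the file is key-less, 1 when it is not an external_account file or embeds a
# "private_key" (a downloaded service-account key, the thing the PR removes).
credential_is_keyless() {
  local f="$1"
  grep -q '"type": *"external_account"' "$f" || return 1
  ! grep -q '"private_key"' "$f"
}

# Build the upload command. gcloud honours the CLOUDSDK_* environment, so the
# credential file chosen by the OIDC step is used without any boto/gsutil
# configuration. $1 = local dir, $2 = commit SHA, $3 = bucket name.
upload_cmd() {
  local src_dir="$1" commit="$2" bucket="$3"
  printf 'gcloud storage cp --recursive %s/* gs://%s/jobs/commits/%s/\n' \
    "$src_dir" "$bucket" "$commit"
}

main() {
  local tmp
  tmp="$(mktemp -d)"
  # Constructed stand-in for the OIDC token Buildkite would mint for the job.
  printf 'header.payload.signature' >"$tmp/oidc-token"
  write_wif_credential_config "$tmp/wif.json" "$tmp/oidc-token"
  if credential_is_keyless "$tmp/wif.json"; then
    echo "credential config is key-less: OK"
  else
    echo "refusing credential file with an embedded key" >&2
    exit 1
  fi
  export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="$tmp/wif.json"
  export GOOGLE_APPLICATION_CREDENTIALS="$tmp/wif.json"
  upload_cmd build/distributions 29b03ada4cc6bc8b735d8d616c662818aa84eb3e fleet-server-ci-internal
  # Tear-down: the token and credential config never outlive the job.
  rm -rf "$tmp"
}

main
```

The security property to check in review is that nothing on the agent is worth stealing after the job: the credential file holds only an audience and endpoints, and the subject token is the job's own OIDC JWT, which the STS exchange accepts only while it is valid and only for the pool/provider it names. Adding the guard to a pre-command hook catches a regression where someone drops a downloaded key JSON back into GOOGLE_APPLICATION_CREDENTIALS.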
@mergify mergify bot added backport conflicts There is a conflict in the backported pull request labels May 19, 2025
@mergify mergify bot requested a review from a team as a code owner May 19, 2025 17:56
@mergify mergify bot assigned v1v May 19, 2025
mergify bot (Contributor, Author) commented May 19, 2025

Cherry-pick of d4d19b2 has failed:

On branch mergify/bp/9.0/pr-4895
Your branch is up to date with 'origin/9.0'.

You are currently cherry-picking commit d4d19b2.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   .buildkite/pipeline.yml
	modified:   .buildkite/scripts/common.sh
	modified:   .buildkite/scripts/dra_release.sh
	modified:   .buildkite/scripts/package.sh
	modified:   .buildkite/scripts/release_test.sh

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   .buildkite/hooks/pre-command
	both modified:   .buildkite/hooks/pre-exit
	both modified:   .buildkite/pipeline.package.mbp.yml

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

prodsecmachine commented May 19, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found.

license/snyk check is complete. No issues have been found.

v1v (Member) commented May 19, 2025

Requires #4934

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label May 20, 2025
v1v previously approved these changes May 20, 2025
@v1v v1v removed the conflicts There is a conflict in the backported pull request label May 20, 2025
@v1v v1v enabled auto-merge (squash) May 20, 2025 19:47
elastic-sonarqube commented

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@v1v v1v merged commit aec383e into 9.0 May 21, 2025
9 checks passed
@v1v v1v deleted the mergify/bp/9.0/pr-4895 branch May 21, 2025 12:38

Labels: backport, Team:Elastic-Agent-Control-Plane (Label for the Agent Control Plane team)

4 participants