chore: rename sa-proxy key's variable, set up bazel cache with a key …

…and access
elastic · Feb 5, 2024 · b12ce66 · b12ce66
1 parent 8e3ec5f
commit b12ce66
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 8 deletions.
diff --git a/.buildkite/scripts/common/activate_service_account.sh b/.buildkite/scripts/common/activate_service_account.sh
@@ -22,7 +22,7 @@ GCLOUD_SA_PROXY_EMAIL="kibana-ci-sa-proxy@$GCLOUD_EMAIL_POSTFIX"
 
 if [[ "$GCLOUD_USER" != "$GCLOUD_SA_PROXY_EMAIL" ]]; then
     if [[ -x "$(command -v gcloud)" ]]; then
-      AUTH_RESULT=$(gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS" || "FAILURE")
+      AUTH_RESULT=$(gcloud auth activate-service-account --key-file="$KIBANA_SERVICE_ACCOUNT_PROXY_KEY" || "FAILURE")
       if [[ "$AUTH_RESULT" == "FAILURE" ]]; then
         echo "Failed to activate service account $GCLOUD_SA_PROXY_EMAIL."
         exit 1

diff --git a/.buildkite/scripts/common/setup_bazel.sh b/.buildkite/scripts/common/setup_bazel.sh
@@ -2,6 +2,8 @@
 
 source .buildkite/scripts/common/util.sh
 
+echo '--- Setting up bazel'
+
 echo "[bazel] writing .bazelrc"
 cat <<EOF > $KIBANA_DIR/.bazelrc
   # Generated by .buildkite/scripts/common/setup_bazel.sh
@@ -27,16 +29,16 @@ if [[ "$BAZEL_CACHE_MODE" == "gcs" ]]; then
 
   echo "[bazel] using GCS bucket: $BAZEL_BUCKET"
 
-cat <<EOF >> $KIBANA_DIR/.bazelrc
+  cat <<EOF >> $KIBANA_DIR/.bazelrc
   build --remote_cache=https://storage.googleapis.com/$BAZEL_BUCKET
-  build --google_default_credentials
+  build --google_credentials=$BAZEL_REMOTE_CACHE_CREDENTIALS_FILE
 EOF
 fi
 
 if [[ "$BAZEL_CACHE_MODE" == "populate-local-gcs" ]]; then
   echo "[bazel] enabling caching with GCS buckets for local dev"
 
-cat <<EOF >> $KIBANA_DIR/.bazelrc
+  cat <<EOF >> $KIBANA_DIR/.bazelrc
   build --remote_cache=https://storage.googleapis.com/kibana-local-bazel-remote-cache
   build --google_credentials=$BAZEL_LOCAL_DEV_CACHE_CREDENTIALS_FILE
 EOF

diff --git a/.buildkite/scripts/lifecycle/pre_command.sh b/.buildkite/scripts/lifecycle/pre_command.sh
@@ -167,10 +167,15 @@ BAZEL_LOCAL_DEV_CACHE_CREDENTIALS_FILE="$HOME/.kibana-ci-bazel-remote-cache-loca
 export BAZEL_LOCAL_DEV_CACHE_CREDENTIALS_FILE
 vault_get kibana-ci-bazel-remote-cache-local-dev service_account_json > "$BAZEL_LOCAL_DEV_CACHE_CREDENTIALS_FILE"
 
-# Export and activate service account proxy
-GOOGLE_APPLICATION_CREDENTIALS="$(mktemp -d)/kibana-gcloud-service-account.json"
-export GOOGLE_APPLICATION_CREDENTIALS
-vault_get kibana-ci-sa-proxy-key key | base64 -d > "$GOOGLE_APPLICATION_CREDENTIALS"
+# Export key for accessing bazel remote cache's GCS bucket
+BAZEL_REMOTE_CACHE_CREDENTIALS_FILE="$HOME/.kibana-ci-bazel-remote-cache-gcs.json"
+export BAZEL_REMOTE_CACHE_CREDENTIALS_FILE
+vault_get kibana-ci-bazel-remote-cache-sa-key key | base64 -d > "$BAZEL_REMOTE_CACHE_CREDENTIALS_FILE"
+
+# Setup GCS Service Account Proxy for CI
+KIBANA_SERVICE_ACCOUNT_PROXY_KEY="$(mktemp -d)/kibana-gcloud-service-account.json"
+export KIBANA_SERVICE_ACCOUNT_PROXY_KEY
+vault_get kibana-ci-sa-proxy-key key | base64 -d > "$KIBANA_SERVICE_ACCOUNT_PROXY_KEY"
 
 PIPELINE_PRE_COMMAND=${PIPELINE_PRE_COMMAND:-".buildkite/scripts/lifecycle/pipelines/$BUILDKITE_PIPELINE_SLUG/pre_command.sh"}
 if [[ -f "$PIPELINE_PRE_COMMAND" ]]; then