[Ops] Fix GCS bucket access for future buildkite agents #174756
Merged: delanni merged 24 commits into elastic:main from delanni:fix-gcs-access-in-elastic-buildkite on Feb 7, 2024
Changes from 21 commits

Commits (24)
430772d (delanni) chore: render gcloud credentials on pre-command
8c6f64c (delanni) chore: activate privileged gcloud account with access to gcs buckets
06d3171 (delanni) chore: activate service account before storybook upload
2b09a55 (delanni) Merge branch 'main' into fix-gcs-access-in-elastic-buildkite
1e09bd4 (delanni) chore: introduce service account activation snippet, make use of it
e40a31c (delanni) chore: fix vault_fns import
af7818a (delanni) Merge branch 'main' into fix-gcs-access-in-elastic-buildkite
bef73a9 (delanni) chore: change service account script to work with impersonation
8228842 (delanni) chore: wire in service account impersonation before gsutil calls
c672923 (delanni) chore: fix vault_get usage
9c0a021 (delanni) chore: only activate gcloud account after secrets were read
843488a (delanni) chore: add stack trace to failed vault_gets
4040093 (delanni) chore: don't activate sa-proxy account in pre-command, only before im…
a8dacbb (delanni) chore: fix typo in account-switch call
4ceb8a9 (delanni) Merge branch 'main' into fix-gcs-access-in-elastic-buildkite
8e3ec5f (delanni) chore: remove manifest upload from ES Serverless build - it's not use…
b12ce66 (delanni) chore: rename sa-proxy key's variable, set up bazel cache with a key …
96caabe (delanni) chore: tidy up acitvate_service_account.sh
d4e571b (delanni) chore: remove print_stack, it doesn't work as expected
f1dbec2 (delanni) chore: delete account activation for headless chrome builds, as it is…
5a91a62 (delanni) Merge branch 'main' into fix-gcs-access-in-elastic-buildkite
46f7bed (delanni) chore: fix path to activating the correct service accounts
9767b22 (delanni) chore: import vault_fns always relatively
c274d87 (delanni) chore: log out, and de-impersonalize after commands
@@ -0,0 +1,75 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -euo pipefail | ||
|
||
source .buildkite/scripts/common/vault_fns.sh | ||
|
||
BUCKET_OR_EMAIL="${1:-}" | ||
|
||
if [[ -z "$BUCKET_OR_EMAIL" ]]; then | ||
echo "Usage: $0 <bucket_name|email>" | ||
exit 1 | ||
elif [[ "$BUCKET_OR_EMAIL" == "-" ]]; then | ||
|
||
echo "Unsetting impersonation" | ||
gcloud config unset auth/impersonate_service_account | ||
exit 0 | ||
fi | ||
|
||
GCLOUD_EMAIL_POSTFIX="elastic-kibana-ci.iam.gserviceaccount.com" | ||
GCLOUD_SA_PROXY_EMAIL="kibana-ci-sa-proxy@$GCLOUD_EMAIL_POSTFIX" | ||
|
||
CURRENT_GCLOUD_USER=$(gcloud auth list --filter="status=ACTIVE" --format="value(account)") | ||
|
||
# Verify that the service account proxy is activated | ||
if [[ "$CURRENT_GCLOUD_USER" != "$GCLOUD_SA_PROXY_EMAIL" ]]; then | ||
if [[ -x "$(command -v gcloud)" ]]; then | ||
AUTH_RESULT=$(gcloud auth activate-service-account --key-file="$KIBANA_SERVICE_ACCOUNT_PROXY_KEY" || "FAILURE") | ||
if [[ "$AUTH_RESULT" == "FAILURE" ]]; then | ||
echo "Failed to activate service account $GCLOUD_SA_PROXY_EMAIL." | ||
exit 1 | ||
else | ||
echo "Activated service account $GCLOUD_SA_PROXY_EMAIL" | ||
fi | ||
else | ||
echo "gcloud is not installed, cannot activate service account $GCLOUD_SA_PROXY_EMAIL." | ||
exit 1 | ||
fi | ||
fi | ||
|
||
# Check if the arg is a service account e-mail or a bucket name | ||
EMAIL="" | ||
if [[ "$BUCKET_OR_EMAIL" =~ ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then | ||
EMAIL="$BUCKET_OR_EMAIL" | ||
elif [[ "$BUCKET_OR_EMAIL" =~ ^gs://* ]]; then | ||
BUCKET_NAME="${BUCKET_OR_EMAIL:5}" | ||
else | ||
BUCKET_NAME="$BUCKET_OR_EMAIL" | ||
fi | ||
|
||
if [[ -z "$EMAIL" ]]; then | ||
case "$BUCKET_NAME" in | ||
"elastic-kibana-coverage-live") | ||
EMAIL="kibana-ci-access-coverage@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
"kibana-ci-es-snapshots-daily") | ||
EMAIL="kibana-ci-access-es-snapshots@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
"kibana-so-types-snapshots") | ||
EMAIL="kibana-ci-access-so-snapshots@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
"kibana-performance") | ||
EMAIL="kibana-ci-access-perf-stats@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
"ci-artifacts.kibana.dev") | ||
EMAIL="kibana-ci-access-artifacts@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
*) | ||
EMAIL="$BUCKET_NAME@$GCLOUD_EMAIL_POSTFIX" | ||
;; | ||
esac | ||
fi | ||
|
||
# Activate the service account | ||
echo "Impersonating $EMAIL" | ||
gcloud config set auth/impersonate_service_account "$EMAIL" | ||
echo "Activated service account $EMAIL" |
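Review bot: the fallback in `AUTH_RESULT=$(gcloud auth activate-service-account --key-file="$KIBANA_SERVICE_ACCOUNT_PROXY_KEY" || "FAILURE")` never yields the string the next line compares against: on failure the shell tries to execute a command named `FAILURE`, which exits 127 with nothing on stdout, and because the script runs under `set -e` the non-zero assignment aborts it before the `"Failed to activate service account"` branch is reached. `gcloud auth activate-service-account` also reports on stderr, so `AUTH_RESULT` is empty even on success. The capture can simply be dropped: `if ! gcloud auth activate-service-account --key-file="$KIBANA_SERVICE_ACCOUNT_PROXY_KEY"; then echo "Failed to activate service account $GCLOUD_SA_PROXY_EMAIL."; exit 1; fi`. Two smaller points in the same hunk: `$KIBANA_SERVICE_ACCOUNT_PROXY_KEY` is read with no default, so under `set -u` a missing key fails with an unbound-variable message instead of an explicit one (a `${KIBANA_SERVICE_ACCOUNT_PROXY_KEY:?...}` check would make that clearer), and the pattern `^gs://*` should be `^gs://`, since the `*` quantifies the trailing slash and `gs:/name` is accepted as well.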
@@ -0,0 +1,67 @@ | ||
#!/bin/bash | ||
|
||
# TODO: remove after https://github.com/elastic/kibana-operations/issues/15 is done | ||
if [[ "${VAULT_ADDR:-}" == *"secrets.elastic.co"* ]]; then | ||
VAULT_PATH_PREFIX="secret/kibana-issues/dev" | ||
VAULT_KV_PREFIX="secret/kibana-issues/dev" | ||
IS_LEGACY_VAULT_ADDR=true | ||
else | ||
VAULT_PATH_PREFIX="secret/ci/elastic-kibana" | ||
VAULT_KV_PREFIX="kv/ci-shared/kibana-deployments" | ||
IS_LEGACY_VAULT_ADDR=false | ||
fi | ||
export IS_LEGACY_VAULT_ADDR | ||
|
||
retry() { | ||
local retries=$1; shift | ||
local delay=$1; shift | ||
local attempts=1 | ||
|
||
until "$@"; do | ||
retry_exit_status=$? | ||
echo "Exited with $retry_exit_status" >&2 | ||
if (( retries == "0" )); then | ||
return $retry_exit_status | ||
elif (( attempts == retries )); then | ||
echo "Failed $attempts retries" >&2 | ||
return $retry_exit_status | ||
else | ||
echo "Retrying $((retries - attempts)) more times..." >&2 | ||
attempts=$((attempts + 1)) | ||
sleep "$delay" | ||
fi | ||
done | ||
} | ||
|
||
vault_get() { | ||
key_path=${1:-} | ||
field=${2:-} | ||
|
||
fullPath="$VAULT_PATH_PREFIX/$key_path" | ||
|
||
if [[ -z "$field" || "$field" =~ ^-.* ]]; then | ||
retry 5 5 vault read "$fullPath" "${@:2}" | ||
else | ||
retry 5 5 vault read -field="$field" "$fullPath" "${@:3}" | ||
fi | ||
} | ||
|
||
vault_set() { | ||
key_path=$1 | ||
shift | ||
fields=("$@") | ||
|
||
|
||
fullPath="$VAULT_PATH_PREFIX/$key_path" | ||
|
||
# shellcheck disable=SC2068 | ||
retry 5 5 vault write "$fullPath" ${fields[@]} | ||
} | ||
|
||
vault_kv_set() { | ||
kv_path=$1 | ||
shift | ||
fields=("$@") | ||
|
||
vault kv put "$VAULT_KV_PREFIX/$kv_path" "${fields[@]}" | ||
} |
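Review bot: `vault_set` expands `${fields[@]}` unquoted (with `shellcheck disable=SC2068` to silence the warning), so a field value containing whitespace or glob characters, e.g. `password='a b'`, is split into separate arguments before `vault write` sees it; `vault_kv_set` a few lines below already uses the quoted form `"${fields[@]}"`, so the two helpers behave differently for the same input. Suggest quoting in `vault_set` too and dropping the suppression. Also, since this file is `source`d into the caller, `key_path`, `field`, `fields` and `fullPath` in `vault_get`, `vault_set` and `vault_kv_set` are not declared `local` and so leak into (and can be clobbered by) the calling script; `retry` already uses `local` for its own variables, apart from `retry_exit_status`, so applying the same to these functions would make the file consistent.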
I set up this script to make it easy to set up the impersonation before calling `gcloud storage` / `gsutil` commands. However, I didn't want the script caller to have to refer to e-mails that are associated with the service-accounts for the buckets. Do you think it's okay to have this bucket name -> service account mapping (from line 49) to make it handier to use the script (with defaults/fallbacks for activating based on the email)?