From 32e2e1ce73f5e575559fdc5df1d90de7cbe89d71 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Wed, 18 Jun 2025 11:31:59 +0200 Subject: [PATCH 1/2] bk: use docker login plugin (#631) (cherry picked from commit d64e74810cc47652396dc11a0057b6a9c0b485fa) # Conflicts: # .buildkite/scripts/build.sh --- .buildkite/fpm-pipeline.yml | 7 +++++-- .buildkite/hooks/pre-command | 11 ----------- .buildkite/hooks/pre-exit | 4 ---- .buildkite/llvm-apple-pipeline.yml | 8 ++++++-- .buildkite/pipeline.yml | 10 ++++++++-- .buildkite/scripts/build.sh | 5 +++++ 6 files changed, 24 insertions(+), 21 deletions(-) diff --git a/.buildkite/fpm-pipeline.yml b/.buildkite/fpm-pipeline.yml index 3c7da927..5bf07b7d 100644 --- a/.buildkite/fpm-pipeline.yml +++ b/.buildkite/fpm-pipeline.yml @@ -3,8 +3,7 @@ env: SETUP_GVM_VERSION: "v0.5.1" IMAGE_UBUNTU_X86_64: "family/core-ubuntu-2204" - DOCKER_REGISTRY: "docker.elastic.co" - STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci" + STAGING_IMAGE: "docker.elastic.co/observability-ci" MAKEFILE: "fpm" CHANGESET_FILE: ".buildkite/scripts/changeset/fpm" DOCKER_FILTER_REF: "docker.elastic.co/beats-dev" @@ -20,6 +19,9 @@ common: lifetime: 10800 # seconds project-id: "elastic-observability-ci" project-number: "911195782929" + - docker_elastic_login_plugin: &docker_elastic_login_plugin + elastic/vault-docker-login#v0.6.0: + secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry' steps: - label: ":linux: Build FPM / Ubuntu X86_64" @@ -38,3 +40,4 @@ steps: image: "${IMAGE_UBUNTU_X86_64}" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index 7da4d218..5cc20619 100644 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command 
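Review bot: Dropping `DOCKER_REGISTRY` from `env` in the first hunk of `.buildkite/fpm-pipeline.yml` is only safe if nothing on this backport branch still reads it. The conflict in `.buildkite/scripts/build.sh` shows that this branch's copy did use `${DOCKER_REGISTRY}`, which the original commit did not have to handle. The hooks run with `set -euo pipefail`, so a leftover reference in a script with the same settings would abort the job with an unbound-variable error. A search for `DOCKER_REGISTRY` across `.buildkite/` and the Makefiles before merging would settle it. The same removal is made in `llvm-apple-pipeline.yml` and `pipeline.yml`.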
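Review bot: The new `docker_elastic_login_plugin` anchor references the plugin by tag, `elastic/vault-docker-login#v0.6.0`, and a tag can be re-pointed after this review. The plugin reads registry credentials from Vault on every step that includes it, so pinning to a full commit SHA would make the executed code immutable. I would write the key as `elastic/vault-docker-login#<full-commit-sha-of-v0.6.0>:` followed by a `# v0.6.0` comment. The same anchor is added in `.buildkite/llvm-apple-pipeline.yml` and `.buildkite/pipeline.yml`, so the pin applies to all three files. A one-line comment above the anchor naming the registry host that `secret_path` logs into would also help, now that `DOCKER_REGISTRY` is no longer declared.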
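Review bot: Nothing visible replaces the `docker logout "${DOCKER_REGISTRY}"` that `.buildkite/hooks/pre-exit` ran for `build*` steps, which this patch deletes while moving the login to `- *docker_elastic_login_plugin` on this step. Unless the plugin removes the credentials itself when the job ends, or these agents are single-use, the registry auth stays in the agent's Docker config after the step. Please confirm which of these holds and record it in a comment next to the plugin entry. The removed `pre-command` condition also logged in for `release*` step keys, so any release step that pushes to the registry needs the plugin too. The hunks do not show whether every such step in `llvm-apple-pipeline.yml` and `pipeline.yml` received it.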
@@ -4,17 +4,6 @@ set -euo pipefail source .buildkite/scripts/common.sh -DOCKER_REGISTRY_SECRET_PATH="kv/ci-shared/platform-ingest/docker_registry_prod" - -# Secrets must be redacted -# https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables - -if [[ ("$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" || "$BUILDKITE_PIPELINE_SLUG" == "llvm-apple" || "$BUILDKITE_PIPELINE_SLUG" == "fpm") && ( "$BUILDKITE_STEP_KEY" == build* || "$BUILDKITE_STEP_KEY" == release* ) ]]; then - export DOCKER_USERNAME_SECRET=$(retry 5 vault kv get -field user "${DOCKER_REGISTRY_SECRET_PATH}") - export DOCKER_PASSWORD_SECRET=$(retry 5 vault kv get -field password "${DOCKER_REGISTRY_SECRET_PATH}") - docker login -u "${DOCKER_USERNAME_SECRET}" -p "${DOCKER_PASSWORD_SECRET}" "${DOCKER_REGISTRY}" 2>/dev/null -fi - if [[ "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" && "$BUILDKITE_STEP_KEY" == "release-post" ]]; then GITHUB_USERNAME_SECRET="elasticmachine" export GITHUB_USERNAME_SECRET=$GITHUB_USERNAME_SECRET diff --git a/.buildkite/hooks/pre-exit b/.buildkite/hooks/pre-exit index 0f77bcf3..558e71b9 100644 --- a/.buildkite/hooks/pre-exit +++ b/.buildkite/hooks/pre-exit @@ -6,9 +6,5 @@ source .buildkite/scripts/common.sh unset_secrets -if [[ ( "$BUILDKITE_PIPELINE_SLUG" == "golang-crossbuild" || "$BUILDKITE_PIPELINE_SLUG" == "llvm-apple" || "$BUILDKITE_PIPELINE_SLUG" == "fpm") && ( "$BUILDKITE_STEP_KEY" == build* ) ]]; then - docker logout "${DOCKER_REGISTRY}" -fi - # Ensure that any temporal files created during any step are removed cleanup diff --git a/.buildkite/llvm-apple-pipeline.yml b/.buildkite/llvm-apple-pipeline.yml index 8e05cd56..45d4a13c 100644 --- a/.buildkite/llvm-apple-pipeline.yml +++ b/.buildkite/llvm-apple-pipeline.yml 
@@ -4,8 +4,7 @@ env: SETUP_GVM_VERSION: "v0.5.1" IMAGE_UBUNTU_X86_64: "family/core-ubuntu-2204" IMAGE_UBUNTU_ARM_64: "core-ubuntu-2004-aarch64" - DOCKER_REGISTRY: "docker.elastic.co" - STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci" + STAGING_IMAGE: "docker.elastic.co/observability-ci" MAKEFILE: "go/llvm-apple" CHANGESET_FILE: ".buildkite/scripts/changeset/llvm-apple" DOCKER_FILTER_REF: "*/*/golang-crossbuild:llvm-apple*" @@ -21,6 +20,9 @@ common: lifetime: 10800 # seconds project-id: "elastic-observability-ci" project-number: "911195782929" + - docker_elastic_login_plugin: &docker_elastic_login_plugin + elastic/vault-docker-login#v0.6.0: + secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry' steps: - label: ":linux: Build LLVM Apple / Ubuntu X86_64 - {{matrix.debianVersion}}" @@ -41,6 +43,7 @@ steps: image: "${IMAGE_UBUNTU_X86_64}" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin matrix: setup: debianVersion: @@ -67,6 +70,7 @@ steps: instanceType: "t4g.large" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin matrix: setup: debianVersion: diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 92872f7c..2d0dc31f 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -5,8 +5,7 @@ env: IMAGE_UBUNTU_X86_64: "family/platform-ingest-beats-ubuntu-2204" INSTANCE_TYPE_X86_64: "n2-standard-4" IMAGE_UBUNTU_ARM_64: "core-ubuntu-2004-aarch64" - DOCKER_REGISTRY: "docker.elastic.co" - STAGING_IMAGE: "${DOCKER_REGISTRY}/observability-ci" + STAGING_IMAGE: "docker.elastic.co/observability-ci" BUILDX: 1 # This section is used to define the plugins that will be used in the pipeline. @@ -19,6 +18,9 @@ common: lifetime: 10800 # seconds project-id: "elastic-observability-ci" project-number: "911195782929" + - docker_elastic_login_plugin: &docker_elastic_login_plugin + elastic/vault-docker-login#v0.6.0: + secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry' steps: 
@@ -110,6 +112,7 @@ steps: instanceType: "${INSTANCE_TYPE_X86_64}" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin retry: automatic: limit: 1 @@ -145,6 +148,7 @@ steps: instanceType: "t4g.large" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin retry: automatic: limit: 1 @@ -178,6 +182,7 @@ steps: instanceType: "${INSTANCE_TYPE_X86_64}" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin retry: automatic: limit: 1 @@ -213,6 +218,7 @@ steps: instanceType: "t4g.large" plugins: - *gcp_oidc_plugin + - *docker_elastic_login_plugin retry: automatic: limit: 1 diff --git a/.buildkite/scripts/build.sh b/.buildkite/scripts/build.sh index 02a80e8f..0b4d194a 100755 --- a/.buildkite/scripts/build.sh +++ b/.buildkite/scripts/build.sh @@ -17,7 +17,12 @@ make -C go -f "${MAKEFILE}" build"${is_arm}" GS_BUCKET_PATH=golang-crossbuild-ci echo "--- List Docker images staging"xd docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${STAGING_IMAGE}/golang-crossbuild" +<<<<<<< HEAD echo ":: List Docker images production ::" docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${DOCKER_REGISTRY}/beats-dev/golang-crossbuild" +======= +echo "--- List Docker images production" +docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="docker.elastic.co/beats-dev/golang-crossbuild" +>>>>>>> d64e748 (bk: use docker login plugin (#631)) From 411c45c3ea41ea77eafee47bbd3e71b6a44feeb4 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Wed, 18 Jun 2025 11:41:26 +0200 Subject: [PATCH 2/2] Update .buildkite/scripts/build.sh --- .buildkite/scripts/build.sh | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.buildkite/scripts/build.sh b/.buildkite/scripts/build.sh index 0b4d194a..34a11a9a 100755 --- a/.buildkite/scripts/build.sh +++ b/.buildkite/scripts/build.sh 
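Review bot: The `build.sh` hunk in patch 1/2 adds the unresolved conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> d64e748 (...)` as script lines, so the file at this commit is not a runnable shell script. The HEAD side kept between the markers still expands `${DOCKER_REGISTRY}`, which the same patch removes from the pipeline `env`. Patch 2/2 resolves the conflict, but the broken revision stays in history. Squashing the two commits before merge would keep every commit on the branch buildable and keep `git bisect` usable across this change.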
@@ -14,15 +14,8 @@ with_mage make -C go -f "${MAKEFILE}" build"${is_arm}" GS_BUCKET_PATH=golang-crossbuild-ci-internal -echo "--- List Docker images staging"xd +echo "--- List Docker images staging" docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${STAGING_IMAGE}/golang-crossbuild" -<<<<<<< HEAD -echo ":: List Docker images production ::" -docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="${DOCKER_REGISTRY}/beats-dev/golang-crossbuild" - - -======= echo "--- List Docker images production" docker images --format "table {{.Repository}}:{{.Tag}}\t{{.Size}}" --filter=reference="docker.elastic.co/beats-dev/golang-crossbuild" ->>>>>>> d64e748 (bk: use docker login plugin (#631))