
Commit 75a38a8

authored
ci(release): use the new vault secret path (#258)
1 parent c00c4a3 commit 75a38a8


1 file changed

+7
-29
lines changed


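--- a/.buildkite/hooks/pre-command
+++ b/.buildkite/hooks/pre-command
@@ -13,18 +13,6 @@ if [[ "$BUILDKITE_COMMAND" =~ .*"upload".* ]]; then
 exit 0
 fi
 
-echo "--- Prepare vault context"
-set +x
-# TODO: this should be removed.
-VAULT_ROLE_ID_SECRET=$(vault read -field=role-id secret/ci/elastic-apm-agent-android/internal-ci-approle)
-export VAULT_ROLE_ID_SECRET
-VAULT_SECRET_ID_SECRET=$(vault read -field=secret-id secret/ci/elastic-apm-agent-android/internal-ci-approle)
-export VAULT_SECRET_ID_SECRET
-PROD_VAULT_ADDR=$(vault read -field=vault-url secret/ci/elastic-apm-agent-android/internal-ci-approle)
-
-# Delete the vault specific accessing the ci vault
-export VAULT_TOKEN_PREVIOUS=$VAULT_TOKEN
-
 echo "--- Prepare a secure temp :closed_lock_with_key:"
 # Prepare a secure temp folder not shared between other jobs to store the key ring
 export TMP_WORKSPACE=/tmp/secured
@@ -36,7 +24,6 @@ chmod -R 700 $TMP_WORKSPACE
 # Make sure we delete this folder before leaving even in case of failure
 clean_up () {
 ARG=$?
-export VAULT_TOKEN=$VAULT_TOKEN_PREVIOUS
 echo "--- Deleting tmp workspace"
 rm -rf $TMP_WORKSPACE
 exit $ARG
@@ -53,6 +40,13 @@ export ORG_GRADLE_PROJECT_sonatypeUsername
 ORG_GRADLE_PROJECT_sonatypePassword=$(vault kv get --field="password" $NEXUS_SECRET)
 export ORG_GRADLE_PROJECT_sonatypePassword
 
+# Gradle Plugin portal credentials
+GRADLE_SECRET=kv/ci-shared/release-eng/team-release-secrets/apm/gradle_plugin_portal
+PLUGIN_PORTAL_KEY=$(vault kv get --field="key" $GRADLE_SECRET)
+export PLUGIN_PORTAL_KEY
+PLUGIN_PORTAL_SECRET=$(vault kv get --field="secret" $GRADLE_SECRET -format=json)
+export PLUGIN_PORTAL_SECRET
+
 # Signing keys
 GPG_SECRET=kv/ci-shared/release-eng/team-release-secrets/apm/gpg
 vault kv get --field="keyring" $GPG_SECRET | base64 -d > $KEY_FILE
@@ -63,22 +57,6 @@ KEY_ID=$(vault kv get --field="key_id" $GPG_SECRET)
 KEY_ID_SECRET=${KEY_ID: -8}
 export KEY_ID_SECRET
 
-# TODO: BEGIN - this should be removed.
-VAULT_ADDR=$PROD_VAULT_ADDR
-unset VAULT_TOKEN
-export VAULT_ADDR
-VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID_SECRET" secret_id="$VAULT_SECRET_ID_SECRET")
-export VAULT_TOKEN
-# END - this should be removed.
-
-# TODO: this should be changed with the new vault secrets.
-# Gradle Plugin portal credentials
-GRADLE_SECRET=secret/release/gradle-plugin-portal
-PLUGIN_PORTAL_KEY=$(vault read $GRADLE_SECRET -format=json | jq -r .data.key)
-export PLUGIN_PORTAL_KEY
-PLUGIN_PORTAL_SECRET=$(vault read $GRADLE_SECRET -format=json | jq -r .data.secret)
-export PLUGIN_PORTAL_SECRET
-
 # Import the key into the keyring
 echo "$KEYPASS_SECRET" | gpg --batch --import "$KEY_FILE"
 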
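Review bot: The new `PLUGIN_PORTAL_SECRET` assignment (new line 47) still carries a trailing `-format=json` that the `PLUGIN_PORTAL_KEY` line above it does not, apparently left over from the old `vault read … | jq` form. Combined with `--field`, that flag can make the CLI emit the value JSON-encoded (wrapped in quotes) or be treated as a stray positional argument, depending on the Vault CLI version, so the exported credential may not be the raw secret; I would drop it: `PLUGIN_PORTAL_SECRET=$(vault kv get --field="secret" "$GRADLE_SECRET")`. Separately, the first hunk removes the only `set +x` visible in this diff; if tracing is enabled earlier in the hook (not shown here), the secret-bearing assignments would be echoed to the build log, so a `set +x` should stay ahead of the first `vault kv get`.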
