ci(release): use new set of credentials for GPG and Maven Central (#222)

elastic · Jan 16, 2024 · 5288006 · 5288006
1 parent 7dbf50e
commit 5288006
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 23 deletions.
diff --git a/.buildkite/README.md b/.buildkite/README.md
@@ -0,0 +1,27 @@
+# Buildkite
+This README overviews the Buildkite pipelines that automate the build and publishing processes.
+
+## Release pipeline
+
+The Buildkite pipeline for the ECS Logging Java is responsible for the releases.
+
+### Pipeline Configuration
+
+To view the pipeline and its configuration, click [here](https://buildkite.com/elastic/ecs-logging-java-release) or
+go to the definition in the `elastic/ci` repository.
+
+### Credentials
+
+The release team provides the credentials required to publish the artifacts in Maven Central and sign them
+with the GPG.
+
+If further details are needed, please go to [pre-command](hooks/pre-command).
+
+## Snapshot pipeline
+
+The Buildkite pipeline for the APM Agent Java is responsible for the snapshots.
+
+### Pipeline Configuration
+
+To view the pipeline and its configuration, click [here](https://buildkite.com/elastic/ecs-logging-java-snapshot) or
+go to the definition in the `elastic/ci` repository.
diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
@@ -8,21 +8,6 @@
 
 set -eo pipefail
 
-echo "--- Prepare vault context :vault:"
-VAULT_ROLE_ID_SECRET=$(vault read -field=role-id secret/ci/elastic-ecs-logging-java/internal-ci-approle)
-export VAULT_ROLE_ID_SECRET
-
-VAULT_SECRET_ID_SECRET=$(vault read -field=secret-id secret/ci/elastic-ecs-logging-java/internal-ci-approle)
-export VAULT_SECRET_ID_SECRET
-
-VAULT_ADDR=$(vault read -field=vault-url secret/ci/elastic-ecs-logging-java/internal-ci-approle)
-export VAULT_ADDR
-
-# Delete the vault specific accessing the ci vault
-PREVIOUS_VAULT_TOKEN=$VAULT_TOKEN
-export PREVIOUS_VAULT_TOKEN
-unset VAULT_TOKEN
-
 echo "--- Prepare a secure temp :closed_lock_with_key:"
 # Prepare a secure temp folder not shared between other jobs to store the key ring
 export TMP_WORKSPACE=/tmp/secured
@@ -34,20 +19,22 @@ mkdir -p $GNUPGHOME
 chmod -R 700 $TMP_WORKSPACE
 
 echo "--- Prepare keys context :key:"
-VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID_SECRET" secret_id="$VAULT_SECRET_ID_SECRET")
-export VAULT_TOKEN
-
 # Nexus credentials
-SERVER_USERNAME=$(vault read -field username secret/release/nexus)
+NEXUS_SECRET=kv/ci-shared/release-eng/team-release-secrets/ecs-logging/maven_central
+SERVER_USERNAME=$(vault kv get --field="username" $NEXUS_SECRET)
 export SERVER_USERNAME
-SERVER_PASSWORD=$(vault read -field password secret/release/nexus)
+SERVER_PASSWORD=$(vault kv get --field="password" $NEXUS_SECRET)
 export SERVER_PASSWORD
 
 # Signing keys
-vault read -field=key secret/release/signing >$KEY_FILE
-KEYPASS_SECRET=$(vault read -field=passphrase secret/release/signing)
+GPG_SECRET=kv/ci-shared/release-eng/team-release-secrets/ecs-logging/gpg
+vault kv get --field="keyring" $GPG_SECRET | base64 -d > $KEY_FILE
+## NOTE: This is not a typo. "passphase" is the name of the field.
+KEYPASS_SECRET=$(vault kv get --field="passphase" $GPG_SECRET)
 export KEYPASS_SECRET
-export KEY_ID_SECRET=D88E42B4
+KEY_ID=$(vault kv get --field="key_id" $GPG_SECRET)
+KEY_ID_SECRET=${KEY_ID: -8}
+export KEY_ID_SECRET
 
 # Import the key into the keyring
 echo "$KEYPASS_SECRET" | gpg --batch --import "$KEY_FILE"