feat(oidc): google secret source of truth (#13465)

elastic · Jun 25, 2024 · 5f48823 · 5f48823
1 parent 477584b
commit 5f48823
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 5 deletions.
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -37,6 +37,9 @@ jobs:
     defaults:
       run:
         working-directory: ${{ env.WORKING_DIRECTORY }}
+    permissions:
+      contents: read
+      id-token: write
     env:
       SSH_KEY: ./id_rsa_terraform
       TF_VAR_private_key: ./id_rsa_terraform
@@ -50,7 +53,6 @@ jobs:
       GOBENCH_USERNAME: ${{ secrets.GOBENCH_USERNAME }}
       GOBENCH_HOST: ${{ secrets.GOBENCH_HOST }}
       # TODO: use keyless
-      EC_API_KEY: ${{ secrets.OBSERVABILITY_EC_API_KEY }}
       AWS_ACCESS_KEY_ID: ${{ secrets.OBSERVABILITY_AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.OBSERVABILITY_AWS_SECRET_ACCESS_KEY }}
     steps:
@@ -84,6 +86,15 @@ jobs:
           username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
           password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
 
+
+      - uses: elastic/oblt-actions/google/auth@v1
+
+      - uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3
+        with:
+          export_to_environment: true
+          secrets: |-
+            EC_API_KEY:elastic-observability/elastic-cloud-observability-team-pro-api-key
+
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: 1.3.7

diff --git a/.github/workflows/smoke-tests-ess.yml b/.github/workflows/smoke-tests-ess.yml
@@ -35,14 +35,15 @@ jobs:
     name: Run smoke tests ${{ matrix.test }} for ${{ matrix.version }}
     runs-on: ubuntu-latest
     needs: prepare
+    permissions:
+      contents: read
+      id-token: write
     env:
       TF_VAR_BUILD_ID: ${{ github.run_id }}
       TF_VAR_ENVIRONMENT: 'ci'
       TF_VAR_BRANCH: ${{ github.ref_name }}
       TF_VAR_REPO: ${{ github.repository }}
       TF_VAR_CREATED_DATE: ${{ needs.prepare.outputs.date }}
-      # TODO: use keyless
-      EC_API_KEY: ${{ secrets.OBSERVABILITY_EC_API_KEY }}
     strategy:
       fail-fast: false
       matrix:
@@ -59,6 +60,16 @@ jobs:
         with:
           aws-csv-file: ${{ secrets.OBSERVABILITY_AWS_CSV_FILE }}
           aws-profile: ${{ secrets.OBSERVABILITY_AWS_PROFILE }}
+
+
+      - uses: elastic/oblt-actions/google/auth@v1
+
+      - uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3
+        with:
+          export_to_environment: true
+          secrets: |-
+            EC_API_KEY:elastic-observability/elastic-cloud-observability-team-pro-api-key
+
       - name: Run smoke tests ${{ matrix.test }} for ${{ matrix.version }}
         run: make smoketest/run-version TEST_DIR=${{ matrix.test }} SMOKETEST_VERSION=${{ matrix.version }}
       - if: always()

diff --git a/.github/workflows/smoke-tests-os.yml b/.github/workflows/smoke-tests-os.yml
@@ -40,8 +40,9 @@ jobs:
       TF_VAR_BRANCH: ${{ github.ref_name }}
       TF_VAR_REPO: ${{ github.repository }}
       TF_VAR_CREATED_DATE: ${{ needs.prepare.outputs.date }}
-      # TODO: use keyless
-      EC_API_KEY: ${{ secrets.OBSERVABILITY_EC_API_KEY }}
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -53,6 +54,14 @@ jobs:
         with:
           aws-csv-file: ${{ secrets.OBSERVABILITY_AWS_CSV_FILE }}
           aws-profile: ${{ secrets.OBSERVABILITY_AWS_PROFILE }}
+
+      - uses: elastic/oblt-actions/google/auth@v1
+
+      - uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3
+        with:
+          export_to_environment: true
+          secrets: |-
+            EC_API_KEY:elastic-observability/elastic-cloud-observability-team-pro-api-key
       - name: Run smoke tests OS
         working-directory: ${{ github.workspace }}/testing/smoke/supported-os
         run: ./test.sh ${VERSION}-SNAPSHOT