Skip to content

feat(oidc): for using EC credentials #13926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat(oidc): for using EC credentials #13926

wants to merge 3 commits into from

Conversation

v1v
Copy link
Member

@v1v v1v commented May 16, 2025
edited
Loading

Proposed commit message

Use the google secrets to fetch the EC credentials we provide and they are ephemeral.

Use https://github.com/avaly/gcp-secret-manager-buildkite-plugin.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

In the CI, see this build based on https://github.com/elastic/integrations/tree/test/use-google-secrets

Related issues

Screenshots

image

@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

Package crowdstrike 👍(3) 💚(0) 💔(2)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
alert 1569.86 1288.66 -281.2 (-17.91%) 💔
vulnerability 3802.28 2994.01 -808.27 (-21.26%) 💔

To see the full report comment with /test benchmark fullreport

@v1v
Copy link
Member Author

v1v commented May 19, 2025

test serverless

v1v added 2 commits May 26, 2025 10:31
@v1v
Merge branch 'main' into feature/use-google-secrets
52daeaf 
* main: (42 commits)
  [jamf_pro] Fix `flattened` field types for non-object values (elastic#13985)
  [Netskope Alerts] Add text multi-field to netskope.alerts.breach.description field (elastic#13977)
  zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams (elastic#13904)
  apm: Add config for tail-based sampling discard on write (elastic#13950)
  [CI] Add dev/coverage into backport script (elastic#13987)
  Update configuration updatecli for 8.x snapshot (elastic#13981)
  [Prometheus] Add username, password, and SSL related fields for query dataset (elastic#13969)
  o365: Ignore failures in rename processors for organization fields (elastic#13983)
  aws.firewall: Document ingested log types of AWS Network Firewall (elastic#13978)
  mimecast: resolve field data type conflicts between data streams (elastic#13825)
  [Infoblox NIOS] Handle the parsing of IPv6 address (elastic#13947)
  [Cribl] Fix handling of metric event type (elastic#13930)
  zscaler_zpa: fix handling of multiple remote IPs, and event categorisation (elastic#13755)
  Adding agentless deployment to the sublime security integration (elastic#13963)
  [integration/system] add use_performance_counters in system integration (elastic#13150)
  crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling (elastic#13955)
  [forgerock] Map `forgerock.response.elapsedTime` as a long not a date (elastic#13959)
  github: squelch errors from pagination ends (elastic#13965)
  cisco_secure_endpoint: squelch errors from pagination ends (elastic#13964)
  [Cloud Security] Cloud Asset Inventory:  fixed cloud formation URL (elastic#13971)
  ...
@v1v
use -ci account
ca8359e
@elasticmachine
Copy link

elasticmachine commented May 26, 2025
edited
Loading

💛 Build succeeded, but was flaky

Failed CI Steps

History

cc @v1v

v1v
v1v commented May 26, 2025
View reviewed changes
.buildkite/pipeline.serverless.yml
- avaly/gcp-secret-manager#v1.2.0:
env:
EC_API_KEY: elastic-cloud-observability-team-qa-api-key
EC_HOST: elastic-cloud-observability-team-qa-endpoint
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this secret is not really a secret, shall we use the value instead?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this feature was implemented, I was not totally sure if that URL should be public or not. That's why I added that as a secret.

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@v1v v1v self-assigned this May 26, 2025
@v1v v1v requested review from a team May 26, 2025 10:00
@v1v v1v marked this pull request as ready for review May 26, 2025 10:00
@v1v v1v requested a review from a team as a code owner May 26, 2025 10:00
v1v
v1v commented May 26, 2025
View reviewed changes
@v1v v1v mentioned this pull request May 26, 2025
Open
mrodm
mrodm approved these changes May 27, 2025
View reviewed changes
.buildkite/pipeline.serverless.yml
- avaly/gcp-secret-manager#v1.2.0:
env:
EC_API_KEY: elastic-cloud-observability-team-qa-api-key
EC_HOST: elastic-cloud-observability-team-qa-endpoint
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this feature was implemented, I was not totally sure if that URL should be public or not. That's why I added that as a secret.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrodm mrodm mrodm approved these changes

Assignees

@v1v v1v

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@v1v @elasticmachine @mrodm