Skip to content

feat(oidc): for using EC credentials #13926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 29, 2025
Merged

feat(oidc): for using EC credentials #13926

merged 3 commits into from
May 29, 2025

Conversation

v1v
Copy link
Member

@v1v v1v commented May 16, 2025
edited
Loading

Proposed commit message

Use the google secrets to fetch the EC credentials we provide and they are ephemeral.

Use https://github.com/avaly/gcp-secret-manager-buildkite-plugin.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

In the CI, see this build based on https://github.com/elastic/integrations/tree/test/use-google-secrets

Related issues

Screenshots

image

@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

Package crowdstrike 👍(3) 💚(0) 💔(2)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
alert 1569.86 1288.66 -281.2 (-17.91%) 💔
vulnerability 3802.28 2994.01 -808.27 (-21.26%) 💔

To see the full report comment with /test benchmark fullreport

@v1v
Copy link
Member Author

v1v commented May 19, 2025

test serverless

v1v added 2 commits May 26, 2025 10:31
@v1v
Merge branch 'main' into feature/use-google-secrets
52daeaf 
* main: (42 commits)
  [jamf_pro] Fix `flattened` field types for non-object values (elastic#13985)
  [Netskope Alerts] Add text multi-field to netskope.alerts.breach.description field (elastic#13977)
  zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams (elastic#13904)
  apm: Add config for tail-based sampling discard on write (elastic#13950)
  [CI] Add dev/coverage into backport script (elastic#13987)
  Update configuration updatecli for 8.x snapshot (elastic#13981)
  [Prometheus] Add username, password, and SSL related fields for query dataset (elastic#13969)
  o365: Ignore failures in rename processors for organization fields (elastic#13983)
  aws.firewall: Document ingested log types of AWS Network Firewall (elastic#13978)
  mimecast: resolve field data type conflicts between data streams (elastic#13825)
  [Infoblox NIOS] Handle the parsing of IPv6 address (elastic#13947)
  [Cribl] Fix handling of metric event type (elastic#13930)
  zscaler_zpa: fix handling of multiple remote IPs, and event categorisation (elastic#13755)
  Adding agentless deployment to the sublime security integration (elastic#13963)
  [integration/system] add use_performance_counters in system integration (elastic#13150)
  crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling (elastic#13955)
  [forgerock] Map `forgerock.response.elapsedTime` as a long not a date (elastic#13959)
  github: squelch errors from pagination ends (elastic#13965)
  cisco_secure_endpoint: squelch errors from pagination ends (elastic#13964)
  [Cloud Security] Cloud Asset Inventory:  fixed cloud formation URL (elastic#13971)
  ...
@v1v
use -ci account
ca8359e
@elasticmachine
Copy link

elasticmachine commented May 26, 2025
edited
Loading

💛 Build succeeded, but was flaky

Failed CI Steps

History

cc @v1v

v1v
v1v commented May 26, 2025
View reviewed changes
.buildkite/pipeline.serverless.yml
- avaly/gcp-secret-manager#v1.2.0:
env:
EC_API_KEY: elastic-cloud-observability-team-qa-api-key
EC_HOST: elastic-cloud-observability-team-qa-endpoint
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this secret is not really a secret, shall we use the value instead?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this feature was implemented, I was not totally sure if that URL should be public or not. That's why I added that as a secret.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If possible I think it would be interesting to keep both values as secrets. It would be quick to change and both values are in the same location.

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@v1v v1v self-assigned this May 26, 2025
@v1v v1v requested review from a team May 26, 2025 10:00
@v1v v1v marked this pull request as ready for review May 26, 2025 10:00
@v1v v1v requested a review from a team as a code owner May 26, 2025 10:00
v1v
v1v commented May 26, 2025
View reviewed changes
@v1v v1v mentioned this pull request May 26, 2025
Merged
mrodm
mrodm approved these changes May 27, 2025
View reviewed changes
.buildkite/pipeline.serverless.yml
- avaly/gcp-secret-manager#v1.2.0:
env:
EC_API_KEY: elastic-cloud-observability-team-qa-api-key
EC_HOST: elastic-cloud-observability-team-qa-endpoint
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this feature was implemented, I was not totally sure if that URL should be public or not. That's why I added that as a secret.

@v1v v1v merged commit d20ee73 into elastic:main May 29, 2025
8 checks passed
@v1v
Copy link
Member Author

v1v commented May 29, 2025

@Mergifyio backport backport-security_detection_engine-8.18 backport-security_detection_engine-8.17

@mergify Mergify
Copy link
Contributor

mergify bot commented May 29, 2025
edited
Loading

backport backport-security_detection_engine-8.18 backport-security_detection_engine-8.17

✅ Backports have been created

mergify bot pushed a commit that referenced this pull request May 29, 2025
@v1v @mergify
feat(oidc): for using EC credentials (#13926)
c31261d 
(cherry picked from commit d20ee73)
@mergify mergify bot mentioned this pull request May 29, 2025
Merged
5 tasks
mergify bot pushed a commit that referenced this pull request May 29, 2025
@v1v @mergify
feat(oidc): for using EC credentials (#13926)
96665fa 
(cherry picked from commit d20ee73)
@mergify mergify bot mentioned this pull request May 29, 2025
Merged
5 tasks
@v1v
Copy link
Member Author

v1v commented May 29, 2025
edited
Loading

PENDING BACKPORTS

  • backport-apm-8.15
  • backport-cloud_security_posture-1.13
  • backport-security_detection_engine-8.16
  • backport-crowdstrike-1.52
  • backport-ti_abusech-2.6
  • backport-crowdstrike-1.46

@mrodm
Copy link
Contributor

mrodm commented May 29, 2025

PENDING BACKPORTS

  • backport-cloud_security_posture-1.13
  • backport-security_detection_engine-8.16
  • backport-crowdstrike-1.52
  • backport-ti_abusech-2.6
  • backport-crowdstrike-1.46 backport-aws-2.30`

@v1v please backport these changes to this branch too: backport-apm-8.15 🙏
It was created a few hours ago too, and probably that branch would be used in the future too.

Thanks!

@v1v
Copy link
Member Author

v1v commented May 29, 2025

@Mergifyio backport backport-apm-8.15 backport-cloud_security_posture-1.13

@mergify Mergify
Copy link
Contributor

mergify bot commented May 29, 2025
edited
Loading

backport backport-apm-8.15 backport-cloud_security_posture-1.13

✅ Backports have been created

mergify bot pushed a commit that referenced this pull request May 29, 2025
@v1v @mergify
feat(oidc): for using EC credentials (#13926)
9959aeb 
(cherry picked from commit d20ee73)
@mergify mergify bot mentioned this pull request May 29, 2025
Merged
5 tasks
mergify bot pushed a commit that referenced this pull request May 29, 2025
@v1v @mergify
feat(oidc): for using EC credentials (#13926)
3761107 
(cherry picked from commit d20ee73)
@mergify mergify bot mentioned this pull request May 29, 2025
Merged
5 tasks
@v1v
Copy link
Member Author

v1v commented May 29, 2025

@Mergifyio backport backport-security_detection_engine-8.16 backport-crowdstrike-1.52

@mergify Mergify
Copy link
Contributor

mergify bot commented May 29, 2025
edited
Loading

backport backport-security_detection_engine-8.16 backport-crowdstrike-1.52

✅ Backports have been created

mergify bot pushed a commit that referenced this pull request May 29, 2025
@v1v @mergify
feat(oidc): for using EC credentials (#13926)
258d9bb 
(cherry picked from commit d20ee73)
@mergify mergify bot mentioned this pull request May 29, 2025
Merged
5 tasks
mergify bot pushed a commit that referenced this pull request May 29, 2025
@v1v @mergify
feat(oidc): for using EC credentials (#13926)
fbc9c07 
(cherry picked from commit d20ee73)
@mergify mergify bot mentioned this pull request May 29, 2025
Merged
5 tasks
@v1v
Copy link
Member Author

v1v commented May 29, 2025

@Mergifyio backport backport-ti_abusech-2.6 backport-crowdstrike-1.46

@mergify Mergify
Copy link
Contributor

mergify bot commented May 29, 2025
edited
Loading

backport backport-ti_abusech-2.6 backport-crowdstrike-1.46

✅ Backports have been created

mergify bot pushed a commit that referenced this pull request May 29, 2025
@v1v @mergify
feat(oidc): for using EC credentials (#13926)
3e83bcb 
(cherry picked from commit d20ee73)
@mergify mergify bot mentioned this pull request May 29, 2025
Merged
5 tasks
mergify bot pushed a commit that referenced this pull request May 29, 2025
@v1v @mergify
feat(oidc): for using EC credentials (#13926)
ef1e92b 
(cherry picked from commit d20ee73)

# Conflicts:
#	.buildkite/pipeline.serverless.yml
@mergify mergify bot mentioned this pull request May 29, 2025
Closed
5 tasks
v1v pushed a commit that referenced this pull request May 29, 2025
@mergify
feat(oidc): for using EC credentials (#13926) (#14060)
b5ef185
v1v pushed a commit that referenced this pull request May 29, 2025
@mergify
feat(oidc): for using EC credentials (#13926) (#14062)
6279ca9
v1v pushed a commit that referenced this pull request May 29, 2025
@mergify
feat(oidc): for using EC credentials (#13926) (#14063)
7e28c45
v1v pushed a commit that referenced this pull request May 29, 2025
@mergify
feat(oidc): for using EC credentials (#13926) (#14061)
5e4b6fa
v1v pushed a commit that referenced this pull request May 29, 2025
@mergify
feat(oidc): for using EC credentials (#13926) (#14058)
30de43c
v1v pushed a commit that referenced this pull request May 29, 2025
@mergify
feat(oidc): for using EC credentials (#13926) (#14057)
c6507b9
v1v pushed a commit that referenced this pull request May 29, 2025
@mergify
feat(oidc): for using EC credentials (#13926) (#14059)
ed21ff8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrodm mrodm mrodm approved these changes

Assignees

@v1v v1v

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@v1v @elasticmachine @mrodm