Skip to content

feat(oidc): for using EC credentials #13926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
May 29, 2025
Merged

Conversation

v1v
Copy link
Member

@v1v v1v commented May 16, 2025

Proposed commit message

Use the google secrets to fetch the EC credentials we provide and they are ephemeral.

Use https://github.com/avaly/gcp-secret-manager-buildkite-plugin.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

In the CI, see this build based on https://github.com/elastic/integrations/tree/test/use-google-secrets

Related issues

Screenshots

image

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

Package crowdstrike 👍(3) 💚(0) 💔(2)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
alert 1569.86 1288.66 -281.2 (-17.91%) 💔
vulnerability 3802.28 2994.01 -808.27 (-21.26%) 💔

To see the full report comment with /test benchmark fullreport

@v1v
Copy link
Member Author

v1v commented May 19, 2025

test serverless

v1v added 2 commits May 26, 2025 10:31
* main: (42 commits)
  [jamf_pro] Fix `flattened` field types for non-object values (elastic#13985)
  [Netskope Alerts] Add text multi-field to netskope.alerts.breach.description field (elastic#13977)
  zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams (elastic#13904)
  apm: Add config for tail-based sampling discard on write (elastic#13950)
  [CI] Add dev/coverage into backport script (elastic#13987)
  Update configuration updatecli for 8.x snapshot (elastic#13981)
  [Prometheus] Add username, password, and SSL related fields for query dataset (elastic#13969)
  o365: Ignore failures in rename processors for organization fields (elastic#13983)
  aws.firewall: Document ingested log types of AWS Network Firewall (elastic#13978)
  mimecast: resolve field data type conflicts between data streams (elastic#13825)
  [Infoblox NIOS] Handle the parsing of IPv6 address (elastic#13947)
  [Cribl] Fix handling of metric event type (elastic#13930)
  zscaler_zpa: fix handling of multiple remote IPs, and event categorisation (elastic#13755)
  Adding agentless deployment to the sublime security integration (elastic#13963)
  [integration/system] add use_performance_counters in system integration (elastic#13150)
  crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling (elastic#13955)
  [forgerock] Map `forgerock.response.elapsedTime` as a long not a date (elastic#13959)
  github: squelch errors from pagination ends (elastic#13965)
  cisco_secure_endpoint: squelch errors from pagination ends (elastic#13964)
  [Cloud Security] Cloud Asset Inventory:  fixed cloud formation URL (elastic#13971)
  ...
@elasticmachine
Copy link

elasticmachine commented May 26, 2025

- avaly/gcp-secret-manager#v1.2.0:
env:
EC_API_KEY: elastic-cloud-observability-team-qa-api-key
EC_HOST: elastic-cloud-observability-team-qa-endpoint
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this secret is not really a secret, shall we use the value instead?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this feature was implemented, I was not totally sure if that URL should be public or not. That's why I added that as a secret.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If possible I think it would be interesting to keep both values as secrets. It would be quick to change and both values are in the same location.

Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@v1v v1v self-assigned this May 26, 2025
@v1v v1v requested review from a team May 26, 2025 10:00
@v1v v1v marked this pull request as ready for review May 26, 2025 10:00
@v1v v1v requested a review from a team as a code owner May 26, 2025 10:00
- avaly/gcp-secret-manager#v1.2.0:
env:
EC_API_KEY: elastic-cloud-observability-team-qa-api-key
EC_HOST: elastic-cloud-observability-team-qa-endpoint
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this feature was implemented, I was not totally sure if that URL should be public or not. That's why I added that as a secret.

@v1v v1v merged commit d20ee73 into elastic:main May 29, 2025
8 checks passed
@v1v
Copy link
Member Author

v1v commented May 29, 2025

@Mergifyio backport backport-security_detection_engine-8.18 backport-security_detection_engine-8.17

Copy link
Contributor

mergify bot commented May 29, 2025

backport backport-security_detection_engine-8.18 backport-security_detection_engine-8.17

✅ Backports have been created

@v1v
Copy link
Member Author

v1v commented May 29, 2025

PENDING BACKPORTS

  • backport-apm-8.15
  • backport-cloud_security_posture-1.13
  • backport-security_detection_engine-8.16
  • backport-crowdstrike-1.52
  • backport-ti_abusech-2.6
  • backport-crowdstrike-1.46

@mrodm
Copy link
Contributor

mrodm commented May 29, 2025

PENDING BACKPORTS

  • backport-cloud_security_posture-1.13
  • backport-security_detection_engine-8.16
  • backport-crowdstrike-1.52
  • backport-ti_abusech-2.6
  • backport-crowdstrike-1.46 backport-aws-2.30`

@v1v please backport these changes to this branch too: backport-apm-8.15 🙏
It was created a few hours ago too, and probably that branch would be used in the future too.

Thanks!

@v1v
Copy link
Member Author

v1v commented May 29, 2025

@Mergifyio backport backport-apm-8.15 backport-cloud_security_posture-1.13

Copy link
Contributor

mergify bot commented May 29, 2025

backport backport-apm-8.15 backport-cloud_security_posture-1.13

✅ Backports have been created

mergify bot pushed a commit that referenced this pull request May 29, 2025
mergify bot pushed a commit that referenced this pull request May 29, 2025
@v1v
Copy link
Member Author

v1v commented May 29, 2025

@Mergifyio backport backport-security_detection_engine-8.16 backport-crowdstrike-1.52

Copy link
Contributor

mergify bot commented May 29, 2025

backport backport-security_detection_engine-8.16 backport-crowdstrike-1.52

✅ Backports have been created

@v1v
Copy link
Member Author

v1v commented May 29, 2025

@Mergifyio backport backport-ti_abusech-2.6 backport-crowdstrike-1.46

Copy link
Contributor

mergify bot commented May 29, 2025

backport backport-ti_abusech-2.6 backport-crowdstrike-1.46

✅ Backports have been created

mergify bot pushed a commit that referenced this pull request May 29, 2025
mergify bot pushed a commit that referenced this pull request May 29, 2025
(cherry picked from commit d20ee73)

# Conflicts:
#	.buildkite/pipeline.serverless.yml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants