bk(refactor): use bk plugins for the DRA secrets

.buildkite/hooks/pre-command

@@ -13,26 +13,10 @@ if [[ -z "${GO_VERSION-""}" ]]; then
     export GO_VERSION=$(cat "${WORKSPACE}/.go-version")
 fi
 
-CI_DRA_ROLE_PATH="kv/ci-shared/release/dra-role"
 CI_GCP_OBS_PATH="kv/ci-shared/observability-ingest/cloud/gcp"
 # This key exists for backward compatibility with OGC framework
 # see https://github.com/elastic/elastic-agent/issues/8536
 CI_ESS_PATH="kv/ci-shared/platform-ingest/platform-ingest-ec-prod"
-CI_DRA_ROLE_PATH="kv/ci-shared/release/dra-role"
-
-function release_manager_login {
-  DRA_CREDS_SECRET=$(retry 5 vault kv get -field=data -format=json ${CI_DRA_ROLE_PATH})
-  VAULT_ADDR_SECRET=$(echo ${DRA_CREDS_SECRET} | jq -r '.vault_addr')
-  VAULT_ROLE_ID_SECRET=$(echo ${DRA_CREDS_SECRET} | jq -r '.role_id')
-  VAULT_SECRET=$(echo ${DRA_CREDS_SECRET} | jq -r '.secret_id')
-  export VAULT_ADDR_SECRET VAULT_ROLE_ID_SECRET VAULT_SECRET
-}
-
-if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-package" ]]; then
-  if [[ "$BUILDKITE_STEP_KEY" == "dra-publish" || "$BUILDKITE_STEP_KEY" == "bk-api-publish-independent-agent" ]]; then
-    release_manager_login
-  fi
-fi
 
 if [[ "$BUILDKITE_STEP_KEY" == *"integration-tests"* ]]; then
   echo "Setting credentials"
@@ -47,11 +31,3 @@ if [[ "$BUILDKITE_STEP_KEY" == *"integration-tests"* ]]; then
   echo ${API_KEY_TOKEN} > ./apiKey
   export TEST_INTEG_AUTH_ESS_APIKEY_FILE=$(realpath ./apiKey)
 fi
-
-if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-binary-dra" ]]; then
-  if [[ ("$BUILDKITE_STEP_KEY" == "publish-dra-snapshot" || "$BUILDKITE_STEP_KEY" == "publish-dra-staging") ]]; then
-    echo "+++ Setting DRA params"
-    # Shared secret path containing the dra creds for project teams
-    release_manager_login
-  fi
-fi

.buildkite/pipeline.elastic-agent-binary-dra.yml

@@ -13,6 +13,21 @@ common:
   - docker_login_plugin: &docker_login_plugin
       elastic/vault-docker-login#v0.5.2:
         secret_path: 'kv/ci-shared/platform-ingest/elastic_docker_registry'
+  - vault_addr: &vault_addr
+      elastic/vault-secrets#v0.1.0:
+          path: "kv/ci-shared/release/dra-role"
+          field: "vault_addr"
+          env_var: "VAULT_ADDR"
+  - vault_role_id: &vault_role_id
+      elastic/vault-secrets#v0.1.0:
+          path: "kv/ci-shared/release/dra-role"
+          field: "role_id"
+          env_var: "VAULT_ROLE_ID"
+  - vault_secret_id: &vault_secret_id
+      elastic/vault-secrets#v0.1.0:
+          path: "kv/ci-shared/release/dra-role"
+          field: "secret_id"
+          env_var: "VAULT_SECRET_ID"
 
 steps:
   - group: ":beats: DRA Elastic-Agent Core Snapshot :beats:"
@@ -93,6 +108,9 @@ steps:
         DRA_WORKFLOW: "snapshot"
       plugins:
         - *docker_login_plugin
+        - *vault_addr
+        - *vault_role_id
+        - *vault_secret_id
 
     - label: ":hammer: Publish helm chart snapshot"
       trigger: elastic-agent-helm-charts
@@ -188,6 +206,9 @@ steps:
         DRA_WORKFLOW: "staging"
       plugins:
         - *docker_login_plugin
+        - *vault_addr
+        - *vault_role_id
+        - *vault_secret_id
 
 notify:
   - slack: "#ingest-notifications"

.buildkite/pipeline.elastic-agent-package.yml

@@ -5,6 +5,25 @@ env:
   # after moving elastic-agent out of beats, we should update the URL of the packaging.
   BEAT_URL: "https://www.elastic.co/elastic-agent"
 
+# This section is used to define the plugins that will be used in the pipeline.
+# See https://buildkite.com/docs/pipelines/integrations/plugins/using#using-yaml-anchors-with-plugins
+common:
+  - vault_addr: &vault_addr
+      elastic/vault-secrets#v0.1.0:
+          path: "kv/ci-shared/release/dra-role"
+          field: "vault_addr"
+          env_var: "VAULT_ADDR"
+  - vault_role_id: &vault_role_id
+      elastic/vault-secrets#v0.1.0:
+          path: "kv/ci-shared/release/dra-role"
+          field: "role_id"
+          env_var: "VAULT_ROLE_ID"
+  - vault_secret_id: &vault_secret_id
+      elastic/vault-secrets#v0.1.0:
+          path: "kv/ci-shared/release/dra-role"
+          field: "secret_id"
+          env_var: "VAULT_SECRET_ID"
+
 steps:
   - input: "Build parameters"
     if: build.env("MANIFEST_URL") == null
@@ -129,6 +148,10 @@ steps:
     env:
       DRA_PROJECT_ID: "elastic-agent-package"
       DRA_PROJECT_ARTIFACT_ID: "agent-package"
+    plugins:
+      - *vault_addr
+      - *vault_role_id
+      - *vault_secret_id
     command: |
       echo "+++ Restoring Artifacts"
       buildkite-agent artifact download "build/**/*" .
@@ -169,6 +192,10 @@ steps:
       DRA_PROJECT_ARTIFACT_ID: "agent-package"
     artifact_paths:
       - "build/distributions/**/*"
+    plugins:
+      - *vault_addr
+      - *vault_role_id
+      - *vault_secret_id
     command: |
       echo "+++ Restoring Artifacts"
       buildkite-agent artifact download "build/**/*" .

.buildkite/scripts/steps/dra-publish.sh

@@ -40,9 +40,9 @@ function run_release_manager() {
     # shellcheck disable=SC2086
     docker run --rm \
         --name release-manager \
-        -e VAULT_ADDR="${VAULT_ADDR_SECRET}" \
-        -e VAULT_ROLE_ID="${VAULT_ROLE_ID_SECRET}" \
-        -e VAULT_SECRET_ID="${VAULT_SECRET}" \
+        -e VAULT_ADDR \
+        -e VAULT_ROLE_ID \
+        -e VAULT_SECRET_ID \
         --mount type=bind,readonly=false,src="${PWD}",target=/artifacts \
         docker.elastic.co/infra/release-manager:latest \
         cli "${_command}" \