Review buildkite scripts cleanup process #1487
Conversation
This reverts commit f25127f.
| @@ -87,12 +95,11 @@ upload_safe_logs() { | |||
| return | |||
| fi | |||
|
|
|||
| local gsUtilLocation=$(google_cloud_auth_safe_logs) | |||
| google_cloud_auth_safe_logs | |||
There was a problem hiding this comment.
Calling this function as $(google_cloud_auth_safe_logs) make that the variable that was exported in that function (GOOGLE_APPLICATION_CREDENTIALS) was not available for the rest of the function. It seems that it creates a subshell and that variable does not exist outside of it.
| @@ -67,14 +77,12 @@ if [[ "${TARGET}" == "" ]]; then | |||
| fi | |||
|
|
|||
| google_cloud_auth_safe_logs() { | |||
| local gsUtilLocation=$(mktemp -d -p . -t ${TMP_FOLDER_TEMPLATE}) | |||
| local gsUtilLocation=$(mktemp -d -p ${WORKSPACE} -t ${TMP_FOLDER_TEMPLATE}) | |||
There was a problem hiding this comment.
Ensure that the temporal folder is created under WORKSPACE
| cleanup() { | ||
| local error_code=$? | ||
|
|
||
| if [ $error_code != 0 ] ; then | ||
| if [ -f ${GOOGLE_APPLICATION_CREDENTIALS+x} ]; then | ||
| google_cloud_logout_active_account | ||
| fi | ||
| fi | ||
|
|
||
| echo "Deleting temporal files..." | ||
| cd ${WORKSPACE} | ||
| rm -rf "${TMP_FOLDER_TEMPLATE_BASE}.*" | ||
| echo "Done." | ||
|
|
||
| exit $error_code | ||
| } | ||
| trap cleanup EXIT |
There was a problem hiding this comment.
I didn't want to move this function to tooling.sh to avoid more refactors in this PR.
Each pipeline (script) has its own cleanup and the one from release pipeline is different.
There was a problem hiding this comment.
The command trap cleanup EXIT will run every time before exit.
But the variable GOOGLE_APPLICATION_CREDENTIALS can be not defined yet, for example, when the script finishes with an error before google_cloud_auth* func. Perhaps, in this case, we have to look for the google-cloud-credentials.json file in the ${WORKSPACE}/* folder and subfolders instead of using the variable.
@mrodm WDYT?
There was a problem hiding this comment.
I tried to take into account this by using this parameter expansion ${var+x}
if [ -n "${GOOGLE_APPLICATION_CREDENTIALS+x}" ]; thenIn that case, if the variable is not defined the logout is not executed.
I think that it could be a good approach, since that variable is set by the google_cloud_auth just after the login command
elastic-package/.buildkite/scripts/tooling.sh
Lines 23 to 25 in f1b90c7
In this commit I added two conditions that the variable is defined and the file pointing that variable exists. Maybe it can be just leave that the variable is defined. If the variable is defined, run the logout function
@sharbuz WDYT ?
| if [ $error_code != 0 ] ; then | ||
| if [ -f ${GOOGLE_APPLICATION_CREDENTIALS+x} ]; then | ||
| google_cloud_logout_active_account | ||
| fi | ||
| fi |
There was a problem hiding this comment.
Ensure that in case of failure, the active account is logged out.
There was a problem hiding this comment.
perfect! we check the variable and if it exists we check the file!
.buildkite/hooks/pre-exit
Outdated
| unset ELASTIC_PACKAGE_AWS_ACCESS_KEY | ||
| unset ELASTIC_PACKAGE_AWS_SECRET_KEY | ||
| unset AWS_ACCESS_KEY_ID | ||
| unset AWS_SECRET_ACCESS_KEY |
There was a problem hiding this comment.
Can we update the unset_secrets func to unset _KEY and _KEY_ID secrets to exclude whole this condition in the pre-exit hook?
There was a problem hiding this comment.
Also, if we already have a great cleanup func that checks the current GCP connection I suppose we can add running of this func in the pre-exit hook right after unset_secrets to avoid plenty of conditions with gcp_logout* calls.
WDYT?
There was a problem hiding this comment.
look at the example: https://github.com/elastic/package-storage-infra/pull/570
refactored cleanup and unset_secrets funcs in the common.sh and pre-exit hook.
There was a problem hiding this comment.
Can we update the
unset_secretsfunc to unset_KEYand_KEY_IDsecrets to exclude whole this condition in thepre-exithook?
It's not a good idea :) I've checked it. in this case, we will unset all BUILDKITE_*_KEY and similar variables needed for the pipeline.
There was a problem hiding this comment.
This unset_secrets function is the same as in other repositories, and I didn't want to deviate much from the other usages in case it could be moved to a shared location.
| local error_code=$? | ||
|
|
||
| if [ $error_code != 0 ] ; then | ||
| # if variable is defined, run the logout | ||
| if [ -n "${GOOGLE_APPLICATION_CREDENTIALS+x}" ]; then | ||
| google_cloud_logout_active_account | ||
| fi | ||
| fi | ||
|
|
There was a problem hiding this comment.
Perhaps it's better to move the cleanup func into tooling.sh script to avoid duplicating the code in the signAndPublishPackage.sh and integration_tests.sh. @mrodm WDYT?
There was a problem hiding this comment.
I wanted to avoid that in this PR at least, I added a comment about this in this other thread:
#1487 (comment)
.buildkite/hooks/pre-exit
Outdated
| unset ELASTIC_PACKAGE_AWS_ACCESS_KEY | ||
| unset ELASTIC_PACKAGE_AWS_SECRET_KEY | ||
| unset AWS_ACCESS_KEY_ID | ||
| unset AWS_SECRET_ACCESS_KEY |
There was a problem hiding this comment.
Also, if we already have a great cleanup func that checks the current GCP connection I suppose we can add running of this func in the pre-exit hook right after unset_secrets to avoid plenty of conditions with gcp_logout* calls.
WDYT?
.buildkite/hooks/pre-exit
Outdated
| unset ELASTIC_PACKAGE_AWS_ACCESS_KEY | ||
| unset ELASTIC_PACKAGE_AWS_SECRET_KEY | ||
| unset AWS_ACCESS_KEY_ID | ||
| unset AWS_SECRET_ACCESS_KEY |
There was a problem hiding this comment.
look at the example: https://github.com/elastic/package-storage-infra/pull/570
refactored cleanup and unset_secrets funcs in the common.sh and pre-exit hook.
.buildkite/hooks/pre-exit
Outdated
| unset ELASTIC_PACKAGE_AWS_ACCESS_KEY | ||
| unset ELASTIC_PACKAGE_AWS_SECRET_KEY | ||
| unset AWS_ACCESS_KEY_ID | ||
| unset AWS_SECRET_ACCESS_KEY |
There was a problem hiding this comment.
Can we update the
unset_secretsfunc to unset_KEYand_KEY_IDsecrets to exclude whole this condition in thepre-exithook?
It's not a good idea :) I've checked it. in this case, we will unset all BUILDKITE_*_KEY and similar variables needed for the pipeline.
Co-authored-by: sharbuz <87968844+sharbuz@users.noreply.github.com>
|
/test |
3 similar comments
|
/test |
|
/test |
|
/test |
|
/test |
mrodm
changed the title
.buildkite/hooks/pre-exit
Outdated
| unset_secrets | ||
|
|
||
| # unset the environment variables not managged by "unset_secrets" | ||
| if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-package" && "$BUILDKITE_STEP_KEY" == "integration-parallel-gcp" ]]; then |
There was a problem hiding this comment.
There would be any problem with unsetting all these variables always?
| if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-package" && "$BUILDKITE_STEP_KEY" == "integration-parallel-gcp" ]]; then |
There was a problem hiding this comment.
mmm yes , and it probably it would be safer.
Executing those unset commands even if the variable does not exist should not cause any issue.
I'll change it.
💛 Build succeeded, but was flaky
Failed CI StepsHistory
cc @mrodm |
No description provided.