RUM-11897: Add scripts to set/get Vault secrets

Author: ambushwork

ci/scripts/get-secret.sh

@@ -0,0 +1,41 @@
+#!/bin/zsh
+
+#
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-Present Datadog, Inc.
+#
+
+source ./ci/scripts/vault_config.sh
+source ./ci/scripts/list-secrets.sh
+
+# Usage:
+#   get_secret <secret_name>
+#
+# Notes:
+# - For <secret_name> use constants defined in './ci/scripts/vault_config.sh'
+# - Requires `vault` to be installed
+get_secret() {
+    local secret_name=$SECRET_NAME
+
+    export VAULT_ADDR=$DD_VAULT_ADDR
+    if vault token lookup &>/dev/null; then
+        echo "Reading '$secret_name' secret in local env. You are already authenticated with 'vault'." >&2
+    else
+        echo "Reading '$secret_name' secret in local env. You will now be authenticated with OIDC in your web browser." >&2
+        vault login -method=oidc -no-print
+    fi
+
+    local secret_value=$(vault kv get -field=value "$DD_ANDROID_SECRETS_PATH_PREFIX/$secret_name")
+
+    if [[ -z "$secret_value" ]]; then
+        echo "Error" "Failed to retrieve the '$secret_name' secret or the secret is empty." >&2
+        exit 1
+    fi
+
+    echo $secret_value
+}
+
+list_secrets
+select_secret
+get_secret "$@"

ci/scripts/list-secrets.sh

@@ -0,0 +1,38 @@
+#!/bin/zsh
+
+#
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-Present Datadog, Inc.
+#
+
+source ./ci/scripts/vault_config.sh
+
+list_secrets() {
+    GREEN="\e[32m"
+    RESET="\e[0m"
+
+    echo "Available secrets:"
+    for key in ${(k)DD_ANDROID_SECRETS}; do
+        IFS=" | " read -r name description <<< "${DD_ANDROID_SECRETS[$key]}"
+        echo "$key) ${GREEN}$name${RESET} - $description"
+    done | sort -n
+
+    echo ""
+    echo "To add a new secret, first define it in 'tools/secrets/config.sh' and retry."
+}
+
+
+select_secret() {
+    echo
+    while true; do
+        echo "Enter the number of the secret you want to continue:"
+        read "secret_number"
+        if [[ -n ${DD_ANDROID_SECRETS[$secret_number]} ]]; then
+            IFS=" | " read -r SECRET_NAME SECRET_DESC <<< "${DD_ANDROID_SECRETS[$secret_number]}"
+            break
+        else
+            echo_err "Invalid selection. Please enter a valid number."
+        fi
+    done
+}

ci/scripts/set-secret.sh

@@ -0,0 +1,76 @@
+#!/bin/zsh
+
+#
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-Present Datadog, Inc.
+#
+
+# Usage:
+# $ ./ci/scripts/vault_config.sh
+#
+# Note:
+# - Requires `vault` to be installed
+
+source ./ci/scripts/vault_config.sh
+source ./ci/scripts/list-secrets.sh
+
+select_input_method() {
+    echo
+    echo "How would you like to provide the secret value?"
+    echo "1) Enter manually"
+    echo "2) Read from text file"
+    while true; do
+        echo "Enter your choice:"
+        read "input_method"
+        case $input_method in
+            1)
+                get_secret_value_from_input
+                break
+                ;;
+            2)
+                get_secret_value_from_file
+                break
+                ;;
+            *)
+                echo "Invalid choice."
+                ;;
+        esac
+    done
+}
+
+get_secret_value_from_file() {
+    echo "Enter the file path to read the value for '$SECRET_NAME':"
+    read "SECRET_FILE"
+    echo
+
+    SECRET_FILE=${SECRET_FILE/#\~/$HOME} # Expand ~ to home directory if present
+    echo "Using '$SECRET_FILE'"
+
+    if [[ -f "$SECRET_FILE" ]]; then
+        SECRET_VALUE=$(cat "$SECRET_FILE")
+    else
+        echo "Error: File '$SECRET_FILE' does not exist."
+        exit 1
+    fi
+}
+
+get_secret_value_from_input() {
+    echo "Enter the new value for '$SECRET_NAME':"
+    read "SECRET_VALUE"
+    echo
+}
+
+set_secret_value() {
+    echo "You will now be authenticated with OIDC in your web browser. Press ENTER to continue."
+    read
+    export VAULT_ADDR=$DD_VAULT_ADDR
+    vault login -method=oidc -no-print
+    vault kv put "$DD_ANDROID_SECRETS_PATH_PREFIX/$SECRET_NAME" value="$SECRET_VALUE"
+    echo "Secret '$SECRET_NAME' set successfully."
+}
+
+list_secrets
+select_secret
+select_input_method
+set_secret_value

ci/scripts/vault_config.sh

@@ -0,0 +1,70 @@
+#!/bin/zsh
+
+#
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-Present Datadog, Inc.
+#
+
+DD_VAULT_ADDR=https://vault.us1.ddbuild.io
+DD_ANDROID_SECRETS_PATH_PREFIX='kv/aws/arn:aws:iam::486234852809:role/ci-dd-sdk-android/'
+
+DD_ANDROID_SECRET__TEST_SECRET="test.secret"
+DD_ANDROID_SECRET__GRADLE_PROPERTIES="gradle.properties"
+DD_ANDROID_SECRET__SIGNING_GPG_PRIVATE_KEY="signing.gpg_private_key"
+DD_ANDROID_SECRET__SIGNING_GPG_PASSPHRASE="signing.gpg_passphrase"
+DD_ANDROID_SECRET__SIGNING_GPG_PUBLIC_KEY="signing.gpg_public_key"
+DD_ANDROID_SECRET__PUBLISHING_CENTRAL_USERNAME="publishing.central_username"
+DD_ANDROID_SECRET__PUBLISHING_CENTRAL_PWD="publishing.central_password"
+DD_ANDROID_SECRET__API_KEY="api_key"
+DD_ANDROID_SECRET__APP_KEY="app_key"
+DD_ANDROID_SECRET__CODECOV_TOKEN="codecov-token"
+DD_ANDROID_SECRET__KEYSTORE="keystore"
+DD_ANDROID_SECRET__KEYSTORE_PWD="keystore-password"
+DD_ANDROID_SECRET__E2E_CONFIG_JSON="e2e_config_json"
+DD_ANDROID_SECRET__E2E_API_KEY="e2e_api_key"
+DD_ANDROID_SECRET__E2E_APP_KEY="e2e_app_key"
+DD_ANDROID_SECRET__E2E_MOBILE_APP_ID="e2e_mobile_app_id"
+DD_ANDROID_SECRET__E2E_STAGING_CONFIG_JSON="e2e_staging_config_json"
+DD_ANDROID_SECRET__E2E_STAGING_API_KEY="e2e_staging_api_key"
+DD_ANDROID_SECRET__E2E_STAGING_APP_KEY="e2e_staging_app_key"
+DD_ANDROID_SECRET__E2E_STAGING_APP_ID="e2e_staging_mobile_app_id"
+DD_ANDROID_SECRET__WEBVIEW_CONFIG_JSON="webview_config_json"
+DD_ANDROID_SECRET__WEBVIEW_API_KEY="webview_api_key"
+DD_ANDROID_SECRET__WEBVIEW_APP_KEY="webview_app_key"
+DD_ANDROID_SECRET__WEBVIEW_MOBILE_APP_ID="webview_mobile_app_id"
+DD_ANDROID_SECRET__BENCHMARK_CONFIG_JSON="benchmark_config_json"
+DD_ANDROID_SECRET__BENCHMARK_API_KEY="benchmark_api_key"
+DD_ANDROID_SECRET__BENCHMARK_APP_KEY="benchmark_app_key"
+DD_ANDROID_SECRET__BENCHMARK_MOBILE_APP_ID="benchmark_mobile_app_id"
+
+idx=0
+declare -A DD_ANDROID_SECRETS
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__TEST_SECRET | Test secret to verify functionality. Can be changed but not deleted."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__GRADLE_PROPERTIES | Content of the gradle.properties file, providing options to speed up CI jobs."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__SIGNING_GPG_PRIVATE_KEY | GPG private key for signing artifacts published to Sonatype Maven repository."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__SIGNING_GPG_PASSPHRASE | GPG passphrase for signing artifacts published to Sonatype Maven repository."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__SIGNING_GPG_PUBLIC_KEY | GPG public key for signing artifacts published to Sonatype Maven repository."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__PUBLISHING_CENTRAL_USERNAME | Username for publishing artifacts to Sonatype Maven repository."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__PUBLISHING_CENTRAL_PWD | Password for publishing artifacts to Sonatype Maven repository."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__API_KEY | API key for sending CI App reports to org2."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__APP_KEY | Application key for sending CI App reports to org2."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__CODECOV_TOKEN | CodeCov token for unit test jobs."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__KEYSTORE | Android signing keystore for building all APKs for synthetics."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__KEYSTORE_PWD | Android signing password for building all APKs for synthetics."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__E2E_CONFIG_JSON | config.json for uploading an end-to-end APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__E2E_API_KEY | API key for uploading an end-to-end APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__E2E_APP_KEY | App key for uploading an end-to-end APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__E2E_MOBILE_APP_ID | Application ID for uploading an end-to-end APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__E2E_STAGING_CONFIG_JSON | config.json for uploading an end-to-end APK to the Staging org."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__E2E_STAGING_API_KEY | API key for uploading an end-to-end APK to synthetics on the Staging org."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__E2E_STAGING_APP_KEY | App key for uploading an end-to-end APK to synthetics on the Staging org."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__E2E_STAGING_APP_ID | Application ID for uploading an end-to-end APK to synthetics on the Staging org."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__WEBVIEW_CONFIG_JSON | config.json for uploading an end-to-end APK (for webview integration) to the RUM Synthetics Playground org (478292, https://rum-synthetics.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__WEBVIEW_API_KEY | API key for uploading an end-to-end APK (for webview integration) to the RUM Synthetics Playground org (478292, https://rum-synthetics.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__WEBVIEW_APP_KEY | App key for uploading an end-to-end APK (for webview integration) to the RUM Synthetics Playground org (478292, https://rum-synthetics.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__WEBVIEW_MOBILE_APP_ID | Application ID for uploading an end-to-end APK (for webview integration) to the RUM Synthetics Playground org (478292, https://rum-synthetics.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__BENCHMARK_CONFIG_JSON | config.json for uploading a benchmark APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__BENCHMARK_API_KEY | API key for uploading a benchmark APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__BENCHMARK_APP_KEY | App key for uploading a benchmark APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
+DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__BENCHMARK_MOBILE_APP_ID | Application ID for uploading a benchmark APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."