RUM-11897: Add scripts to set/get Vault secrets & Migrate CI

[ambushwork]

What does this PR do?

A brief description of the change being made with this pull request.

Motivation

What inspired you to submit this pull request?

Additional Notes

Anything else we should know when reviewing?

Review checklist (to be filled by reviewers)

• Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
• Make sure you discussed the feature or bugfix with the maintaining team in an Issue
• Make sure each commit and the PR mention the Issue number (cf the CONTRIBUTING doc)

[datadog-datadog-prod-us1]

🎯 Code Coverage
• Patch Coverage: 100.00%
• Total Coverage: 70.80% (-0.45%)

View detailed report

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 85c6bfd | Docs | Datadog PR Page | Was this helpful? Give us feedback!}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.84%. Comparing base (ee38a9a) to head (5bde49e).
⚠️ Report is 7 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #2974      +/-   ##
===========================================
- Coverage    70.91%   70.84%   -0.07%     
===========================================
  Files          829      829              
  Lines        30381    30381              
  Branches      5184     5184              
===========================================
- Hits         21543    21523      -20     
- Misses        7373     7378       +5     
- Partials      1465     1480      +15     

see 29 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[0xnm]

Is there a benefit of using macOS runner for that?

Also if it indeed should be macOS runner, then image directive below has no effect.

[ambushwork]

That's an obligation, only MacOS runner has the correct IAM role to access Vault of our project.

[0xnm]

only MacOS runner has the correct IAM role

Why so? AFAIK every repo has a unique service account associated, so maybe we can list it as well as account which can have this role?

The fleet of macOS runners is much limited in size, while k8s runners are faster to get and run.

Not a blocker though.

[0xnm]

Is it a safe thing to have? it means that anyone with just a basic Gitlab CI access can download this, not only RUM team members.

Moreover, it makes this artifact available for 1 hour, meaning it is still there even after pipeline completed, failed.

Should we maybe fetch secrets only in the boundaries of the particular job?

[ambushwork]

since the default behavior will be only uploading artifacts when success, do you think remove when:always will improve this?
fetching secrets in each job may cause repeat vault login and vault get, it may increase the CI time, I can ask around if this is a safe way

[0xnm]

fetching secrets in each job may cause repeat vault login and vault get

It should be fast. Anyway, by constraining secrets lifetime only to the particular job and removing the possibility to fetch them as an artifact we limit access only to the Repo Admins/Contributors (it is still possible to modify CI script to read them) compared to the Job artifacts access which is possible for everyone with dev access.