Update signArtifacts lib env vars with credentials

tests/jenkins/TestPromoteArtifacts.groovy

@@ -43,10 +43,12 @@ class TestPromoteArtifacts extends BuildPipelineTest {
         binding.setVariable('ARTIFACT_PRODUCTION_BUCKET_NAME', 'prod-bucket-name')
         binding.setVariable('WORKSPACE', 'tests/jenkins')
         binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name')
-        binding.setVariable('SIGNER_CLIENT_ROLE', 'dummy_signer_client_role')
-        binding.setVariable('SIGNER_CLIENT_EXTERNAL_ID', 'signer_client_external_id')
-        binding.setVariable('SIGNER_CLIENT_UNSIGNED_BUCKET', 'signer_client_unsigned_bucket')
-        binding.setVariable('SIGNER_CLIENT_SIGNED_BUCKET', 'signer_client_signed_bucket')
+        def signer_client_creds = ["role": "dummy_role",
+                       "external_id": "dummy_ID",
+                       "unsigned_bucket": "dummy_unsigned_bucket",
+                       "signed_bucket": "dummy_signed_bucket"]
+        binding.setVariable('configs', signer_client_creds)
+        helper.registerAllowedMethod("readJSON", [Map.class], {c -> signer_client_creds})
 
         helper.registerAllowedMethod("git", [Map])
         helper.registerAllowedMethod("s3Download", [Map])

tests/jenkins/TestPromoteYumRepos.groovy

@@ -24,10 +24,12 @@ class TestPromoteYumRepos extends BuildPipelineTest {
         binding.setVariable('AWS_ACCOUNT_ARTIFACT', 'artifactsAccount')
         binding.setVariable('ARTIFACT_PRODUCTION_BUCKET_NAME', 'prod-bucket-name')
         binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name')
-        binding.setVariable('SIGNER_CLIENT_ROLE', 'dummy_signer_client_role')
-        binding.setVariable('SIGNER_CLIENT_EXTERNAL_ID', 'signer_client_external_id')
-        binding.setVariable('SIGNER_CLIENT_UNSIGNED_BUCKET', 'signer_client_unsigned_bucket')
-        binding.setVariable('SIGNER_CLIENT_SIGNED_BUCKET', 'signer_client_signed_bucket')
+        def signer_client_creds = ["role": "dummy_role",
+                       "external_id": "dummy_ID",
+                       "unsigned_bucket": "dummy_unsigned_bucket",
+                       "signed_bucket": "dummy_signed_bucket"]
+        binding.setVariable('configs', signer_client_creds)
+        helper.registerAllowedMethod("readJSON", [Map.class], {c -> signer_client_creds})
         helper.registerAllowedMethod("git", [Map])
         helper.registerAllowedMethod("withAWS", [Map, Closure], { args, closure ->
             closure.delegate = delegate

tests/jenkins/jenkinsjob-regression-files/data-prepper/release-data-prepper-all-artifacts.jenkinsfile.txt

@@ -17,14 +17,16 @@
                   signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                   signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
                   signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
-                  signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
+                  signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
+                  signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
+                     signArtifacts.readJSON({text=signer_client_creds})
                      signArtifacts.sh(
                 #!/bin/bash
                 set +x
-                export ROLE=dummy_signer_client_role
-                export EXTERNAL_ID=signer_client_external_id
-                export UNSIGNED_BUCKET=signer_client_unsigned_bucket
-                export SIGNED_BUCKET=signer_client_signed_bucket
+                export ROLE=dummy_role
+                export EXTERNAL_ID=dummy_ID
+                export UNSIGNED_BUCKET=dummy_unsigned_bucket
+                export SIGNED_BUCKET=dummy_signed_bucket
 
                 /tmp/workspace/sign.sh /tmp/workspace/archive --sigtype=.sig --platform=linux
             )
@@ -89,14 +91,16 @@
                   signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                   signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
                   signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
-                  signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
+                  signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
+                  signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
+                     signArtifacts.readJSON({text=signer_client_creds})
                      signArtifacts.sh(
                 #!/bin/bash
                 set +x
-                export ROLE=dummy_signer_client_role
-                export EXTERNAL_ID=signer_client_external_id
-                export UNSIGNED_BUCKET=signer_client_unsigned_bucket
-                export SIGNED_BUCKET=signer_client_signed_bucket
+                export ROLE=dummy_role
+                export EXTERNAL_ID=dummy_ID
+                export UNSIGNED_BUCKET=dummy_unsigned_bucket
+                export SIGNED_BUCKET=dummy_signed_bucket
 
                 /tmp/workspace/sign.sh /tmp/workspace/maven --type=maven --platform=linux
             )

tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt

@@ -16,14 +16,16 @@
                   signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                   signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
                   signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
-                  signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
+                  signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
+                  signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
+                     signArtifacts.readJSON({text=signer_client_creds})
                      signArtifacts.sh(
                 #!/bin/bash
                 set +x
-                export ROLE=dummy_signer_client_role
-                export EXTERNAL_ID=signer_client_external_id
-                export UNSIGNED_BUCKET=signer_client_unsigned_bucket
-                export SIGNED_BUCKET=signer_client_signed_bucket
+                export ROLE=dummy_role
+                export EXTERNAL_ID=dummy_ID
+                export UNSIGNED_BUCKET=dummy_unsigned_bucket
+                export SIGNED_BUCKET=dummy_signed_bucket
 
                 /tmp/workspace/sign.sh /tmp/workspace/artifacts/distribution-build-opensearch/1.0.0/123/linux/x64/builds/opensearch/manifest.yml --type=maven --platform=linux
             )

tests/jenkins/jenkinsjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt

@@ -14,14 +14,16 @@
                   signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                   signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
                   signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
-                  signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
+                  signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
+                  signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
+                     signArtifacts.readJSON({text=signer_client_creds})
                      signArtifacts.sh(
                 #!/bin/bash
                 set +x
-                export ROLE=dummy_signer_client_role
-                export EXTERNAL_ID=signer_client_external_id
-                export UNSIGNED_BUCKET=signer_client_unsigned_bucket
-                export SIGNED_BUCKET=signer_client_signed_bucket
+                export ROLE=dummy_role
+                export EXTERNAL_ID=dummy_ID
+                export UNSIGNED_BUCKET=dummy_unsigned_bucket
+                export SIGNED_BUCKET=dummy_signed_bucket
 
                 /tmp/workspace/sign.sh /tmp/workspace/artifacts --sigtype=.sig --platform=linux
             )

tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt

@@ -13,11 +13,11 @@
                   BuildManifest.getArtifactRootUrlWithoutDistribution(https://ci.opensearch.org/dbc, vars-build, 123)
                   assembleManifest.sh(./assemble.sh "tests/data/opensearch-build-1.3.0-rpm.yml" --base-url https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64)
                   assembleManifest.signArtifacts({artifactPath=rpm/dist/opensearch, sigtype=.rpm, platform=linux})
-                     signArtifacts.echo(RPM Add Sign)
-                     signArtifacts.withAWS({role=sign_asm_role, roleAccount=sign_asm_account, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure)
-                        signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-pass-id, variable=SIGNING_PASS_ID})
-                        signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-secret-id, variable=SIGNING_SECRET_ID})
-                        signArtifacts.withCredentials([SIGNING_PASS_ID, SIGNING_SECRET_ID], groovy.lang.Closure)
+                     signArtifacts.string({credentialsId=jenkins-rpm-signing-props, variable=configs})
+                     signArtifacts.withCredentials([configs], groovy.lang.Closure)
+                        signArtifacts.readJSON({text=configs})
+                        signArtifacts.echo(RPM Add Sign)
+                        signArtifacts.withAWS({role=jenki-jenki-asm-assume-role, roleAccount=1234, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure)
                            signArtifacts.sh(
                         set -e
                         set +x
@@ -57,8 +57,8 @@
 
                         echo "------------------------------------------------------------------------"
                         echo "Import OpenSearch keys"
-                        aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_PASS_ID" | jq -r .SecretBinary | base64 --decode > passphrase
-                        aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_SECRET_ID" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase -
+                        aws secretsmanager get-secret-value --region us-west-2 --secret-id "ARN::123456" | jq -r .SecretBinary | base64 --decode > passphrase
+                        aws secretsmanager get-secret-value --region us-west-2 --secret-id "ARN::56789" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase -
 
                         echo "------------------------------------------------------------------------"
                         echo "Start Signing Rpm"
@@ -85,8 +85,8 @@
 
                         echo "------------------------------------------------------------------------"
                         echo "Clean up gpg"
-                        gpg --batch --yes --delete-secret-keys sign_asm_keyid
-                        gpg --batch --yes --delete-keys sign_asm_keyid
+                        gpg --batch --yes --delete-secret-keys abcd1234
+                        gpg --batch --yes --delete-keys abcd1234
                         rm -v passphrase
 
                     )

tests/jenkins/jobs/PromoteArtifactsQualifier_actions_Jenkinsfile.txt

@@ -29,14 +29,16 @@
                      signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                      signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
                      signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
-                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
+                     signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
+                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
+                        signArtifacts.readJSON({text=signer_client_creds})
                         signArtifacts.sh(
                 #!/bin/bash
                 set +x
-                export ROLE=dummy_signer_client_role
-                export EXTERNAL_ID=signer_client_external_id
-                export UNSIGNED_BUCKET=signer_client_unsigned_bucket
-                export SIGNED_BUCKET=signer_client_signed_bucket
+                export ROLE=dummy_role
+                export EXTERNAL_ID=dummy_ID
+                export UNSIGNED_BUCKET=dummy_unsigned_bucket
+                export SIGNED_BUCKET=dummy_signed_bucket
 
                 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
             )
@@ -60,14 +62,16 @@
                      signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                      signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
                      signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
-                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
+                     signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
+                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
+                        signArtifacts.readJSON({text=signer_client_creds})
                         signArtifacts.sh(
                 #!/bin/bash
                 set +x
-                export ROLE=dummy_signer_client_role
-                export EXTERNAL_ID=signer_client_external_id
-                export UNSIGNED_BUCKET=signer_client_unsigned_bucket
-                export SIGNED_BUCKET=signer_client_signed_bucket
+                export ROLE=dummy_role
+                export EXTERNAL_ID=dummy_ID
+                export UNSIGNED_BUCKET=dummy_unsigned_bucket
+                export SIGNED_BUCKET=dummy_signed_bucket
 
                 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
             )

tests/jenkins/jobs/PromoteArtifactsQualifier_actions_OpenSearch_Dashboards_Jenkinsfile.txt

@@ -29,14 +29,16 @@
                      signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                      signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
                      signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
-                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
+                     signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
+                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
+                        signArtifacts.readJSON({text=signer_client_creds})
                         signArtifacts.sh(
                 #!/bin/bash
                 set +x
-                export ROLE=dummy_signer_client_role
-                export EXTERNAL_ID=signer_client_external_id
-                export UNSIGNED_BUCKET=signer_client_unsigned_bucket
-                export SIGNED_BUCKET=signer_client_signed_bucket
+                export ROLE=dummy_role
+                export EXTERNAL_ID=dummy_ID
+                export UNSIGNED_BUCKET=dummy_unsigned_bucket
+                export SIGNED_BUCKET=dummy_signed_bucket
 
                 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
             )
@@ -60,14 +62,16 @@
                      signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                      signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
                      signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
-                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
+                     signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds})
+                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure)
+                        signArtifacts.readJSON({text=signer_client_creds})
                         signArtifacts.sh(
                 #!/bin/bash
                 set +x
-                export ROLE=dummy_signer_client_role
-                export EXTERNAL_ID=signer_client_external_id
-                export UNSIGNED_BUCKET=signer_client_unsigned_bucket
-                export SIGNED_BUCKET=signer_client_signed_bucket
+                export ROLE=dummy_role
+                export EXTERNAL_ID=dummy_ID
+                export UNSIGNED_BUCKET=dummy_unsigned_bucket
+                export SIGNED_BUCKET=dummy_signed_bucket
 
                 tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig
             )