fix(kbn-evals): default VAULT_ADDR and auto-login on init (#270194)

Engineers running `node scripts/evals init` previously had to manually
export `VAULT_ADDR=https://secrets.elastic.co:8200` and pre-run `vault
login --method oidc` before the script would work. Apply the Elastic
Vault address as the default for all vault CLI invocations from
kbn-evals, and auto-trigger an OIDC login when no valid token is present
(matching the behavior already in kbn-es/eis_setup).

## Summary

Summarize your PR. If it involves visual changes include a screenshot or
gif.


### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

Author: ruflin

x-pack/platform/packages/shared/kbn-evals/scripts/vault/manage_secrets.ts

@@ -12,6 +12,9 @@ import { writeFile, readFile } from 'fs/promises';
 import { REPO_ROOT } from '@kbn/repo-info';
 import { schema } from '@kbn/config-schema';
 
+const DEFAULT_VAULT_ADDR = 'https://secrets.elastic.co:8200';
+const getVaultAddr = (): string => process.env.VAULT_ADDR || DEFAULT_VAULT_ADDR;
+
 /**
  * Vault-backed config used by @kbn/evals CI.
  *
@@ -137,6 +140,10 @@ export const retrieveFromVault = async (vaultPath: string, filePath: string, fie
   const { stdout } = await execa('vault', ['read', `-field=${field}`, vaultPath], {
     cwd: REPO_ROOT,
     buffer: true,
+    env: {
+      ...process.env,
+      VAULT_ADDR: getVaultAddr(),
+    },
   });
 
   const value = Buffer.from(stdout, 'base64').toString('utf-8').trim();
@@ -160,6 +167,10 @@ export const uploadToVault = async (vaultPath: string, filePath: string, field:
   await execa('vault', ['write', vaultPath, `${field}=${asB64}`], {
     cwd: REPO_ROOT,
     buffer: true,
+    env: {
+      ...process.env,
+      VAULT_ADDR: getVaultAddr(),
+    },
   });
 };
 

x-pack/platform/packages/shared/kbn-evals/src/cli/commands/init.ts

@@ -5,15 +5,15 @@
  * 2.0.
  */
 
-import { execSync, spawnSync } from 'child_process';
+import { execSync, spawnSync, spawn } from 'child_process';
 import Fs from 'fs';
 import Os from 'os';
 import Path from 'path';
 import inquirer from 'inquirer';
 import type { Command } from '@kbn/dev-cli-runner';
 import { set } from '@kbn/safer-lodash-set';
 import { parseConnectorsFromEnv, parseConnectorsFromKibanaDevYml } from '../prompts';
-import { safeExec, VAULT_SECRET_PATH } from '../utils';
+import { safeExec, getVaultAddr, VAULT_SECRET_PATH } from '../utils';
 import { VAULT_CONFIG_DIR } from '../profiles';
 import { buildApiKeyPayload } from '../../api_key/build_api_key_payload';
 
@@ -380,6 +380,49 @@ const checkVaultAuth = (): boolean => {
   return safeExec('vault', ['token', 'lookup', '-format=json']) !== null;
 };
 
+const vaultLogin = async (log: {
+  info: (msg: string) => void;
+  error: (msg: string) => void;
+}): Promise<void> => {
+  const vaultAddr = getVaultAddr();
+  log.info(`Launching Vault OIDC login against ${vaultAddr}...`);
+  log.info('A browser window should open. If it does not, follow the URL printed below.');
+
+  const child = spawn('vault', ['login', '--method', 'oidc'], {
+    env: { ...process.env, VAULT_ADDR: vaultAddr },
+    stdio: 'inherit',
+  });
+
+  const exitCode = await new Promise<number | null>((resolve, reject) => {
+    child.on('error', (err) => reject(err));
+    child.on('exit', (code) => resolve(code));
+  });
+
+  if (exitCode !== 0) {
+    throw new Error(
+      [
+        `Vault login failed (exit code ${exitCode}).`,
+        '',
+        'See https://docs.elastic.dev/vault for setup instructions.',
+      ].join('\n')
+    );
+  }
+};
+
+const ensureVaultAuth = async (log: {
+  info: (msg: string) => void;
+  error: (msg: string) => void;
+}): Promise<void> => {
+  if (checkVaultAuth()) {
+    return;
+  }
+  log.info('Vault session expired or not found — attempting login...');
+  await vaultLogin(log);
+  if (!checkVaultAuth()) {
+    throw new Error('Vault authentication still failing after login attempt.');
+  }
+};
+
 const fetchCcmApiKey = (log: { info: (msg: string) => void }): string => {
   log.info('Fetching EIS CCM API key from Vault...');
   const result = safeExec('vault', ['read', '-field=key', VAULT_SECRET_PATH]);
@@ -560,15 +603,11 @@ export const initCmd: Command<void> = {
     // --- EIS path ---
     log.info('');
 
-    // 1. Check Vault auth
-    log.info('Checking Vault auth...');
-    if (!checkVaultAuth()) {
-      log.error('Vault authentication failed. Please log in first:');
-      log.error('  vault login --method oidc');
-      log.error('');
-      log.error('Then re-run: node scripts/evals init');
-      throw new Error('Vault authentication required');
-    }
+    const vaultAddr = getVaultAddr();
+
+    // 1. Check Vault auth (auto-login if not authenticated)
+    log.info(`Checking Vault auth (VAULT_ADDR=${vaultAddr})...`);
+    await ensureVaultAuth(log);
     log.info('Vault auth OK');
 
     // 2. Fetch CCM API key

x-pack/platform/packages/shared/kbn-evals/src/cli/utils.ts

@@ -8,12 +8,19 @@
 import { execFileSync } from 'child_process';
 
 export const VAULT_SECRET_PATH = 'secret/kibana-issues/dev/inference/kibana-eis-ccm';
+export const DEFAULT_VAULT_ADDR = 'https://secrets.elastic.co:8200';
+
+export const getVaultAddr = (): string => process.env.VAULT_ADDR || DEFAULT_VAULT_ADDR;
 
 export const safeExec = (command: string, args: string[]): string | null => {
   try {
     return execFileSync(command, args, {
       encoding: 'utf8',
       stdio: ['ignore', 'pipe', 'ignore'],
+      env: {
+        ...process.env,
+        VAULT_ADDR: getVaultAddr(),
+      },
     }).trim();
   } catch {
     return null;