RHTAP: Allow jenkins builds in any namespace (#8916)

* RHTAP: Allow jenkins builds in any namespace

* update

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/tasks/setup_jenkins.yml

@@ -13,47 +13,6 @@
     oc delete pod $JENKINS_POD -n {{ ocp4_workload_trusted_application_pipeline_jenkins_namespace
     }}
 
-- name: Create Jenkins Secrets
-  kubernetes.core.k8s:
-    state: present
-    definition: "{{ lookup('file', item) | from_yaml }}"
-    namespace: "{{ ocp4_workload_trusted_application_pipeline_jenkins_namespace }}"
-  loop:
-  - external-secret-trustification.yml
-  - external-secret-gitlab-webhook.yml
-  - external-secret-common-password.yml
-  - external-secret-stackrox-token.yml
-
-- name: Create Jenkins Job Runner Resources
-  kubernetes.core.k8s:
-    state: present
-    definition: "{{ lookup('template', item) | from_yaml }}"
-  loop:
-  - cluster-role-binding-job-runner-sa-cluster-edit.yml.j2
-  - sa-jenkins-job-runner.yml.j2
-
-- name: Retrieve cosign signing secret
-  kubernetes.core.k8s_info:
-    api_version: v1
-    kind: Secret
-    name: signing-secrets
-    namespace: "{{ ocp4_workload_trusted_application_pipeline_pipelines_namespace }}"
-  register: r_signing_secrets
-  retries: 120
-  delay: 10
-  until:
-  - r_signing_secrets is defined
-  - r_signing_secrets.resources is defined
-  - r_signing_secrets.resources | length > 0
-
-- name: Creating Cosign Signing Secret
-  shell: |
-    oc create secret generic signing-secrets -n {{
-    ocp4_workload_trusted_application_pipeline_jenkins_namespace }} \
-    --from-literal=cosign.key={{ r_signing_secrets.resources[0].data['cosign.key'] }} \
-    --from-literal=cosign.pub={{ r_signing_secrets.resources[0].data['cosign.pub'] }} \
-    --from-literal=cosign.password={{ r_signing_secrets.resources[0].data['cosign.password'] | b64decode }}
-
 - name: Wait until Jenkins is fully up and running
   k8s_info:
     api_version: v1
@@ -85,6 +44,13 @@
   set_fact:
     ocp4_workload_trusted_application_pipeline_jenkins_token: "{{ r_jenkins_token.json.data.tokenValue }}"
 
+- name: Create vaulted Jenkins token
+  kubernetes.core.k8s_exec:
+    namespace: "{{ ocp4_workload_trusted_application_pipeline_vault_namespace }}"
+    pod: vault-0
+    command: |
+      vault kv put kv/secrets/janusidp/jenkins token={{ ocp4_workload_trusted_application_pipeline_jenkins_token }}
+
 - name: Deploy Nginx
   kubernetes.core.k8s:
     state: present

ansible/roles_ocp_workloads/ocp4_workload_trusted_application_pipeline/tasks/setup_tekton_chains.yml

@@ -20,6 +20,30 @@
     args:
       chdir: /tmp
 
+  - name: Get signing secrets
+    kubernetes.core.k8s_info:
+      api_version: v1
+      kind: Secret
+      name: signing-secrets
+      namespace: "{{ ocp4_workload_trusted_application_pipeline_pipelines_namespace }}"
+    register: r_signing_secrets
+    retries: 120
+    delay: 10
+    until:
+    - r_signing_secrets is defined
+    - r_signing_secrets.resources is defined
+    - r_signing_secrets.resources | length > 0
+
+  - name: Create vault secrets for Cosign (Encoded)
+    kubernetes.core.k8s_exec:
+      namespace: "{{ ocp4_workload_trusted_application_pipeline_vault_namespace }}"
+      pod: vault-0
+      command: "{{ item }}"
+    loop:
+    - "vault kv put kv/secrets/janusidp/cosign/key value={{ r_signing_secrets.resources[0].data['cosign.key'] }}"
+    - "vault kv put kv/secrets/janusidp/cosign/password value={{ r_signing_secrets.resources[0].data['cosign.password'] }}"
+    - "vault kv put kv/secrets/janusidp/cosign/pub value={{ r_signing_secrets.resources[0].data['cosign.pub'] }}"
+
   - name: Retrieve cosign public key
     run_once: true
     ansible.builtin.fetch: