From 12d3c32855f7f3536918a1836fc8ea9c7e2e2ae7 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 10 Nov 2023 15:27:38 -0600
Subject: [PATCH] jenkins: RBAC for K8s Credentials Provider

The [Kubernetes Credentials Provider][0] plugin for Jenkins allows Jenkins to expose Kubernetes Secret resources as Jenkins Credentials. Jobs can use them like normal Jenkins credentials, e.g. using `withCredentials`, `sshagent`, etc. The only drawback is that every credential exposed this way is available to every job, at least until [PR #40][1] is merged. Fortunately, jobs managed by this Jenkins instance are all trusted; no anonymous pull requests are possible, so the risk is mitigated.

[0]: https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/
[1]: https://github.com/jenkinsci/kubernetes-credentials-provider-plugin/pull/40
---
 jenkins/jenkins.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/jenkins/jenkins.yaml b/jenkins/jenkins.yaml
index 40656b7..d89052b 100644
--- a/jenkins/jenkins.yaml
+++ b/jenkins/jenkins.yaml
@@ -43,6 +43,22 @@ spec:
       requests:
         storage: 20Gi
 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins
+  namespace: jenkins
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -59,6 +75,20 @@ rules:
   verbs:
   - '*'
 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins
+  namespace: jenkins
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins
+subjects:
+- kind: ServiceAccount
+  name: jenkins
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
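Review bot: The new Role's single rule grants `get`, `list` and `watch` on every Secret in the `jenkins` namespace with no `resourceNames` filter, so anything running as the bound ServiceAccount (including the build pods the commit message describes) can read all Secrets there, not just the ones labelled for the credentials provider. Because the plugin watches the namespace, `resourceNames` cannot narrow this (Kubernetes does not apply it to `list`/`watch`), so the practical control is to keep unrelated Secrets out of this namespace, and that constraint is worth stating next to the rule: `# Read access to every Secret in this namespace (list/watch cannot be scoped by resourceNames); only credentials meant for Jenkins belong here.` The Role that follows in the context lines is named outside this hunk; if it also carries `metadata.name: jenkins` in the same namespace, the two documents would collide on apply and a more specific name such as `jenkins-secrets-reader` would avoid a silent overwrite.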
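Review bot: The RoleBinding's ServiceAccount subject omits `namespace`; the RBAC authorizer treats a missing subject namespace on a RoleBinding as the binding's own namespace, but writing `namespace: jenkins` under the subject makes the granted identity explicit and keeps the stanza correct if it is ever copied into a ClusterRoleBinding, where the field is required. The existing RoleBinding in the trailing context starts outside this hunk; if it is also `metadata.name: jenkins`, the same overwrite-on-apply concern as for the Role applies, and naming this binding after the Role it references (e.g. `jenkins-secrets-reader`) would make the pair easy to audit.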