From dbbe23aaa5313d7e0cde9f162d6d0c5e250a4b18 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 14 Jul 2025 15:50:09 -0500
Subject: [PATCH] cert-manager: Add role for Jenkins to access certs

Ansible playbook running as Jenkins jobs need to be able to access the Secret resources containing certificates issued by _cert-manager_ in order to install them on managed nodes. Although not all jobs do this yet, eventually, the _cert-exporter_ will no longer be necessary, as the _certs.git_ repository will not be used anymore.
---
cert-manager/jenkins.yaml | 34 +++++++++++++++++++++++++++++++++
cert-manager/kustomization.yaml | 1 +
2 files changed, 35 insertions(+)
create mode 100644 cert-manager/jenkins.yaml

diff --git a/cert-manager/jenkins.yaml b/cert-manager/jenkins.yaml
new file mode 100644
index 0000000..ce7470e
--- /dev/null
+++ b/cert-manager/jenkins.yaml
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: jenkins
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ resourceNames:
+ - pyrocufflink-cert
+ - dustinhatchname-cert
+ - hatchchat-cert
+ - tabitha-cert
+ - chmod777-cert
+ - dustinandtabitha-cert
+ - hlc-cert
+ - appsxyz-cert
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: jenkins
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: jenkins
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: jenkins-jobs
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index 342aada..63f5100 100644
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 - cert-exporter.yaml
 - dch-ca-issuer.yaml
 - secrets.yaml
+- jenkins.yaml
 configMapGenerator:
 - name: cert-exporter
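Review bot: The RoleBinding in cert-manager/jenkins.yaml binds the Role to the `default` ServiceAccount of `jenkins-jobs`, so every pod in that namespace that does not set its own service account can `get` the eight listed Secrets, which for cert-manager-issued certificates normally hold the private key alongside the certificate. Binding a dedicated account used only by the jobs that install certificates would narrow this, e.g. `name: <cert-deploy-serviceaccount>` under `subjects` (placeholder; the account would have to exist and be set on those job pods). Neither object sets `metadata.namespace`, which is fine if the kustomization applies `namespace:` outside the visible context, but it is worth confirming that the Role lands in the namespace where the Secrets live. Limiting the rule to `get` with `resourceNames` is the right shape; a comment above `resourceNames` such as `# Secrets Jenkins may read; extend when a new Certificate must be deployed by a job` would document why the list exists.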