Remove COSIGN_PUBLIC_KEY from Jenkins secrets

Since the public key does not contain sensitive information, it is now
accessed via a regular variables instead of a credential.

Signed-off-by: Luiz Carvalho <[email protected]>

Author: lcarva

generated/gitops-template/jenkins/Jenkinsfile

@@ -11,7 +11,7 @@ pipeline {
         COSIGN_SECRET_PASSWORD = 'dummy'
         COSIGN_SECRET_KEY = 'dummy'
         /* Used to verify the image signature and attestation */
-        COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
+        /* COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY') */
         /* URL of the BOMbastic api host (e.g. https://sbom.trustification.dev) */
         TRUSTIFICATION_BOMBASTIC_API_URL = credentials('TRUSTIFICATION_BOMBASTIC_API_URL')
         /* URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken) */

generated/source-repo/githubactions/.github/workflows/build-and-update-gitops.yml

@@ -26,6 +26,7 @@ env:
   # QUAY_IO_CREDS_USR: ${{ vars.QUAY_IO_CREDS_USR }}
   # ARTIFACTORY_IO_CREDS_USR: ${{ vars.ARTIFACTORY_IO_CREDS_USR }}
   # NEXUS_IO_CREDS_USR: ${{ vars.NEXUS_IO_CREDS_USR }}
+  # Used to verify the image signature and attestation
   COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
   # Secrets
   ROX_API_TOKEN: ${{ secrets.ROX_API_TOKEN }}
@@ -84,6 +85,7 @@ jobs:
             /*QUAY_IO_CREDS_USR: `${{ vars.QUAY_IO_CREDS_USR }}`, */
             /*ARTIFACTORY_IO_CREDS_USR: `${{ vars.ARTIFACTORY_IO_CREDS_USR }}`, */
             /*NEXUS_IO_CREDS_USR: `${{ vars.NEXUS_IO_CREDS_USR }}`, */
+            /* Used to verify the image signature and attestation */
             COSIGN_PUBLIC_KEY: `${{ vars.COSIGN_PUBLIC_KEY }}`, 
           };
 

hack/jenkins-get-secrets

@@ -11,4 +11,3 @@ bash $SCRIPTDIR/jenkins-get-credentials GITOPS_AUTH_PASSWORD
 bash $SCRIPTDIR/jenkins-get-credentials QUAY_IO_CREDS
 bash $SCRIPTDIR/jenkins-get-credentials COSIGN_SECRET_PASSWORD
 bash $SCRIPTDIR/jenkins-get-credentials COSIGN_SECRET_KEY
-bash $SCRIPTDIR/jenkins-get-credentials COSIGN_PUBLIC_KEY

hack/jenkins-set-secrets

@@ -3,7 +3,7 @@ set -euo pipefail
 
 SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 
-ENV="MY_JENKINS_SERVER MY_JENKINS_USER MY_JENKINS_TOKEN COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY "
+ENV="MY_JENKINS_SERVER MY_JENKINS_USER MY_JENKINS_TOKEN COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY "
 
 ENV+=" ACS__API_TOKEN ACS__CENTRAL_ENDPOINT GITOPS_AUTH_PASSWORD "
 source $SCRIPTDIR/../rhtap/verify-deps-exist "$ENV" "curl"
@@ -13,7 +13,6 @@ bash $SCRIPTDIR/jenkins-create-secret ROX_CENTRAL_ENDPOINT "${ACS__CENTRAL_ENDPO
 bash $SCRIPTDIR/jenkins-create-secret GITOPS_AUTH_PASSWORD "${GITOPS_AUTH_PASSWORD}"
 bash $SCRIPTDIR/jenkins-create-secret COSIGN_SECRET_PASSWORD "${COSIGN_SECRET_PASSWORD}"
 bash $SCRIPTDIR/jenkins-create-secret COSIGN_SECRET_KEY "${COSIGN_SECRET_KEY}"
-bash $SCRIPTDIR/jenkins-create-secret COSIGN_PUBLIC_KEY "${COSIGN_PUBLIC_KEY}"
 if [[ -n "${TRUSTIFICATION_BOMBASTIC_API_URL:-}" ]]; then
     bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_BOMBASTIC_API_URL "${TRUSTIFICATION_BOMBASTIC_API_URL}"
 fi

templates/data.yaml

@@ -64,6 +64,12 @@ build_variables:
     commented_out: true
 
   - name: COSIGN_PUBLIC_KEY
+    if: 'isGitHub || isAzure'
+    comment: Used to verify the image signature and attestation
+  - name: COSIGN_PUBLIC_KEY
+    if: '!isGitHub && !isAzure'
+    commented_out: true
+    comment: Used to verify the image signature and attestation
 
 build_secrets:
   - name: ROX_API_TOKEN
@@ -81,27 +87,27 @@ build_secrets:
   - name: IMAGE_REGISTRY_PASSWORD
     if: '!isGitHub && !isAzure'
     commented_out: true
-    comment: "Set this password for your specific registry" 
+    comment: "Set this password for your specific registry"
 
   - name: QUAY_IO_CREDS
     if: isJenkins
     comment: "Default registry is set to quay.io"
   - name: QUAY_IO_CREDS_PSW
-    if: '!isJenkins' 
+    if: '!isJenkins'
     commented_out: true
 
   - name: ARTIFACTORY_IO_CREDS
     if: isJenkins
     commented_out: true
   - name: ARTIFACTORY_IO_CREDS_PSW
-    if: '!isJenkins'  
+    if: '!isJenkins'
     commented_out: true
 
   - name: NEXUS_IO_CREDS
     if: isJenkins
     commented_out: true
   - name: NEXUS_IO_CREDS_PSW
-    if: '!isJenkins'  
+    if: '!isJenkins'
     commented_out: true
 
   - name: COSIGN_SECRET_PASSWORD
@@ -115,6 +121,11 @@ gitops_steps:
 
 gitops_variables:
   - name: COSIGN_PUBLIC_KEY
+    if: 'isGitHub || isAzure'
+    comment: Used to verify the image signature and attestation
+  - name: COSIGN_PUBLIC_KEY
+    if: '!isGitHub && !isAzure'
+    commented_out: true
     comment: Used to verify the image signature and attestation
 
   - name: TRUSTIFICATION_BOMBASTIC_API_URL
@@ -174,24 +185,24 @@ gitops_secrets:
   - name: IMAGE_REGISTRY_PASSWORD
     if: '!isGitHub && !isAzure'
     commented_out: true
-    comment: "Set this password for your specific registry" 
+    comment: "Set this password for your specific registry"
   # show all the values options in the jenkins file and other CIs
   # this gives users a way to know what to set. Not perfect but better
-  # to be documented 
+  # to be documented
   - name: QUAY_IO_CREDS
     if: isJenkins
   - name: QUAY_IO_CREDS_PSW
-    if: '!isJenkins' 
-    commented_out: true 
+    if: '!isJenkins'
+    commented_out: true
   - name: ARTIFACTORY_IO_CREDS
     if: isJenkins
     commented_out: true
   - name: ARTIFACTORY_IO_CREDS_PSW
-    if: '!isJenkins'  
-    commented_out: true 
+    if: '!isJenkins'
+    commented_out: true
   - name: NEXUS_IO_CREDS
     if: isJenkins
     commented_out: true
   - name: NEXUS_IO_CREDS_PSW
-    if: '!isJenkins'  
+    if: '!isJenkins'
     commented_out: true