Update Jenkins templates with global variables

Currently, every environment variable is treated as a credential and
thus masked in the logs.
Some of the environment variables should be visible in the logs.
Change the templates so they use global variables in Jenkins for them.

Signed-off-by: Tomáš Nevrlka <tnevrlka@redhat.com>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

Author: tnevrlka

generated/gitops-template/jenkins/Jenkinsfile

@@ -11,26 +11,25 @@ pipeline {
         COSIGN_SECRET_PASSWORD = 'dummy'
         COSIGN_SECRET_KEY = 'dummy'
         /* Used to verify the image signature and attestation */
-        COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
+        COSIGN_PUBLIC_KEY = "${ env.COSIGN_PUBLIC_KEY }"
         /* URL of the BOMbastic api host (e.g. https://sbom.trustification.dev) */
-        TRUSTIFICATION_BOMBASTIC_API_URL = credentials('TRUSTIFICATION_BOMBASTIC_API_URL')
+        TRUSTIFICATION_BOMBASTIC_API_URL = "${ env.TRUSTIFICATION_BOMBASTIC_API_URL }"
         /* URL of the OIDC token issuer (e.g. https://sso.trustification.dev/realms/chicken) */
-        TRUSTIFICATION_OIDC_ISSUER_URL = credentials('TRUSTIFICATION_OIDC_ISSUER_URL')
-        TRUSTIFICATION_OIDC_CLIENT_ID = credentials('TRUSTIFICATION_OIDC_CLIENT_ID')
-        TRUSTIFICATION_OIDC_CLIENT_SECRET = credentials('TRUSTIFICATION_OIDC_CLIENT_SECRET')
-        TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION = credentials('TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION')
+        TRUSTIFICATION_OIDC_ISSUER_URL = "${ env.TRUSTIFICATION_OIDC_ISSUER_URL }"
+        TRUSTIFICATION_OIDC_CLIENT_ID = "${ env.TRUSTIFICATION_OIDC_CLIENT_ID }"
+        TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION = "${ env.TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION }"
+        /* Set when using Jenkins on non-local cluster and using an external Rekor instance */
+        /* REKOR_HOST = "${ env.REKOR_HOST }" */
+        /* Set when using Jenkins on non-local cluster and using an external TUF instance */
+        /* TUF_MIRROR = "${ env.TUF_MIRROR }" */
         /* Set this to the user for your specific registry */
-        /* IMAGE_REGISTRY_USER = credentials('IMAGE_REGISTRY_USER') */
+        /* IMAGE_REGISTRY_USER = "${ env.IMAGE_REGISTRY_USER }" */
+        TRUSTIFICATION_OIDC_CLIENT_SECRET = credentials('TRUSTIFICATION_OIDC_CLIENT_SECRET')
         /* Set this password for your specific registry */
         /* IMAGE_REGISTRY_PASSWORD = credentials('IMAGE_REGISTRY_PASSWORD') */
         QUAY_IO_CREDS = credentials('QUAY_IO_CREDS')
         /* ARTIFACTORY_IO_CREDS = credentials('ARTIFACTORY_IO_CREDS') */
-        /* NEXUS_IO_CREDS = credentials('NEXUS_IO_CREDS') */
-        /* Set when using Jenkins on non-local cluster and using an external Rekor instance */
-        /* REKOR_HOST = credentials('REKOR_HOST') */
-        /* Set when using Jenkins on non-local cluster and using an external TUF instance */
-        /* TUF_MIRROR = credentials('TUF_MIRROR') */
-    }
+        /* NEXUS_IO_CREDS = credentials('NEXUS_IO_CREDS') */}
     stages {
         stage('Verify EC') {
             steps {

generated/source-repo/jenkins/Jenkinsfile

@@ -7,27 +7,25 @@ library identifier: 'RHTAP_Jenkins@main', retriever: modernSCM(
 pipeline {
     agent any
     environment {
+        ROX_CENTRAL_ENDPOINT = "${ env.ROX_CENTRAL_ENDPOINT }"
+        /* GITOPS_AUTH_USERNAME = "${ env.GITOPS_AUTH_USERNAME }" */
+        /* Set this to the user for your specific registry */
+        /* IMAGE_REGISTRY_USER = "${ env.IMAGE_REGISTRY_USER }" */
+        /* Set this only when using an external Rekor instance */
+        /* REKOR_HOST = "${ env.REKOR_HOST }" */
+        /* Set this only when using an external TUF instance */
+        /* TUF_MIRROR = "${ env.TUF_MIRROR }" */
+        COSIGN_PUBLIC_KEY = "${ env.COSIGN_PUBLIC_KEY }"
         ROX_API_TOKEN = credentials('ROX_API_TOKEN')
-        ROX_CENTRAL_ENDPOINT = credentials('ROX_CENTRAL_ENDPOINT')
         GITOPS_AUTH_PASSWORD = credentials('GITOPS_AUTH_PASSWORD')
-        /* Uncomment this when using Gitlab */
-        /* GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME') */
-        /* Set this to the user for your specific registry */
-        /* IMAGE_REGISTRY_USER = credentials('IMAGE_REGISTRY_USER') */
         /* Set this password for your specific registry */
         /* IMAGE_REGISTRY_PASSWORD = credentials('IMAGE_REGISTRY_PASSWORD') */
         /* Default registry is set to quay.io */
         QUAY_IO_CREDS = credentials('QUAY_IO_CREDS')
         /* ARTIFACTORY_IO_CREDS = credentials('ARTIFACTORY_IO_CREDS') */
         /* NEXUS_IO_CREDS = credentials('NEXUS_IO_CREDS') */
         COSIGN_SECRET_PASSWORD = credentials('COSIGN_SECRET_PASSWORD')
-        COSIGN_SECRET_KEY = credentials('COSIGN_SECRET_KEY')
-        COSIGN_PUBLIC_KEY = credentials('COSIGN_PUBLIC_KEY')
-        /* Set when using Jenkins on non-local cluster and using an external Rekor instance */
-        /* REKOR_HOST = credentials('REKOR_HOST') */
-        /* Set when using Jenkins on non-local cluster and using an external TUF instance */
-        /* TUF_MIRROR = credentials('TUF_MIRROR') */
-    }
+        COSIGN_SECRET_KEY = credentials('COSIGN_SECRET_KEY')}
     stages {
         stage('init') {
             steps {

templates/gitops-template/Jenkinsfile.njk

@@ -8,9 +8,14 @@ pipeline {
         /* Not used but init.sh will fail if they're missing */
         COSIGN_SECRET_PASSWORD = 'dummy'
         COSIGN_SECRET_KEY = 'dummy'
+        {%- filter indent(8) -%}
+        {%- for var in gitops_variables -%}
+        {%- include "jenkins-variable.njk" -%}
+        {%- endfor %}
         {%- for secret in gitops_secrets -%}
         {%- include "jenkins-secret.njk" -%}
         {%- endfor %}
+        {%- endfilter -%}
     }
     stages {
         {%- for step in gitops_steps %}

templates/partials/jenkins-secret.njk

@@ -1,6 +1,6 @@
-        {%- if secret | eval_if_condition %}
-        {%- if secret.comment %}
-        /* {{ secret.comment }} */
-        {%- endif %}
-        {% if secret.commented_out %}/* {% endif %}{{ secret.name }} = credentials('{{ secret.name }}'){% if secret.commented_out %} */{% endif -%}
-        {%- endif -%}
+{%- if secret | eval_if_condition %}
+{%- if secret.comment %}
+/* {{ secret.comment }} */
+{%- endif %}
+{% if secret.commented_out %}/* {% endif %}{{ secret.name }} = credentials('{{ secret.name }}'){% if secret.commented_out %} */{% endif -%}
+{%- endif -%}

templates/partials/jenkins-variable.njk

@@ -0,0 +1,6 @@
+{%- if var | eval_if_condition %}
+{%- if var.comment %}
+/* {{ var.comment }} */
+{%- endif %}
+{% if var.commented_out %}/* {% endif %}{{ var.name }} = "${ env.{{ var.name }} }"{% if var.commented_out %} */{% endif -%}
+{%- endif -%}

templates/source-repo/Jenkinsfile.njk

@@ -5,9 +5,14 @@
 pipeline {
     agent any
     environment {
+        {%- filter indent(8) -%}
+        {%- for var in build_variables -%}
+        {%- include "jenkins-variable.njk" -%}
+        {%- endfor %}
         {%- for secret in build_secrets -%}
         {%- include "jenkins-secret.njk" -%}
         {%- endfor %}
+        {%- endfilter -%}
     }
     stages {
         {%- for step in build_steps %}