titan-iac/services/jenkins/helmrelease.yaml

# services/jenkins/helmrelease.yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: jenkins
  namespace: jenkins
spec:
  interval: 30m
  chart:
    spec:
      chart: jenkins
      version: 5.8.114
      sourceRef:
        kind: HelmRepository
        name: jenkins
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
  values:
    controller:
      jenkinsUrl: https://ci.bstein.dev
      ingress:
        enabled: true
        hostName: ci.bstein.dev
        ingressClassName: traefik
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        tls:
          - secretName: jenkins-tls
            hosts:
              - ci.bstein.dev
      installPlugins:
        - kubernetes
        - workflow-aggregator
        - git
        - configuration-as-code
        - oic-auth
      containerEnv:
        - name: ENABLE_OIDC
          value: "true"
        - name: OIDC_ISSUER
          value: "https://sso.bstein.dev/realms/atlas"
        - name: OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: clientId
              optional: true
        - name: OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: clientSecret
              optional: true
        - name: OIDC_AUTH_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: authorizationUrl
              optional: true
        - name: OIDC_TOKEN_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: tokenUrl
              optional: true
        - name: OIDC_USERINFO_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: userInfoUrl
              optional: true
        - name: OIDC_LOGOUT_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: logoutUrl
              optional: true
      initScripts:
        oidc.groovy: |
          import hudson.util.Secret
          import jenkins.model.IdStrategy
          import jenkins.model.Jenkins
          import org.jenkinsci.plugins.oic.OicSecurityRealm
          import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
          def env = System.getenv()
          if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
            println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
            return
          }
          def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']
          if (!required.every { env[it] }) {
            println("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
            return
          }
          try {
            def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"
            def serverCfg = new OicServerWellKnownConfiguration(wellKnown)
            serverCfg.setScopesOverride('openid profile email')
            def realm = new OicSecurityRealm(
              env['OIDC_CLIENT_ID'],
              Secret.fromString(env['OIDC_CLIENT_SECRET']),
              serverCfg,
              false,
              IdStrategy.CASE_INSENSITIVE,
              IdStrategy.CASE_INSENSITIVE
            )
            realm.createProxyAwareResourceRetriver()
            realm.setLogoutFromOpenidProvider(true)
            realm.setPostLogoutRedirectUrl('https://ci.bstein.dev')
            realm.setUserNameField('preferred_username')
            realm.setFullNameFieldName('name')
            realm.setEmailFieldName('email')
            realm.setGroupsFieldName('groups')
            realm.setRootURLFromRequest(true)
            realm.setSendScopesInTokenRequest(true)
            def j = Jenkins.get()
            j.setSecurityRealm(realm)
            j.save()
            println("Configured OIDC realm from init script (well-known)")
          } catch (Exception e) {
            println("Failed to configure OIDC realm: ${e}")
          }
      JCasC:
        configScripts:
          security.yaml: |
            jenkins:
              securityRealm:
                oic:
                  clientId: "${OIDC_CLIENT_ID}"
                  clientSecret: "${OIDC_CLIENT_SECRET}"
                  wellKnownOpenIDConfigurationUrl: "${OIDC_ISSUER}/.well-known/openid-configuration"
                  scopes: "openid profile email"
                  userNameField: "preferred_username"
                  fullNameFieldName: "name"
                  emailFieldName: "email"
                  groupsFieldName: "groups"
                  logoutFromOpenidProvider: true
                  rootURLFromRequest: true
              authorizationStrategy:
                loggedInUsersCanDoAnything:
                  allowAnonymousRead: false
          creds.yaml: |
            credentials:
              system:
                domainCredentials:
                - credentials:
                  - usernamePassword:
                      scope: GLOBAL
                      id: gitea-pat
                      username: "bstein"
                      password: "4693a39ee3f0ebb58e7d1795ab98add6df44ef12"
                      description: "Gitea PAT for harbor-arm-build"
                  - usernamePassword:
                      scope: GLOBAL
                      id: harbor-robot
                      username: "robot$infra+robotuser-pipeline"
                      password: "ouuvMheoTxOQtFSbWnO1OKVujORMPfO7"
                      description: "Harbor robot for pipeline push"
          jobs.yaml: |
            jobs:
              - script: |
                  pipelineJob('harbor-arm-build') {
                    definition {
                      cpsScm {
                        scm {
                          git {
                            remote {
                              url('https://scm.bstein.dev/bstein/harbor-arm-build.git')
                              credentials('gitea-pat')
                            }
                            branches('*/master')
                          }
                        }
                      }
                    }
                    triggers {
                      scm('H/5 * * * *')
                    }
                  }
    persistence:
      enabled: true
      storageClass: astreae
      size: 50Gi
    serviceAccount:
      create: true
jenkins: add helm release with ingress + astreae storage 2025-12-14 15:57:42 -03:00			`# services/jenkins/helmrelease.yaml`
			`apiVersion: helm.toolkit.fluxcd.io/v2`
			`kind: HelmRelease`
			`metadata:`
			`name: jenkins`
			`namespace: jenkins`
			`spec:`
			`interval: 30m`
			`chart:`
			`spec:`
			`chart: jenkins`
			`version: 5.8.114`
			`sourceRef:`
			`kind: HelmRepository`
			`name: jenkins`
			`namespace: flux-system`
			`install:`
			`remediation:`
			`retries: 3`
			`upgrade:`
			`remediation:`
			`retries: 3`
			`remediateLastFailure: true`
			`cleanupOnFail: true`
			`values:`
			`controller:`
			`jenkinsUrl: https://ci.bstein.dev`
			`ingress:`
			`enabled: true`
			`hostName: ci.bstein.dev`
			`ingressClassName: traefik`
			`annotations:`
			`cert-manager.io/cluster-issuer: letsencrypt`
			`traefik.ingress.kubernetes.io/router.entrypoints: websecure`
			`tls:`
			`- secretName: jenkins-tls`
			`hosts:`
			`- ci.bstein.dev`
jenkins: restore plugin list without pinned versions 2025-12-14 17:59:48 -03:00			`installPlugins:`
			`- kubernetes`
			`- workflow-aggregator`
			`- git`
			`- configuration-as-code`
			`- oic-auth`
jenkins: add helm release with ingress + astreae storage 2025-12-14 15:57:42 -03:00			`containerEnv:`
			`- name: ENABLE_OIDC`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`value: "true"`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`- name: OIDC_ISSUER`
			`value: "https://sso.bstein.dev/realms/atlas"`
jenkins: add helm release with ingress + astreae storage 2025-12-14 15:57:42 -03:00			`- name: OIDC_CLIENT_ID`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: clientId`
			`optional: true`
			`- name: OIDC_CLIENT_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: clientSecret`
			`optional: true`
			`- name: OIDC_AUTH_URL`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: authorizationUrl`
			`optional: true`
			`- name: OIDC_TOKEN_URL`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: tokenUrl`
			`optional: true`
			`- name: OIDC_USERINFO_URL`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: userInfoUrl`
			`optional: true`
			`- name: OIDC_LOGOUT_URL`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: logoutUrl`
			`optional: true`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`initScripts:`
			`oidc.groovy: \|`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`import hudson.util.Secret`
			`import jenkins.model.IdStrategy`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`import jenkins.model.Jenkins`
			`import org.jenkinsci.plugins.oic.OicSecurityRealm`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`def env = System.getenv()`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")`
			`return`
			`}`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`if (!required.every { env[it] }) {`
			`println("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")`
			`return`
			`}`
			`try {`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"`
			`def serverCfg = new OicServerWellKnownConfiguration(wellKnown)`
			`serverCfg.setScopesOverride('openid profile email')`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`def realm = new OicSecurityRealm(`
			`env['OIDC_CLIENT_ID'],`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`Secret.fromString(env['OIDC_CLIENT_SECRET']),`
			`serverCfg,`
			`false,`
			`IdStrategy.CASE_INSENSITIVE,`
			`IdStrategy.CASE_INSENSITIVE`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`)`
jenkins: fix OIDC retriever null 2025-12-14 21:23:15 -03:00			`realm.createProxyAwareResourceRetriver()`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`realm.setLogoutFromOpenidProvider(true)`
			`realm.setPostLogoutRedirectUrl('https://ci.bstein.dev')`
			`realm.setUserNameField('preferred_username')`
			`realm.setFullNameFieldName('name')`
			`realm.setEmailFieldName('email')`
			`realm.setGroupsFieldName('groups')`
			`realm.setRootURLFromRequest(true)`
			`realm.setSendScopesInTokenRequest(true)`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`def j = Jenkins.get()`
			`j.setSecurityRealm(realm)`
			`j.save()`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`println("Configured OIDC realm from init script (well-known)")`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`} catch (Exception e) {`
			`println("Failed to configure OIDC realm: ${e}")`
			`}`
ci: seed harbor-arm-build pipeline in Jenkins 2025-12-16 19:26:46 -03:00			`JCasC:`
			`configScripts:`
fix: pin Jenkins OIDC realm via JCasC 2025-12-16 20:04:21 -03:00			`security.yaml: \|`
			`jenkins:`
			`securityRealm:`
			`oic:`
			`clientId: "${OIDC_CLIENT_ID}"`
			`clientSecret: "${OIDC_CLIENT_SECRET}"`
			`wellKnownOpenIDConfigurationUrl: "${OIDC_ISSUER}/.well-known/openid-configuration"`
			`scopes: "openid profile email"`
			`userNameField: "preferred_username"`
			`fullNameFieldName: "name"`
			`emailFieldName: "email"`
			`groupsFieldName: "groups"`
			`logoutFromOpenidProvider: true`
			`rootURLFromRequest: true`
			`authorizationStrategy:`
			`loggedInUsersCanDoAnything:`
			`allowAnonymousRead: false`
ci: seed harbor-arm-build pipeline in Jenkins 2025-12-16 19:26:46 -03:00			`creds.yaml: \|`
			`credentials:`
			`system:`
			`domainCredentials:`
			`- credentials:`
			`- usernamePassword:`
			`scope: GLOBAL`
			`id: gitea-pat`
			`username: "bstein"`
			`password: "4693a39ee3f0ebb58e7d1795ab98add6df44ef12"`
			`description: "Gitea PAT for harbor-arm-build"`
			`- usernamePassword:`
			`scope: GLOBAL`
			`id: harbor-robot`
			`username: "robot$infra+robotuser-pipeline"`
			`password: "ouuvMheoTxOQtFSbWnO1OKVujORMPfO7"`
			`description: "Harbor robot for pipeline push"`
			`jobs.yaml: \|`
			`jobs:`
			`- script: \|`
			`pipelineJob('harbor-arm-build') {`
			`definition {`
			`cpsScm {`
			`scm {`
			`git {`
			`remote {`
			`url('https://scm.bstein.dev/bstein/harbor-arm-build.git')`
			`credentials('gitea-pat')`
			`}`
			`branches('*/master')`
			`}`
			`}`
			`}`
			`}`
			`triggers {`
			`scm('H/5 * * * *')`
			`}`
			`}`
jenkins: add helm release with ingress + astreae storage 2025-12-14 15:57:42 -03:00			`persistence:`
			`enabled: true`
			`storageClass: astreae`
			`size: 50Gi`
			`serviceAccount:`
			`create: true`