titan-iac/services/jenkins/helmrelease.yaml

# services/jenkins/helmrelease.yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: jenkins
  namespace: jenkins
spec:
  interval: 30m
  chart:
    spec:
      chart: jenkins
      version: 5.8.114
      sourceRef:
        kind: HelmRepository
        name: jenkins
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
  values:
    controller:
      jenkinsUrl: https://ci.bstein.dev
      ingress:
        enabled: true
        hostName: ci.bstein.dev
        ingressClassName: traefik
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        tls:
          - secretName: jenkins-tls
            hosts:
              - ci.bstein.dev
      installPlugins:
        - kubernetes
        - workflow-aggregator
        - git
        - configuration-as-code
        - oic-auth
      containerEnv:
        - name: ENABLE_OIDC
          value: "true"
        - name: OIDC_ISSUER
          value: "https://sso.bstein.dev/realms/atlas"
        - name: OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: clientId
              optional: true
        - name: OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: clientSecret
              optional: true
        - name: OIDC_AUTH_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: authorizationUrl
              optional: true
        - name: OIDC_TOKEN_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: tokenUrl
              optional: true
        - name: OIDC_USERINFO_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: userInfoUrl
              optional: true
        - name: OIDC_LOGOUT_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: logoutUrl
              optional: true
      initScripts:
        oidc.groovy: |
          import hudson.util.Secret
          import jenkins.model.IdStrategy
          import jenkins.model.Jenkins
          import org.jenkinsci.plugins.oic.OicSecurityRealm
          import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
          def env = System.getenv()
          if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
            println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
            return
          }
          def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']
          if (!required.every { env[it] }) {
            println("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
            return
          }
          try {
            def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"
            def serverCfg = new OicServerWellKnownConfiguration(wellKnown)
            serverCfg.setScopesOverride('openid profile email')
            def realm = new OicSecurityRealm(
              env['OIDC_CLIENT_ID'],
              Secret.fromString(env['OIDC_CLIENT_SECRET']),
              serverCfg,
              false,
              IdStrategy.CASE_INSENSITIVE,
              IdStrategy.CASE_INSENSITIVE
            )
            realm.setLogoutFromOpenidProvider(true)
            realm.setPostLogoutRedirectUrl('https://ci.bstein.dev')
            realm.setUserNameField('preferred_username')
            realm.setFullNameFieldName('name')
            realm.setEmailFieldName('email')
            realm.setGroupsFieldName('groups')
            realm.setRootURLFromRequest(true)
            realm.setSendScopesInTokenRequest(true)
            def j = Jenkins.get()
            j.setSecurityRealm(realm)
            j.save()
            println("Configured OIDC realm from init script (well-known)")
          } catch (Exception e) {
            println("Failed to configure OIDC realm: ${e}")
          }
    persistence:
      enabled: true
      storageClass: astreae
      size: 50Gi
    serviceAccount:
      create: true
jenkins: add helm release with ingress + astreae storage 2025-12-14 15:57:42 -03:00			`# services/jenkins/helmrelease.yaml`
			`apiVersion: helm.toolkit.fluxcd.io/v2`
			`kind: HelmRelease`
			`metadata:`
			`name: jenkins`
			`namespace: jenkins`
			`spec:`
			`interval: 30m`
			`chart:`
			`spec:`
			`chart: jenkins`
			`version: 5.8.114`
			`sourceRef:`
			`kind: HelmRepository`
			`name: jenkins`
			`namespace: flux-system`
			`install:`
			`remediation:`
			`retries: 3`
			`upgrade:`
			`remediation:`
			`retries: 3`
			`remediateLastFailure: true`
			`cleanupOnFail: true`
			`values:`
			`controller:`
			`jenkinsUrl: https://ci.bstein.dev`
			`ingress:`
			`enabled: true`
			`hostName: ci.bstein.dev`
			`ingressClassName: traefik`
			`annotations:`
			`cert-manager.io/cluster-issuer: letsencrypt`
			`traefik.ingress.kubernetes.io/router.entrypoints: websecure`
			`tls:`
			`- secretName: jenkins-tls`
			`hosts:`
			`- ci.bstein.dev`
jenkins: restore plugin list without pinned versions 2025-12-14 17:59:48 -03:00			`installPlugins:`
			`- kubernetes`
			`- workflow-aggregator`
			`- git`
			`- configuration-as-code`
			`- oic-auth`
jenkins: add helm release with ingress + astreae storage 2025-12-14 15:57:42 -03:00			`containerEnv:`
			`- name: ENABLE_OIDC`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`value: "true"`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`- name: OIDC_ISSUER`
			`value: "https://sso.bstein.dev/realms/atlas"`
jenkins: add helm release with ingress + astreae storage 2025-12-14 15:57:42 -03:00			`- name: OIDC_CLIENT_ID`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: clientId`
			`optional: true`
			`- name: OIDC_CLIENT_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: clientSecret`
			`optional: true`
			`- name: OIDC_AUTH_URL`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: authorizationUrl`
			`optional: true`
			`- name: OIDC_TOKEN_URL`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: tokenUrl`
			`optional: true`
			`- name: OIDC_USERINFO_URL`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: userInfoUrl`
			`optional: true`
			`- name: OIDC_LOGOUT_URL`
			`valueFrom:`
			`secretKeyRef:`
			`name: jenkins-oidc`
			`key: logoutUrl`
			`optional: true`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`initScripts:`
			`oidc.groovy: \|`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`import hudson.util.Secret`
			`import jenkins.model.IdStrategy`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`import jenkins.model.Jenkins`
			`import org.jenkinsci.plugins.oic.OicSecurityRealm`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`def env = System.getenv()`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")`
			`return`
			`}`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`if (!required.every { env[it] }) {`
			`println("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")`
			`return`
			`}`
			`try {`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"`
			`def serverCfg = new OicServerWellKnownConfiguration(wellKnown)`
			`serverCfg.setScopesOverride('openid profile email')`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`def realm = new OicSecurityRealm(`
			`env['OIDC_CLIENT_ID'],`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`Secret.fromString(env['OIDC_CLIENT_SECRET']),`
			`serverCfg,`
			`false,`
			`IdStrategy.CASE_INSENSITIVE,`
			`IdStrategy.CASE_INSENSITIVE`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`)`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`realm.setLogoutFromOpenidProvider(true)`
			`realm.setPostLogoutRedirectUrl('https://ci.bstein.dev')`
			`realm.setUserNameField('preferred_username')`
			`realm.setFullNameFieldName('name')`
			`realm.setEmailFieldName('email')`
			`realm.setGroupsFieldName('groups')`
			`realm.setRootURLFromRequest(true)`
			`realm.setSendScopesInTokenRequest(true)`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`def j = Jenkins.get()`
			`j.setSecurityRealm(realm)`
			`j.save()`
ci: enable oidc for jenkins/gitops/gitea 2025-12-14 20:58:57 -03:00			`println("Configured OIDC realm from init script (well-known)")`
jenkins: auto-configure OIDC via init script 2025-12-14 19:22:47 -03:00			`} catch (Exception e) {`
			`println("Failed to configure OIDC realm: ${e}")`
			`}`
jenkins: add helm release with ingress + astreae storage 2025-12-14 15:57:42 -03:00			`persistence:`
			`enabled: true`
			`storageClass: astreae`
			`size: 50Gi`
			`serviceAccount:`
			`create: true`