diff --git a/services/jenkins/helmrelease.yaml b/services/jenkins/helmrelease.yaml
index d4ccca5..2b8d3ac 100644
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@@ -45,6 +45,8 @@ spec:
 containerEnv:
 - name: ENABLE_OIDC
 value: "false"
+ - name: OIDC_ISSUER
+ value: "https://sso.bstein.dev/realms/atlas"
 - name: OIDC_CLIENT_ID
 valueFrom:
 secretKeyRef:
@@ -81,6 +83,55 @@ spec:
 name: jenkins-oidc
 key: logoutUrl
 optional: true
+ initScripts:
+ oidc.groovy: |
+ import jenkins.model.Jenkins
+ import org.jenkinsci.plugins.oic.OicSecurityRealm
+ def env = System.getenv()
+ def enable = (env['ENABLE_OIDC'] ?: 'false').toBoolean()
+ if (!enable) {
+ println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
+ return
+ }
+ def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_AUTH_URL','OIDC_TOKEN_URL','OIDC_USERINFO_URL']
+ if (!required.every { env[it] }) {
+ println("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
+ return
+ }
+ try {
+ def realm = new OicSecurityRealm(
+ env['OIDC_CLIENT_ID'],
+ env['OIDC_CLIENT_SECRET'],
+ env['OIDC_TOKEN_URL'],
+ env['OIDC_AUTH_URL'],
+ env['OIDC_USERINFO_URL'],
+ true, // logout from provider
+ env['OIDC_LOGOUT_URL'] ?: "",
+ "", // postLogoutRedirectUrl
+ "openid email profile",
+ "", // prompt
+ "preferred_username",
+ "name",
+ "email",
+ false, // disableSslVerification
+ true, // escapeHatchEnabled
+ "admin",
+ "", // escapeHatchSecret
+ "", // escapeHatchGroup
+ true, // loadUserInfo
+ true, // validateScopes
+ false, // allowUnsignedIdTokens
+ false, // enforceValidIssuers
+ env['OIDC_ISSUER'] ?: "",
+ false // disableUserInfoFetch
+ )
+ def j = Jenkins.get()
+ j.setSecurityRealm(realm)
+ j.save()
+ println("Configured OIDC realm from init script")
+ } catch (Exception e) {
+ println("Failed to configure OIDC realm: ${e}")
+ }
 persistence:
 enabled: true
 storageClass: astreae
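Review bot: The escape hatch in `oidc.groovy` is enabled with the fixed username `"admin"` and an empty secret (`true, // escapeHatchEnabled` followed by `"", // escapeHatchSecret`), which sets up a local-login bypass around OIDC whose credential is, depending on the oic-auth plugin version, empty or effectively unset; either disable it with `false, // escapeHatchEnabled` or source the secret from the `jenkins-oidc` Secret the same way `OIDC_CLIENT_ID` is, and never ship it as an empty literal. Relatedly, `OIDC_ISSUER` is now passed into the realm but `enforceValidIssuers` stays `false`, so the configured issuer is presumably not compared against the ID token's `iss` claim; `true, // enforceValidIssuers` is what makes the new env var meaningful. Because the realm is built from some twenty-five positional arguments whose meaning is carried only by trailing comments, a constructor-signature change between plugin versions would either be swallowed by the blanket `catch (Exception e)` and leave the default realm in place, or silently shift values into the wrong fields; pinning the plugin version or moving to the named-setter/JCasC form would remove that fragility. A short header comment in the script naming the plugin version the argument order was taken from would also help the next maintainer.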