jenkins: auto-configure OIDC via init script

This commit is contained in:
Brad Stein 2025-12-14 19:22:47 -03:00
parent fc0fa59981
commit 04602a2914


@ -45,6 +45,8 @@ spec:
containerEnv: containerEnv:
- name: ENABLE_OIDC - name: ENABLE_OIDC
value: "false" value: "false"
- name: OIDC_ISSUER
value: "https://sso.bstein.dev/realms/atlas"
- name: OIDC_CLIENT_ID - name: OIDC_CLIENT_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@ -81,6 +83,55 @@ spec:
name: jenkins-oidc name: jenkins-oidc
key: logoutUrl key: logoutUrl
optional: true optional: true
initScripts:
oidc.groovy: |
import jenkins.model.Jenkins
import org.jenkinsci.plugins.oic.OicSecurityRealm
def env = System.getenv()
def enable = (env['ENABLE_OIDC'] ?: 'false').toBoolean()
if (!enable) {
println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
return
}
def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_AUTH_URL','OIDC_TOKEN_URL','OIDC_USERINFO_URL']
if (!required.every { env[it] }) {
println("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
return
}
try {
def realm = new OicSecurityRealm(
env['OIDC_CLIENT_ID'],
env['OIDC_CLIENT_SECRET'],
env['OIDC_TOKEN_URL'],
env['OIDC_AUTH_URL'],
env['OIDC_USERINFO_URL'],
true, // logout from provider
env['OIDC_LOGOUT_URL'] ?: "",
"", // postLogoutRedirectUrl
"openid email profile",
"", // prompt
"preferred_username",
"name",
"email",
false, // disableSslVerification
true, // escapeHatchEnabled
"admin",
"", // escapeHatchSecret
"", // escapeHatchGroup
true, // loadUserInfo
true, // validateScopes
false, // allowUnsignedIdTokens
false, // enforceValidIssuers
env['OIDC_ISSUER'] ?: "",
false // disableUserInfoFetch
)
def j = Jenkins.get()
j.setSecurityRealm(realm)
j.save()
println("Configured OIDC realm from init script")
} catch (Exception e) {
println("Failed to configure OIDC realm: ${e}")
}
persistence: persistence:
enabled: true enabled: true
storageClass: astreae storageClass: astreae
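Review bot: The OicSecurityRealm constructor in oidc.groovy hard-codes `true, // escapeHatchEnabled` for user `"admin"` with `"", // escapeHatchSecret`, so if the comment labels match the plugin's parameter order this provisions a local-login bypass of the identity provider whose password is the empty string (or, depending on how the plugin treats an empty secret, an escape hatch that can never be used). Sourcing the secret from an environment variable populated from the existing jenkins-oidc secret and enabling the hatch only when that value is present keeps the bypass out of the chart. The same applies to `false, // enforceValidIssuers`: the commit adds `OIDC_ISSUER` to containerEnv but never enforces it, so enabling issuer enforcement whenever the variable is set would make the new value meaningful. Separately, the catch block only prints the failure, so a constructor-signature change in a future plugin version would leave Jenkins on its default security realm with nothing but a log line to show for it; the note is worth stating in a comment above the `try`, e.g. `// On any failure the default realm stays in place — check the init log after upgrades.` The script is complete within this hunk.
```groovy
def hatchSecret = env['OIDC_ESCAPE_HATCH_SECRET'] ?: ''   // suggested variable name; inject it from the jenkins-oidc secret
def realm = new OicSecurityRealm(
// … unchanged: client id/secret, endpoint URLs, logout and claim settings …
false, // disableSslVerification
!hatchSecret.isEmpty(), // escapeHatchEnabled — only when a secret is actually provisioned
"admin",
hatchSecret, // escapeHatchSecret
"", // escapeHatchGroup
// … unchanged: loadUserInfo, validateScopes, allowUnsignedIdTokens …
!(env['OIDC_ISSUER'] ?: '').isEmpty(), // enforceValidIssuers — enforce whenever an issuer is configured
env['OIDC_ISSUER'] ?: "",
false // disableUserInfoFetch
)
```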