fix: pin Jenkins OIDC realm via JCasC

2025-12-16 20:04:21 -03:00 · 2025-12-16 20:04:21 -03:00 · 162fe3339f
commit 162fe3339f
parent fc858fc8df
1 changed files with 17 additions and 0 deletions
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@ -130,6 +130,23 @@ spec:
          }
      JCasC:
        configScripts:
+          security.yaml: |
+            jenkins:
+              securityRealm:
+                oic:
+                  clientId: "${OIDC_CLIENT_ID}"
+                  clientSecret: "${OIDC_CLIENT_SECRET}"
+                  wellKnownOpenIDConfigurationUrl: "${OIDC_ISSUER}/.well-known/openid-configuration"
+                  scopes: "openid profile email"
+                  userNameField: "preferred_username"
+                  fullNameFieldName: "name"
+                  emailFieldName: "email"
+                  groupsFieldName: "groups"
+                  logoutFromOpenidProvider: true
+                  rootURLFromRequest: true
+              authorizationStrategy:
+                loggedInUsersCanDoAnything:
+                  allowAnonymousRead: false
          creds.yaml: |
            credentials:
              system: