From 162fe3339f97816fe4cc8418cf56bdf471aed219 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 16 Dec 2025 20:04:21 -0300
Subject: [PATCH] fix: pin Jenkins OIDC realm via JCasC
---
 services/jenkins/helmrelease.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/services/jenkins/helmrelease.yaml b/services/jenkins/helmrelease.yaml
index d750b15..9d2e450 100644
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@@ -130,6 +130,23 @@ spec:
 }
 JCasC:
 configScripts:
+ security.yaml: |
+ jenkins:
+ securityRealm:
+ oic:
+ clientId: "${OIDC_CLIENT_ID}"
+ clientSecret: "${OIDC_CLIENT_SECRET}"
+ wellKnownOpenIDConfigurationUrl: "${OIDC_ISSUER}/.well-known/openid-configuration"
+ scopes: "openid profile email"
+ userNameField: "preferred_username"
+ fullNameFieldName: "name"
+ emailFieldName: "email"
+ groupsFieldName: "groups"
+ logoutFromOpenidProvider: true
+ rootURLFromRequest: true
+ authorizationStrategy:
+ loggedInUsersCanDoAnything:
+ allowAnonymousRead: false
 creds.yaml: |
 credentials:
 system:
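Review bot: `loggedInUsersCanDoAnything` in the added `authorizationStrategy` gives every account that can complete the OIDC login full control of Jenkins, including job configuration and stored credentials, so the identity provider's whole user base becomes the admin set. The realm already maps `groupsFieldName: "groups"`, but nothing in this hunk uses that claim; authorization should be bound to named IdP groups through a matrix or role-based strategy (if such a plugin is part of this release), with administer rights limited to one group. `rootURLFromRequest: true` builds the redirect URI from the incoming request, which is only safe if the ingress forwards trustworthy host headers; `rootURLFromRequest: false` with a pinned Jenkins URL is the stricter setting when the URL is fixed. The `configScripts` mapping and the `creds.yaml` script continue outside the hunk, and the source of `${OIDC_CLIENT_SECRET}` is not visible here — it should come from a Kubernetes Secret rather than a chart value.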