jenkins: pin oidc via jcasc

2025-12-19 16:24:13 -03:00 · 2025-12-19 16:24:13 -03:00 · 951eb0f892
commit 951eb0f892
parent a2b34c5712
1 changed files with 20 additions and 50 deletions
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@ -156,54 +156,6 @@ spec:
            - name: jenkins-home
              mountPath: /var/jenkins_home
      initScripts:
-        oidc.groovy: |
-          import hudson.util.Secret
-          import jenkins.model.IdStrategy
-          import jenkins.model.Jenkins
-          import org.jenkinsci.plugins.oic.OicSecurityRealm
-          import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
-          import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
-          def env = System.getenv()
-          if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
-            println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
-            return
-          }
-          def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']
-          if (!required.every { env[it] }) {
-            throw new IllegalStateException("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
-          }
-          try {
-            def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"
-            def serverCfg = new OicServerWellKnownConfiguration(wellKnown)
-            serverCfg.setScopesOverride('openid profile email')
-            def realm = new OicSecurityRealm(
-              env['OIDC_CLIENT_ID'],
-              Secret.fromString(env['OIDC_CLIENT_SECRET']),
-              serverCfg,
-              false,
-              IdStrategy.CASE_INSENSITIVE,
-              IdStrategy.CASE_INSENSITIVE
-            )
-            realm.createProxyAwareResourceRetriver()
-            realm.setLogoutFromOpenidProvider(true)
-            realm.setPostLogoutRedirectUrl('https://ci.bstein.dev')
-            realm.setUserNameField('preferred_username')
-            realm.setFullNameFieldName('name')
-            realm.setEmailFieldName('email')
-            realm.setGroupsFieldName('groups')
-            realm.setRootURLFromRequest(true)
-            realm.setSendScopesInTokenRequest(true)
-            def j = Jenkins.get()
-            j.setSecurityRealm(realm)
-            def auth = new FullControlOnceLoggedInAuthorizationStrategy()
-            auth.setAllowAnonymousRead(false)
-            j.setAuthorizationStrategy(auth)
-            j.save()
-            println("Configured OIDC realm from init script (well-known)")
-          } catch (Exception e) {
-            println("Failed to configure OIDC realm: ${e}")
-            throw e
-          }
        theme.groovy: |
          import jenkins.model.Jenkins
          import org.codefirst.SimpleThemeDecorator
@ -223,8 +175,26 @@ spec:
          }
      JCasC:
        defaultConfig: false
-        securityRealm: ""
-        authorizationStrategy: ""
+        securityRealm: |
+          oic:
+            clientId: "${OIDC_CLIENT_ID}"
+            clientSecret: "${OIDC_CLIENT_SECRET}"
+            tokenServerUrl: "${OIDC_TOKEN_URL}"
+            authorizationServerUrl: "${OIDC_AUTH_URL}"
+            userInfoUrl: "${OIDC_USERINFO_URL}"
+            logoutFromOpenIdProvider: true
+            postLogoutRedirectUrl: "https://ci.bstein.dev"
+            scopes: "openid profile email"
+            rootURLFromRequest: true
+            userNameField: "preferred_username"
+            fullNameFieldName: "name"
+            emailFieldName: "email"
+            groupsFieldName: "groups"
+            escapeHatchEnabled: false
+            maxClockSkew: 120
+        authorizationStrategy: |
+          loggedInUsersCanDoAnything:
+            allowAnonymousRead: false
        configScripts:
          base.yaml: |
            jenkins: