From 951eb0f892c2e3785516f5ef30f62eb49fe234c4 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 19 Dec 2025 16:24:13 -0300
Subject: [PATCH] jenkins: pin oidc via jcasc
---
services/jenkins/helmrelease.yaml | 70 +++++++++----------------------
1 file changed, 20 insertions(+), 50 deletions(-)
diff --git a/services/jenkins/helmrelease.yaml b/services/jenkins/helmrelease.yaml
index 4cdede0..df75acc 100644
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@@ -156,54 +156,6 @@ spec:
- name: jenkins-home
mountPath: /var/jenkins_home
initScripts:
- oidc.groovy: |
- import hudson.util.Secret
- import jenkins.model.IdStrategy
- import jenkins.model.Jenkins
- import org.jenkinsci.plugins.oic.OicSecurityRealm
- import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
- import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
- def env = System.getenv()
- if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
- println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
- return
- }
- def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']
- if (!required.every { env[it] }) {
- throw new IllegalStateException("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
- }
- try {
- def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"
- def serverCfg = new OicServerWellKnownConfiguration(wellKnown)
- serverCfg.setScopesOverride('openid profile email')
- def realm = new OicSecurityRealm(
- env['OIDC_CLIENT_ID'],
- Secret.fromString(env['OIDC_CLIENT_SECRET']),
- serverCfg,
- false,
- IdStrategy.CASE_INSENSITIVE,
- IdStrategy.CASE_INSENSITIVE
- )
- realm.createProxyAwareResourceRetriver()
- realm.setLogoutFromOpenidProvider(true)
- realm.setPostLogoutRedirectUrl('https://ci.bstein.dev')
- realm.setUserNameField('preferred_username')
- realm.setFullNameFieldName('name')
- realm.setEmailFieldName('email')
- realm.setGroupsFieldName('groups')
- realm.setRootURLFromRequest(true)
- realm.setSendScopesInTokenRequest(true)
- def j = Jenkins.get()
- j.setSecurityRealm(realm)
- def auth = new FullControlOnceLoggedInAuthorizationStrategy()
- auth.setAllowAnonymousRead(false)
- j.setAuthorizationStrategy(auth)
- j.save()
- println("Configured OIDC realm from init script (well-known)")
- } catch (Exception e) {
- println("Failed to configure OIDC realm: ${e}")
- throw e
- }
theme.groovy: |
import jenkins.model.Jenkins
import org.codefirst.SimpleThemeDecorator
@@ -223,8 +175,26 @@ spec:
}
JCasC:
defaultConfig: false
- securityRealm: ""
- authorizationStrategy: ""
+ securityRealm: |
+ oic:
+ clientId: "${OIDC_CLIENT_ID}"
+ clientSecret: "${OIDC_CLIENT_SECRET}"
+ tokenServerUrl: "${OIDC_TOKEN_URL}"
+ authorizationServerUrl: "${OIDC_AUTH_URL}"
+ userInfoUrl: "${OIDC_USERINFO_URL}"
+ logoutFromOpenIdProvider: true
+ postLogoutRedirectUrl: "https://ci.bstein.dev"
+ scopes: "openid profile email"
+ rootURLFromRequest: true
+ userNameField: "preferred_username"
+ fullNameFieldName: "name"
+ emailFieldName: "email"
+ groupsFieldName: "groups"
+ escapeHatchEnabled: false
+ maxClockSkew: 120
+ authorizationStrategy: |
+ loggedInUsersCanDoAnything:
+ allowAnonymousRead: false
configScripts:
base.yaml: |
jenkins:
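Review bot: The new `oic:` block consumes `${OIDC_CLIENT_ID}`, `${OIDC_CLIENT_SECRET}`, `${OIDC_TOKEN_URL}`, `${OIDC_AUTH_URL}` and `${OIDC_USERINFO_URL}` unconditionally, whereas the init script deleted in the previous hunk gated on `ENABLE_OIDC` and refused to start when a required variable was missing; combined with `escapeHatchEnabled: false` and `allowAnonymousRead: false`, a missing or mistyped variable now produces a realm nobody can log in to, recoverable only by changing the release. That trade-off deserves a comment above the block, e.g. `# OIDC is the sole login path (no escape hatch): every OIDC_* variable must be set before this release reconciles`, and it is worth confirming that the substitution layer treats an unset variable as a hard failure rather than an empty string. The removed script also derived its endpoints from the issuer's `.well-known/openid-configuration` via `OicServerWellKnownConfiguration`, while this block hand-specifies three endpoint URLs through the flat `tokenServerUrl`/`authorizationServerUrl`/`userInfoUrl` keys, which appear to belong to an older plugin schema than the class the script used; check these keys against the running instance's JCasC export before merging, since an unrecognised attribute would fail configuration load and a stale manual endpoint would not be detected the way discovery would.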