From b951058dc66162b95cdde400cbd4910d6eaab8e4 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 16 Dec 2025 20:16:18 -0300
Subject: [PATCH] fix: enforce Jenkins OIDC via init groovy only

---
 services/jenkins/helmrelease.yaml | 23 ++++-------------------
 1 file changed, 4 insertions(+), 19 deletions(-)

diff --git a/services/jenkins/helmrelease.yaml b/services/jenkins/helmrelease.yaml
index ac6b8b6..4778219 100644
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@@ -90,6 +90,7 @@ spec:
 import jenkins.model.Jenkins
 import org.jenkinsci.plugins.oic.OicSecurityRealm
 import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
+ import hudson.security.GlobalMatrixAuthorizationStrategy
 def env = System.getenv()
 if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
 println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
@@ -123,6 +124,9 @@ spec:
 realm.setSendScopesInTokenRequest(true)
 def j = Jenkins.get()
 j.setSecurityRealm(realm)
+ def auth = new GlobalMatrixAuthorizationStrategy()
+ auth.add(Jenkins.ADMINISTER, "authenticated")
+ j.setAuthorizationStrategy(auth)
 j.save()
 println("Configured OIDC realm from init script (well-known)")
 } catch (Exception e) {
@@ -130,25 +134,6 @@ spec:
 }
 JCasC:
 configScripts:
- security.yaml: |
- jenkins:
- securityRealm:
- oic:
- clientId: "${OIDC_CLIENT_ID}"
- clientSecret: "${OIDC_CLIENT_SECRET}"
- tokenServerUrl: "${OIDC_TOKEN_URL}"
- authorizationServerUrl: "${OIDC_AUTH_URL}"
- userInfoServerUrl: "${OIDC_USERINFO_URL}"
- logoutUrl: "${OIDC_LOGOUT_URL}"
- userNameField: "preferred_username"
- fullNameFieldName: "name"
- emailFieldName: "email"
- groupsFieldName: "groups"
- logoutFromOpenidProvider: true
- rootURLFromRequest: true
- authorizationStrategy:
- loggedInUsersCanDoAnything:
- allowAnonymousRead: false
 creds.yaml: |
 credentials:
 system:
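Review bot: `auth.add(Jenkins.ADMINISTER, "authenticated")` in the second hunk makes every identity the OIDC provider authenticates a full Jenkins administrator, so any account that can complete a login at the IdP, not only the people meant to operate Jenkins, receives ADMINISTER; the `groups` claim that the removed JCasC realm mapped through `groupsFieldName: "groups"` (third hunk) no longer influences authorization at all. A least-privilege shape would be `auth.add(Jenkins.READ, "authenticated")` plus `auth.add(Jenkins.ADMINISTER, env['OIDC_ADMIN_GROUP'])`, with the admin group name supplied as a new variable alongside the other OIDC settings and the script failing closed (no ADMINISTER grant, loud log line) when it is unset rather than widening to `authenticated`. `GlobalMatrixAuthorizationStrategy.add(Permission, String)` is, if I recall correctly, the deprecated ambiguous-SID overload in matrix-auth 3.x; the `PermissionEntry`-qualified overload avoids the ambiguous-entry warnings, which is worth confirming against the plugin version pinned in this chart. Because the strategy is set only inside the OIDC branch and the JCasC `authorizationStrategy` block is gone, the ENABLE_OIDC=false path presumably keeps whatever strategy the chart default or existing config.xml provides — worth a comment next to the `println` in the first hunk. The realm construction and the enclosing try/catch begin outside the hunk.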