fix: enforce Jenkins OIDC via init groovy only

services/jenkins/helmrelease.yaml

@@ -90,6 +90,7 @@ spec:
           import jenkins.model.Jenkins
           import org.jenkinsci.plugins.oic.OicSecurityRealm
           import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
+          import hudson.security.GlobalMatrixAuthorizationStrategy
           def env = System.getenv()
           if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
             println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
@@ -123,6 +124,9 @@ spec:
             realm.setSendScopesInTokenRequest(true)
             def j = Jenkins.get()
             j.setSecurityRealm(realm)
+            def auth = new GlobalMatrixAuthorizationStrategy()
+            auth.add(Jenkins.ADMINISTER, "authenticated")
+            j.setAuthorizationStrategy(auth)
             j.save()
             println("Configured OIDC realm from init script (well-known)")
           } catch (Exception e) {
@@ -130,25 +134,6 @@ spec:
           }
       JCasC:
         configScripts:
-          security.yaml: |
-            jenkins:
-              securityRealm:
-                oic:
-                  clientId: "${OIDC_CLIENT_ID}"
-                  clientSecret: "${OIDC_CLIENT_SECRET}"
-                  tokenServerUrl: "${OIDC_TOKEN_URL}"
-                  authorizationServerUrl: "${OIDC_AUTH_URL}"
-                  userInfoServerUrl: "${OIDC_USERINFO_URL}"
-                  logoutUrl: "${OIDC_LOGOUT_URL}"
-                  userNameField: "preferred_username"
-                  fullNameFieldName: "name"
-                  emailFieldName: "email"
-                  groupsFieldName: "groups"
-                  logoutFromOpenidProvider: true
-                  rootURLFromRequest: true
-              authorizationStrategy:
-                loggedInUsersCanDoAnything:
-                  allowAnonymousRead: false
           creds.yaml: |
             credentials:
               system: