jenkins: enforce OIDC via JCasC and pin to arm64

2025-12-16 23:38:08 -03:00 · 2025-12-16 23:38:08 -03:00 · ce7631f896
commit ce7631f896
parent f3335028b1
1 changed files with 41 additions and 6 deletions
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@ -54,37 +54,54 @@ spec:
            secretKeyRef:
              name: jenkins-oidc
              key: clientId
-              optional: true
        - name: OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: clientSecret
-              optional: true
        - name: OIDC_AUTH_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: authorizationUrl
-              optional: true
        - name: OIDC_TOKEN_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: tokenUrl
-              optional: true
        - name: OIDC_USERINFO_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: userInfoUrl
-              optional: true
        - name: OIDC_LOGOUT_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: logoutUrl
-              optional: true
+      nodeSelector:
+        kubernetes.io/arch: arm64
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values: [ "arm64" ]
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 90
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values: [ "rpi5" ]
+            - weight: 50
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values: [ "rpi4" ]
      initScripts:
        oidc.groovy: |
          import hudson.util.Secret
@ -136,6 +153,24 @@ spec:
          }
      JCasC:
        configScripts:
+          security.yaml: |
+            jenkins:
+              securityRealm:
+                oic:
+                  clientId: "${OIDC_CLIENT_ID}"
+                  clientSecret: "${OIDC_CLIENT_SECRET}"
+                  wellKnownOpenIDConfigurationUrl: "${OIDC_ISSUER}/.well-known/openid-configuration"
+                  logoutFromOpenidProvider: true
+                  postLogoutRedirectUrl: "https://ci.bstein.dev"
+                  scopes: "openid profile email"
+                  userNameField: "preferred_username"
+                  fullNameFieldName: "name"
+                  emailFieldName: "email"
+                  groupsFieldName: "groups"
+                  disableSslVerification: false
+              authorizationStrategy:
+                fullControlOnceLoggedIn:
+                  allowAnonymousRead: false
          creds.yaml: |
            credentials:
              system: