From ce7631f896e00849b216bc727cd33cbc44b7194c Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 16 Dec 2025 23:38:08 -0300
Subject: [PATCH] jenkins: enforce OIDC via JCasC and pin to arm64
---
 services/jenkins/helmrelease.yaml | 47 +++++++++++++++++++++++++++----
 1 file changed, 41 insertions(+), 6 deletions(-)
diff --git a/services/jenkins/helmrelease.yaml b/services/jenkins/helmrelease.yaml
index 9ae7d39..6118f35 100644
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@@ -54,37 +54,54 @@ spec:
 secretKeyRef:
 name: jenkins-oidc
 key: clientId
- optional: true
 - name: OIDC_CLIENT_SECRET
 valueFrom:
 secretKeyRef:
 name: jenkins-oidc
 key: clientSecret
- optional: true
 - name: OIDC_AUTH_URL
 valueFrom:
 secretKeyRef:
 name: jenkins-oidc
 key: authorizationUrl
- optional: true
 - name: OIDC_TOKEN_URL
 valueFrom:
 secretKeyRef:
 name: jenkins-oidc
 key: tokenUrl
- optional: true
 - name: OIDC_USERINFO_URL
 valueFrom:
 secretKeyRef:
 name: jenkins-oidc
 key: userInfoUrl
- optional: true
 - name: OIDC_LOGOUT_URL
 valueFrom:
 secretKeyRef:
 name: jenkins-oidc
 key: logoutUrl
- optional: true
+ nodeSelector:
+ kubernetes.io/arch: arm64
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values: [ "arm64" ]
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 90
+ preference:
+ matchExpressions:
+ - key: hardware
+ operator: In
+ values: [ "rpi5" ]
+ - weight: 50
+ preference:
+ matchExpressions:
+ - key: hardware
+ operator: In
+ values: [ "rpi4" ]
 initScripts:
 oidc.groovy: |
 import hudson.util.Secret
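Review bot: The added `nodeSelector` with `kubernetes.io/arch: arm64` and the `requiredDuringSchedulingIgnoredDuringExecution` term on the same key enforce the same constraint twice; keep one of them (the affinity block, since it already carries the soft `hardware` preferences) so a future change to the architecture pin is made in one place. The flow lists are padded inside the brackets (`values: [ "arm64" ]`); the conventional form is `values: ["arm64"]`. Dropping `optional: true` from the six `secretKeyRef` entries means the pod no longer starts when `jenkins-oidc` or any of those keys is absent, which is the intended fail-closed behaviour but deserves a comment above the env list, e.g. `# jenkins-oidc is mandatory: a missing key blocks startup instead of falling back to local auth`. The unchanged `initScripts.oidc.groovy` that follows this hunk appears, from its name, to also configure OIDC; if it still sets the security realm, it and the new JCasC `security.yaml` in the second hunk are two competing sources of truth, so confirm which one applies last and retire the other.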
@@ -136,6 +153,24 @@ spec:
 }
 JCasC:
 configScripts:
+ security.yaml: |
+ jenkins:
+ securityRealm:
+ oic:
+ clientId: "${OIDC_CLIENT_ID}"
+ clientSecret: "${OIDC_CLIENT_SECRET}"
+ wellKnownOpenIDConfigurationUrl: "${OIDC_ISSUER}/.well-known/openid-configuration"
+ logoutFromOpenidProvider: true
+ postLogoutRedirectUrl: "https://ci.bstein.dev"
+ scopes: "openid profile email"
+ userNameField: "preferred_username"
+ fullNameFieldName: "name"
+ emailFieldName: "email"
+ groupsFieldName: "groups"
+ disableSslVerification: false
+ authorizationStrategy:
+ fullControlOnceLoggedIn:
+ allowAnonymousRead: false
 creds.yaml: |
 credentials:
 system:
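Review bot: `fullControlOnceLoggedIn` grants every authenticated OIDC identity full administrative control of Jenkins, so the `groupsFieldName: "groups"` mapping has no effect on authorization; unless the IdP restricts which accounts may obtain a token for this client, any user in the realm becomes an admin. A matrix- or role-based authorization strategy keyed on the `groups` claim would narrow that, and at minimum the assumption should be written down above the strategy, e.g. `# NOTE: every OIDC login is a Jenkins admin; access control is delegated entirely to the IdP client policy`. `${OIDC_ISSUER}` is not among the env vars made mandatory in the first hunk (`OIDC_CLIENT_ID` through `OIDC_LOGOUT_URL`); if it is not defined above that hunk, the discovery URL renders as a bare `/.well-known/openid-configuration` and the realm cannot initialise. Conversely, because the realm uses discovery, the explicit `OIDC_AUTH_URL`, `OIDC_TOKEN_URL`, `OIDC_USERINFO_URL` and `OIDC_LOGOUT_URL` values are not referenced here, so their only remaining consumer would be `oidc.groovy`. Also decide deliberately how operators recover if the IdP is unreachable, since with this realm and no break-glass account there is no login path; the plugin's escape-hatch option exists for that case and its enablement should be an explicit choice, documented either way.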