jenkins: enforce OIDC via JCasC and pin to arm64
This commit is contained in:
parent
f3335028b1
commit
ce7631f896
@ -54,37 +54,54 @@ spec:
|
|||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: jenkins-oidc
|
name: jenkins-oidc
|
||||||
key: clientId
|
key: clientId
|
||||||
optional: true
|
|
||||||
- name: OIDC_CLIENT_SECRET
|
- name: OIDC_CLIENT_SECRET
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: jenkins-oidc
|
name: jenkins-oidc
|
||||||
key: clientSecret
|
key: clientSecret
|
||||||
optional: true
|
|
||||||
- name: OIDC_AUTH_URL
|
- name: OIDC_AUTH_URL
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: jenkins-oidc
|
name: jenkins-oidc
|
||||||
key: authorizationUrl
|
key: authorizationUrl
|
||||||
optional: true
|
|
||||||
- name: OIDC_TOKEN_URL
|
- name: OIDC_TOKEN_URL
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: jenkins-oidc
|
name: jenkins-oidc
|
||||||
key: tokenUrl
|
key: tokenUrl
|
||||||
optional: true
|
|
||||||
- name: OIDC_USERINFO_URL
|
- name: OIDC_USERINFO_URL
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: jenkins-oidc
|
name: jenkins-oidc
|
||||||
key: userInfoUrl
|
key: userInfoUrl
|
||||||
optional: true
|
|
||||||
- name: OIDC_LOGOUT_URL
|
- name: OIDC_LOGOUT_URL
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: jenkins-oidc
|
name: jenkins-oidc
|
||||||
key: logoutUrl
|
key: logoutUrl
|
||||||
optional: true
|
nodeSelector:
|
||||||
|
kubernetes.io/arch: arm64
|
||||||
|
affinity:
|
||||||
|
nodeAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
nodeSelectorTerms:
|
||||||
|
- matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values: [ "arm64" ]
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- weight: 90
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: hardware
|
||||||
|
operator: In
|
||||||
|
values: [ "rpi5" ]
|
||||||
|
- weight: 50
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: hardware
|
||||||
|
operator: In
|
||||||
|
values: [ "rpi4" ]
|
||||||
initScripts:
|
initScripts:
|
||||||
oidc.groovy: |
|
oidc.groovy: |
|
||||||
import hudson.util.Secret
|
import hudson.util.Secret
|
||||||
@ -136,6 +153,24 @@ spec:
|
|||||||
}
|
}
|
||||||
JCasC:
|
JCasC:
|
||||||
configScripts:
|
configScripts:
|
||||||
|
security.yaml: |
|
||||||
|
jenkins:
|
||||||
|
securityRealm:
|
||||||
|
oic:
|
||||||
|
clientId: "${OIDC_CLIENT_ID}"
|
||||||
|
clientSecret: "${OIDC_CLIENT_SECRET}"
|
||||||
|
wellKnownOpenIDConfigurationUrl: "${OIDC_ISSUER}/.well-known/openid-configuration"
|
||||||
|
logoutFromOpenidProvider: true
|
||||||
|
postLogoutRedirectUrl: "https://ci.bstein.dev"
|
||||||
|
scopes: "openid profile email"
|
||||||
|
userNameField: "preferred_username"
|
||||||
|
fullNameFieldName: "name"
|
||||||
|
emailFieldName: "email"
|
||||||
|
groupsFieldName: "groups"
|
||||||
|
disableSslVerification: false
|
||||||
|
authorizationStrategy:
|
||||||
|
fullControlOnceLoggedIn:
|
||||||
|
allowAnonymousRead: false
|
||||||
creds.yaml: |
|
creds.yaml: |
|
||||||
credentials:
|
credentials:
|
||||||
system:
|
system:
|
||||||
|
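Review bot: `fullControlOnceLoggedIn` with `allowAnonymousRead: false` (the authorizationStrategy at the end of security.yaml) makes every account that can complete a login at the OIDC provider a full Jenkins administrator, so the `groupsFieldName: "groups"` mapping a few lines above is requested but never used to restrict anything. Unless the provider's client is already limited to admin-only users, a group-aware strategy is the safer default — e.g. `globalMatrix` from matrix-auth, if that plugin is installed — granting `Overall/Administer` only to the admin group and `Overall/Read` to `authenticated`, as sketched below. Separately, `wellKnownOpenIDConfigurationUrl` interpolates `${OIDC_ISSUER}`, which is not among the env entries made mandatory in the first hunk; if it is not defined elsewhere in the values, JCasC substitutes an empty or unresolved value and the realm is pointed at a bogus discovery URL, so it should be wired from the same `jenkins-oidc` secret without `optional: true`. Note also that `initScripts.oidc.groovy` and this JCasC realm appear to configure the same security realm; whichever runs last wins, which is worth collapsing to a single source of truth.
```yaml
# … unchanged: jenkins.securityRealm.oic block above …
authorizationStrategy:
  globalMatrix:
    permissions:
      - "Overall/Administer:<admin-group-from-groups-claim>"
      - "Overall/Read:authenticated"
```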
|||||||