From f512e0fa29218ae97514c6754dd51ba340428cb7 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Wed, 17 Dec 2025 01:11:07 -0300 Subject: [PATCH] jenkins: harden oidc and timeouts --- services/jenkins/helmrelease.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/services/jenkins/helmrelease.yaml b/services/jenkins/helmrelease.yaml index d22842f..21f8821 100644 --- a/services/jenkins/helmrelease.yaml +++ b/services/jenkins/helmrelease.yaml @@ -15,13 +15,17 @@ spec: name: jenkins namespace: flux-system install: + timeout: 15m remediation: retries: 3 upgrade: + timeout: 15m remediation: retries: 3 remediateLastFailure: true cleanupOnFail: true + rollback: + timeout: 15m values: controller: jenkinsUrl: https://ci.bstein.dev @@ -90,6 +94,7 @@ spec: set -euo pipefail rm -f /var/jenkins_home/casc_configs/*.yaml || true securityContext: + runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 volumeMounts: @@ -110,8 +115,7 @@ spec: } def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER'] if (!required.every { env[it] }) { - println("OIDC enabled but missing vars: ${required.findAll { !env[it] }}") - return + throw new IllegalStateException("OIDC enabled but missing vars: ${required.findAll { !env[it] }}") } try { def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration" @@ -143,6 +147,7 @@ spec: println("Configured OIDC realm from init script (well-known)") } catch (Exception e) { println("Failed to configure OIDC realm: ${e}") + throw e } JCasC: configScripts:
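Review bot: `runAsNonRoot: true` on the securityContext that follows the casc_configs cleanup script (apparently an init container) only adds the UID check; the same container can still escalate privileges and runs under the default seccomp profile. If the namespace enforces the Pod Security `restricted` profile this spec will be rejected without the remaining fields, so add `allowPrivilegeEscalation: false`, `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }` next to it. The `rm -f` the script performs needs none of those capabilities, so the tightening costs nothing.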
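Review bot: The new `throw` in the required-vars check validates only that `OIDC_ISSUER` is set, yet the very next statement builds the discovery URL from it, and that document is the trust anchor for everything the realm learns; an `http://` issuer or a value with a trailing slash passes this check and either makes discovery spoofable on the wire or produces `//.well-known/openid-configuration`. Extend the guard with something like `if (!env['OIDC_ISSUER'].startsWith('https://')) throw new IllegalStateException('OIDC_ISSUER must use https')` and strip a trailing slash before interpolating it. The `try` opened at the end of this hunk, and the enclosing script, continue outside the hunk.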
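Review bot: Rethrowing after `println("Failed to configure OIDC realm: ${e}")` may not give the fail-closed behaviour the subject line implies: if this runs as a Jenkins init hook script (init.groovy.d), the hook runner catches the exception, logs it, and the controller keeps starting with whatever security realm it already had, so a misconfigured OIDC leaves the instance up and reachable with weaker authentication. If the intent is that OIDC misconfiguration must never yield a running controller, make the failure unmissable — for example `System.exit(1)` after the log so the pod restarts and the Flux remediation added in this commit observes it — or have the readiness probe verify the configured realm type. Whether the runner swallows the exception depends on how the script is mounted, which is outside this hunk.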