jenkins: harden oidc and timeouts

services/jenkins/helmrelease.yaml

@@ -15,13 +15,17 @@ spec:
         name: jenkins
         namespace: flux-system
   install:
+    timeout: 15m
     remediation:
       retries: 3
   upgrade:
+    timeout: 15m
     remediation:
       retries: 3
       remediateLastFailure: true
     cleanupOnFail: true
+  rollback:
+    timeout: 15m
   values:
     controller:
       jenkinsUrl: https://ci.bstein.dev
@@ -90,6 +94,7 @@ spec:
               set -euo pipefail
               rm -f /var/jenkins_home/casc_configs/*.yaml || true
           securityContext:
+            runAsNonRoot: true
             runAsUser: 1000
             runAsGroup: 1000
           volumeMounts:
@@ -110,8 +115,7 @@ spec:
           }
           def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']
           if (!required.every { env[it] }) {
-            println("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
+            throw new IllegalStateException("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
-            return
           }
           try {
             def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"
@@ -143,6 +147,7 @@ spec:
             println("Configured OIDC realm from init script (well-known)")
           } catch (Exception e) {
             println("Failed to configure OIDC realm: ${e}")
+            throw e
           }
       JCasC:
         configScripts: