jenkins: harden oidc and timeouts

2025-12-17 01:11:07 -03:00 · 2025-12-17 01:11:07 -03:00 · f512e0fa29
commit f512e0fa29
parent 4e479147ec
1 changed files with 7 additions and 2 deletions
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@ -15,13 +15,17 @@ spec:
        name: jenkins
        namespace: flux-system
  install:
+    timeout: 15m
    remediation:
      retries: 3
  upgrade:
+    timeout: 15m
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
+  rollback:
+    timeout: 15m
  values:
    controller:
      jenkinsUrl: https://ci.bstein.dev
@ -90,6 +94,7 @@ spec:
              set -euo pipefail
              rm -f /var/jenkins_home/casc_configs/*.yaml || true
          securityContext:
+            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
          volumeMounts:
@ -110,8 +115,7 @@ spec:
          }
          def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']
          if (!required.every { env[it] }) {
-            println("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
-            return
+            throw new IllegalStateException("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
          }
          try {
            def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"
@ -143,6 +147,7 @@ spec:
            println("Configured OIDC realm from init script (well-known)")
          } catch (Exception e) {
            println("Failed to configure OIDC realm: ${e}")
+            throw e
          }
      JCasC:
        configScripts: