Compare commits
12 Commits
feature/bs
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| f306baad35 | |||
| 9e7ded298e | |||
| 8afae161a0 | |||
| f5964439b0 | |||
| f1fb0450b4 | |||
| ba12854639 | |||
| aa1c7d62c1 | |||
|
3de36441f4 | ||
| e5238a7f91 | |||
| d8077798db | |||
| 5a52c8606b | |||
| be23851878 |
@ -13,14 +13,14 @@ spec:
|
||||
git:
|
||||
checkout:
|
||||
ref:
|
||||
branch: feature/bstein-dev-home
|
||||
branch: main
|
||||
commit:
|
||||
author:
|
||||
email: ops@bstein.dev
|
||||
name: flux-bot
|
||||
messageTemplate: "chore(bstein-dev-home): update images to {{range .Updated.Images}}{{.}}{{end}}"
|
||||
push:
|
||||
branch: feature/bstein-dev-home
|
||||
branch: main
|
||||
update:
|
||||
strategy: Setters
|
||||
path: services/bstein-dev-home
|
||||
|
||||
@ -18,7 +18,7 @@ spec:
|
||||
author:
|
||||
email: ops@bstein.dev
|
||||
name: flux-bot
|
||||
messageTemplate: "chore(ci-demo): update image to {{range .Updated.Images}}{{.}}{{end}}"
|
||||
messageTemplate: "chore(ci-demo): apply image updates"
|
||||
push:
|
||||
branch: feature/ci-gitops
|
||||
update:
|
||||
|
||||
@ -12,8 +12,6 @@ spec:
|
||||
kind: GitRepository
|
||||
name: flux-system
|
||||
namespace: flux-system
|
||||
targetNamespace: ci-demo
|
||||
dependsOn:
|
||||
- name: core
|
||||
wait: false
|
||||
|
||||
|
||||
@ -19,7 +19,7 @@ spec:
|
||||
author:
|
||||
email: ops@bstein.dev
|
||||
name: flux-bot
|
||||
messageTemplate: "chore(harbor): update images to {{range .Updated.Images}}{{.}}{{end}}"
|
||||
messageTemplate: "chore(harbor): apply image updates"
|
||||
push:
|
||||
branch: feature/ci-gitops
|
||||
update:
|
||||
|
||||
@ -18,7 +18,7 @@ spec:
|
||||
author:
|
||||
email: ops@bstein.dev
|
||||
name: flux-bot
|
||||
messageTemplate: "chore(pegasus): update image to {{range .Updated.Images}}{{.}}{{end}}"
|
||||
messageTemplate: "chore(pegasus): apply image updates"
|
||||
push:
|
||||
branch: feature/ci-gitops
|
||||
update:
|
||||
|
||||
@ -4478,7 +4478,7 @@ spec:
|
||||
- args:
|
||||
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./
|
||||
- --watch-all-namespaces=true
|
||||
- --log-level=debug
|
||||
- --log-level=info
|
||||
- --log-encoding=json
|
||||
- --enable-leader-election
|
||||
- --storage-path=/data
|
||||
@ -5965,7 +5965,7 @@ spec:
|
||||
- args:
|
||||
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./
|
||||
- --watch-all-namespaces=true
|
||||
- --log-level=debug
|
||||
- --log-level=info
|
||||
- --log-encoding=json
|
||||
- --enable-leader-election
|
||||
env:
|
||||
@ -12379,7 +12379,7 @@ spec:
|
||||
- args:
|
||||
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./
|
||||
- --watch-all-namespaces=true
|
||||
- --log-level=debug
|
||||
- --log-level=info
|
||||
- --log-encoding=json
|
||||
- --enable-leader-election
|
||||
env:
|
||||
|
||||
@ -8,7 +8,7 @@ metadata:
|
||||
spec:
|
||||
interval: 1m0s
|
||||
ref:
|
||||
branch: feature/bstein-dev-home
|
||||
branch: main
|
||||
secretRef:
|
||||
name: flux-system-gitea
|
||||
url: ssh://git@scm.bstein.dev:2242/bstein/titan-iac.git
|
||||
|
||||
@ -12,6 +12,6 @@ resources:
|
||||
- ingress.yaml
|
||||
images:
|
||||
- name: registry.bstein.dev/bstein/bstein-dev-home-frontend
|
||||
newTag: 0.1.0-11 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend"}
|
||||
newTag: 0.1.1-0 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend"}
|
||||
- name: registry.bstein.dev/bstein/bstein-dev-home-backend
|
||||
newTag: 0.1.0-11 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
|
||||
newTag: 0.1.1-0 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
|
||||
|
||||
@ -1,18 +1,18 @@
|
||||
# services/ci-demo/image.yaml
|
||||
apiVersion: image.toolkit.fluxcd.io/v1beta2
|
||||
apiVersion: image.toolkit.fluxcd.io/v1
|
||||
kind: ImageRepository
|
||||
metadata:
|
||||
name: ci-demo
|
||||
namespace: ci-demo
|
||||
namespace: flux-system
|
||||
spec:
|
||||
image: registry.bstein.dev/infra/ci-demo
|
||||
interval: 1m0s
|
||||
---
|
||||
apiVersion: image.toolkit.fluxcd.io/v1beta2
|
||||
apiVersion: image.toolkit.fluxcd.io/v1
|
||||
kind: ImagePolicy
|
||||
metadata:
|
||||
name: ci-demo
|
||||
namespace: ci-demo
|
||||
namespace: flux-system
|
||||
spec:
|
||||
imageRepositoryRef:
|
||||
name: ci-demo
|
||||
|
||||
@ -8,4 +8,4 @@ resources:
|
||||
- service.yaml
|
||||
images:
|
||||
- name: registry.bstein.dev/infra/ci-demo
|
||||
newTag: v0.0.0-2 # {"$imagepolicy": "ci-demo:ci-demo:tag"}
|
||||
newTag: registry.bstein.dev/infra/ci-demo:v0.0.0-3 # {"$imagepolicy": "flux-system:ci-demo"}
|
||||
|
||||
@ -156,6 +156,54 @@ spec:
|
||||
- name: jenkins-home
|
||||
mountPath: /var/jenkins_home
|
||||
initScripts:
|
||||
oidc.groovy: |
|
||||
import hudson.util.Secret
|
||||
import jenkins.model.IdStrategy
|
||||
import jenkins.model.Jenkins
|
||||
import org.jenkinsci.plugins.oic.OicSecurityRealm
|
||||
import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
|
||||
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
|
||||
def env = System.getenv()
|
||||
if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
|
||||
println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
|
||||
return
|
||||
}
|
||||
def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']
|
||||
if (!required.every { env[it] }) {
|
||||
throw new IllegalStateException("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
|
||||
}
|
||||
try {
|
||||
def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"
|
||||
def serverCfg = new OicServerWellKnownConfiguration(wellKnown)
|
||||
serverCfg.setScopesOverride('openid profile email')
|
||||
def realm = new OicSecurityRealm(
|
||||
env['OIDC_CLIENT_ID'],
|
||||
Secret.fromString(env['OIDC_CLIENT_SECRET']),
|
||||
serverCfg,
|
||||
false,
|
||||
IdStrategy.CASE_INSENSITIVE,
|
||||
IdStrategy.CASE_INSENSITIVE
|
||||
)
|
||||
realm.createProxyAwareResourceRetriver()
|
||||
realm.setLogoutFromOpenidProvider(true)
|
||||
realm.setPostLogoutRedirectUrl('https://ci.bstein.dev')
|
||||
realm.setUserNameField('preferred_username')
|
||||
realm.setFullNameFieldName('name')
|
||||
realm.setEmailFieldName('email')
|
||||
realm.setGroupsFieldName('groups')
|
||||
realm.setRootURLFromRequest(true)
|
||||
realm.setSendScopesInTokenRequest(true)
|
||||
def j = Jenkins.get()
|
||||
j.setSecurityRealm(realm)
|
||||
def auth = new FullControlOnceLoggedInAuthorizationStrategy()
|
||||
auth.setAllowAnonymousRead(false)
|
||||
j.setAuthorizationStrategy(auth)
|
||||
j.save()
|
||||
println("Configured OIDC realm from init script (well-known)")
|
||||
} catch (Exception e) {
|
||||
println("Failed to configure OIDC realm: ${e}")
|
||||
throw e
|
||||
}
|
||||
theme.groovy: |
|
||||
import jenkins.model.Jenkins
|
||||
import org.codefirst.SimpleThemeDecorator
|
||||
@ -175,26 +223,8 @@ spec:
|
||||
}
|
||||
JCasC:
|
||||
defaultConfig: false
|
||||
securityRealm: |
|
||||
oic:
|
||||
clientId: "${OIDC_CLIENT_ID}"
|
||||
clientSecret: "${OIDC_CLIENT_SECRET}"
|
||||
tokenServerUrl: "${OIDC_TOKEN_URL}"
|
||||
authorizationServerUrl: "${OIDC_AUTH_URL}"
|
||||
userInfoUrl: "${OIDC_USERINFO_URL}"
|
||||
logoutFromOpenIdProvider: true
|
||||
postLogoutRedirectUrl: "https://ci.bstein.dev"
|
||||
scopes: "openid profile email"
|
||||
rootURLFromRequest: true
|
||||
userNameField: "preferred_username"
|
||||
fullNameFieldName: "name"
|
||||
emailFieldName: "email"
|
||||
groupsFieldName: "groups"
|
||||
escapeHatchEnabled: false
|
||||
maxClockSkew: 120
|
||||
authorizationStrategy: |
|
||||
loggedInUsersCanDoAnything:
|
||||
allowAnonymousRead: false
|
||||
securityRealm: ""
|
||||
authorizationStrategy: ""
|
||||
configScripts:
|
||||
base.yaml: |
|
||||
jenkins:
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user