


951eb0f892 jenkins: pin oidc via jcasc 2025-12-19 16:28:46 -03:00
11 changed files with 38 additions and 66 deletions


@ -13,14 +13,14 @@ spec:
git: git:
checkout: checkout:
ref: ref:
branch: main branch: feature/bstein-dev-home
commit: commit:
author: author:
email: ops@bstein.dev email: ops@bstein.dev
name: flux-bot name: flux-bot
messageTemplate: "chore(bstein-dev-home): update images to {{range .Updated.Images}}{{.}}{{end}}" messageTemplate: "chore(bstein-dev-home): update images to {{range .Updated.Images}}{{.}}{{end}}"
push: push:
branch: main branch: feature/bstein-dev-home
update: update:
strategy: Setters strategy: Setters
path: services/bstein-dev-home path: services/bstein-dev-home
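Review bot: The `messageTemplate` here ranges over `.Updated.Images` with nothing between the items, so a run that bumps both the frontend and backend images (the bstein-dev-home kustomization in this commit carries two markers) produces a commit subject where the two image references are glued together as one string. A separator keeps the subject readable and greppable, e.g. `messageTemplate: "chore(bstein-dev-home): update images to {{range .Updated.Images}}{{println .}}{{end}}"` or `{{.}} ` with a trailing space inside the range; the same template shape is introduced for the harbor, ci-demo and pegasus automations in this commit and would benefit from the same change. The `checkout`/`push` flip to `feature/bstein-dev-home` mirrors the root GitRepository change elsewhere in this commit and presumably has to be reverted together with it, which is worth a `# TEMP` comment next to `branch:` so it is not merged as-is.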


@ -18,7 +18,7 @@ spec:
author: author:
email: ops@bstein.dev email: ops@bstein.dev
name: flux-bot name: flux-bot
messageTemplate: "chore(ci-demo): apply image updates" messageTemplate: "chore(ci-demo): update image to {{range .Updated.Images}}{{.}}{{end}}"
push: push:
branch: feature/ci-gitops branch: feature/ci-gitops
update: update:


@ -12,6 +12,8 @@ spec:
kind: GitRepository kind: GitRepository
name: flux-system name: flux-system
namespace: flux-system namespace: flux-system
targetNamespace: ci-demo
dependsOn: dependsOn:
- name: core - name: core
wait: false wait: false


@ -19,7 +19,7 @@ spec:
author: author:
email: ops@bstein.dev email: ops@bstein.dev
name: flux-bot name: flux-bot
messageTemplate: "chore(harbor): apply image updates" messageTemplate: "chore(harbor): update images to {{range .Updated.Images}}{{.}}{{end}}"
push: push:
branch: feature/ci-gitops branch: feature/ci-gitops
update: update:


@ -18,7 +18,7 @@ spec:
author: author:
email: ops@bstein.dev email: ops@bstein.dev
name: flux-bot name: flux-bot
messageTemplate: "chore(pegasus): apply image updates" messageTemplate: "chore(pegasus): update image to {{range .Updated.Images}}{{.}}{{end}}"
push: push:
branch: feature/ci-gitops branch: feature/ci-gitops
update: update:


@ -4478,7 +4478,7 @@ spec:
- args: - args:
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./ - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./
- --watch-all-namespaces=true - --watch-all-namespaces=true
- --log-level=info - --log-level=debug
- --log-encoding=json - --log-encoding=json
- --enable-leader-election - --enable-leader-election
- --storage-path=/data - --storage-path=/data
@ -5965,7 +5965,7 @@ spec:
- args: - args:
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./ - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./
- --watch-all-namespaces=true - --watch-all-namespaces=true
- --log-level=info - --log-level=debug
- --log-encoding=json - --log-encoding=json
- --enable-leader-election - --enable-leader-election
env: env:
@ -12379,7 +12379,7 @@ spec:
- args: - args:
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./ - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./
- --watch-all-namespaces=true - --watch-all-namespaces=true
- --log-level=info - --log-level=debug
- --log-encoding=json - --log-encoding=json
- --enable-leader-election - --enable-leader-election
env: env:
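Review bot: The three `--log-level=info` → `--log-level=debug` flips are hand edits to what looks like the Flux-generated `gotk-components.yaml` (the `$(RUNTIME_NAMESPACE)` events address and `--storage-path=/data` are the stock controller arguments), and such edits are overwritten the next time `flux bootstrap`/`flux install` regenerates the file. If debug output is wanted permanently, carry it as a `patches:` entry in the flux-system `kustomization.yaml` targeting the controller Deployments so it survives an upgrade. Debug level is also more than a volume concern: the controllers are considerably more verbose at that level about the repositories and registries they reconcile, which ends up in whatever log pipeline reads these pods, and the change is not mentioned in the commit message, so it reads like leftover troubleshooting for the image-automation problem fixed alongside it. Either revert to `info` before merge or add a comment on the flag line recording why it stays.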


@ -8,7 +8,7 @@ metadata:
spec: spec:
interval: 1m0s interval: 1m0s
ref: ref:
branch: main branch: feature/bstein-dev-home
secretRef: secretRef:
name: flux-system-gitea name: flux-system-gitea
url: ssh://git@scm.bstein.dev:2242/bstein/titan-iac.git url: ssh://git@scm.bstein.dev:2242/bstein/titan-iac.git
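Review bot: Pointing the root `flux-system` GitRepository at `feature/bstein-dev-home` makes the whole cluster reconcile from a feature branch, so whatever review or branch-protection rules gate `main` no longer gate what gets applied, and the bstein-dev-home automation in this same commit now pushes image bumps to that branch as well. Because this object is itself reconciled from the repository, the cluster keeps following the feature branch after this commit lands on `main` until a further commit on the feature branch sets `ref.branch` back, and deleting the branch after merge leaves the source in a fetch error. If the goal is to test the bstein-dev-home changes, a separate GitRepository/Kustomization scoped to that path is safer than moving the root source; otherwise at least leave `# TEMP: revert to main before merge` next to `branch:` so the pointer cannot be merged as-is.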


@ -12,6 +12,6 @@ resources:
- ingress.yaml - ingress.yaml
images: images:
- name: registry.bstein.dev/bstein/bstein-dev-home-frontend - name: registry.bstein.dev/bstein/bstein-dev-home-frontend
newTag: 0.1.1-0 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend"} newTag: 0.1.0-11 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend"}
- name: registry.bstein.dev/bstein/bstein-dev-home-backend - name: registry.bstein.dev/bstein/bstein-dev-home-backend
newTag: 0.1.1-0 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"} newTag: 0.1.0-11 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}


@ -1,18 +1,18 @@
# services/ci-demo/image.yaml # services/ci-demo/image.yaml
apiVersion: image.toolkit.fluxcd.io/v1 apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository kind: ImageRepository
metadata: metadata:
name: ci-demo name: ci-demo
namespace: flux-system namespace: ci-demo
spec: spec:
image: registry.bstein.dev/infra/ci-demo image: registry.bstein.dev/infra/ci-demo
interval: 1m0s interval: 1m0s
--- ---
apiVersion: image.toolkit.fluxcd.io/v1 apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy kind: ImagePolicy
metadata: metadata:
name: ci-demo name: ci-demo
namespace: flux-system namespace: ci-demo
spec: spec:
imageRepositoryRef: imageRepositoryRef:
name: ci-demo name: ci-demo
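Review bot: The `apiVersion` of both objects moves backwards from `image.toolkit.fluxcd.io/v1` to `v1beta2`; as far as I know `v1beta2` is the deprecated predecessor that newer Flux serves only for compatibility, so this only helps if the installed Flux predates the `v1` image API, and that is worth confirming against the controller versions in the bundled components manifest before standardising on a deprecated version. Moving both objects into `ci-demo` lines up with the `targetNamespace: ci-demo` added to the Kustomization, but the `ImageRepository` shows no `secretRef`, so if `registry.bstein.dev/infra/ci-demo` needs credentials the pull secret now has to exist in `ci-demo` rather than `flux-system`. The policy's selection rule sits past this hunk, so I cannot tell whether the `v0.0.0-3` → `v0.0.0-2` step in the kustomization is something the policy will immediately undo.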


@ -8,4 +8,4 @@ resources:
- service.yaml - service.yaml
images: images:
- name: registry.bstein.dev/infra/ci-demo - name: registry.bstein.dev/infra/ci-demo
newTag: registry.bstein.dev/infra/ci-demo:v0.0.0-3 # {"$imagepolicy": "flux-system:ci-demo"} newTag: v0.0.0-2 # {"$imagepolicy": "ci-demo:ci-demo:tag"}
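Review bot: The corrected marker `{"$imagepolicy": "ci-demo:ci-demo:tag"}` names a policy in namespace `ci-demo`, and as I read the Flux docs the image-automation-controller resolves markers only against `ImagePolicy` objects in the `ImageUpdateAutomation`'s own namespace, so the ci-demo automation (whose hunk in this commit does not show `metadata.namespace`) must also live in `ci-demo`; if it is still in `flux-system` this marker is quietly ignored and `newTag` stays hand-maintained. The old value put a full `image:tag` string into `newTag`, which kustomize would have rendered as `registry.bstein.dev/infra/ci-demo:registry.bstein.dev/infra/ci-demo:v0.0.0-3`, and the `:tag` suffix is the right fix for that. The tag also steps back from `v0.0.0-3` to `v0.0.0-2`, which the automation will overwrite on its next run if the policy still selects `-3`, so if `-2` is a deliberate rollback the policy range is where to express it.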


@ -156,54 +156,6 @@ spec:
- name: jenkins-home - name: jenkins-home
mountPath: /var/jenkins_home mountPath: /var/jenkins_home
initScripts: initScripts:
oidc.groovy: |
import hudson.util.Secret
import jenkins.model.IdStrategy
import jenkins.model.Jenkins
import org.jenkinsci.plugins.oic.OicSecurityRealm
import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
def env = System.getenv()
if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
return
}
def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_ISSUER']
if (!required.every { env[it] }) {
throw new IllegalStateException("OIDC enabled but missing vars: ${required.findAll { !env[it] }}")
}
try {
def wellKnown = "${env['OIDC_ISSUER']}/.well-known/openid-configuration"
def serverCfg = new OicServerWellKnownConfiguration(wellKnown)
serverCfg.setScopesOverride('openid profile email')
def realm = new OicSecurityRealm(
env['OIDC_CLIENT_ID'],
Secret.fromString(env['OIDC_CLIENT_SECRET']),
serverCfg,
false,
IdStrategy.CASE_INSENSITIVE,
IdStrategy.CASE_INSENSITIVE
)
realm.createProxyAwareResourceRetriver()
realm.setLogoutFromOpenidProvider(true)
realm.setPostLogoutRedirectUrl('https://ci.bstein.dev')
realm.setUserNameField('preferred_username')
realm.setFullNameFieldName('name')
realm.setEmailFieldName('email')
realm.setGroupsFieldName('groups')
realm.setRootURLFromRequest(true)
realm.setSendScopesInTokenRequest(true)
def j = Jenkins.get()
j.setSecurityRealm(realm)
def auth = new FullControlOnceLoggedInAuthorizationStrategy()
auth.setAllowAnonymousRead(false)
j.setAuthorizationStrategy(auth)
j.save()
println("Configured OIDC realm from init script (well-known)")
} catch (Exception e) {
println("Failed to configure OIDC realm: ${e}")
throw e
}
theme.groovy: | theme.groovy: |
import jenkins.model.Jenkins import jenkins.model.Jenkins
import org.codefirst.SimpleThemeDecorator import org.codefirst.SimpleThemeDecorator
@ -223,8 +175,26 @@ spec:
} }
JCasC: JCasC:
defaultConfig: false defaultConfig: false
securityRealm: "" securityRealm: |
authorizationStrategy: "" oic:
clientId: "${OIDC_CLIENT_ID}"
clientSecret: "${OIDC_CLIENT_SECRET}"
tokenServerUrl: "${OIDC_TOKEN_URL}"
authorizationServerUrl: "${OIDC_AUTH_URL}"
userInfoUrl: "${OIDC_USERINFO_URL}"
logoutFromOpenIdProvider: true
postLogoutRedirectUrl: "https://ci.bstein.dev"
scopes: "openid profile email"
rootURLFromRequest: true
userNameField: "preferred_username"
fullNameFieldName: "name"
emailFieldName: "email"
groupsFieldName: "groups"
escapeHatchEnabled: false
maxClockSkew: 120
authorizationStrategy: |
loggedInUsersCanDoAnything:
allowAnonymousRead: false
configScripts: configScripts:
base.yaml: | base.yaml: |
jenkins: jenkins:
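Review bot: The new `oic:` realm is written against the legacy flat JCasC schema (`tokenServerUrl`, `authorizationServerUrl`, `userInfoUrl` and `scopes` at the top level), while the init script it replaces targets the oic-auth 4.x API (`OicServerWellKnownConfiguration`, `setScopesOverride`); on a 4.x plugin I believe JCasC rejects those keys as unknown attributes, the realm is never applied, and with `defaultConfig: false` Jenkins is left with whatever realm the remaining `configScripts` set — confirm the installed plugin version, and if it is 4.x move the endpoints under `serverConfiguration`. Using `wellKnown` discovery there, from the `OIDC_ISSUER` variable the removed script already relied on, also gives the plugin the issuer and JWKS URL that the three manual endpoints here omit, so ID-token issuer and signature checks no longer depend on plugin defaults. Separately, `loggedInUsersCanDoAnything` grants every account the IdP will authenticate full Jenkins admin, and `groupsFieldName: groups` is mapped but nothing consumes it; a matrix/role strategy keyed on those groups, or at minimum a client-side access restriction at the IdP, is the usual follow-up. `rootURLFromRequest: true` derives the OAuth redirect URI from the incoming `Host` header, and since `ci.bstein.dev` is already pinned in `postLogoutRedirectUrl`, setting Jenkins' URL explicitly and turning this off removes a request-controlled input from the login flow. `escapeHatchEnabled: false` and the env-substituted client secret are the right choices and should stay.

```yaml
securityRealm: |
  oic:
    clientId: "${OIDC_CLIENT_ID}"
    clientSecret: "${OIDC_CLIENT_SECRET}"
    serverConfiguration:
      wellKnown:
        wellKnownOpenIDConfigurationUrl: "${OIDC_ISSUER}/.well-known/openid-configuration"
        scopesOverride: "openid profile email"
    # … unchanged: logoutFromOpenIdProvider, postLogoutRedirectUrl, userNameField,
    #    fullNameFieldName, emailFieldName, groupsFieldName, escapeHatchEnabled, maxClockSkew …
    # (drop the top-level `scopes:` and the three manual *Url keys; discovery supplies them)
```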