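# services/jenkins/helmrelease.yaml
#
# Flux HelmRelease for the Jenkins controller published at https://ci.bstein.dev
# behind Traefik with a cert-manager (letsencrypt) certificate.
#
# Authentication: the oidc.groovy init script below can switch Jenkins to the
# oic-auth security realm against https://sso.bstein.dev/realms/atlas, but it is
# OFF by default (ENABLE_OIDC="false"). While it is off, Jenkins runs whatever
# security realm the chart installs by default.
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: jenkins
  namespace: jenkins
spec:
  interval: 30m
  chart:
    spec:
      chart: jenkins
      # quoted so no YAML parser ever reads the chart version as a number
      version: "5.8.114"
      sourceRef:
        kind: HelmRepository
        name: jenkins
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
  values:
    controller:
      jenkinsUrl: https://ci.bstein.dev
      ingress:
        enabled: true
        hostName: ci.bstein.dev
        ingressClassName: traefik
        annotations:
          # certificate for ci.bstein.dev issued into the jenkins-tls Secret
          cert-manager.io/cluster-issuer: letsencrypt
          # only the TLS entrypoint is routed; no plaintext HTTP router
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        tls:
          - secretName: jenkins-tls
            hosts:
              - ci.bstein.dev
      # NOTE(review): these plugins are not pinned, so the resolved versions
      # depend on when the controller last started. Pin them (name:version)
      # so the oic-auth constructor used in oidc.groovy below is exercised
      # against a known plugin API and upgrades go through review.
      installPlugins:
        - kubernetes
        - workflow-aggregator
        - git
        - configuration-as-code
        - oic-auth
      # Every secretKeyRef is optional: the pod starts even when the
      # jenkins-oidc Secret is absent, and oidc.groovy refuses to configure
      # the realm when any required variable is missing.
      containerEnv:
        # master switch for the init script; must be the string "true" to enable
        - name: ENABLE_OIDC
          value: "false"
        - name: OIDC_ISSUER
          value: "https://sso.bstein.dev/realms/atlas"
        - name: OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: clientId
              optional: true
        - name: OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: clientSecret
              optional: true
        - name: OIDC_AUTH_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: authorizationUrl
              optional: true
        - name: OIDC_TOKEN_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: tokenUrl
              optional: true
        - name: OIDC_USERINFO_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: userInfoUrl
              optional: true
        - name: OIDC_LOGOUT_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: logoutUrl
              optional: true
        # Optional break-glass password for the oic-auth "escape hatch" local
        # login. When this key is absent or empty, oidc.groovy disables the
        # escape hatch instead of enabling it with an empty secret.
        - name: OIDC_ESCAPE_HATCH_SECRET
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: escapeHatchSecret
              optional: true
      initScripts:
        oidc.groovy: |
          import jenkins.model.Jenkins
          import org.jenkinsci.plugins.oic.OicSecurityRealm

          // Jenkins init script: install the OIDC security realm when
          // ENABLE_OIDC=true, taking all settings from the container
          // environment (see containerEnv above). If anything is missing or
          // the realm cannot be built, Jenkins keeps its current realm.
          def env = System.getenv()
          def enable = (env['ENABLE_OIDC'] ?: 'false').toBoolean()
          if (!enable) {
            println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
            return
          }

          def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_AUTH_URL','OIDC_TOKEN_URL','OIDC_USERINFO_URL']
          def missing = required.findAll { !env[it] }
          if (missing) {
            println("OIDC enabled but missing vars: ${missing}")
            return
          }

          // Break-glass local login ("escape hatch"): enable it only when a
          // non-empty secret was supplied. The previous configuration enabled
          // it with an empty secret, which is at best useless and at worst a
          // password-less local login as "admin" - which of the two applies
          // depends on the installed oic-auth version, so do not rely on it.
          def escapeHatchSecret = env['OIDC_ESCAPE_HATCH_SECRET'] ?: ""
          def escapeHatchEnabled = !escapeHatchSecret.isEmpty()
          if (!escapeHatchEnabled) {
            println("OIDC_ESCAPE_HATCH_SECRET not set; escape hatch login disabled")
          }

          try {
            // NOTE(review): positional constructor. The argument order must
            // match the OicSecurityRealm constructor of the oic-auth version
            // actually installed (plugins are unpinned above); a mismatch
            // throws and lands in the catch block below.
            def realm = new OicSecurityRealm(
              env['OIDC_CLIENT_ID'],
              env['OIDC_CLIENT_SECRET'],
              env['OIDC_TOKEN_URL'],
              env['OIDC_AUTH_URL'],
              env['OIDC_USERINFO_URL'],
              true,                          // logout from provider
              env['OIDC_LOGOUT_URL'] ?: "",
              "",                            // postLogoutRedirectUrl
              "openid email profile",
              "",                            // prompt
              "preferred_username",
              "name",
              "email",
              false,                         // disableSslVerification - keep false
              escapeHatchEnabled,            // escapeHatchEnabled
              "admin",                       // escapeHatchUsername (presumed from position)
              escapeHatchSecret,             // escapeHatchSecret
              "",                            // escapeHatchGroup
              true,                          // loadUserInfo
              true,                          // validateScopes
              false,                         // allowUnsignedIdTokens - keep false
              false,                         // enforceValidIssuers - NOTE(review): the issuer is
                                             // passed on the next line but not enforced; confirm
                                             // with the plugin docs whether true is safe here
              env['OIDC_ISSUER'] ?: "",
              false                          // disableUserInfoFetch
            )
            def j = Jenkins.get()
            j.setSecurityRealm(realm)
            j.save()
            println("Configured OIDC realm from init script")
          } catch (Exception e) {
            // Deliberately best-effort: the realm that was already in place
            // stays active (possibly the chart's default local realm), so
            // check the controller log for this line after every restart.
            println("Failed to configure OIDC realm: ${e}")
          }
      persistence:
        enabled: true
        storageClass: astreae
        size: 50Gi
      serviceAccount:
        create: true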