# services/jenkins/helmrelease.yaml
# Flux HelmRelease for the Jenkins controller: chart "jenkins" 5.8.114 from the
# "jenkins" HelmRepository in flux-system, published at https://ci.bstein.dev.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: jenkins
  namespace: jenkins
spec:
  interval: 30m
  chart:
    spec:
      chart: jenkins
      # Pinned chart version. The values block below follows this chart's
      # schema, so bump it deliberately and re-check the keys used here.
      version: 5.8.114
      sourceRef:
        kind: HelmRepository
        name: jenkins
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
      # Flux: also remediate (roll back) the last failed upgrade once the
      # retries are exhausted, rather than leaving the failed release in place.
      remediateLastFailure: true
    # Remove resources created by a failed upgrade before rolling back.
    cleanupOnFail: true
  values:
    controller:
      jenkinsUrl: https://ci.bstein.dev
      ingress:
        enabled: true
        hostName: ci.bstein.dev
        ingressClassName: traefik
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt
          # Only the TLS entrypoint is routed; no plain-HTTP router is declared.
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        tls:
          - secretName: jenkins-tls
            hosts:
              - ci.bstein.dev
      # Empty list: the chart installs no plugins. The OIDC script below
      # references org.jenkinsci.plugins.oic.OicSecurityRealm, so the oic-auth
      # plugin (and Configuration-as-Code, for JCasC) must already ship in the
      # controller image — TODO confirm.
      installPlugins: []
      containerEnv:
        # Master switch read by the OIDC script. Kept as the string "false"
        # (not a YAML bool) because the script calls toBoolean() on it.
        - name: ENABLE_OIDC
          value: "false"
        # Provider settings are read from the jenkins-oidc Secret. Every ref is
        # optional so the pod still starts when the Secret is absent, which is
        # the expected state while ENABLE_OIDC is "false".
        - name: OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: clientId
              optional: true
        - name: OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: clientSecret
              optional: true
        - name: OIDC_AUTH_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: authorizationUrl
              optional: true
        - name: OIDC_TOKEN_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: tokenUrl
              optional: true
        - name: OIDC_USERINFO_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: userInfoUrl
              optional: true
        - name: OIDC_LOGOUT_URL
          valueFrom:
            secretKeyRef:
              name: jenkins-oidc
              key: logoutUrl
              optional: true
      JCasC:
        # Keep the chart's default JCasC configuration in addition to the
        # scripts listed below.
        defaultConfig: true
        # NOTE(review): configScripts entries are handed to the
        # Configuration-as-Code plugin and parsed as YAML. This entry is a
        # Groovy script, so it is unlikely to be executed as such here — confirm
        # on a running controller, or move it to controller.initScripts
        # (init.groovy.d) / express the realm as JCasC `securityRealm: oic:`.
        # Security-relevant settings inside the script (positional constructor
        # arguments — the order must match the installed oic-auth plugin
        # version, verify against its source):
        #   - escapeHatchEnabled=true for user "admin" with an empty
        #     escapeHatchSecret: confirm the plugin refuses an empty secret;
        #     otherwise the local bypass login is effectively unprotected.
        #   - enforceValidIssuers=false with an empty issuer: the ID-token
        #     issuer is not validated.
        #   - disableSslVerification=false and allowUnsignedIdTokens=false are
        #     the safe values and should stay that way.
        #   - On missing env vars the script logs the variable names only,
        #     never their values.
        configScripts:
          01-oidc.groovy: |
            import jenkins.model.*
            def env = System.getenv()
            def enable = (env['ENABLE_OIDC'] ?: 'false').toBoolean()
            if (!enable) {
              println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
              return
            }
            def required = ['OIDC_CLIENT_ID','OIDC_CLIENT_SECRET','OIDC_AUTH_URL','OIDC_TOKEN_URL','OIDC_USERINFO_URL']
            if (!required.every { env[it] }) {
              println("OIDC enabled but missing one or more env vars: ${required}")
              return
            }
            try {
              def realm = new org.jenkinsci.plugins.oic.OicSecurityRealm(
                env['OIDC_CLIENT_ID'],
                env['OIDC_CLIENT_SECRET'],
                env['OIDC_TOKEN_URL'],
                env['OIDC_AUTH_URL'],
                env['OIDC_USERINFO_URL'],
                true, // logout from provider
                env['OIDC_LOGOUT_URL'] ?: "",
                "", // postLogoutRedirectUrl
                "openid email profile",
                "", // prompt
                "preferred_username",
                "name",
                "email",
                false, // disableSslVerification
                true, // escapeHatchEnabled
                "admin",
                "", // escapeHatchSecret
                "", // escapeHatchGroup
                true, // loadUserInfo
                true, // validateScopes
                false, // allowUnsignedIdTokens
                false, // enforceValidIssuers
                "", // issuer
                false // disableUserInfoFetch
              )
              def instance = Jenkins.get()
              instance.setSecurityRealm(realm)
              instance.save()
              println("Configured OIDC security realm from env")
            } catch (Exception e) {
              println("Failed to configure OIDC realm: ${e}")
            }
    # Chart-level values (siblings of controller, not nested under it).
    persistence:
      enabled: true
      storageClass: astreae
      size: 50Gi
    serviceAccount:
      # Let the chart create a dedicated ServiceAccount for the controller.
      create: true