lfit · vvalderrv · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025
diff --git a/base/jenkins/jcasc_yamls/02-security-emergency.yaml b/base/jenkins/jcasc_yamls/02-security-emergency.yaml
diff --git a/base/jenkins/jcasc_yamls/02-security.yaml b/base/jenkins/jcasc_yamls/02-security.yaml
@@ -1,47 +1,12 @@
 # jcasc/02-security.yaml
-# CSRF Protection: Prevents cross-site request forgery attacks
-# NOTE: If automated scripts/API calls start failing with 403 errors,
-# they may need to be updated to include CSRF tokens (crumbs)
 ---
 jenkins:
-  # Enable CSRF protection
-  crumbIssuer:
-    standard:
-      excludeClientIPFromCrumb: false
-  # Disable "Remember me" functionality for better security
-  # Users will need to re-authenticate after session expires
-  disableRememberMe: true
-  # SAML SSO Authentication via Linux Foundation SSO
-  # Emergency Access: Use 02-security-emergency.yaml if LF SSO is down
   securityRealm:
-    saml:
-      binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-      displayNameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
-      emailAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-      groupsAttributeName: "http://schemas.xmlsoap.org/claims/Group"
-      idpMetadataConfiguration:
-        period: 60
-        url: "${SAML_METADATA_URL}"
-      logoutUrl: "${SAML_LOGOUT_URL}"
-      maximumAuthenticationLifetime: 86400
-      usernameCaseConversion: "none"
-      usernameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
+    local:
+      allowsSignup: false
+      users:
+        - id: "admin"
+          password: '${JCASC_JENKINSSECURITY_ADMINPASSWORD}'
   authorizationStrategy:
-    projectMatrix:
-      permissions:
-        # SAML Group-based Admin Access (Linux Foundation Staff)
-        # Security Review: Replaced hardcoded individual usernames with SAML groups
-        # for better maintainability and security
-        # 'staff': Members of the Linux Foundation staff who require full administrative access to Jenkins
-        - "Overall/Administer:staff"
-        # 'lf-releng': Members of the Linux Foundation Release Engineering team responsible for CI/CD infrastructure management
-        - "Overall/Administer:lf-releng"
-        # Emergency fallback admin account (local authentication)
-        - "Overall/Administer:lf-jenkins"
-        # Standard authenticated users - limited permissions
-        - "Overall/Read:authenticated"
-        - "Job/Build:authenticated"
-        - "Job/Cancel:authenticated"
-        - "Job/Read:authenticated"
-        - "Job/Workspace:authenticated"
-        - "View/Read:authenticated"
+    loggedInUsersCanDoAnything:
+      allowAnonymousRead: false
diff --git a/base/jenkins/templates/jcasc-configmap.yaml b/base/jenkins/templates/jcasc-configmap.yaml
@@ -5,7 +5,6 @@ metadata:
   labels:
     {{- include "jenkins.labels" . | nindent 4 }}
     app.kubernetes.io/component: jcasc
-    {{ include "jenkins.fullname" . }}-jenkins-config: "true"
 data:
 {{- $files := .Files.Glob "jcasc_yamls/*.yaml" }}
 {{- range $path, $_ := $files }}

diff --git a/base/jenkins/templates/networkpolicies.yaml b/base/jenkins/templates/networkpolicies.yaml
diff --git a/base/jenkins/values.yaml b/base/jenkins/values.yaml
@@ -26,8 +26,93 @@ jenkins:
 
     JCasC:
       defaultConfig: false
-      configScripts: {}
+      configScripts:
 
-# Network security configuration
-networkPolicy:
-  enabled: true
+        01-global-env-vars: |
+          jenkins:
+            globalNodeProperties:
+            - envVars:
+                env:
+                - key: "GLOBAL_LOG_LEVEL"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_LOGLEVEL}'
+                - key: "ARTIFACTORY_URL"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_ARTIFACTORYURL}'
+                - key: "COMPANY_NAME"
+                  value: "OpenSearch Project"
+                - key: "DOCKER_REGISTRY"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_DOCKERREGISTRY}'
+                - key: "GIT_BASE"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_GITBASEURL}/$PROJECT'
+                - key: "GIT_URL"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_GITURL}'
+                - key: "PACKAGECLOUDPROXY"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_PACKAGECLOUDPROXY}'
+                - key: "PCIO_CO"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_PCIOCO}'
+                - key: "RELEASE_EMAIL"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_RELEASEEMAIL}'
+                - key: "RELEASE_USERNAME"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_RELEASEUSERNAME}'
+                - key: "S3_BUCKET"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_S3BUCKET}'
+                - key: "CDN_URL"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_CDNURL}'
+                - key: "SIGUL_KEY"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_SIGULKEY}'
+                - key: "SILO"
+                  value: '${JCASC_JENKINSGLOBALENVVARS_SILO}'
+
+        02-security: |
+          jenkins:
+            securityRealm:
+              local:
+                allowsSignup: false
+                users:
+                  - id: "admin"
+                    password: '${JCASC_JENKINSSECURITY_ADMINPASSWORD}'
+            authorizationStrategy:
+              loggedInUsersCanDoAnything:
+                allowAnonymousRead: false
+
+        03-tools: |
+          tool:
+            jdk:
+              installations:
+                - name: "jdk-17"
+                  home: "/opt/java/openjdk"
+            git:
+              installations:
+                - name: "Default"
+                  home: "git"
+
+        04-global-libraries: |
+          # Jenkins global pipeline library configurations placeholder
+
+        05-plugins-config: |
+          unclassified:
+            gitHubConfiguration:
+              apiRateLimitChecker: ThrottleForNormalize
+            gitHubPluginConfig:
+              configs:
+                - name: "opensearch-project"
+                  credentialsId: "github-api-token-placeholder"
+              hookUrl: "http://jenkins.placeholder.example.com/github-webhook/"
+            ghprbTrigger:
+              cron: "H/5 * * * *"
+              githubAuth:
+                - id: "opensearch-project-ghprb-auth"
+                  serverAPIUrl: "https://api.github.com"
+                  credentialsId: "github-api-token-placeholder"
+                  description: "GitHub auth for opensearch-project PR builder"
+              adminlist: ""
+              manageWebhooks: false
+              okToTestPhrase: ".*ok to test.*"
+              retestPhrase: ".*test this please.*"
+              skipBuildPhrase: ".*\\[skip ci\\].*"
+
+        06-credentials: |
+          # Jenkins credential configurations placeholder
+
+        07-cloud-agents: |
+          # Cloud agents configuration moved to separate jcasc_yamls file
+          # See: base/jenkins/jcasc_yamls/07-cloud-agents.yaml