Jenkins security realm and authorization strategies

In the context of the Jenkins Helm chart, the Security Realm and Authorization Strategy define how users authenticate and what permissions they hold within the system.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

These configurations are managed via Jenkins Configuration as Code (JCasC) and are applied through the Helm values under the controller key.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

Default Configuration

By default, the chart is configured with a local security realm and a permissive authorization strategy.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

The default configuration creates a single administrative user.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md] While this is sufficient for initial setup, it must be adjusted for production environments.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

Authorization Strategies

The Authorization Strategy determines the permissions assigned to authenticated users.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

  • loggedInUsersCanDoAnything: The default strategy used by the chart.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md] As the name implies, it grants every logged-in user full permissions.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]
  • globalMatrix: The recommended strategy for production-grade environments; it allows permissions to be configured at a fine-grained level instead of all-or-nothing.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

Security Realms

The Security Realm defines where Jenkins looks for user accounts and how it verifies credentials.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

The Helm chart supports various backend configurations, including:

  • Local: Users are defined directly within the Jenkins configuration (the default).^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]
  • LDAP: Integrates with an external LDAP directory service.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]
  • OIDC/OIC: Integrates with OpenID Connect identity providers.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

Configuring External Identity Providers

When using external providers like LDAP or OIDC, it is often necessary to provide credentials or secrets (e.g., service account client IDs or manager passwords).^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

These secrets should not be hardcoded in values.yaml. Instead, mount them into the controller as Kubernetes Secrets and reference them from the JCasC configuration with the ${...} syntax, so that the plaintext value never appears in the chart values.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

For example, an OIDC configuration might reference client secrets defined in additionalSecrets:^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

controller:
  JCasC:
    securityRealm: |-
      oic:
        clientId: ${client_id}
        clientSecret: ${client_secret}

Similarly, LDAP configurations can reference secret keys:^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

controller:
  JCasC:
    configScripts:
      ldap-settings: |-
        jenkins:
          securityRealm:
            ldap:
              configurations:
                - server: "ldap.acme.com"
                  managerPasswordSecret: ${LDAP_PASSWORD}
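As an added example that is not part of the original README or of the chart itself, the following Python script scans a values.yaml text for the two problems this page warns about: the permissive loggedInUsersCanDoAnything strategy, and credential-bearing JCasC keys (clientSecret, managerPasswordSecret, password) whose values are literals rather than ${...} references to mounted Secrets. The sample values are constructed for the example, and the set of keys treated as secret-bearing is an assumption.

```python
import re

# Constructed sample values.yaml: the chart's default permissive strategy,
# a hardcoded OIDC client secret, and a correctly referenced LDAP secret.
SAMPLE_VALUES = """\
controller:
  JCasC:
    authorizationStrategy: |-
      loggedInUsersCanDoAnything:
        allowAnonymousRead: false
    securityRealm: |-
      oic:
        clientId: ${client_id}
        clientSecret: "s3cr3t-hardcoded"
    configScripts:
      ldap-settings: |-
        jenkins:
          securityRealm:
            ldap:
              configurations:
                - server: "ldap.acme.com"
                  managerPasswordSecret: ${LDAP_PASSWORD}
"""

# JCasC keys assumed to carry credentials; their values must be ${...} references.
SECRET_KEYS = {"clientSecret", "managerPasswordSecret", "password", "bindPassword"}
SECRET_REF = re.compile(r'^"?\$\{[A-Za-z0-9_.\-]+\}"?$')
KEY_LINE = re.compile(r'^\s*(?:-\s+)?([A-Za-z_][A-Za-z0-9_\-]*)\s*:\s*(.*)$')


def lint_values(text):
    """Return (line_number, message) findings for a values.yaml text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_LINE.match(line.split("#", 1)[0])  # ignore YAML comments
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "loggedInUsersCanDoAnything":
            findings.append((lineno, "permissive strategy; switch to globalMatrix"))
        elif key in SECRET_KEYS and value and not SECRET_REF.match(value):
            findings.append((lineno, f"{key} is a literal; use a mounted Secret via ${{...}}"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_values(SAMPLE_VALUES):
        print(f"values.yaml:{lineno}: {msg}")
```

Run against the sample it reports the strategy on line 4 and the hardcoded clientSecret on line 9; the LDAP managerPasswordSecret passes because it is a ${...} reference.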

Migration and Overrides

Starting with versions 2.0.0 and 3.0.0 of the chart, JCasC became the default way of configuring the controller.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md] As a consequence, configuration changes made manually (for example through the Jenkins UI) may be reset to match the values defined in the Helm chart.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

Specifically regarding security, manually altered user configurations or permissions will be overridden by the securityRealm and authorizationStrategy defined in values.yaml upon upgrade or restart.^[400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md]

Sources

  • 400-devops__06-Kubernetes__devops-helm__devops-jenkins__README.md