jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

How to Configure AzureAd Security Realm using JCasC on Kubernetes #582

Closed max-blue closed 1 week ago

max-blue commented 1 week ago

Describe your use-case which is not covered by existing documentation.

There is no documentation on how to configure Azure AD as the security realm using Jenkins Configuration as Code (JCasC). Currently I am using the config below with no luck.

JCasC:
  securityRealm: |-
    azuread:
      clientId: "${client_id}"
      clientSecret: "${client_secret}"
      tenant: "${tenant}"
      cacheduration: 3600
      fromrequest: false
      environmentName: Azure
      disableGraphIntegration: false
      promptAccount: false
      singleLogout: false

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

No response

Are you interested in contributing to the documentation?

yes

timja commented 1 week ago

There is, see https://github.com/jenkinsci/azure-ad-plugin#configuration-as-code-and-job-dsl-support

max-blue commented 1 week ago

I followed the documentation in the link you sent and crafted the YAML below. My Jenkins master pods are crash-looping with a long string of exceptions in the logs, and I cannot tell where the error is. See below:

JCasC:
  securityRealm: |-
    azureSecurityRealm:
      clientid: "12345678990ABCDEFGHIKJLMNOP123456"
      clientsecret: "${CLIENT_SECRET}"
      tenant: "12345678990ABCDEFGHIKJLMNOP123456"
      cacheduration: 3600
      fromrequest: false
      environmentName: Azure
      disableGraphIntegration: false
      promptAccount: false
      singleLogout: false
  authorizationStrategy: |-
    azureAdMatrix:
      entries:
        - group:
            name: 0jfh3724-aBCD-9999-56hgj-1234567890
            permissions:
              - Overall/Administer
        - group:
            name: 934884-aBCD-9999-56hgj-0987654321
            permissions:
              - View/Read
              - Job/Cancel
              - Job/Create
              - Job/Discover
              - Job/Read
              - Job/Workspace
        - user:
            name: 689741-EFJH-9999-56hgj-1234567890
            permissions:
              - Overall/Administer
        - user:
            name: kdljdeo8372-LKJHD-0000-56hgj-1234567890
            permissions:
              - Job/Build
              - Job/Cancel
              - Job/Read
              - Agent/Connect

timja commented 1 week ago

The easiest way to do it is to configure it in the UI, then go to the Configuration as Code page and click "View Configuration" to export it.

max-blue commented 1 week ago

Fair, thank you for the guidance. I will respond back if I face any issues.

max-blue commented 1 week ago

I was able to use the exported config-as-code and the pod is healthy now. Thanks for your help. I do have to point out that it is not azureSecurityRealm, it is just azure under securityRealm.

timja commented 1 week ago

Odd, see https://github.com/jenkinsci/azure-ad-plugin/blob/9db6446b6c0b37c6373feca048f5691e6ecfadf1/src/test/java/com/microsoft/jenkins/azuread/integrations/casc/ConfigAsCodeTest.java#L55

The test works.

But I see in my production setup it's using azure.

Let's see if this PR works: https://github.com/jenkinsci/azure-ad-plugin/pull/583
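As an added example (not code from the plugin or from anyone in this thread): a small preflight linter in Python for fragments like the ones above, meant to run before the pod is rolled out so that the mistakes this thread turns on surface as named findings instead of a crash loop. It checks for a "${...}" placeholder closed with "]", for a securityRealm key other than the "azure" that the exported configuration used (an assumption taken from the thread, not from the plugin docs), and for a client secret written inline rather than referenced. SAMPLE is constructed and only modelled on the first post.

```python
import re

# Constructed sample modelled on this thread's first fragment: the "azuread" key that was
# reported as not working, plus a deliberately mismatched "${client_id]" placeholder.
SAMPLE = """\
JCasC:
  securityRealm: |-
    azuread:
      clientId: "${client_id]"
      clientSecret: "${client_secret]"
      tenant: "${tenant]"
"""
# Assumption from the thread, not plugin docs: "azure" is the key the working export used.
WORKING_REALM = "azure"

def placeholder_errors(text):
    """(line, placeholder) for every ${...} that is closed with ']' or not closed at all."""
    errs = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in re.finditer(r"\$\{([^}\]]*)([}\]]|$)", line):
            if m.group(2) != "}":
                errs.append((n, "${" + m.group(1)))
    return errs

def realm_symbol(text):
    """First mapping key nested under securityRealm (also inside a |- block scalar)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"\s*securityRealm:\s*(\|-?|>-?)?\s*$", line):
            for nxt in lines[i + 1:]:
                m = re.match(r"\s*([A-Za-z_][\w-]*):\s*$", nxt)
                if m:
                    return m.group(1)

def literal_secrets(text):
    """Line numbers where clientSecret is an inline value instead of a ${...} reference."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r'\s*clientsecret:\s*"?([^"]*)"?\s*$', line, re.IGNORECASE)
        if m and not m.group(1).startswith("${"):
            hits.append(n)
    return hits

def lint(text):
    out = [f"line {n}: unterminated placeholder {p}" for n, p in placeholder_errors(text)]
    realm = realm_symbol(text)
    if realm != WORKING_REALM:
        out.append(f"securityRealm key is {realm!r}; the working export used {WORKING_REALM!r}")
    out += [f"line {n}: clientSecret is inline, reference it as ${{...}}" for n in literal_secrets(text)]
    return out
```

Feed it the text of the configScripts value (the part after "securityRealm: |-" is handled as well as a plain nested mapping); an empty list from lint() means the three checks passed.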