Files

ReachableCEO c8c4bd4e9b feat(jenkins): complete Jenkins package with OIDC support and production methodology

- Add comprehensive OIDC authentication configuration for Jenkins
- Include CloudronManifest.json in Docker image root directory
- Create production packaging methodology template
- Add OIDC authentication audit document
- Jenkins package ready for live Cloudron testing

Next: Test installation on live Cloudron instance

2025-10-17 10:32:28 -05:00

3.3 KiB

Raw Blame History

OIDC Authentication Audit for KNEL Cloudron Packages

CRITICAL REQUIREMENT: OIDC Authentication Support

All production Cloudron packages MUST support OIDC (OpenID Connect) authentication for mission-critical, revenue-generating workloads.

Current Package Status

✅ FULL OIDC SUPPORT

1. Jenkins CI/CD Platform

Status: ✅ FULL OIDC SUPPORT
Method: OpenID Connect Authentication Plugin
Configuration: Via Jenkins plugin system
Documentation: https://plugins.jenkins.io/openid-connect-authentication/
Cloudron Integration: Configured via environment variables

2. Apache APISIX API Gateway

Status: ✅ FULL OIDC SUPPORT
Method: Built-in OpenID Connect Plugin
Configuration: Via APISIX admin API
Documentation: https://apisix.apache.org/docs/apisix/plugins/openid-connect/
Cloudron Integration: Configured via admin API

3. Rundeck Job Scheduler

Status: ✅ FULL OIDC SUPPORT (Commercial Version)
Method: OAuth2 Resource Server with JWT validation
Configuration: Via rundeck-config.properties
Documentation: https://docs.rundeck.com/docs/administration/security/sso/
Cloudron Integration: Configured via environment variables
Note: Requires Rundeck Pro/Enterprise for full OIDC support

⚠️ LIMITED AUTHENTICATION SUPPORT

4. Rathole Reverse Proxy

Status: ❌ NO OIDC SUPPORT
Authentication: None (tunnel proxy)
Security Model: Network-level security via tokens
Recommendation: Use behind authenticated reverse proxy
Documentation: Document as network-level security only

Implementation Requirements

For Each Package with OIDC Support:

Environment Variables Required:

CLOUDRON_OIDC_ISSUER_URL=https://your-oidc-provider.com
CLOUDRON_OIDC_CLIENT_ID=your-client-id
CLOUDRON_OIDC_CLIENT_SECRET=your-client-secret
CLOUDRON_OIDC_REDIRECT_URI=https://your-app.cloudron.me/oidc/callback

Configuration Files:
- Jenkins: jenkins_home/org.jenkinsci.plugins.openid_connect.OpenIdConnectSecurityRealm.xml
- APISIX: Route configuration with OIDC plugin
- Rundeck: rundeck-config.properties with OAuth settings
Health Check Endpoints:
- Must verify OIDC configuration on startup
- Must test OIDC provider connectivity
- Must validate JWT token processing

Production Readiness Checklist

OIDC provider configuration tested
JWT token validation working
User session management configured
Logout functionality working
Error handling for OIDC failures
Fallback authentication method (if applicable)
Security headers configured
CORS settings for OIDC callbacks

Documentation Requirements

Each package must include:

OIDC configuration instructions
Required environment variables
Troubleshooting guide
Security considerations
Fallback authentication methods (if any)

Next Steps

Immediate: Configure OIDC for Jenkins, APISIX, and Rundeck
Document: Rathole's network-level security model
Test: All OIDC configurations in staging environment
Validate: Production-ready OIDC integration

CRITICAL: No package will be considered production-ready without proper OIDC authentication support and comprehensive testing.

3.3 KiB Raw Blame History