Issue
I need to deploy a Jenkins container with HTTPS enabled using docker-compose, without using a reverse proxy like Nginx. How can I accomplish this?
I have read this post, this blog post (http://balodeamit.blogspot.com/2014/03/jenkins-switch-to-ssl-https-mode.html), and this blog post, all of which require me to deploy the .war file with java parameters like --httpPort and --httpsPort.
Where do I put these options in my docker-compose file? I also have a Dockerfile where I run some commands post install, is it possible to put these options there?
Here is my current docker-compose file, which works. Note I am not trying to adjust the http or https ports in this file:
version: '3.7'
services:
  jenkins:
    #image: jenkins/jenkins:lts
    build:
      context: ./
      dockerfile: jenkins.Dockerfile
    privileged: true
    user: root
    expose:
      - 8080
    ports:
      - 50000:50000
    container_name: jenkins
    volumes:
      - ./jenkins_data:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      DOCKER_SOCKET: /var/run/docker.sock
    networks:
      - jenkins_nw
    restart: unless-stopped
networks:
  jenkins_nw:
    driver: bridge
Here is my jenkins.Dockerfile:
FROM jenkins/jenkins:lts
ENV http_proxy http://our.proxy.com:2222
ENV https_proxy http://our.proxy.com:2222
USER root
COPY ["./certs/ourrootchain.cer", "/var/jenkins_home"]
RUN \
cd /tmp \
&& keytool -keystore /opt/java/openjdk/lib/security/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ourrootchain -file /var/jenkins_home/ourrootchain.cer
RUN apt-get update && apt-get install tcpdump procps net-tools -y
Troubleshooting
- I installed procps and checked the java command being run to start Jenkins in the container. The output is the following. I have yet to figure out how to adjust the parameters this command runs. Is there a way?
java -Duser.home=/var/jenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 -jar /usr/share/jenkins/jenkins.war
- I tried using JAVA_OPTS: "--httpsPort:8443" as well as https_port: 8443 in my environment: section in the docker-compose file. Using JAVA_OPTS: --httpsPort:8443 gave errors, and the container exited as the command was not recognized. https_port: 8443 did nothing, and netstat inside of the container after deployment shows the server is not listening on https, nor did the java command change from a grep on ps -aux.
I believe I need to import my pkcs12 file into the keystore. All the guides I read online state I need to create a new keystore. Is it possible to import my pkcs12 into an existing keystore?
Is there a place I can define the java command that is being run?
UPDATE:
I am no Java expert, so I did not know that "-D" was used for virtual machine options. I adjusted the "JAVA_OPTS" to look like the following now:
JAVA_OPTS: "-DhttpsPort=8443 -DhttpsCertificate=/var/jenkins_certs/jenkins.crt -DhttpsPrivateKey=/var/jenkins_certs/jenkins.key"
I also adjusted my Dockerfile to create the /var/jenkins_certs directory and copy over the actual cert and private key. The container deploys successfully, and using ps -aux | grep java I can see my options are actually being used. However, netstat -tulpn still shows only "8080" is open. Why does the Jenkins container refuse to use HTTPS or open up the HTTPS port I configured?
Solution
I found this Docker Hub image, jenkins-ssl. Looking at the GitHub repository, I found how they configured their certs and added the "JENKINS_OPTS" statement to actually change the parameters I needed. I edited the following lines in the Dockerfile to use my custom certs to get this to finally work!
#Commenting this out
#ENV JENKINS_OPTS --httpPort=-1 --httpsPort=8443 --httpsCertificate="$CERT_FOLDER/jenkins.pem" --httpsPrivateKey="$CERT_FOLDER/jenkins.key"
#Copy over custom certs change permissions to jenkins:jenkins
COPY ["./certs/", "/var/jenkins_certs"]
RUN chown -R jenkins:jenkins "/var/jenkins_certs"
#Update root ca with custom trust chain (For web only)
RUN cp /var/jenkins_certs/attrootchain.cer /usr/local/share/ca-certificates && update-ca-certificates
#Update root ca with custom trust chain (for java env)
RUN keytool -keystore /opt/java/openjdk/lib/security/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ourrootchain -file /var/jenkins_certs/ourrootchain.cer
#run Jenkins options using the custom cert and key
ENV JENKINS_OPTS --httpPort=-1 --httpsPort=8443 --httpsCertificate="/var/jenkins_certs/jenkins.crt" --httpsPrivateKey="/var/jenkins_certs/jenkins.key"
Then ran docker build -t jenkins-ssl ./
Now I can use this image in my docker-compose file. Or run as a simple docker run statement like this:
docker run --name jenkins-ssl -p 443:8443 -p 50000:50000 jenkins-ssl
Answered By - Dave
Answer Checked By - Pedro (JavaFixing Volunteer)
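
As an added example (not part of the original answer or of the jenkins-ssl project), here is the docker-compose equivalent of the docker run command above, with the same JENKINS_OPTS set under environment:. It assumes the jenkins-ssl image built above and a ./certs directory holding jenkins.crt and jenkins.key, bind-mounted read-only so the private key does not have to be copied into an image layer.

```yaml
# docker-compose.yml (added example; image name, ports and option values follow
# the answer above, the read-only ./certs bind mount is an assumption)
version: '3.7'
services:
  jenkins:
    image: jenkins-ssl            # built with: docker build -t jenkins-ssl ./
    container_name: jenkins
    ports:
      - "443:8443"                # host 443 -> Jenkins HTTPS listener
      - "50000:50000"             # inbound agent port
    environment:
      # JENKINS_OPTS is appended after jenkins.war by the image's start script,
      # so these are Jenkins arguments, not JVM -D options as in JAVA_OPTS.
      # --httpPort=-1 turns the plain HTTP listener off.
      JENKINS_OPTS: >-
        --httpPort=-1
        --httpsPort=8443
        --httpsCertificate=/var/jenkins_certs/jenkins.crt
        --httpsPrivateKey=/var/jenkins_certs/jenkins.key
    volumes:
      - ./jenkins_data:/var/jenkins_home
      # Assumption: ./certs contains jenkins.crt and jenkins.key and is readable
      # by the user Jenkins runs as (uid 1000 in the official image).
      - ./certs:/var/jenkins_certs:ro
    networks:
      - jenkins_nw
    restart: unless-stopped
networks:
  jenkins_nw:
    driver: bridge
```

A value set under environment: overrides an ENV JENKINS_OPTS baked into the image, and the bind mount shadows any /var/jenkins_certs directory copied in at build time.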