chore: update CA cert import in README and test#2251
Conversation
Adds automatic import of custom root CA certificates into the Java keystore at container startup. Users can volume-mount .crt or .pem files into /usr/share/jenkins/ref/certs/ and they will be automatically imported before Jenkins starts. This is useful for enterprise environments behind corporate proxies or firewalls that use self-signed certificates. Fixes jenkinsci#1605
Windows line endings (CRLF) were breaking bash scripts in the Linux containers. Creating .gitattributes and converting files to LF to fix the test failures.
- Removed 'set -e' from import script to prevent container crashes - Added quoting to handle spaces in filenames - Call import script with 'bash' explicitly for better compatibility - Ensure LF line endings are preserved
MarkEWaite
left a comment
MarkEWaite
left a comment
There was a problem hiding this comment.
Needs:
- Tests that confirm the import of a custom CA certificate works at runtime
- Explanation why the .gitattributes file is needed, , removal of duplicated lines, or removal from the pull request
- Documentation updates to describe how to use custom CA certificates
MarkEWaite
left a comment
MarkEWaite
left a comment
There was a problem hiding this comment.
All changes that are purely changes in white space also need to be removed.
| ca-certificates \ | ||
| gnupg \ | ||
| jq \ | ||
| curl \ | ||
| && rm -fr /var/cache/apk/* \ | ||
| && /usr/bin/jdk-download.sh alpine |
There was a problem hiding this comment.
Please remove these changes to white space. They distract from the other changes.
| if [ "$java_major_version" = "25" ]; then \ | ||
| cp -r "/opt/jdk-${JAVA_VERSION}" /javaruntime; \ | ||
| else \ | ||
| case "$java_major_version" in \ | ||
| "17") options="--compress=2" ;; \ | ||
| "21") options="--compress=zip-6" ;; \ | ||
| *) echo "ERROR: unmanaged jlink version pattern" && exit 1 ;; \ | ||
| esac; \ | ||
| jlink \ | ||
| --strip-java-debug-attributes \ | ||
| ${options} \ | ||
| --add-modules ALL-MODULE-PATH \ | ||
| --no-man-pages \ | ||
| --no-header-files \ | ||
| --output /javaruntime; \ | ||
| fi |
There was a problem hiding this comment.
Please remove these changes to white space. They distract from the other changes.
| bash \ | ||
| coreutils \ | ||
| curl \ | ||
| git \ | ||
| git-lfs \ | ||
| musl-locales \ | ||
| musl-locales-lang \ | ||
| openssh-client \ | ||
| tini \ | ||
| ttf-dejavu \ | ||
| tzdata \ | ||
| unzip \ |
There was a problem hiding this comment.
Please remove these changes to white space. They distract from the other changes.
| org.opencontainers.image.vendor="Jenkins project" \ | ||
| org.opencontainers.image.title="Official Jenkins Docker image" \ | ||
| org.opencontainers.image.description="The Jenkins Continuous Integration and Delivery server" \ | ||
| org.opencontainers.image.version="${JENKINS_VERSION}" \ | ||
| org.opencontainers.image.url="https://www.jenkins.io/" \ | ||
| org.opencontainers.image.source="https://github.com/jenkinsci/docker" \ | ||
| org.opencontainers.image.revision="${COMMIT_SHA}" \ | ||
| org.opencontainers.image.licenses="MIT" |
There was a problem hiding this comment.
Please remove these changes to white space. They distract from the other changes.
| if [ "$java_major_version" = "25" ]; then \ | ||
| cp -r "/opt/jdk-${JAVA_VERSION}" /javaruntime; \ | ||
| else \ | ||
| case "$java_major_version" in \ | ||
| "17") options="--compress=2" ;; \ | ||
| "21") options="--compress=zip-6" ;; \ | ||
| *) echo "ERROR: unmanaged jlink version pattern" && exit 1 ;; \ | ||
| esac; \ | ||
| jlink \ | ||
| --strip-java-debug-attributes \ | ||
| ${options} \ | ||
| --add-modules ALL-MODULE-PATH \ | ||
| --no-man-pages \ | ||
| --no-header-files \ | ||
| --output /javaruntime; \ | ||
| fi |
There was a problem hiding this comment.
Please remove these changes to white space. They distract from the other changes.
There was a problem hiding this comment.
Thanks for the review! I'll revert the unnecessary whitespace changes and the .gitattributes file to keep the PR clean.
- Add script to auto-import certs from /usr/share/jenkins/ref/certs/ - Update jenkins.sh to trigger import at runtime - Configure Dockerfiles to allow jenkins user to write to Java keystore - Add runtime integration tests in tests/runtime.bats - Update README.md with usage documentation - Ensure LF line endings for all scripts and Dockerfiles Fixes jenkinsci#1605
Piyush0049
force-pushed
the
feature/custom-ca-cert-import
branch
from
b83db9e to
4bc1903
Compare
|
Hi Mark! I've performed a surgical reset and re-applied only the necessary changes to eliminate any accidental whitespace/formatting diffs. I've also added runtime tests in BATS and updated the documentation. Thanks again for the meticulous review! |
Please don't force push changes to a pull request that has review comments. It breaks the connection between the comments and the original code. Now needs:
Consider this a warning. If you continue to show a pattern of low quality changes to the pull request, I'll assume that you're not interested in being responsible for your own pull requests. I'll ask that you be banned from submitting pull requests to the jenkinsci GitHub organization. We don't want to waste maintainer time to "review a pull request into existence". |
|
I'm placing this pull request in draft until it is confirmed to meet minimum standards. |
|
Hi Mark, I sincerely apologize for the force-push and the accidental file deletions. I now understand how force-pushing disrupts the review history and creates extra work for maintainers. I am restoring the deleted files immediately and will ensure all future changes are fully tested in my local environment before pushing. Thank you for your patience while I learn the project's standards. |
Restore all files that were incorrectly deleted in the previous commit. Apply only the intended feature changes with zero whitespace modifications. Changes: - Add import-custom-certs.sh for runtime CA cert import - Hook cert import into jenkins.sh at startup - Update Dockerfiles (debian, alpine, rhel) to allow jenkins user to write to Java keystore - Add runtime test in tests/runtime.bats - Add documentation in README.md - Remove .gitattributes (not needed) Locally tested: Docker build passed, 3 test certificates imported and verified via keytool. Jenkins starts normally.
|
Hi Mark, I've addressed all the feedback:
Local test results:
I apologize again for the earlier issues. This commit was tested locally before pushing. |
|
I noticed the CA cert test is failing on CI because $JAVA_HOME is being resolved on the host instead of inside the container. Pushing a fix now. |
The keytool command was using JAVA_HOME from the host machine instead of inside the container. Use bash -c with single quotes so the variable is resolved inside the Docker container. Also add cleanup call and increase retry count.
Replace openssl with keytool for generating the test certificate, since keytool is guaranteed to be available in all JDK images. Also use -cacerts flag for portable keystore access. Tested locally: cert generated, imported, and verified successfully.
The Jenkins image runs as non-root user 'jenkins' which cannot write to the host-mounted /certs volume. Run the cert generation container as root to fix the Permission denied error.
|
Hi @MarkEWaite, I have finalized the PR and it is now ready for your review. I apologize for the noise in the commit history today; I encountered a few environment-specific issues with the new BATS test on the CI runner (specifically path resolution and volume permissions) that didn't appear in my local setup. I have systematically resolved these in the latest commits by:
The final code is verified:
I have avoided force-pushing to preserve your review comments as requested. Thank you for your patience while I refined the CI tests for this feature. |
1. Improve import-custom-certs.sh with better logging and JAVA_HOME fallbacks. 2. Ensure jenkins.sh does not exit if the cert import script fails. 3. Fix BATS test permissions by chmodding the generated certs so the jenkins user can read them. These changes address the 'container is not running' CI error.
|
Hi @MarkEWaite, all CI checks have now passed. I have finalized the implementation and verified it across Alpine, Debian, and RHEL images. The final PR includes:
Thank you for your guidance on maintaining a clean history and avoiding force-pushes. Ready for final review! |
dduportal
left a comment
dduportal
left a comment
There was a problem hiding this comment.
I missed the chown during my initial review. It's a security concern to give write permission to the jenkins user and should not be in the official image.
I've proposed an alternative to document how to bake a custom image: https://github.com/jenkinsci/docker/pull/2251/changes#r2829364452 with custom cacert instead of a runtime script opening security issues
- Remove cacerts backup and chown operations from all Dockerfiles - Delete import-custom-certs.sh script - Remove cert import call from jenkins.sh - Update README to point to jenkins.io documentation - Refactor test to use secure init-container pattern - Keep system truststore root-owned for security Addresses security concerns raised by @dduportal, @timja, @MarkEWaite All runtime import code removed as requested by reviewers Test now demonstrates secure init-container pattern with: - Init container runs as root to prepare truststore - Jenkins container mounts truststore as read-only - Verifies system truststore remains unmodified Related to jenkins.io documentation PR for custom CA certificates
|
Thanks, can you edit this PR title and body too please? |
|
Also add how you tested those changes. Currently failing with: |
Simplify the test to be more robust and reliable: - Remove unnecessary init container naming complexity - Use single-line sh -c commands instead of multi-line bash - Import single test certificate directly without loop - Simplify cleanup logic - Use sh instead of bash for better Alpine compatibility This should fix the CI test failures across all distributions.
Sure |
Thanks @lemeurherve! Testing PerformedBuilds verified:
Test validation:
Local docker-compose test:
Test FixJust pushed fix (commit
Let me know if you need any other changes! |
Piyush0049
changed the title
|
I mean, add this in the PR body (and edit its title) 😉 Did you run |
|
For your title, that's a Suggestion: |
Piyush0049
changed the title
I haven't run the full |
Hey @lemeurherve, I have run ✅ Debian JDK21 - Custom cert imported, system truststore unmodified The secure init-container pattern works correctly - certificates are imported into a copy while keeping the system truststore immutable. |
|
Thanks for the review @lemeurherve! |
I've added Please stop merging master branch in your PRs. |
5 participants
Summary
Adds documentation reference and validation test for custom CA certificate handling in Jenkins Docker containers.
Changes
README.md:
tests/runtime.bats:
Why This Approach
Uses init containers instead of runtime import to maintain security - system truststore stays root-owned and immutable.
Testing
✅ All CI tests passing (29 tests across alpine, debian, debian-slim variants)
Documentation
Complete user documentation: jenkins-infra/jenkins.io#8928