Open
21 commits
74f9daa
feat: add custom root CA certificate import support
Piyush0049 Feb 13, 2026
b474ae5
fix: force LF line endings for scripts and Dockerfiles
Piyush0049 Feb 13, 2026
c161d52
fix: refine CA cert import and improve script robustness
Piyush0049 Feb 13, 2026
4bc1903
feat: add support for custom root CA certificates
Piyush0049 Feb 13, 2026
f050b58
fix: restore files and apply clean custom CA cert feature
Piyush0049 Feb 13, 2026
f6a80a6
fix: resolve JAVA_HOME inside container in CA cert test
Piyush0049 Feb 13, 2026
a6daba6
fix: use keytool instead of openssl for test cert generation
Piyush0049 Feb 13, 2026
15f288b
fix: run cert generation as root to avoid permission denied
Piyush0049 Feb 13, 2026
d0e9b6b
Merge remote-tracking branch 'upstream/master' into feature/custom-ca…
Piyush0049 Feb 14, 2026
d5aab3a
fix: address CI test failures with improved robustness and permissions
Piyush0049 Feb 14, 2026
bf2bc9d
Merge branch 'master' into feature/custom-ca-cert-import
Piyush0049 Feb 15, 2026
287486e
Merge branch 'master' into feature/custom-ca-cert-import
Piyush0049 Feb 15, 2026
96d58c0
Merge branch 'master' into feature/custom-ca-cert-import
Piyush0049 Feb 20, 2026
2368d53
Merge branch 'master' into feature/custom-ca-cert-import
Piyush0049 Mar 6, 2026
a9e5b71
refactor: remove CA cert import feature per reviewer feedback
Piyush0049 Mar 6, 2026
fa410e0
fix: simplify CA certificate init-container test
Piyush0049 Mar 6, 2026
9d373c7
Merge branch 'master' into feature/custom-ca-cert-import
Piyush0049 Mar 16, 2026
bf4eb34
Merge branch 'master' into feature/custom-ca-cert-import
Piyush0049 Mar 16, 2026
6b54858
Merge branch 'master' into feature/custom-ca-cert-import
lemeurherve May 22, 2026
0bb6014
final jenkins.io link
lemeurherve Jun 19, 2026
3d6655e
Merge branch 'master' into feature/custom-ca-cert-import
lemeurherve Jun 19, 2026
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -133,6 +133,10 @@ To potentially solve the issue, start the container specifying a DNS server (for
docker run -p 8080:8080 -p 50000:50000 --restart=on-failure --dns 1.1.1.1 --dns 8.8.8.8 jenkins/jenkins:lts-jdk21
```

## Custom CA Certificates

If your Jenkins instance needs to trust custom root CA certificates (for corporate proxies, internal services, or self-signed certificates), see the documentation on jenkins.io for detailed instructions on using init containers or building custom images at https://www.jenkins.io/doc/book/pipeline/docker/#custom-registry.

## Passing Jenkins launcher parameters

Arguments you pass to docker running the Jenkins image are passed to the Jenkins launcher, so for example you can run:
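Review bot: The URL at the end of the new "Custom CA Certificates" paragraph ends in `/doc/book/pipeline/docker/#custom-registry`, a path and anchor that name a Pipeline Docker custom-registry section, while the sentence promises instructions on init containers and custom images for trusting root CAs. Please confirm the target really covers CA import, or link the page that does, and make it a named Markdown link instead of a bare URL trailing the sentence. It would also help to say in this paragraph that the pattern points the JVM at a separate truststore through `JAVA_OPTS` (`-Djavax.net.ssl.trustStore=...`), as the new test in tests/runtime.bats does, so readers know the image's own `cacerts` stays unmodified.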
47 changes: 47 additions & 0 deletions tests/runtime.bats
Expand Up @@ -161,3 +161,50 @@ runInScriptConsole() {
@test "[${SUT_DESCRIPTION}] ensure that 'ps' command is available" {
command -v ps # Check for binary presence in the current PATH
}

@test "[${SUT_DESCRIPTION}] custom CA certificate is imported via init-container pattern" {
local container_name test_cert_dir cacerts_vol
container_name="$(get_sut_container_name)"
cleanup "${container_name}"
test_cert_dir="$(mktemp -d)"
cacerts_vol="${container_name}-cacerts"

# Clean up any leftover volume
docker volume rm "${cacerts_vol}" 2>/dev/null || true

# Generate a self-signed test CA certificate
docker run --rm --user root -v "${test_cert_dir}:/certs" "${SUT_IMAGE}" \
bash -c '"${JAVA_HOME}/bin/keytool" -genkeypair -alias testca -keyalg RSA -keysize 2048 \
-dname "CN=Test CA" -validity 1 -keypass changeit \
-keystore /tmp/test.jks -storepass changeit 2>/dev/null && \
"${JAVA_HOME}/bin/keytool" -exportcert -alias testca -rfc \
-keystore /tmp/test.jks -storepass changeit \
-file /certs/test-ca.crt 2>/dev/null && \
chmod 644 /certs/test-ca.crt'

# Run init container as root: copy system cacerts and import custom cert
docker run --rm --user root \
-v "${test_cert_dir}:/certs:ro" \
-v "${cacerts_vol}:/cacerts-volume" \
"${SUT_IMAGE}" \
sh -c 'cp "${JAVA_HOME}/lib/security/cacerts" /cacerts-volume/cacerts && "${JAVA_HOME}/bin/keytool" -importcert -noprompt -keystore /cacerts-volume/cacerts -storepass changeit -alias custom-test-ca -file /certs/test-ca.crt'

# Start Jenkins with the custom truststore (read-only)
docker run -d --name "${container_name}" \
-v "${cacerts_vol}:/cacerts:ro" \
--env JAVA_OPTS="-Djavax.net.ssl.trustStore=/cacerts/cacerts" \
"${SUT_IMAGE}"

# Verify custom cert exists in custom truststore
retry 10 2 docker exec "${container_name}" \
sh -c '"${JAVA_HOME}/bin/keytool" -list -keystore /cacerts/cacerts -storepass changeit -alias custom-test-ca'

# Verify system truststore was NOT modified
run docker exec "${container_name}" \
sh -c '"${JAVA_HOME}/bin/keytool" -list -keystore "${JAVA_HOME}/lib/security/cacerts" -storepass changeit -alias custom-test-ca'
assert_failure

# Cleanup
rm -rf "${test_cert_dir}"
docker volume rm "${cacerts_vol}" 2>/dev/null || true
}
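Review bot: The "Verify custom cert exists in custom truststore" step runs `keytool -list -keystore /cacerts/cacerts` against the mounted file directly, so it passes whether or not the Jenkins JVM honours `-Djavax.net.ssl.trustStore=/cacerts/cacerts`; nothing here shows that the running instance uses the custom truststore. Consider adding an assertion that goes through the running JVM, for example with the `runInScriptConsole` helper named in the hunk header, checking the `javax.net.ssl.trustStore` system property. The `# Cleanup` block is also fragile: it is skipped when an earlier command fails, it never removes the started container, and the final `docker volume rm "${cacerts_vol}"` runs while that container still mounts the volume, so it fails and `|| true` hides it. Moving the cleanup into a teardown that removes the container first would fix all three. Finally, the `2>/dev/null` on both keytool calls in the generation step discards the error output that would explain a failure there.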