Added support for Unix Domain Sockets in Pomerium Reverse Proxy #7772
Status: Open. Wants to merge 13 commits into base: master. Changes from 10 commits.

Expand Up @@ -296,3 +296,100 @@ For example:

- You can build a policy that only allows users to access Jenkins at certain times of day or days of the week, or limit access to certain devices
- You can import custom groups claims from your IdP and only allow access to members of the group

== Configuring Pomerium with Unix Domain Sockets

Starting from Jenkins version 2.452.1 , Jenkins supports Unix domain sockets. This can be particularly useful for improving security and performance.

### Prerequisites
Contributor:

Suggested change
### Prerequisites
=== Prerequisites

Suggestion to use the same type of formatting as elsewhere on the page.

Contributor Author:

I’ll update the header formatting for consistency with the rest of the document by changing it.


Ensure that you have Pomerium installed and configured according to the [Pomerium documentation](https://www.pomerium.com/docs/).

### Configuration Steps

## 1. Update Pomerium Configuration :
Comment on lines +309 to +311
Contributor:


Suggested change
### Configuration Steps
## 1. Update Pomerium Configuration :
=== Configuration steps
==== Update you Pomerium configuration:

Adjust header formatting to match the rest of the page, remove number from step to match rest of the page formatting, ensure the step is a smaller heading size than the Configuration Steps header. Adjust to use sentence case for header.

If these are all steps to configure, they may not need their own headers. They can be listed under the configuration steps header with their respective order (1 -> 2 -> 3) or smaller headers if they have a bunch of information attached, but since steps 3 and 4 have only one sentence, using the steps as headers is unnecessary.

Contributor Author (@biru-codeastromer, Jan 6, 2025):


Thanks Sir for the feedback. I’ll update the headers to be smaller and ensure they are consistent with the rest of the page, combining some of the steps to make the flow more natural.


Add and update the following to your Pomerium configuration to enable Unix domain sockets:

```yaml
authenticate_service_url: https://authenticate.localhost.pomerium.io/oauth2/callback

idp_provider: REPLACE_ME
idp_provider_url: REPLACE_ME
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

signing_key: REPLACE_ME

routes:
- from: https://verify.localhost.pomerium.io
to: http://verify:8000
pass_identity_headers: true
allow_websockets: true
policy:
- allow:
and:
- email:
is: [email protected]
- from: https://jenkins.localhost.pomerium.io
to: http://jenkins:8080
host_rewrite_header: true
pass_identity_headers: true
policy:
- allow:
and:
- domain:
is: example.com
- user:
is: username
```

## 2. Configure Jenkins :
Contributor:


Suggested change
## 2. Configure Jenkins :
==== Configure Jenkins:

Adjusting formatting to be aligned with the rest of the page/site. Again, if these steps are all part of the Configuration Steps header, they do not need to be their own separate headings and could just be listed steps underneath "Configuration Steps".


Ensure that Jenkins is configured to listen on the Unix domain socket. Update your Jenkins configuration as follows:

```yaml
networks:
main: {}
services:
pomerium:
image: pomerium/pomerium:latest
volumes:
- ./config.yaml:/pomerium/config.yaml:ro
- /var/run/jenkins.sock:/var/run/jenkins.sock
ports:
- 443:443
networks:
main:
aliases:
- authenticate.localhost.pomerium.io

verify:
networks:
main: {}
image: pomerium/verify:latest
expose:
- 8000

jenkins:
networks:
main: {}
image: jenkins/jenkins:lts-jdk11
Contributor:


I would also be cautious to use lts-jdk11 as we do not support Java 11 any longer. If this documentation needs to be updated overall to use lts-jdk17 that can be a separate PR, but I would advise testing using a supported version.

privileged: true
user: root
environment:
JAVA_OPTS: "-Djenkins.httpListenAddress=unix:/var/run/jenkins/jenkins.socket"
JENKINS_UNIX_DOMAIN_PATH: "/var/run/jenkins/jenkins.socket"
volumes:
- ./home/jenkins_compose/jenkins_configuration:/var/jenkins_home
- /var/run/docker.sock:/var/run/docker.sock
- /var/run/jenkins:/var/run/jenkins
```

## 3. Restart Services :
Contributor:


Suggested change
## 3. Restart Services :
==== Restart services:

Adjusting formatting and capitalization for sentence case.

This is very minimal content and would not need its own header section. This would fit better as a listed step with the other steps underneath Configuration Steps.

Contributor Author:


Thanks for pointing this out. I will remove the header for "Restart Services" and integrate it into the rest of the steps under "Configuration Steps."


Restart both Jenkins and Pomerium to apply the new configuration.

### Verification

After restarting the services, verify that Jenkins is accessible through the Unix domain socket by navigating to your Jenkins URL (e.g., `https://jenkins.example.com`).
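Review bot: the Jenkins route in the Pomerium configuration still proxies `to: http://jenkins:8080`, so as written Pomerium reaches Jenkins over TCP and the Unix domain socket is never used; for the section to deliver what its title promises, the route's `to` has to reference the socket (in whatever form Pomerium accepts), and the text should say so. The socket paths also disagree between the two compose services: `pomerium` mounts `/var/run/jenkins.sock`, while `jenkins` is told to listen on `/var/run/jenkins/jenkins.socket` and mounts the `/var/run/jenkins` directory, so even a socket-based route would not find the file. The `jenkins` service is further given `privileged: true`, `user: root` and a bind mount of `/var/run/docker.sock`, none of which the text explains or the socket listener requires; a shared socket directory with a non-root user is all a reverse-proxy example needs, and leaving those three lines in hands host-level control to anyone who compromises the Jenkins container, which is the opposite of the "improving security" motivation the section opens with. Finally, the step says "Update your Jenkins configuration as follows" but shows a docker-compose file, and neither `-Djenkins.httpListenAddress=unix:...` nor `JENKINS_UNIX_DOMAIN_PATH` is linked to Jenkins documentation anywhere on the page; please cite the Jenkins option that actually enables the socket listener so readers can verify it against their version.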
Comment on lines +394 to +396
Contributor:


Suggested change
### Verification
After restarting the services, verify that Jenkins is accessible through the Unix domain socket by navigating to your Jenkins URL (e.g., `https://jenkins.example.com`).
==== Verification
After restarting the services, verify that Jenkins is accessible through the Unix domain socket by navigating to your Jenkins URL.

Same suggestion for the header as above; I would format these into a list of steps instead of multiple headers, especially with the last two not having enough content to justify such formatting.

In terms of the last part, avoid using e.g. when possible and if possible, the URL should be something used within the examples like https://jenkins.localhost.pomerium.io or http://jenkins:8080 based on the context.

Contributor Author:


Sure Sir!