Run Jenkins with Docker
In this guide, you'll secure an instance of Jenkins behind Pomerium Zero using single sign-on (SSO).
What is Jenkins?
Jenkins is an automation server you can use to build, test, and deploy applications.
Why use Pomerium with Jenkins?
You can set up role-based permissions in Jenkins to control a user’s privileges with Jenkins’ built-in authorization matrix. However, this method requires username/password authentication, which relies on Jenkins’ user database to store credentials.
JWT authentication is a more secure method of identity verification that authenticates and authorizes users against an identity provider, eliminating the need to store or share credentials to access your Jenkins application.
Jenkins doesn’t support JWT authentication out of the box. It requires a JWT authentication plugin to communicate with Pomerium. With the plugin installed, you can configure Pomerium to forward a user's JWT to Jenkins to achieve SSO.
Once you’ve configured JWT authentication, you can assign permissions within Jenkins for a specific user, any authenticated user, anonymous users, or a user group.
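What checking the forwarded JWT involves on the receiving side, as an added Go example (not code from Pomerium or the Jenkins plugin). It assumes an ES256-signed token whose aud claim is the route hostname; the key pair, the hostname jenkins.example.test and the claim values are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed key; stands in for the proxy's signing key
// Sign builds a constructed ES256 token for this demo; in a deployment only the proxy can do this.
func Sign(key *ecdsa.PrivateKey, header, claims string) string {
	in := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(claims))
	sum := sha256.Sum256([]byte(in))
	r, s, _ := ecdsa.Sign(rand.Reader, key, sum[:])
	return in + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}
// Verify returns the email claim only if alg, signature, exp and aud (assumed claim names) all check out.
func Verify(tok string, pub *ecdsa.PublicKey, aud string, now int64) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	hdr, e1 := b64.DecodeString(p[0])
	body, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	var h struct{ Alg string }
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hdr, &h) != nil || h.Alg != "ES256" {
		return "", fmt.Errorf("bad encoding or unexpected alg") // pins the algorithm, so alg "none" is refused
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if !ecdsa.Verify(pub, sum[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("bad signature")
	}
	var c struct{ Aud, Email string; Exp int64 }
	if json.Unmarshal(body, &c) != nil || now >= c.Exp || c.Aud != aud {
		return "", fmt.Errorf("expired or wrong audience") // a missing exp decodes as 0 and is refused
	}
	return c.Email, nil
}
func main() {
	tok := Sign(demoKey, `{"alg":"ES256"}`, `{"aud":"jenkins.example.test","email":"dev@mycorp.com","exp":2000000000}`)
	fmt.Println(Verify(tok, &demoKey.PublicKey, "jenkins.example.test", 1700000000))
}
```

The signature and audience checks are what let the upstream tell a token issued for this route from an identity header a client wrote itself.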
Before you start
To complete this guide, you need:
- A Pomerium Zero account
- Linux OS (this guide uses a Compute Engine VM running Debian 12)
- Jenkins (LTS release)
- Java (OpenJDK 17)
This guide runs Pomerium Zero and Jenkins in a Linux VM running Debian 12. If you're using Docker or Kubernetes, the steps will vary.
Set up Pomerium Zero
Build a policy for Jenkins
In the Zero Console, build a policy that grants access to a request only if the user's email address contains the specified domain:
- Select Policies, New Policy
- Name your policy (for example, "Allow matching email domain")
- Add an Allow block with an And operator
- Keep the Domain criterion and Is operator
- Enter the domain portion of the email address you'll use to access Jenkins (for example, mycorp.com)
- Save your policy
Build a route to Jenkins
In the Zero Console:
- Select Routes, + New Route
- Name your route (for example, Jenkins)
- In the From field, select https:// and enter jenkins.<CLUSTER_SUBDOMAIN>.pomerium.app as the URL
- In the To field, enter http://localhost:8080
- In the Policies field, select the policy you just saved
- Select the Headers tab and enable Pass Identity Headers
- Save your route
These steps assume you're using your cluster's Starter Domain to build a route to secure Jenkins. If you added a Custom Domain to your cluster, you can use that domain instead.
After you've saved your route and policy, apply your changes.