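Well, for me, I followed the official documentation on setting up Jenkins in a Docker container: https://www.jenkins.io/doc/book/installing/docker/#setup-wizard, and when I wanted to push the images built with Jenkins to my private registry (a Harbor registry), I ran into this self-signed certificate problem.
My environment is as follows:
Docker Engine is installed on my VM (RHEL 8)
I have defined a docker-compose file with 2 services:
- docker-dind: used to execute Docker commands inside Jenkins nodes; it is built from the Dockerfile shown below:
docker-dind Dockerfile example: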
FROM docker:dind
# Providing Harbor's and our CA's (our private registry) certs to Docker that is linked to Jenkins (docker:dind)
RUN mkdir -p /etc/docker/certs.d/my.private.registry
COPY certs/ /etc/docker/certs.d/my.private.registry
PS: your certs/ folder should contain:
├── my.private.registry.cert <-- your Registry cert signed by your CA
├── my.private.registry.key <-- your Registry key signed by your CA
└── myRootCA.crt <-- Certificate authority that signed the registry certificate
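- jenkins-blueocean: the Jenkins Docker container. It is also based on the Dockerfile mentioned in the documentation; I made some changes so that the Jenkins instance trusts all certificates issued by my self-signed CA (in your Dockerfile, add the following lines):
jenkins-blueocean Dockerfile example: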
# Copying our self-signed CA's certs so Jenkins-OS, Jenkins-JVM, and Jenkins-git will use it in the chain of trust
COPY certs/myRootCA.crt /usr/local/share/ca-certificates
# importing your CA-cert to Java keystore
RUN keytool -import -noprompt -trustcacerts -alias myRootCA -file /usr/local/share/ca-certificates/myRootCA.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
# update your system cert-store
RUN update-ca-certificates
# config jenkins git to use your system store as a trusted one
RUN git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
Now, run:
docker-compose up -d --build
That should solve the problem.
For more details on running Jenkins in a Docker container, see:
https://www.jenkins.io/doc/book/installing/docker/#setup-wizard
For more details on integrating your private registry so that Docker can use it, see (Harbor Registry):
https://goharbor.io/docs/2.1.0/install-config/configure-https/
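
A pre-build check for the certs/ folder described above, added here as an example and not part of the original answer: it applies Docker's certs.d naming rules (*.crt is a CA root, *.cert and *.key form a client pair). The function name check_certs_dir and the rule that keys must not be accessible to group or others are assumptions of this example.

```shell
#!/bin/sh
# check_certs_dir DIR  (hypothetical helper, not from the original answer)
# Checks a folder destined for /etc/docker/certs.d/<registry>/ against
# Docker's naming rules: *.crt = CA root, *.cert + *.key = client pair.
# Returns 0 if the layout is usable, 1 otherwise; findings go to stderr.
check_certs_dir() {
    dir=$1
    status=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi
    # A privately signed registry is only trusted if a CA root is present.
    ca_count=0
    for f in "$dir"/*.crt; do
        if [ -e "$f" ]; then ca_count=$((ca_count + 1)); fi
    done
    if [ "$ca_count" -eq 0 ]; then
        echo "no *.crt CA certificate in $dir" >&2
        status=1
    fi
    # Docker rejects a client cert without its key, and a key without its cert.
    for f in "$dir"/*.cert; do
        if [ -e "$f" ] && [ ! -e "${f%.cert}.key" ]; then
            echo "client cert without matching key: $f" >&2
            status=1
        fi
    done
    for f in "$dir"/*.key; do
        if [ ! -e "$f" ]; then continue; fi
        if [ ! -e "${f%.key}.cert" ]; then
            echo "key without matching client cert: $f" >&2
            status=1
        fi
        # Assumed policy: COPY keeps file modes, so a key readable by group
        # or others stays readable inside the image.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "key is accessible to group/others: $f" >&2
            status=1
        fi
    done
    return "$status"
}

# Run against a folder when one is given, e.g.: sh check_certs.sh certs
if [ "$#" -gt 0 ]; then check_certs_dir "$1"; fi
```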