@programmerq
Last active March 1, 2016 20:38
tl;dr: let docker-machine set up TLS for you, copy the client certs (ca.pem, cert.pem, key.pem) into your jenkins container, and point the docker CLI at them from there.
First, provision a machine using docker-machine. Which driver you use doesn't matter; the end result is the same: a daemon listening on tcp/2376 with TLS, and the client certs written to the machine directory on your workstation.
For a digitalocean box:
$ docker-machine create -d digitalocean \
    --digitalocean-region sfo1 \
    --digitalocean-size 2gb \
    --digitalocean-access-token=abcdefgh1234567890345678 \
    tls
Or if you have a manually provisioned metal box or VM that you have ssh access to, you can do the following. Make sure the ssh user has passwordless sudo for this step to complete successfully.
$ docker-machine create -d generic \
    --generic-ssh-user ubuntu \
    --generic-ssh-port 22 \
    --generic-ssh-key ~/.ssh/id_rsa \
    --generic-ip-address 1.2.3.4 \
    tls
So now, I can see what environment variables need to be set to talk to the docker daemon if I do this:
$ docker-machine env tls
I can actually set them by doing this:
$ eval $(docker-machine env tls)
and test it out:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Great, I now am talking to a remote docker daemon from my workstation. How do I add this to jenkins? The lazy way of course:
First, copy the client certificates from my DOCKER_CERT_PATH to a volume on the host. You could just scp them to the remote host and use a host volume too. Two things to watch: the machine directory that DOCKER_CERT_PATH points at also holds the server key, SSH key material and the driver config, none of which the client needs, so only ca.pem, cert.pem and key.pem should end up in the volume; and make sure the files end up owned by `1000:1000`, since that's the uid/gid of the jenkins user and group in the jenkins image.
$ docker pull alpine
$ docker volume create --name 'jenkins_cert_path'
$ tar -C "$DOCKER_CERT_PATH" -c . | docker run --rm -i -v jenkins_cert_path:/jcp alpine tar -C /jcp -xv
$ docker run --rm -u root -v jenkins_cert_path:/jcp alpine chown -R 1000:1000 /jcp/
$ docker run --rm -u root -v jenkins_cert_path:/jcp alpine chmod 600 /jcp/key.pem
$ docker run --rm -v jenkins_cert_path:/jcp alpine ls -lah /jcp
Now, when I fire up my jenkins image, I can specify my 'jenkins_cert_path' volume and set my environment variables appropriately:
$ docker run --name jenkins -v jenkins_cert_path:/jcp -d -p ... my_jenkins_image
So now, in a job, I can do the following (1.2.3.4 is the machine's address, the same one `docker-machine env tls` printed in DOCKER_HOST):
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST="tcp://1.2.3.4:2376"
export DOCKER_CERT_PATH="/jcp"
docker ps # should work, assuming you installed the docker CLI into the jenkins container/image.
You can test this with `docker exec -it jenkins bash`, exporting those variables there and trying the docker CLI by hand.
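The copy step above, as an added shell example that is not part of the gist: instead of streaming the whole machine directory into the volume, it stages only the three files the docker CLI reads, fails if one is missing, tightens key.pem to 0600, and only then loads the staged directory into the named volume and chowns it to the jenkins uid/gid. The function names, the `/tmp/jenkins-docker-certs` path and the placeholder files built by `demo` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the gist: stage only the client TLS files out
# of a docker-machine machine directory, then load them into a named volume
# owned by the jenkins user. Function and path names are illustrative.
set -eu

# The files the docker CLI looks for under DOCKER_CERT_PATH when
# DOCKER_TLS_VERIFY=1. docker-machine keeps more than this in the machine
# directory (server key, ssh key, driver config), none of which Jenkins needs.
CLIENT_FILES="ca.pem cert.pem key.pem"

# stage_client_certs SRC DST
# Copy ca.pem, cert.pem and key.pem from SRC (e.g. "$DOCKER_CERT_PATH") into
# DST. Returns 1 before copying anything if one of them is missing, and sets
# key.pem to 0600 so only the owner can read the client private key.
stage_client_certs() {
    src=$1
    dst=$2
    for f in $CLIENT_FILES; do
        [ -f "$src/$f" ] || { echo "stage_client_certs: $src/$f not found" >&2; return 1; }
    done
    mkdir -p "$dst"
    for f in $CLIENT_FILES; do
        cp "$src/$f" "$dst/$f"
    done
    chmod 644 "$dst/ca.pem" "$dst/cert.pem"
    chmod 600 "$dst/key.pem"
}

# staged_files DST: names of the files in DST, sorted, space separated.
staged_files() {
    ls "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# load_into_volume DST VOLUME OWNER
# Needs a working docker CLI. Streams DST into the named volume VOLUME and
# chowns it to OWNER (1000:1000 for the official jenkins image). The helper
# container is removed with --rm instead of being left behind.
load_into_volume() {
    dst=$1
    vol=$2
    owner=$3
    docker volume create "$vol" >/dev/null   # `--name "$vol"` on docker < 1.13
    tar -C "$dst" -c . | docker run --rm -i -v "$vol:/jcp" alpine tar -C /jcp -x
    docker run --rm -u root -v "$vol:/jcp" alpine chown -R "$owner" /jcp
    docker run --rm -u root -v "$vol:/jcp" alpine ls -la /jcp
}

# demo: run the staging step against a constructed machine directory made of
# placeholder files (no docker required) and print what was staged.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/machine"
    for f in ca.pem cert.pem key.pem server.pem server-key.pem config.json id_rsa id_rsa.pub; do
        printf 'placeholder for %s\n' "$f" > "$tmp/machine/$f"
    done
    stage_client_certs "$tmp/machine" "$tmp/staged"
    staged_files "$tmp/staged"
    rm -rf "$tmp"
}

# Real use, after `eval "$(docker-machine env tls)"`:
#   stage_client_certs "$DOCKER_CERT_PATH" /tmp/jenkins-docker-certs
#   load_into_volume /tmp/jenkins-docker-certs jenkins_cert_path 1000:1000

demo   # prints: ca.pem cert.pem key.pem
```

Only `stage_client_certs` and `demo` run offline; `load_into_volume` is the volume step from above with the helper container cleaned up, and it needs the docker CLI on the workstation. For option 2 below, the same `stage_client_certs` call with `/var/jenkins_home/docker-creds` as the destination does the job without a named volume.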
-------
Option 2!
Here's my docker-compose.yml for my jenkins service. I simply have the contents of my `$DOCKER_CERT_PATH` written out to something like `/var/jenkins_home/docker-creds`, and then set the path accordingly in my jobs.
jenkins:
  image: jenkins:latest
  ports:
    - "8083"
    - "50000:50000"
  volumes:
    - /var/jenkins_home:/var/jenkins_home
    - /etc/ssl/private/jenkins.example.com.key:/var/lib/jenkins/pk
    - /etc/ssl/private/jenkins.example.com.crt:/var/lib/jenkins/cert
  environment:
    JENKINS_OPTS: '--httpPort=-1 --httpsPort=8083 --httpsCertificate=/var/lib/jenkins/cert --httpsPrivateKey=/var/lib/jenkins/pk --debug=9'
    JAVA_OPTS: '-Dorg.apache.commons.jelly.tags.fmt.timeZone=America/Denver'
    VIRTUAL_HOST: 'jenkins.example.com'
    VIRTUAL_PORT: 8083
    VIRTUAL_PROTO: https
  restart: unless-stopped