How to configure HTTPS on cluster-init operation

Issue

  • Would it be possible to set up HTTPS and install an SSL certificate upon cluster-init?
Environment
Resolution

Combining cluster-init with a domain-name-change operation is not the usual approach, but it is possible: add the SSL settings to the [tiger] section of the cluster-init.config file so that the SSL configuration is applied at cluster-init time.

Enabling HTTPS at cluster-init also requires setting use_public_route53_zone = yes and providing a zone name in route53_zone_name, so that Route53 is used to create the CJE DNS records (assuming delegation is already configured for the provided zone). Otherwise there is no way for the CJE DNS records to point at the ELB before it has been created.

Changing Domain Name and Enabling SSL

[tiger]

# Domain name options
#
# All the Jenkins master (and CJOC) servers are exposed under paths for the same domain
# `pse.example.com`, e.g. `pse.example.com/master-1/`
#
# The underlying infrastructure services (mesos, marathon) are
# exposed as subdomains (e.g. `mesos.pse.example.com`)
# and must be registered using specific CNAMEs.
#
### One level of subdomains
#
# If your organization (example.com) supports only one level of
# subdomain, e.g. you can create 'foo.acme.com' but not
# 'foo.bar.acme.com', then you can use the following configuration.
#
# The default behaviour is to create subdomains (`domain_separator = .`),
# but you can set it to another character if you want.
#
# Example:
#
#  domain_name = pse.example.com
#  domain_separator = -
#
# Elements of cluster will be named
# - mesos-pse.example.com
# - marathon-pse.example.com
# - pse.example.com/cjoc/
# - pse.example.com/mymaster/
#
## Domain name separator
# domain_separator = .
## Domain name
# domain_name = cje.example.com


## Protocol option
#
# protocol: http or https
#
# There are two options to enable https:
# 1) SSL termination at ELB: SSL certificates will need to be configured in EC2 and provided via ssl_certificate_id
# 2) SSL termination on the router: set router_ssl = yes and provide key and certificate files
#
# protocol = http


## Main ELB SSL certificate id
#
# One SSL certificate can be used, generated for the main domain name,
# plus 'mesos' and 'marathon', using the domain_separator defined above
#
# For example if domain_separator = . (default)
#   cje.example.com, mesos.cje.example.com and marathon.cje.example.com
#
# or if domain_separator = -
#   cje.example.com, mesos-cje.example.com and marathon-cje.example.com
#
# The certificate is defined using arn syntax
# AWS IAM: arn:aws:iam::123456789012:certificate/some-certificate-name
# AWS ACM: arn:aws:acm:us-east-1:123456789012:certificate/12345678-aaaa-bbbb-cccc-012345678901
#
# To configure the certificate set the following options:
#
# ssl_certificate_id =
#
# If creating one certificate with 3 names is not possible, individual certificates can be used,
# setting the following options.
# Please take into account that this configuration would create 4 additional ELBs
#
## Mesos ELB SSL certificate id. If unset, ssl_certificate_id will be used
# ssl_certificate_id_mesos =
#
## Marathon ELB SSL certificate id. If unset, ssl_certificate_id will be used
# ssl_certificate_id_marathon =

## Route53 Private Hosted Zone
#
# A private hosted zone is used to allow loopbacks through the cluster without going through public network interfaces.
# By default, the cluster will create a private hosted zone matching the given domain name, however if there is
# already a private hosted zone for the cluster vpc, its name should be provided below.
#
# Example with domain_name = cje.example.com
# By default private hosted zone created by CJE would be using the name 'cje.example.com'.
# If there is already a private hosted zone for 'example.com' in the cluster VPC
# then 'example.com' should be provided below.
#
# route53_private_zone_name =

## Route53 Public Hosted Zone
#
# If Route53 is used to manage the domain, CJE can create the records automatically.
# A public hosted zone for the domain provided must already exist and be properly configured
#
# use_public_route53_zone = no

## Route53 Public Hosted Zone name
#
# By default CJE will look up a hosted zone for the domain name provided for CJE.
# If a hosted zone already exists for a wider domain, it can be provided here.
#
# For example, if CJE uses the domain cje.example.com, and there is a public hosted zone
# for example.com, then use 'route53_zone_name = example.com'. Otherwise CJE will look up
# a hosted zone for cje.example.com and won't find it.
#
# route53_zone_name =


# Router SSL
#
## To enable SSL on the CJE router set router_ssl = yes
# If router SSL is enabled (router_ssl = yes), provide the NGINX key and certificate files
# as nginx.key and nginx.cert respectively in the project directory
#
# router_ssl = no

# Self-signed certificate
#
# If the SSL certificate is self-signed or uses a custom certificate authority, it needs to be trusted by the
# workstation running the installation as well as copied to the machines that are part of the cluster.
#
# Such certificate(s) can be dropped in certificates/ directory in the project directory.
# They will be picked up automatically and installed on all VMs/containers involved in the cluster.
#
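As an added example (not part of the original article and not a CJE tool), the following Python script embeds a constructed [tiger] section with the HTTPS-at-cluster-init settings described above and checks the prerequisites the Resolution states: protocol = https needs either ssl_certificate_id (SSL termination at the ELB) or router_ssl = yes (termination on the router), plus use_public_route53_zone = yes and a route53_zone_name that is the domain itself or a parent of it. The sample values (certificate ARN, domain names) are placeholders, and parse_tiger and check_https_prereqs are hypothetical helpers written for this illustration.

```python
import configparser
import re

# Constructed sample [tiger] sections (placeholder values, not real identifiers).
# GOOD: HTTPS terminated at the ELB, with Route53 managing the public zone.
SAMPLE_GOOD = """
[tiger]
domain_name = cje.example.com
domain_separator = .
protocol = https
ssl_certificate_id = arn:aws:acm:us-east-1:123456789012:certificate/12345678-aaaa-bbbb-cccc-012345678901
use_public_route53_zone = yes
route53_zone_name = example.com
router_ssl = no
"""

# BAD: protocol switched to https but none of the supporting options are set.
SAMPLE_BAD = """
[tiger]
domain_name = cje.example.com
protocol = https
use_public_route53_zone = no
"""

# The two ARN forms the config comments describe: IAM server certificate or ACM certificate.
CERT_ARN_RE = re.compile(
    r"^arn:aws:(iam::\d{12}:certificate/[\w./+=,@-]+"
    r"|acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]+)$"
)


def _yes(value):
    """Interpret the yes/no style values used in cluster-init.config."""
    return value.strip().lower() in ("yes", "true")


def parse_tiger(text):
    """Return the [tiger] section of a cluster-init.config as a dict of lowercase keys."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.read_string(text)
    return dict(cp["tiger"]) if cp.has_section("tiger") else {}


def check_https_prereqs(tiger):
    """Return a list of problems; an empty list means the HTTPS settings are consistent."""
    problems = []
    if tiger.get("protocol", "http").strip().lower() != "https":
        return problems  # plain http: nothing to check

    cert_id = tiger.get("ssl_certificate_id", "").strip()
    router_ssl = _yes(tiger.get("router_ssl", "no"))
    if not cert_id and not router_ssl:
        problems.append("protocol = https but neither ssl_certificate_id (ELB termination) "
                        "nor router_ssl = yes (router termination) is set")
    if cert_id and not CERT_ARN_RE.match(cert_id):
        problems.append("ssl_certificate_id is not an IAM or ACM certificate ARN: %r" % cert_id)

    # DNS records must be creatable before the ELB exists, hence the Route53 requirement.
    if not _yes(tiger.get("use_public_route53_zone", "no")):
        problems.append("HTTPS at cluster-init requires use_public_route53_zone = yes so the "
                        "DNS records can be created before the ELB exists")

    domain = tiger.get("domain_name", "").strip().lower().rstrip(".")
    zone = tiger.get("route53_zone_name", "").strip().lower().rstrip(".")
    if not zone:
        problems.append("route53_zone_name must name the existing public hosted zone")
    elif not (domain == zone or domain.endswith("." + zone)):
        problems.append("route53_zone_name %r is not the domain %r or a parent of it" % (zone, domain))
    return problems


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_https_prereqs(parse_tiger(text)) or "OK")
```

Run it against a real cluster-init.config by reading the file into parse_tiger; the checks stop at the first consistency level (a config with protocol = http is accepted unchanged), so it complements rather than replaces the validation cluster-init itself performs.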