Added support for Unix Domain Sockets in Pomerium Reverse Proxy

[biru-codeastromer]

Fixes #6893

Changes Made:

• Updated documentation to include instructions for configuring Pomerium with Unix domain sockets.
• Modified config.yaml and docker-compose.yaml in the documentation of unix domain sockets part to demonstrate the new configuration.

Testing Done:

1. Initial Setup:

• Created and set up docker-compose.yaml with Jenkins and Pomerium configurations.
• Completed the Jenkins Setup Wizard by accessing http://localhost:8080.

2. Pomerium Configuration:

• Created config.yaml with placeholders for sensitive information.
• Generated a signing key using OpenSSL and added it to the config.yaml.

3. Integration and Running Services:

• Updated docker-compose.yaml to include Pomerium, linked with Jenkins using Unix domain sockets.
• Restarted services and verified access to Jenkins at https://jenkins.localhost.pomerium.io.

4. JWT Authentication:

• Installed JWT Auth and skip-certificate-check plugins in Jenkins.
• Configured JWT authentication in Manage Jenkins > Configure Global Security.

5. Verification:

• Verified JWT authentication by checking the user identity in the Jenkins dashboard.
• Inspected JWT claims at https://verify.localhost.pomerium.io.

6. Authorization Testing:

• Configured Jenkins authorization settings and verified permissions for different users.

7. Functionality Testing:

• Triggered builds in Jenkins to ensure proper communication via Unix domain sockets.

Please review and provide feedback.

Additional note -

Removed the version field from docker-compose.yaml as it is no longer required with newer versions of Docker Compose and caused errors during local testing.

[zbynek]

@biru-codeastromer Are you sure the communication goes through unix sockets and not the 8080 TCP port? I'd expect unix:///run/jenkins/jenkins.socket to come up in the config instead of http://jenkins:8080, but I have no experience with Pomerium.

@cmo-pomerium could you please review this?

[biru-codeastromer]

Thank you for your observation, @zbynek Sir!

I initially configured the route to use unix:///run/jenkins/jenkins.socket, as expected for Unix domain sockets. However, Pomerium returned the following error:

pomerium-1 -* error decoding 'routes[1]': unix:///run/jenkins/jenkins.socket: unix:///run/jenkins/jenkins.socket url does not contain a valid hostname

Due to this, I reverted to using http://jenkins:8080 as a fallback, which worked successfully for the integration. I suspect this might be a limitation or unsupported behavior in Pomerium when using Unix sockets.

If this fallback behavior is acceptable, I will document it explicitly in the PR. However, I would appreciate further input, especially from @cmo-pomerium, to confirm whether this is an expected limitation or if there's a recommended workaround to enable Unix domain socket communication.

Also Sir @kmartens27 may you please review and guide how to improve this .Thanks!
Looking forward to your feedback!

[biru-codeastromer]

We would need 100% certainty that the process is correct before adding it to the documentation. Until we get that confirmation then the PR will not be merged. In that spirit @biru-codeastromer I would hold off from proceeding further.

Hi Sir, any updates on the validation of the PR from your side , or anything I can help more here in this PR to conclude more validation . Thanks !

[kmartens27]

Hi @biru-codeastromer, as there has been no further validation in the steps/process, we are at the same place as before. We can give some more time to see if @cmo-pomerium (or anyone with more knowledge of Pomerium reverse proxy configuration) may be able to lend their expertise, but without confirmation that what you've suggested is 100% accurate, the pull request will not be merged.

[biru-codeastromer]

Hi @biru-codeastromer, as there has been no further validation in the steps/process, we are at the same place as before. We can give some more time to see if @cmo-pomerium (or anyone with more knowledge of Pomerium reverse proxy configuration) may be able to lend their expertise, but without confirmation that what you've suggested is 100% accurate, the pull request will not be merged.

Sure Sir, waiting for the feedback. Thanks for your reply !