Complete the Kubernetes Puzzle for IBM Cloud Private

Sometimes two things fit together so naturally, you sense they were built for each other. You might come to feel that way about IBM Cloud Private and JFrog Artifactory because, in important ways, it’s true.

IBM Cloud Private (ICP) and Artifactory are both built to facilitate containerization, the growing technology that makes it easy to develop and deploy cloud-native, scalable microservices. Artifactory empowers your cloud DevOps pipeline for automation and ties it directly to Kubernetes, the container orchestrator at the heart of ICP’s architecture.

Snapping these pieces together is pretty easy. We’ll explain why you should, and provide some help to get you going.

Contain Yourself

ICP is built on K8s, but is a private cloud that runs on your own on-premises infrastructure with permissioned access, shielded behind your firewall. This provides a protected environment appropriate for sensitive data or compliance with a regulatory framework.

And when paired with the public IBM Cloud, IBM Cloud Private can be part of a powerful hybrid cloud system.

As a binary repository manager, Artifactory stores your container images for deployment to ICP K8s pods, serving as your Kubernetes Docker registry.

Artifactory can also add protection: it secures your binaries by limiting access to credentialed users and, with Xray vulnerability scanning, helps prevent code that’s vulnerable to attacks from being deployed.

Kubernetes Registry

In Artifactory, you can designate a repository to serve as a Docker registry for containers to be delivered to Kubernetes. But Artifactory does much more to robustly link K8s to your full DevOps pipeline.

As modern software development brings together building blocks of code sourced from many places, it’s vital to be able to trust in each. But components from package repositories like npm and Maven, other collaborators, or your own team can change often and unpredictably.

Artifactory provides a central home for all the binaries in your software supply chain, and stores metadata about each as they are built through your continuous integration and delivery (CI/CD) system. This helps ensure the artifacts moving through the many stages of your development pipeline are expected, compliant, and secure.

More than a conventional Docker registry, Artifactory is your comprehensive Kubernetes registry where you can fully trace content, dependencies, and relationships with other container images, along with the Helm charts that specify their K8s deployment. This empowers you with insight into and control of your entire container chain.

As your trusted source of binaries, Artifactory enables the frictionless DevOps that frees your organization to release new software fast, frequently, and safely.

Zero Downtime

With Artifactory Enterprise, you can configure your binary repositories for High Availability to provide five nines reliability and the assurance that your builds will always complete. This how-to demonstrates installing Artifactory HA, the version appropriate for enterprise-level work.

In the HA configuration, a redundant set of Artifactory servers runs in multiple pods within the ICP cluster. In this way, at least one instance of Artifactory will be available to serve requests even if one or more pods are blocked, crashed, or taken offline for service. This high reliability helps ensure zero downtime in even the most demanding of workloads.

Your installation will assign NGINX as its ingress controller, to optimally distribute requests to the Artifactory server nodes.

Installing Artifactory in IBM Cloud Private

Getting Artifactory set up and running on IBM Cloud Private is easily done through JFrog’s Helm chart. But there are some important things you need to do first.

Before You Start

Prepare for this installation of Artifactory to IBM Cloud Private by making sure you have these things ready:

Steps to Follow

Once you have an IBM Cloud Private installation and the appropriate cluster environment configured, you can install Artifactory.

Step 1: Create an Image Policy

IBM Cloud Private includes a Container Image Security Enforcement feature that helps assure that container images deployed to an ICP cluster are permitted.

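To successfully install Artifactory, you must create an image policy resource that identifies Artifactory as a permitted image. The policy below permits any image under docker.bintray.io/jfrog/ and leaves Vulnerability Advisor (va) enforcement off for that path.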

  1. Create the file image_policy.yaml with the following content:
    # image_policy.yaml
    apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
    kind: ClusterImagePolicy
    metadata:
      name: artifactory
    spec:
      repositories:
      - name: docker.bintray.io/jfrog/*
        policy:
          va:
            enabled: false

  2. Run kubectl to create the image policy resource.
    $ kubectl create -f image_policy.yaml

Step 2: Install Artifactory HA

A High Availability configuration of Artifactory can be installed into the ICP cluster from the JFrog Helm chart repository.

Because ICP is self-hosted, the ingress controller must be configured to expose the Artifactory service for external reference.

    1. Install and initialize the Helm client:
      # Initialize Helm client
      helm init --client-only
    2. Add the JFrog Helm chart repository:
      # Add JFrog Helm chart repository
      helm repo add jfrog https://charts.jfrog.io
    3. Create a TLS secret holding the certificate and key for the Artifactory ingress host:
      # Create Secret with SSL Certificate
      kubectl create secret tls artifactory-ha-tls --cert=path/to/tls.cert --key=path/to/tls.key
    4. Create an ingress-values.yaml file to use ingress to expose the Artifactory-ha service. The file should have the following content:
      # ingress-values.yaml
      ingress:
        enabled: true
        defaultBackend:
          enabled: true
        hosts:
          - artifactory.jfrog.team
        annotations:
          ingress.kubernetes.io/proxy-body-size: "0"
          ingress.kubernetes.io/proxy-read-timeout: "600"
          ingress.kubernetes.io/proxy-send-timeout: "600"
          kubernetes.io/ingress.class: nginx
          nginx.ingress.kubernetes.io/configuration-snippet: |
            rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token;
            rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3;
          nginx.ingress.kubernetes.io/proxy-body-size: "0"
        tls:
          - secretName: artifactory-ha-tls
            hosts:
              - artifactory.jfrog.team

      # Nginx
      nginx:
        enabled: false

    5. Install Artifactory Enterprise using the Helm chart:
      # Install artifactory using helm chart
      helm install --name artifactory-ha -f ingress-values.yaml jfrog/artifactory-ha --tls
    6. When installation is complete, you can confirm it and get further setup instructions by issuing the following command:
      # Command to check status of helm artifactory-ha deployment
      helm status artifactory-ha

      The status command will respond with instructions telling you how to:
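
Separately from the Helm status output, and returning to the configuration-snippet annotation in step 4: the Python sketch below is an added example, not code from the article or from JFrog's chart, that emulates the two nginx rewrite rules so you can check where a Docker client request ends up before relying on the ingress. The repository keys and sample requests are constructed for illustration.

```python
import re

# The two rewrite directives from the configuration-snippet annotation in
# ingress-values.yaml, in order. nginx writes capture groups as $1; Python uses \1.
REWRITES = [
    (r"^/(v2)/token", r"/artifactory/api/docker/null/v2/token"),
    (r"^/(v2)/([^\/]*)/(.*)", r"/artifactory/api/docker/\2/\1/\3"),
]

# Matches a path under Artifactory's Docker API and captures the repository key.
DOCKER_API = re.compile(r"/artifactory/api/docker/([^/]+)/v2/")


def rewrite(request_uri):
    """Emulate nginx: rules match the path only, a match replaces the whole
    path, the next rule then sees the rewritten path, and the original query
    string is appended at the end."""
    path, sep, query = request_uri.partition("?")
    for pattern, replacement in REWRITES:
        m = re.search(pattern, path)
        if m:
            path = m.expand(replacement)
    return path + sep + query


def docker_repo(request_uri):
    """Repository key the request reaches, or None if it is not rewritten
    into the Docker API path."""
    m = DOCKER_API.match(rewrite(request_uri))
    return m.group(1) if m else None


# Constructed sample requests; "docker-local" and "token-cache" are
# hypothetical repository keys, not names from the article.
SAMPLES = [
    "/v2/token?service=artifactory.jfrog.team",
    "/v2/docker-local/busybox/manifests/latest",
    "/v2/",                                   # version check: no second segment
    "/v2/token-cache/busybox/manifests/1.0",  # key starts with "token"
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:45} -> {rewrite(uri)}")
```

The last sample shows that the first rule is not anchored at the end, so a repository key beginning with "token" is sent to the token endpoint instead of its repository. The bare /v2/ request matches neither rule and is passed through unchanged.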

Give it a Try

With Artifactory successfully installed and activated in your IBM Cloud Private cluster, you can get started setting up your repositories and build integration with your chosen CI server. You’ll gain the assurance of delivering reliable, deterministic builds.

We’ve explored a few of the important ways Artifactory works naturally with IBM Cloud Private to fulfill the demands of enterprise-level Kubernetes. But there are many reasons for cloud DevOps to use Artifactory.

Give the installation procedures for ICP a try using a set of Artifactory trial licenses, and discover the many ways Artifactory can help you forge a trusted continuous delivery pipeline from code to cluster.