ARTIFACTORY: Expose Artifactory in OpenShift using Routes

Products: Frog_Artifactory
Content Type: Installation_Setup
Author: Vasily Shkavera
Article Number: 000006528
First Published: 2025-07-17T09:41:42Z
Last Modified: 2025-07-17

Introduction 

This guide details how to expose a JFrog Artifactory instance, installed via the official Helm chart, using OpenShift Routes. The methods described preserve the default Artifactory Nginx service, which is a recommended practice and required for features like the Docker subdomain access method.

The traffic flow for these configurations is: 
Client → OpenShift Route → Artifactory Nginx Service → Artifactory Service

Prerequisites
  • An active OpenShift cluster with the built-in HAProxy router.
  • Artifactory or JFrog Platform deployed in your cluster using the official JFrog Helm chart.
  • The Artifactory Nginx service is enabled (this is the default Helm chart setting).

Option 1: Edge TLS Termination

In this configuration, the OpenShift Route terminates the TLS (HTTPS) connection. It decrypts the incoming traffic and forwards it as unencrypted HTTP traffic to the Artifactory Nginx service. This is a common and straightforward method for managing TLS certificates at the router level.

Configuration

Create a YAML file (e.g., artifactory-edge-route.yaml). For this to work, the Route must target the HTTP port of the Nginx service, which is 8080 by default.
  • spec.tls.termination: Set to edge.
  • spec.port.targetPort: Set to 8080 (Nginx HTTP port).
  • spec.tls.insecureEdgeTerminationPolicy: Set to Redirect to automatically redirect HTTP requests to HTTPS.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: artifactory-edge-route
  namespace: artifactory # <--- Ensure this is your Artifactory namespace
spec:
  host: artifactory-secure.apps-crc.testing # <--- Your desired public hostname
  to:
    kind: Service
    name: artifactory-artifactory-nginx # <--- The Nginx service from the Helm chart
    weight: 100
  port:
    # For Edge termination, the route sends plain HTTP to the Nginx service.
    # The targetPort must be the Nginx HTTP port.
    targetPort: 8080
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
    # You must provide your own valid certificate and key.
    certificate: |
      -----BEGIN CERTIFICATE-----
      PASTE_YOUR_PUBLIC_CERTIFICATE_HERE
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      PASTE_YOUR_PRIVATE_KEY_HERE
      -----END PRIVATE KEY-----
 

Option 2: Passthrough TLS Termination


With passthrough termination, the OpenShift Route does not handle TLS. It passes the encrypted traffic directly to the Artifactory Nginx service, which is responsible for TLS termination. This provides end-to-end encryption within the cluster.


Configuration

Create a YAML file (e.g., artifactory-passthrough-route.yaml). The Route must target the HTTPS port of the Nginx service, which is 8443 by default.
  • spec.tls.termination: Set to passthrough.
  • spec.port.targetPort: Set to 8443 (Nginx HTTPS port).
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: artifactory-passthrough-route
  namespace: artifactory # <--- Ensure this is your Artifactory namespace
spec:
  host: artifactory-secure.apps-crc.testing # <--- Your desired public hostname
  to:
    kind: Service
    name: artifactory-artifactory-nginx # <--- The Nginx service from the Helm chart
    weight: 100
  port:
    # For Passthrough, the route sends encrypted traffic directly to Nginx's HTTPS port.
    targetPort: 8443
  tls:
    termination: passthrough

Hardening the Nginx Service for Passthrough (Recommended)
For a secure passthrough setup, you should configure the Nginx service to use your own TLS certificates and disable the plain HTTP endpoint. Otherwise, Nginx will generate self-signed certificates and the HTTP listener will remain open.
1. Provide Your Own TLS Certificate:
First, create a Kubernetes TLS secret containing your certificate and private key.
oc create secret tls my-artifactory-tls --cert=/path/to/your/tls.crt --key=/path/to/your/tls.key -n artifactory

Then, update your values.yaml to tell the Nginx service to use this secret.
# values.yaml
nginx:
  tlsSecretName: my-artifactory-tls # Use the secret created above

2. Disable the Nginx HTTP Port:
To ensure all traffic is encrypted end-to-end, disable the HTTP listener in the Nginx container by setting the following in your values.yaml:
# values.yaml
nginx:
  http:
    enabled: false

Important Note for Docker Clients:
When using a passthrough route, the route behaves much like a network load balancer (NLB): it forwards the TLS stream without inspecting it. Because of this, you need to make sure Nginx returns the HTTPS scheme in its headers by setting the following in your values.yaml:
# values.yaml
nginx:
  service:
    ssloffload: true
    ## @param service.ssloffloadForceHttps Only enabled when service.ssloffload is set to True.
    ## Force all requests from NGINX to the upstream server are over HTTPS, even when SSL offloading is enabled.
    ## This is useful in environments where internal traffic must remain secure with https only.
    ssloffloadForceHttps: true
 
 
Option 3: Non-TLS Route (HTTP)

This configuration exposes Artifactory over standard HTTP without any encryption. It is suitable for development environments, testing, or fully-secured internal networks where TLS is handled by other network layers or is not required.


Configuration

Create a YAML file (e.g., artifactory-http-route.yaml). This Route listens for HTTP traffic and forwards it to the Nginx service's HTTP port (8080).
  • spec.port.targetPort: Set to 8080 (Nginx HTTP port).
  • No tls: block is defined.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: artifactory-http-route
  namespace: artifactory # <--- Ensure this is your Artifactory namespace
spec:
  host: artifactory-http.apps-crc.testing # <--- Your desired public hostname for HTTP
  to:
    kind: Service
    name: artifactory-artifactory-nginx # <--- The Nginx service from the Helm chart
    weight: 100
  port:
    targetPort: 8080

Applying the Route

To create the route in your OpenShift cluster, apply the corresponding YAML file using the oc CLI as shown below. Choose the option that fits your needs.

oc apply -f artifactory-edge-route.yaml

Check if your Route was created successfully and is pointing to the correct service:
oc get route artifactory-edge-route -n artifactory

Example Expected Output:
NAME                     HOST/PORT                             PATH   SERVICES      PORT   TERMINATION   WILDCARD
artifactory-edge-route   artifactory-secure.apps-crc.testing          artifactory   8082   Edge          None

After applying the manifest, Artifactory will be accessible at the hostname you defined in the respective route.
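
The termination and port pairings of Options 1 to 3 and the passthrough hardening settings can be checked mechanically. The following is an added example, not part of the original article or of JFrog's tooling: a small linter over a Route as returned by `oc get route <name> -n artifactory -o json`, optionally combined with the release's user-supplied values from `helm get values <release> -n artifactory -o json`. The function name `lint_route` and the sample objects are constructed for illustration.

```python
import json

# Nginx listener ports named in this guide (Helm chart defaults).
HTTP_PORT, HTTPS_PORT = "8080", "8443"

def lint_route(route, values=None):
    """Lint one Route (dict from `oc get route -o json`); return a list of findings.
    `values`: user-supplied Helm values (`helm get values -o json`); None skips Nginx checks.
    """
    spec = route.get("spec", {})
    tls = spec.get("tls") or {}
    term = tls.get("termination")  # None for a non-TLS route
    port = str(spec.get("port", {}).get("targetPort"))
    nginx = None if values is None else values.get("nginx", {})
    findings = []

    if term is None:
        want = HTTP_PORT
        findings.append("no tls block: traffic is plaintext HTTP end to end")
    elif term == "edge":
        want = HTTP_PORT
        if tls.get("insecureEdgeTerminationPolicy") == "Allow":
            findings.append("edge route also serves plaintext HTTP (policy Allow)")
    elif term == "passthrough":
        want = HTTPS_PORT
        if nginx is not None and not nginx.get("tlsSecretName"):
            findings.append("nginx.tlsSecretName unset: Nginx uses a self-signed certificate")
        if nginx is not None and nginx.get("http", {}).get("enabled", True):
            findings.append("nginx.http.enabled is not false: HTTP listener stays open")
    else:
        return [f"termination '{term}' is not covered by this guide"]

    if port != want:
        findings.append(f"{term or 'http'} route targets port {port}, expected {want}")
    return findings

# Constructed sample: a passthrough route mistakenly pointed at the HTTP port,
# on a release whose values disable the HTTP listener but set no TLS secret.
SAMPLE_ROUTE = json.loads("""{
  "metadata": {"name": "artifactory-passthrough-route", "namespace": "artifactory"},
  "spec": {"to": {"kind": "Service", "name": "artifactory-artifactory-nginx"},
           "port": {"targetPort": 8080},
           "tls": {"termination": "passthrough"}}
}""")
SAMPLE_VALUES = {"nginx": {"http": {"enabled": False}}}

if __name__ == "__main__":
    for finding in lint_route(SAMPLE_ROUTE, SAMPLE_VALUES):
        print("FINDING:", finding)
```

A targetPort given as a Service port name rather than a number is reported as a mismatch and has to be resolved against the Service by hand.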