Establish TLS and Add Certificates for Artifactory
HTTPS is HTTP carried over Transport Layer Security (TLS), which encrypts the connection. By default, TLS between JFrog Platform nodes is disabled. When TLS is enabled, JFrog Access acts as the Certificate Authority (CA) that signs the TLS certificates used by all the JFrog Platform nodes.
To establish TLS between JFrog Platform nodes, enable TLS by changing the tls entry (under the security section) in the access.config.yaml file. For additional information, see Managing TLS Certificates.
To enable TLS in the Helm charts, set tls to true under access in values.yaml. By default it is set to false.

access:
  accessConfig:
    security:
      tls: true
To add custom TLS certificates, create a TLS secret from the certificate files. The secret holds the CA certificate and its private key (ca.crt and ca.private.key below), which Access uses instead of the CA it generates itself; the two files must belong to the same key pair.

kubectl create secret tls <tls-secret-name> --cert=ca.crt --key=ca.private.key
To reset the access certificates, set resetAccessCAKeys to true under the access section in values.yaml and perform a Helm upgrade.
Note
Once the Helm upgrade is completed, set resetAccessCAKeys back to false for subsequent upgrades (to avoid resetting the access certificates on every Helm upgrade).

access:
  accessConfig:
    security:
      tls: true
  customCertificatesSecretName: <tls-secret-name>
  resetAccessCAKeys: true
Establish TLS and Add Certificates for Xray and Distribution Helm Installations
Create trust between the nodes by copying ca.crt from the Artifactory server, under $JFROG_HOME/artifactory/var/etc/access/keys, to each node that should trust it, under $JFROG_HOME/var/etc/security/keys/trusted. For more information, see Managing TLS Certificates.
To add this certificate to Xray, Mission Control, or Distribution, create a configmaps.yaml file with the following content.
Xray

common:
  configMaps: |
    ca.crt: |
      -----BEGIN CERTIFICATE-----
      <certificate content>
      -----END CERTIFICATE-----
  customVolumeMounts: |
    - name: xray-configmaps
      mountPath: /tmp/ca.crt
      subPath: ca.crt
server:
  preStartCommand: "mkdir -p {{ .Values.xray.persistence.mountPath }}/etc/security/keys/trusted && cp -fv /tmp/ca.crt {{ .Values.xray.persistence.mountPath }}/etc/security/keys/trusted/ca.crt"
router:
  tlsEnabled: true

Mission Control

common:
  configMaps: |
    ca.crt: |
      -----BEGIN CERTIFICATE-----
      <certificate content>
      -----END CERTIFICATE-----
  customVolumeMounts: |
    - name: mission-control-configmaps
      mountPath: /tmp/ca.crt
      subPath: ca.crt
missionControl:
  preStartCommand: "mkdir -p {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted && cp -fv /tmp/ca.crt {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted/ca.crt"
router:
  tlsEnabled: true

Distribution

common:
  configMaps: |
    ca.crt: |
      -----BEGIN CERTIFICATE-----
      <certificate content>
      -----END CERTIFICATE-----
  customVolumeMounts: |
    - name: distribution-configmaps
      mountPath: /tmp/ca.crt
      subPath: ca.crt
distribution:
  preStartCommand: "mkdir -p {{ .Values.distribution.persistence.mountPath }}/etc/security/keys/trusted && cp -fv /tmp/ca.crt {{ .Values.distribution.persistence.mountPath }}/etc/security/keys/trusted/ca.crt"
router:
  tlsEnabled: true
Run the Helm install/upgrade.
Xray
helm upgrade --install xray -f configmaps.yaml --namespace xray jfrog/xray
Mission Control
helm upgrade --install mission-control -f configmaps.yaml --namespace mission-control jfrog/mission-control
Distribution
helm upgrade --install distribution -f configmaps.yaml --namespace distribution jfrog/distribution
Create a configMap with the files you specified above. This will, in turn:
Create a volume pointing to the configMap with the name xray-configmaps (mission-control-configmaps or distribution-configmaps for the other charts).
Mount this configMap at /tmp/ca.crt using customVolumeMounts.
Using the preStartCommand, copy the ca.crt file to the trusted keys folder, etc/security/keys/trusted/ca.crt under the chart's persistence mount path.
Set router.tlsEnabled to true so that the liveness and readiness probes use the HTTPS scheme.
Establish TLS and Add Certificates for Pipelines Helm Installation
You can create trust between the nodes by copying the ca.crt file from the Artifactory server, under $JFROG_HOME/artifactory/var/etc/access/keys, to each node that should trust it, under $JFROG_HOME/pipelines/var/etc/security/keys/trusted. For more information, see Managing TLS Certificates.
More than one certificate can be present in the trusted directory. For example, if the Pipelines API URL is behind a load balancer that is set up with custom certificates, you need to add those certificates to the trusted folder as well, because build nodes talk to the Pipelines API through the load balancer endpoint.
Add the NODE_EXTRA_CA_CERTS environment variable when you use custom certificates. Pipelines looks through all the certificates available in the trusted folder and concatenates them into a single file called pipeline_custom_certs.crt, which is then passed as the NODE_EXTRA_CA_CERTS environment variable.
You can also add TLS certificates through a Kubernetes secret. Create the secret outside of this chart and reference it with the value pipelines.customCertificates.certificateSecretName.
The following example shows how to create the secret.

kubectl create secret generic ca-cert --from-file=ca.crt=ca.crt

Pass the secret to the Helm installation by updating the values.yaml file.

pipelines:
  customCertificates:
    enabled: true
    certificateSecretName: ca-cert