JFrog Recommends Enabling TLS at Nginx Level
If you want to terminate TLS at the load balancer level and send HTTP requests to Artifactory, you do not need to enable TLS within the JFrog Platform. Instead, use Nginx to offload HTTPS requests to Artifactory using HTTP; you can configure Nginx to use your own custom certificate and key. For more information, see Nginx with TLS.
In HTTPS, communication is encrypted using Transport Layer Security (TLS). By default, TLS between JFrog Platform nodes is disabled. When TLS is enabled, JFrog Access acts as the Certificate Authority (CA), signing the TLS certificates and enabling TLS communication between Artifactory and other JFrog products. For more information, see TLS on JFrog Platform.
When deploying the JFrog Platform using Helm in a Kubernetes cluster, it is recommended that all products connect to Artifactory via its Kubernetes service. To ensure proper TLS validation, the TLS certificate issued by JFrog Access and used by the JFrog Router must include the Service URL in the Subject Alternative Name (SAN) field.
Kubernetes services for JFrog products follow a specific naming convention based on the Helm release name and product name. For example, if the Helm release is jfrog-platform, the generated service names will be as follows:
Artifactory: jfrog-platform-artifactory
Xray: jfrog-platform-xray
General: jfrog-platform-product
This naming convention is important because the full name of the Artifactory service must be added as a newly registered SAN in the Access-generated certificate.
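The following added example (not JFrog code) checks whether the SAN entries of a certificate cover the in-cluster DNS names of a service built from the release and product name. It assumes the SAN text comes from `openssl x509 -noout -ext subjectAltName`; the namespace `jfrog`, the sample output, and all function names are constructed for illustration. Only the name form used in the configured service URL has to be covered.

```python
import re

def service_dns_names(release, product, namespace, cluster_domain="cluster.local"):
    """In-cluster DNS names of the Service <release>-<product> (Kubernetes DNS forms)."""
    svc = f"{release}-{product}"
    return [
        svc,
        f"{svc}.{namespace}",
        f"{svc}.{namespace}.svc",
        f"{svc}.{namespace}.svc.{cluster_domain}",
    ]

def parse_san_dns(openssl_text):
    """Extract the DNS entries from openssl's subjectAltName text output."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_text)]

def san_matches(san, host):
    """Exact match, or a wildcard that stands for exactly the left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return False

def missing_names(openssl_text, release, product, namespace):
    """Service DNS names that no SAN entry in the certificate covers."""
    sans = parse_san_dns(openssl_text)
    return [
        host
        for host in service_dns_names(release, product, namespace)
        if not any(san_matches(s, host) for s in sans)
    ]

# Constructed sample of openssl output (not taken from a real deployment).
SAMPLE = """X509v3 Subject Alternative Name:
    DNS:jfrog-platform-artifactory, DNS:jfrog-platform-artifactory.jfrog.svc.cluster.local, DNS:*.jfrog.svc, IP Address:10.0.0.12
"""

if __name__ == "__main__":
    for product in ("artifactory", "xray"):
        for name in missing_names(SAMPLE, "jfrog-platform", product, "jfrog"):
            print(f"{product}: not covered by SAN: {name}")
```

A client that connects with a name reported as not covered fails TLS hostname validation, so either register that name as a SAN or change the URL to a covered form.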