Establish TLS and Add Certificates in Helm Installation

JFrog Installation & Setup Documentation

Establish TLS and Add Certificates for Artifactory

In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS). By default, TLS between JFrog Platform nodes is disabled. When TLS is enabled, JFrog Access acts as the Certificate Authority (CA) that signs the TLS certificates used by all the different JFrog Platform nodes.

To establish TLS between JFrog Platform nodes, enable TLS by changing the tls entry (under the security section) in the access.config.yaml file. For additional information, see Managing TLS Certificates.

  1. To enable TLS in charts, set tls to true under access in the values.yaml. By default it is set to false.

    access:
      accessConfig:
        security:
          tls: true
  2. To add custom TLS certificates, create a TLS secret from the certificate files.

    kubectl create secret tls <tls-secret-name> --cert=ca.crt --key=ca.private.key
  3. To reset the Access certificates, set resetAccessCAKeys to true under the access section in the values.yaml and perform a Helm upgrade.

    Note

    Once the Helm upgrade is completed, set resetAccessCAKeys to false for subsequent upgrades (to avoid resetting the access certificates on every Helm upgrade).

    access:
      accessConfig:
        security:
          tls: true
      customCertificatesSecretName: <tls-secret-name>
      resetAccessCAKeys: true
Establish TLS and Add Certificates for Xray and Distribution Helm Installations

Create trust between the nodes by copying the ca.crt from the Artifactory server under $JFROG_HOME/artifactory/var/etc/access/keys to the nodes you would like to set trust with, under $JFROG_HOME/var/etc/security/keys/trusted. For more information, see Managing TLS Certificates.

To add this certificate to Xray:

  1. Create a configmaps.yaml file with the following content.

    Xray

    common:
      configMaps: |
        ca.crt: |
          -----BEGIN CERTIFICATE-----
            <certificate content>
          -----END CERTIFICATE-----
    
      customVolumeMounts: |
        - name: xray-configmaps
          mountPath: /tmp/ca.crt
          subPath: ca.crt
    
    server:
      preStartCommand: "mkdir -p {{ .Values.xray.persistence.mountPath }}/etc/security/keys/trusted && cp -fv /tmp/ca.crt {{ .Values.xray.persistence.mountPath }}/etc/security/keys/trusted/ca.crt"
    router:
      tlsEnabled: true  

    Mission Control

    common:
      configMaps: |
        ca.crt: |
          -----BEGIN CERTIFICATE-----
            <certificate content>
          -----END CERTIFICATE-----
      customVolumeMounts: |
        - name: mission-control-configmaps
          mountPath: /tmp/ca.crt
          subPath: ca.crt
    missionControl:
      preStartCommand: "mkdir -p {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted && cp -fv /tmp/ca.crt {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted/ca.crt"
    router:
      tlsEnabled: true 

    Distribution

    common:
      configMaps: |
        ca.crt: |
          -----BEGIN CERTIFICATE-----
            <certificate content>
          -----END CERTIFICATE-----
    
      customVolumeMounts: |
        - name: distribution-configmaps
          mountPath: /tmp/ca.crt
          subPath: ca.crt
    
    distribution:
      preStartCommand: "mkdir -p {{ .Values.distribution.persistence.mountPath }}/etc/security/keys/trusted && cp -fv /tmp/ca.crt {{ .Values.distribution.persistence.mountPath }}/etc/security/keys/trusted/ca.crt"
    router:
      tlsEnabled: true  
  2. Run the Helm install/upgrade.

    Xray

    helm upgrade --install xray -f configmaps.yaml --namespace xray jfrog/xray

    Mission Control

    helm upgrade --install mission-control -f configmaps.yaml --namespace mission-control jfrog/mission-control

    Distribution

    helm upgrade --install distribution -f configmaps.yaml --namespace distribution jfrog/distribution
  3. Create a configMap with the files you specified above.

    This will, in turn:

    • Create a volume pointing to the configMap with the name xray-configmaps.

    • Mount this configMap under /tmp using customVolumeMounts.

  4. Using the preStartCommand, copy the ca.crt file to the Xray trusted keys folder /etc/security/keys/trusted/ca.crt. router.tlsEnabled is set to true so that the liveness and readiness probes use the HTTPS scheme.
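
The configmaps.yaml of step 1 carries the PEM inside two nested block scalars, so an indentation slip while pasting corrupts the certificate that the preStartCommand later copies into the trusted folder. The POSIX shell function below is an added example, not part of this page or of the JFrog charts: it renders that values file for xray, mission-control or distribution from a real ca.crt, indents every PEM line identically, and refuses files without a certificate header or with a private key in them; the function name render_trust_values is the example's own, and the component-to-key mapping mirrors the three snippets above.

```shell
#!/bin/sh
# Added example: render the configmaps.yaml of step 1 for one JFrog component
# from an existing ca.crt instead of pasting the PEM by hand.
# Usage: render_trust_values <xray|mission-control|distribution> <ca.crt> > configmaps.yaml
set -eu

render_trust_values() {
  component=$1
  ca_file=$2

  # Map the chart name onto the section that takes preStartCommand, the values
  # key used in mountPath, and the volume name the chart creates for configMaps
  # (these mirror the three snippets on the page).
  case "$component" in
    xray)            section=server;         vals=xray;           volume=xray-configmaps ;;
    mission-control) section=missionControl; vals=missionControl; volume=mission-control-configmaps ;;
    distribution)    section=distribution;   vals=distribution;   volume=distribution-configmaps ;;
    *) echo "unknown component: $component" >&2; return 1 ;;
  esac

  # Only a certificate belongs in a ConfigMap: reject files without a PEM
  # certificate header and anything that carries a private key.
  grep -q '^-----BEGIN CERTIFICATE-----' "$ca_file" || {
    echo "no certificate found in $ca_file" >&2; return 1; }
  if grep -q 'PRIVATE KEY' "$ca_file"; then
    echo "refusing $ca_file: it contains a private key" >&2; return 1
  fi

  mnt="{{ .Values.$vals.persistence.mountPath }}"
  trusted="$mnt/etc/security/keys/trusted"

  printf 'common:\n  configMaps: |\n    ca.crt: |\n'
  # Indent every PEM line by the same six spaces so the nested block scalar
  # reproduces the file exactly; CR line endings are dropped on the way.
  awk '{ sub(/\r$/, ""); print "      " $0 }' "$ca_file"
  printf '  customVolumeMounts: |\n    - name: %s\n      mountPath: /tmp/ca.crt\n      subPath: ca.crt\n' "$volume"
  printf '%s:\n  preStartCommand: "mkdir -p %s && cp -fv /tmp/ca.crt %s/ca.crt"\n' "$section" "$trusted" "$trusted"
  printf 'router:\n  tlsEnabled: true\n'
}
```

Pipe the output into a file and pass it with -f to the helm upgrade of step 2; the ca.crt itself comes from the Artifactory access keys directory named at the top of this section.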

Establish TLS and Add Certificates for Pipelines Helm Installation

You can create trust between the nodes by copying the ca.crt file from the Artifactory server under $JFROG_HOME/artifactory/var/etc/access/keys to the nodes you would like to set trust with, under $JFROG_HOME/pipelines/var/etc/security/keys/trusted. For more information, see Managing TLS Certificates.

More than one certificate can be present in the trusted directory. For example, you can configure the Pipelines API URL behind a load balancer that is set up with custom certificates. You need to add those certificates to the trusted folder, since build nodes talk to the Pipelines API over the load balancer endpoint.

Add the NODE_EXTRA_CA_CERTS environment variable when you use custom certificates. Pipelines looks through all the certificates available in the trusted folder and concatenates them into a single file called pipeline_custom_certs.crt, which is then passed as the NODE_EXTRA_CA_CERTS environment variable.

You can add TLS certificates through a Kubernetes secret. Create the secret outside of this chart and provide its name through the "Values.pipelines.customCertificates.certificateSecretName" value.

The following example shows how you can create the secret.

kubectl create secret generic ca-cert --from-file=ca.crt=ca.crt

You can pass the secret to the Helm installation by updating the values.yaml file.

pipelines:
  customCertificates:
    enabled: true
    certificateSecretName: ca-cert