HA Installation on OpenShift Using artifactory-ha Chart

Add https://charts.jfrog.ioto your Helm client.
```
helm repo add jfrog https://charts.jfrog.io
```
Update the repository.
```
helm repo update
```
Create a unique Master Key (Artifactory requires a unique master key) pass it to the template during installation.
```
# Create a key
export MASTER_KEY=$(openssl rand -hex 32)echo ${MASTER_KEY}
```
Custom Master Key in Production Installations
For production grade installations, we strongly recommend that you use a custom master key. If you initially use the default master key it will be very hard to change the master key at a later stage. Therefore, generate a unique key and pass it to the template at install/upgrade time.
Alternatively, you can manually create a secret containing the master key and pass it to the template during installation.
```
# Create a key
export MASTER_KEY=$(openssl rand -hex 32)
echo ${MASTER_KEY}
 
# Create a secret containing the key. The key in the secret must be named master-key
kubectl create secret generic my-masterkey-secret -n artifactory --from-literal=master-key=${MASTER_KEY}
```
In either case, make sure to pass the same master key on all future calls to Helm install and Helm upgrade. This means always passing --set artifactory.masterKey=${MASTER_KEY} (for the custom master key) or --set artifactory.masterKeySecretName=my-masterkey-secret (for the manual secret) and verifying that the contents of the secret remain unchanged.
Next, create a unique join key.
```
# Create a key
export JOIN_KEY=$(openssl rand -hex 32)
echo ${JOIN_KEY}
```
By default the chart has one set in the values.yaml (artifactory.joinKey). However, this key is for demonstration purposes only and should not be used in a production environment. Generate a unique key and pass it to the template during installation.
Alternatively, you can manually create a secret containing the join key and pass it to the template during installation.
```
# Create a key
export JOIN_KEY=$(openssl rand -hex 32)
echo ${JOIN_KEY}
 
# Create a secret containing the key. The key in the secret must be named join-key
kubectl create secret generic my-joinkey-secret -n artifactory --from-literal=join-key=${JOIN_KEY}
```
In either case, make sure to pass the same join key on all future calls to Helm install and Helm upgrade. This means always passing --set artifactory.joinKey=${JOIN_KEY} (for the custom join key) or --set artifactory.joinKeySecretName=my-joinkey-secret (for the manual secret) and verifying that the contents of the secret remain unchanged.
You need to set the securityContext of Artifactory and containerSecurityContext as false in the values.yaml file to proceed with the installation.
```
containerSecurityContext:
  enabled: false
artifactory:
  setSecurityContext: false
```
To make PostgreSQL work on OpenShift, disable the securityContext in the pod and container level in the values.yaml file.
```
securityContext:
    enabled: false
  containerSecurityContext:
    enabled: false
```
Install the chart with the release name artifactory-ha and with the master key and join key, and pass the values.yaml file.
```
helm upgrade --install artifactory-ha --set artifactory.replicaCount=3 --set artifactory.masterKey=${MASTER_KEY} --set artifactory.joinKey=${JOIN_KEY} --namespace artifactory --create-namespace jfrog/artifactory-ha -f values.yaml
```
The parameter replicaCount decides the number of pods with Artifactory. You can set the replica count to a value for than or equal to 2. We recommend that you provide the value as 3.
Change Internal PostgreSQL Password
If you are using an internal PostgreSQL, it is recommended to change the PostgreSQL password. For more information, see Auto-generated Passwords (Internal PostgreSQL).
The following example shows a sample values.yaml file.
```
containerSecurityContext:
  enabled: false
artifactory:
  setSecurityContext: false
postgresql:
  securityContext:
    enabled: false
  containerSecurityContext:
    enabled: false
```
Connect to Artifactory.
It may take a few minutes for Artifactory's public IP to become available. Follow the instructions that are output by the install command above to get the Artifactory IP to access it. Below you will find a sample instruction of what to look for to pick the URL to reach Artifactory (in the following example, art77 is the release name and art is the namespace).
```
1. Get the Artifactory IP and URL

NOTE: You are installing Artifactory in Openshift Environment.

2. Open Artifactory in your browser
   Default credential for Artifactory:
   user:     admin
   password: password

3. Add HA licenses to activate Artifactory HA through the Artifactory UI
```
Install the Artifactory HA license using one of three methods: REST API, Artifactory UI, or a Kubernetes Secret. For more information, click the link below.
Adding Licenses
To activate Artifactory HA, you must install an appropriate license as part of the installation. There are three ways to manage the license: via Artifactory UI, REST API, or a Kubernetes Secret.
Specifying multiple licenses
Whether in the Artifactory UI, using the REST API or in the artifactory.cluster.license file, make sure that the licenses are separated by a newline.
The easiest and recommended way is by using Artifactory UI. Using the Kubernetes Secret or REST API is for advanced users and is better suited for automation.
Warning
You should use only one of these methods. Switching between them while a cluster is running might disable your Artifactory HA cluster.
You can add licenses via REST API. Note that the REST API uses "\n" for the newlines in the licenses (this is currently recommended method).
Once the primary cluster is running, open Artifactory UI and insert the license(s) in the UI.
Enter all of the licenses at once, with each license separated by a newline. If you add the licenses one at a time, you may get redirected to a node without a license and the UI will not load for that node.
Important
This method is relevant for initial deployment only. Once Artifactory is deployed, you should not keep passing these parameters, since the license is already persisted into Artifactory's storage (and they will be ignored). Updating the license should be done via Artifactory UI or REST API.
You can deploy the Artifactory license(s) as a Kubernetes Secret. You will need to prepare a text file with the license(s) written in it. If adding multiple licenses, they are added in the same file. Remember to addtwo new lines between eachlicense block.
Create the Kubernetes secret (assuming the local license file is 'art.lic').
kubectl create secret generic artifactory-cluster-license --from-file=./art.lic
Create a license-values.yaml.
artifactory: license: secret: artifactory-cluster-license dataKey: art.lic
Install with the license-values.yaml.
Run the following command for JFrog Platform.
helm upgrade --install jfrog-platform --namespace jfrog-platform --create-namespace jfrog/jfrog-platform -f license-values.yaml
Run the following command for Artifactory.
helm upgrade --install artifactory-ha --set artifactory.license.secret=artifactory-cluster-license,artifactory.license.dataKey=artifactory.lic --namespace artifactory jfrog/artifactory-ha
Create the Kubernetes Secret as Part of the Helm Release
Create a license-values.yaml.
artifactory: license: licenseKey: |- <LICENSE_KEY1> <LICENSE_KEY2> <LICENSE_KEY3>
Install with the license-values.yaml.
helm upgrade --install jfrog-platform --namespace jfrog-platform --create-namespace jfrog/jfrog-platform -f license-values.yaml
Note
This method is relevant for initial deployment only. Once Artifactory is deployed, you should not keep passing these parameters, since the license is already persisted into Artifactory's storage (and they will be ignored). Updating the license should be done via Artifactory UI or REST API.
If you want to keep managing the Artifactory license using the same method, you can use the copyOnEveryStartup example shown in the values.yaml file.
To access the logs, find the name of the pod using the following command.
```
kubectl --namespace <your namespace> get pods
```

To get the container logs, run the following command.

kubectl --namespace <your namespace> logs -f <name of the pod>

Optional Steps
1. Customize the product configuration including database, Java Opts, and filestore.
  Filestore Options
  Helm filestore (storage) installations require certain modifications; for more information, see Advanced Storage Options.
  Note
  Unlike other installations, Helm Chart configurations are made to the values.yamland are then applied to the system.yaml.
  Follow these steps to apply the configuration changes.
  1. Make the changes to values.yaml.
  2. Run the command.
2. To configure Artifactory for Helm, you will need to override the default system.yaml configuration. For more information, see Overriding the Default System YAML File.
3. By default, Helm deploys Artifactory with PostgreSQL (running in a separate pod). It is possible to deploy Artifactory without PostgreSQL (or any other external database), which will default to the embedded Derby database.

Artifactory Product Configuration

After installing and before running Artifactory, you may set the following configurations.

System YAML Configuration File
Where to find system.yaml?
You can configure all your system settings using the system.yaml file located in the $JFROG_HOME /artifactory/var/etc folder. For more information, see Artifactory YAML Configuration.
If you don't have a System YAML file in your folder, copy the template available in the folder and name it system.yaml.
For the Helm charts, the system.yaml file is managed in the chart’s values.yaml.
Database
Artifactory comes with an embedded Derby Database out-of-the-box. If you're planning to use it in production, it is highly recommended to first Configure the Database, and then start Artifactory.
Customize Java Opts (optional)Remember to modify your JVM Parameters as needed by setting JAVA_OPTIONS in Shared Configurations. The property to pass extra Java opts is artifactory.extraJavaOpts. It is highly recommended to set your Java memory parameters as follows:
Tip
The larger your repository or number of concurrent users, the larger you need to make the -Xms and -Xmx values accordingly. If you can reserve at least 512MB for Artifactory, the recommended minimal values are:
-server -Xms512m -Xmx2g -Xss256k -XX:+UseG1GC
For more recommendations about your hardware configuration (especially the -Xmx parameter), see System Requirements
Additional Settings
These include: customizing ports, joinKey (join.key), masterKey (master.key).
Configuring the Filestore
By default, Artifactory is configured to use the local file system as its filestore. Artifactory supports a variety of additional filestore configurations to meet a variety of needs for binary storage providers, storage size and redundancy.

Enable TLS 1.0 and 1.1 for Connectivity with Older Databases

Artifactory version 7.25.2 onwards includes OpenJDK version 11.0.11 and later. TLS 1.0 and TLS 1.1 are disabled by default from OpenJDK 11.0.11 onwards. If your database version does not support TLS 1.2, the Artifactory startup fails.

If you are unable to upgrade your database to a version that supports TLS 1.2 or later, perform the following steps to run Artifactory.

Download the java.security file that has TLS 1.0 and 1.1 enabled.
Create the directory, ${JFROG_HOME}/artifactory/var/bootstrap/artifactory/java.
Copy the java.security file into ${JFROG_HOME}/artifactory/var/bootstrap/artifactory/java.
Provide the appropriate permissions to the directory.
Note
Artifactory startup takes a backup of the existing java.security file and bootstraps custom java.security into the ${JFROG_HOME}/artifactory/app/third-party/java/conf/security folder.

Configure Java Security File for Helm Installations

Create the following local directory.
```
mkdir -p java/configmap
```
Download the java.security file that has TLS 1.0 and 1.1 enabled.
Copy the java.security file to java/configmap.
Run the following command to create a custom config map. For more information, see Using Config Maps.
```
kubectl create configmap java-security-config --from-file=java/configmap/java.security
```

Pass the following custom config map to your Helm install. For more information, see Using Config Maps.

artifactory:
  preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/java && cp -Lrf /tmp/java/* /opt/jfrog/artifactory/var/bootstrap/artifactory/java/"
  customVolumes: |
   - name: java-security-config
     configMap:
       name: java-security-config
  customVolumeMounts: |
    - name: java-security-config
      mountPath: /tmp/java/java.security
      subPath: java.security

Custom Master Key in Production Installations

Change Internal PostgreSQL Password

Specifying multiple licenses

Warning

Important

Create the Kubernetes Secret as Part of the Helm Release

Note

Filestore Options

Note

Artifactory Product Configuration

Where to find system.yaml?

Tip

Enable TLS 1.0 and 1.1 for Connectivity with Older Databases

Note

Configure Java Security File for Helm Installations