Install Artifactory on OpenShift using Helm

JFrog Installation & Setup Documentation

Installing Artifactory on OpenShift using Helm Charts offers a consistent and efficient way to deploy and manage Artifactory. This approach leverages Helm's declarative capabilities while addressing the specific security and deployment considerations of an OpenShift environment.

Artifactory is installed on OpenShift with the Artifactory Helm chart. The procedure is similar to the standard Helm installation, with certain changes specific to OpenShift.

Here you'll find step-by-step instructions for installing JFrog Artifactory using Helm Charts, covering both single-node and high-availability (HA) configurations.

Prerequisites

Install Steps

The following steps cover the installation process for both single-node and HA.

Note

In our documentation, we use oc commands for command examples related to OpenShift installation, but kubectl commands will also work.

  1. Add JFrog Helm Charts Repository

    1. Add Repository:

      helm repo add jfrog https://charts.jfrog.io
    2. Update Repository:

      helm repo update
  2. Create Unique Master and Join Keys

    Artifactory requires unique master and join keys. While default keys exist in the chart's values.yaml (especially for artifactory.joinKey), these are for demonstration purposes only and should not be used in a production environment.

    For production-grade installations, always generate unique keys and pass them during installation. Changing the master key later is very difficult.

    1. Create Keys (Environment Variables):

      export MASTER_KEY=$(openssl rand -hex 32)
      echo ${MASTER_KEY}
      export JOIN_KEY=$(openssl rand -hex 32)
      echo ${JOIN_KEY}
    2. Alternatively: Create Kubernetes Secrets (Recommended for Production):

      You can manually create Kubernetes secrets containing these keys, which offers a more secure way to manage sensitive data. The key names within the secrets must be master-key and join-key respectively.

      # For Master Key
      export MASTER_KEY=$(openssl rand -hex 32)
      echo ${MASTER_KEY}
      oc create secret generic my-masterkey-secret -n artifactory --from-literal=master-key=${MASTER_KEY}
      
      # For Join Key
      export JOIN_KEY=$(openssl rand -hex 32)
      echo ${JOIN_KEY}
      oc create secret generic my-joinkey-secret -n artifactory --from-literal=join-key=${JOIN_KEY}
      

      In either case, ensure that you pass the same keys/secret names on all future Helm install and Helm upgrade calls. This means always passing --set artifactory.masterKey=${MASTER_KEY} (for the custom master key) or --set artifactory.masterKeySecretName=my-masterkey-secret (for the manual secret), and similarly for the join key.
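
    The secret-based option above can be scripted so that the keys are never echoed or placed on a command line, and so that a re-run never replaces an existing master key. This is an added example, not JFrog's own script; the function names and the NAMESPACE variable are assumptions, and the secret and key names are the ones used above.

```shell
# Added example (not JFrog's script): create the master-key / join-key secrets
# without echoing the keys or putting them on a command line.
# NAMESPACE default and all function names are assumptions of this example.
NAMESPACE="${NAMESPACE:-artifactory}"

# 32 random bytes as 64 hex characters, no trailing newline.
gen_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32 | tr -d '\n'
  else
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
  fi
}

# Accept only 64 hex characters that are not one character repeated.
valid_key() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$' || return 1
  [ -n "$(printf '%s' "$1" | tr -d "$(printf '%.1s' "$1")")" ]
}

# ensure_key_secret <secret-name> <key-name>
# An existing secret is kept as is, because a changed master key is hard to
# recover from; otherwise a new key is loaded from a mode-0600 temp file.
ensure_key_secret() {
  local secret="$1" key_name="$2" tmp rc=0
  if oc get secret "$secret" -n "$NAMESPACE" >/dev/null 2>&1; then
    echo "secret/$secret already exists, keeping it"
    return 0
  fi
  tmp="$(mktemp)" || return 1
  gen_key > "$tmp"
  if valid_key "$(cat "$tmp")"; then
    oc create secret generic "$secret" -n "$NAMESPACE" \
      --from-file="$key_name=$tmp" || rc=$?
  else
    echo "generated key failed validation" >&2; rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Touch the cluster only when asked to: bash keys.sh apply
if [ "${1:-}" = "apply" ]; then
  ensure_key_secret my-masterkey-secret master-key &&
    ensure_key_secret my-joinkey-secret join-key
fi
```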

  3. Configure securityContext in values.yaml for OpenShift

    OpenShift has stricter security policies. To allow Artifactory and its dependencies to run, you need to disable securityContext settings in your values.yaml file.

    Add or modify the following in your values.yaml file:

    containerSecurityContext:
      enabled: false
    artifactory:
      podSecurityContext:
        enabled: false

    If RTFS is enabled, its security context should also be disabled:

    rtfs:  
      podSecurityContext:
        enabled: false
      containerSecurityContext:
        enabled: false

    To make PostgreSQL work on OpenShift (if using the internal PostgreSQL deployed by the Helm chart), disable its securityContext at both the pod and container levels:

    postgresql:
      primary:
        podSecurityContext:
          enabled: false
        securityContext:
          enabled: false
        containerSecurityContext:
          enabled: false

    For Artifactory versions 7.77.3 and later that support Nginx, update the following values in your values.yaml file to use Nginx with disabled security contexts:

    nginx:
      podSecurityContext:
        enabled: false
      containerSecurityContext:
        enabled: false

    When using a customized values.yaml file, remember to pass it with the -f flag on every helm upgrade command.
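
    To confirm that the overrides above took effect before installing, the chart can be rendered locally and scanned for user or group IDs that are still pinned; OpenShift's restricted SCC assigns the UID and fsGroup from the project's range, so a leftover fixed ID is what gets a pod rejected. This is an added example, not part of the chart; the function names are assumptions, and the sample manifest and its IDs are constructed.

```shell
# Added example (not part of the chart): report every runAsUser / runAsGroup /
# fsGroup still pinned in rendered manifests. Intended use, with values.yaml
# as the assumed name of your overrides file:
#   helm template artifactory jfrog/artifactory -f values.yaml | find_fixed_ids
find_fixed_ids() {
  awk '
    /^---/       { kind = ""; name = ""; in_meta = 0 }
    /^kind:/     { kind = $2 }
    /^metadata:/ { in_meta = 1; next }
    /^[^ #]/     { in_meta = 0 }
    in_meta && name == "" && /^  name:/ { name = $2 }
    /^ *(- )?(runAsUser|runAsGroup|fsGroup):/ {
      line = $0; sub(/^ *(- )?/, "", line)
      printf "%s/%s %s\n", kind, name, line; found = 1
    }
    END { exit (found ? 1 : 0) }   # non-zero status when anything is pinned
  '
}

# Constructed sample of rendered output: one workload pins IDs, one does not.
sample_rendered() {
  cat <<'EOF'
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: artifactory
spec:
  template:
    spec:
      securityContext:
        runAsUser: 1030
        fsGroup: 1030
      containers:
        - name: artifactory
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: artifactory-nginx
spec:
  template:
    spec:
      containers:
        - name: nginx
EOF
}

sample_rendered | find_fixed_ids || echo "fixed IDs remain: fix values.yaml" >&2
```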

  4. Install Artifactory Helm Chart

    Install the Artifactory chart based on your desired deployment type (single-node or HA). This step creates the necessary Kubernetes resources including Artifactory pods, services, and persistent volumes.

    Note

    When using a customized values.yaml file, remember to pass it with the -f flag on every helm upgrade command.

    1. Option A: Single-Node Installation

      Install the artifactory chart with your generated master and join keys.

      helm upgrade --install artifactory \
        --set artifactory.masterKey=${MASTER_KEY} \
        --set artifactory.joinKey=${JOIN_KEY} \
        --namespace artifactory --create-namespace \
        jfrog/artifactory
    2. Option B: High Availability (HA) Installation (Recommended for New Deployments)

      For new HA installations, use the artifactory chart and set artifactory.replicaCount to 3 (recommended) or higher. The minimum should be 2.

      helm upgrade --install artifactory \
        --set artifactory.replicaCount=3 \
        --set artifactory.masterKey=${MASTER_KEY} \
        --set artifactory.joinKey=${JOIN_KEY} \
        --namespace artifactory --create-namespace \
        jfrog/artifactory
  5. Change Internal PostgreSQL Password (Optional)

    If the Helm chart deployed an internal PostgreSQL database (default behavior), it is recommended to change its auto-generated password for security. For more information, see Auto-generated Passwords (Internal PostgreSQL).

    By default, Helm deploys Artifactory with PostgreSQL (running in a separate pod). For more information about creating and configuring databases, see Set up Database.

  6. Set up Supported Filestores

    The filestore is where Artifactory physically stores the binaries.

    • Single-Node: A local filesystem is the default, but externalizing it (for example, to a dedicated volume) is recommended for easier management and potential migration.

    • High Availability (HA): A shared filestore is mandatory. This can be NFS, S3, Azure Blob Storage, Google Cloud Storage, or another supported object storage solution. All Artifactory nodes in the cluster must have unified and reliable network access to this single shared filestore.

    Helm filestore (storage) installations require certain modifications. For more information, see Advanced Storage Options.

  7. Customize Artifactory Configuration

    For all Artifactory deployments using Helm charts, whether single-node or High Availability (HA), the primary method for configuring Artifactory is through the Helm chart's values.yaml file. Unlike native installations, you do not directly edit the system.yaml file on individual nodes. For more information on system.yaml and its parameters, see System YAML configuration.

    To configure Artifactory for Helm, you will need to override the default system.yaml configuration through this values.yaml file. For details on how to override these defaults specifically with Helm, see Overriding the Default System YAML File.

  8. Connect to Artifactory

    It may take a few minutes for Artifactory's public IP (LoadBalancer IP) to become available. Follow these instructions to get the Artifactory URL to access it:

    # Watch the status of the service until LoadBalancer IP is available:
    oc get svc --namespace <your namespace> -w <release-name>-artifactory-nginx # Or <release-name>-nginx for artifactory chart
    
    # Once available, get the IP and URL:
    export SERVICE_IP=$(oc get svc --namespace <your namespace> <release-name>-artifactory-nginx -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    echo http://$SERVICE_IP/
    

    For example (assuming release name art77 and namespace art):

    Congratulations. You have just deployed JFrog Artifactory.
    1. Get the Artifactory URL by running these commands:
       NOTE: It may take a few minutes for the LoadBalancer IP to be available.
             You can watch the status of the service by running 'kubectl get svc --namespace art -w art77-artifactory-nginx'
       export SERVICE_IP=$(kubectl get svc --namespace art art77-artifactory-nginx -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
       echo http://$SERVICE_IP/
    2. Open Artifactory in your browser
       Default credential for Artifactory:
       user: admin
       password: password
  9. Install HA License (HA Only)

    For HA setups, you must install the Artifactory HA license. This can be done using one of three methods: REST API, Artifactory UI, or a Kubernetes Secret. For more information, see Adding Licenses.

  10. Monitor Artifactory

    To access the logs and monitor Artifactory pods:

    • Find the name of the pod:

      oc --namespace <your namespace> get pods
    • Get the container logs:

      oc --namespace <your namespace> logs -f <name of the pod>
  11. Access Artifactory UI

    After starting Artifactory, open your browser and go to http://<SERVER_HOSTNAME>:8082/, replacing <SERVER_HOSTNAME> with your server's actual IP address or hostname.

    For HA setup, you will typically access Artifactory through a load balancer that distributes traffic across your HA nodes. Configure your load balancer to direct traffic to http://<ARTIFACTORY_NODE_IP>:8082/ on each node.

  12. Initial Setup

    Upon first access, you'll be guided through an onboarding wizard:

    • Change Default Admin Password: The default credentials are admin/password. Change this immediately.

    • Configure Base URL: Configure the Base URL.

    • Apply Licenses: If you have an Artifactory Pro or Enterprise license, apply it.