Ensure that you configure the EKS cluster with the IAM role and attach the AWS policy before you install the operator.
Run the following commands to export the namespace and service account names for use in the rest of the procedure.
export NAMESPACE=<namespace where the passwordless access is to be configured>
export SERVICE_ACCOUNT_NAME=<service account where the passwordless access is to be configured>
Set ANNOTATIONS with the ARN of the IAM role.
export ANNOTATIONS="eks.amazonaws.com/role-arn: arn:aws:iam::<account_number>:role/<role_name>"
Add the JFrog Helm Charts repository.
helm repo add jfrog https://charts.jfrog.io
If you already added the JFrog Helm Charts repository, run the following command to update the repository.
helm repo update
Run the following command to install the JFrog Registry operator.
helm upgrade --install secretrotator jfrog/jfrog-registry-operator \
  --set "serviceAccount.name=${SERVICE_ACCOUNT_NAME}" \
  --set "serviceAccount.annotations=${ANNOTATIONS}" \
  --create-namespace -n ${NAMESPACE}
The operator runs with a cluster-wide context.
Run the following command to check that the operator pod has reached the Running state.
kubectl get po -n ${NAMESPACE}
Update the secretrotator.yaml file to include the JFrog Platform URL (artifactoryUrl) and the target namespace (namespaceSelector.matchLabels.kubernetes.io/metadata.name). You can also change the token refresh interval (refreshTime) and add metadata to the generated secret (secretMetadata).
apiVersion: apps.jfrog.com/v1alpha1
kind: SecretRotator
metadata:
  labels:
    app.kubernetes.io/name: secretrotators.apps.jfrog.com
    app.kubernetes.io/instance: secretrotator
    app.kubernetes.io/created-by: artifactory-secrets-rotator
  name: secretrotator
spec:
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: <NAMESPACE>
  secretName: token-secret
  artifactoryUrl: "<ARTIFACTORY_URL>"
  refreshTime: 30m
  secretMetadata:
    annotations:
      annotationKey: annotationValue
    labels:
      labelName: labelValue
By default, registry tokens are rotated at 75% of the token expiration time, which is set to the maximum AWS role session duration. If you set refreshTime, ensure that it is not longer than the maximum AWS role session duration; otherwise the token expires before the operator replaces it.
namespaceSelector is used by the operator to select the namespaces in which the registry token secrets are created. Update the namespaceSelector value to target a different namespace.
secretName is the name of the Docker registry secret that the operator creates; its value is rotated by the operator.
If the Docker registry is on an Edge server, the user with the AWS role tag must exist on the Edge server and must carry that tag, applied either manually or through access federation.
Run the following command to apply the SecretRotator resource with the JFrog Platform URL.
kubectl apply -f secretrotator.yaml -n ${NAMESPACE}
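The whole procedure above as one shell script, added here as an example; it is not JFrog's own code or part of the chart. It keeps the page's commands and manifest and adds the two checks a practitioner wants before trusting the setup: that refreshTime fits inside the role's session limit, and that the IRSA role-arn annotation actually landed on the service account. Assumptions not taken from the page: the role's limit is read from IAM's MaxSessionDuration with the aws CLI, refreshTime uses Go-style duration units (s, m, h), and the hypothetical variables ROLE_ARN, REFRESH_TIME and RUN_CLUSTER are introduced here so the duration and manifest helpers can be exercised offline while the cluster steps run only when RUN_CLUSTER=1.

```shell
#!/usr/bin/env bash
# Added example, not part of the JFrog documentation or chart.
# Assumptions (not from the page): the role limit comes from IAM's MaxSessionDuration
# via the aws CLI; refreshTime uses Go-style units (s, m, h); ROLE_ARN, REFRESH_TIME
# and RUN_CLUSTER are hypothetical variables introduced for this script.

# Convert a duration such as 30m, 1h30m or 45s to seconds (printed). Returns 1 on
# malformed input, including a bare number with no unit.
duration_to_seconds() {
  local d="$1" total=0 num unit
  [ -n "$d" ] || return 1
  while [ -n "$d" ]; do
    num="${d%%[smh]*}"                       # digits before the first unit letter
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    d="${d#"$num"}"
    unit=$(printf '%s' "$d" | cut -c1)
    d="${d#?}"
    case "$unit" in
      s) total=$((total + num)) ;;
      m) total=$((total + num * 60)) ;;
      h) total=$((total + num * 3600)) ;;
      *) return 1 ;;
    esac
  done
  echo "$total"
}

# The page's default: rotate at 75% of the token lifetime (the role's max session duration).
default_refresh_seconds() {
  echo $(( $1 * 3 / 4 ))
}

# Succeed only when refreshTime does not exceed the role's MaxSessionDuration (seconds).
# A longer refreshTime means the token expires before the operator replaces it.
check_refresh_time() {
  local refresh="$1" max_session_seconds="$2" secs
  secs=$(duration_to_seconds "$refresh") || { echo "invalid refreshTime: $refresh" >&2; return 1; }
  if [ "$secs" -gt "$max_session_seconds" ]; then
    echo "refreshTime $refresh (${secs}s) exceeds MaxSessionDuration ${max_session_seconds}s" >&2
    return 1
  fi
}

# Render the SecretRotator manifest from the page with namespace, URL and refreshTime filled in.
render_secretrotator() {
  local namespace="$1" artifactory_url="$2" refresh="$3"
  cat <<EOF
apiVersion: apps.jfrog.com/v1alpha1
kind: SecretRotator
metadata:
  labels:
    app.kubernetes.io/name: secretrotators.apps.jfrog.com
    app.kubernetes.io/instance: secretrotator
    app.kubernetes.io/created-by: artifactory-secrets-rotator
  name: secretrotator
spec:
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: ${namespace}
  secretName: token-secret
  artifactoryUrl: "${artifactory_url}"
  refreshTime: ${refresh}
EOF
}

# The cluster steps from the page plus two checks; needs aws, helm, kubectl and an EKS context.
install_and_verify() {
  : "${NAMESPACE:?}" "${SERVICE_ACCOUNT_NAME:?}" "${ROLE_ARN:?}" "${ARTIFACTORY_URL:?}"
  local refresh="${REFRESH_TIME:-30m}" max_session
  max_session=$(aws iam get-role --role-name "${ROLE_ARN##*/}" \
    --query 'Role.MaxSessionDuration' --output text)
  check_refresh_time "$refresh" "$max_session" || return 1
  helm repo add jfrog https://charts.jfrog.io >/dev/null 2>&1 || true   # already added is fine
  helm repo update
  helm upgrade --install secretrotator jfrog/jfrog-registry-operator \
    --set "serviceAccount.name=${SERVICE_ACCOUNT_NAME}" \
    --set "serviceAccount.annotations=eks.amazonaws.com/role-arn: ${ROLE_ARN}" \
    --create-namespace -n "${NAMESPACE}"
  # Check 1: without the IRSA annotation the operator pod gets no AWS credentials.
  kubectl get sa "${SERVICE_ACCOUNT_NAME}" -n "${NAMESPACE}" \
    -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}{"\n"}' | grep -qF "${ROLE_ARN}" \
    || { echo "service account is missing the role-arn annotation" >&2; return 1; }
  kubectl get po -n "${NAMESPACE}"
  render_secretrotator "${NAMESPACE}" "${ARTIFACTORY_URL}" "${refresh}" | kubectl apply -n "${NAMESPACE}" -f -
  # Check 2: the rotated secret should appear in the selected namespace; poll briefly.
  for _ in 1 2 3 4 5 6; do
    kubectl get secret token-secret -n "${NAMESPACE}" -o jsonpath='{.type}{"\n"}' 2>/dev/null && return 0
    sleep 10
  done
  echo "token-secret was not created within 60s; inspect the operator pod logs" >&2
  return 1
}

if [ "${RUN_CLUSTER:-0}" = "1" ]; then
  install_and_verify
fi
```

Run with RUN_CLUSTER=1 NAMESPACE=... SERVICE_ACCOUNT_NAME=... ROLE_ARN=arn:aws:iam::<account_number>:role/<role_name> ARTIFACTORY_URL=https://<host> to execute the cluster steps; the duration check refuses a refreshTime longer than the role's session limit before anything is installed.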