Install the JFrog Registry Operator in EKS

JFrog Installation & Setup Documentation

Ensure that you configure the EKS cluster with the IAM role and attach the AWS policy before you install the operator.

  1. Run the following commands to export the namespace and service account names for use in the procedure.

    export NAMESPACE=<namespace where the passwordless access is to be configured>
    export SERVICE_ACCOUNT_NAME=<service account where the passwordless access is to be configured>
  2. Set ANNOTATIONS with the ARN details of the IAM role.

    export ANNOTATIONS="eks.amazonaws.com/role-arn: arn:aws:iam::<account_number>:role/<role_name>"
  3. Add the JFrog Helm Charts repository.

    helm repo add jfrog https://charts.jfrog.io

    If you already added the JFrog Helm Charts repository, run the following command to update the repository.

    helm repo update
  4. Run the following command to install the JFrog Registry operator.

    helm upgrade --install secretrotator jfrog/jfrog-registry-operator --set "serviceAccount.name=${SERVICE_ACCOUNT_NAME}" --set "serviceAccount.annotations=${ANNOTATIONS}" --create-namespace -n ${NAMESPACE}

    The operator runs with a cluster context.

  5. Run the following command to check the status of the operator.

    kubectl get po -n ${NAMESPACE}
  6. Update the secretrotator.yaml file to include the JFrog Platform URL (artifactoryUrl) and the namespace.

    You can also update the time taken to refresh the token (refreshTime) and apply any secret metadata (secretMetadata).

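    apiVersion: apps.jfrog.com/v1alpha1
    kind: SecretRotator
    metadata:
      name: secretrotator
    spec:
      namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: "<namespace>"
      secretName: token-secret
      artifactoryUrl: "<ARTIFACTORY_URL>"
      refreshTime: 30m
      secretMetadata:
        annotations:
          annotationKey: annotationValue
        labels:
          labelName: labelValue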

    By default, registry tokens are rotated at 75% of the token expiration time, which is set to the maximum AWS role session timeout. If you provide a value for refreshTime, ensure that it is not longer than the maximum AWS role session expiration.

    namespaceSelector is used by the operator to select the namespaces into which the registry tokens are created. You can update the namespaceSelector value to switch to a different namespace.

    secretName contains the created Docker registry secret and the value is rotated by the operator.

    If the Docker registry is on an Edge server, the user with the AWS role tag must exist on the Edge server and must be tagged either manually or through access federation.

  7. Run the following command to update the operator with the JFrog Platform URL.

    kubectl apply -f secretrotator.yaml -n ${NAMESPACE}
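
The refreshTime constraint in step 6 can be checked before you apply secretrotator.yaml. The script below is an added example, not part of the JFrog documentation or operator code; its function names and the REFRESH_TIME and MAX_SESSION variables are hypothetical, and it assumes refreshTime uses h/m/s units as in the `30m` value above.

```shell
#!/bin/sh
# Added example (not JFrog code): check refreshTime against the IAM role's
# maximum session duration before applying secretrotator.yaml.
# The limit in seconds can be read with the AWS CLI:
#   aws iam get-role --role-name <role_name> \
#     --query 'Role.MaxSessionDuration' --output text

# Convert a duration such as 30m, 12h or 1h30m15s to seconds.
# Assumption: refreshTime uses h/m/s units, as in the page's "30m".
duration_to_seconds() {
  rest=$1; total=0
  [ -n "$rest" ] || return 1
  while [ -n "$rest" ]; do
    num=${rest%%[!0-9]*}                 # leading digits
    [ -n "$num" ] || return 1
    rest=${rest#"$num"}
    unit=${rest%"${rest#?}"}             # single-letter unit
    rest=${rest#?}
    while [ "${#num}" -gt 1 ] && [ "${num#0}" != "$num" ]; do
      num=${num#0}                       # avoid octal parsing of 08, 09
    done
    case $unit in
      h) total=$(( total + $num * 3600 )) ;;
      m) total=$(( total + $num * 60 )) ;;
      s) total=$(( total + $num )) ;;
      *) return 1 ;;                     # missing or unknown unit
    esac
  done
  echo "$total"
}

# Default rotation point described on the page: 75% of the token lifetime.
default_refresh_seconds() { echo $(( $1 * 75 / 100 )); }

# Exit status: 0 = fits, 1 = longer than the session limit, 2 = malformed.
check_refresh_time() {
  secs=$(duration_to_seconds "$1") || {
    echo "invalid refreshTime: $1" >&2; return 2; }
  if [ "$secs" -gt "$2" ]; then
    echo "refreshTime $1 (${secs}s) exceeds max session ${2}s" >&2
    return 1
  fi
  echo "ok: ${secs}s <= ${2}s; default would be $(default_refresh_seconds "$2")s"
}

# Constructed sample values: refreshTime 30m, 1-hour role session.
check_refresh_time "${REFRESH_TIME:-30m}" "${MAX_SESSION:-3600}"
```

Set REFRESH_TIME to the value in secretrotator.yaml and MAX_SESSION to the role's maximum session duration in seconds; a non-zero exit status means the value should be corrected before step 7.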