Install the JFrog Registry Operator in EKS

JFrog Installation & Setup Documentation


Ensure that you configure the EKS cluster with the IAM role and attach the AWS policy before you install the operator.

  1. Run the following commands to export the namespace and service account names used in the rest of the procedure.

    export NAMESPACE=<namespace where the passwordless access is to be configured>
    export SERVICE_ACCOUNT_NAME=<service account where the passwordless access is to be configured>
  2. Set ANNOTATIONS with the ARN details of the IAM role.

    export ANNOTATIONS="eks.amazonaws.com/role-arn: arn:aws:iam::<account_number>:role/<role_name>"
  3. Add the JFrog Helm Charts repository.

    helm repo add jfrog https://charts.jfrog.io

    If you already added the JFrog Helm Charts repository, run the following command to update the repository.

    helm repo update
  4. Run the following command to install the JFrog Registry operator.

    helm upgrade --install secretrotator jfrog/jfrog-registry-operator --set "serviceAccount.name=${SERVICE_ACCOUNT_NAME}" --set "serviceAccount.annotations=${ANNOTATIONS}" --create-namespace -n ${NAMESPACE}

    The operator runs with a cluster context.

  5. Run the following command to check the status of the operator.

    kubectl get po -n ${NAMESPACE}
  6. Update the secretrotator.yaml file to include the JFrog Platform URL (artifactoryUrl) and the namespace (namespaceSelector.matchLabels.kubernetes.io/metadata.name).

    You can also update the time taken to refresh the token (refreshTime) and apply any secret metadata (secretMetadata).

    apiVersion: apps.jfrog.com/v1alpha1
    kind: SecretRotator
    metadata:
      labels:
        app.kubernetes.io/name: secretrotators.apps.jfrog.com
        app.kubernetes.io/instance: secretrotator
        app.kubernetes.io/created-by: artifactory-secrets-rotator
      name: secretrotator
    spec:
      namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: <NAMESPACE>
      secretName: token-secret
      artifactoryUrl: "<ARTIFACTORY_URL>"
      refreshTime: 30m
      secretMetadata:
        annotations:
          annotationKey: annotationValue
        labels:
          labelName: labelValue

    By default, registry tokens are rotated when 75% of the token expiration time has elapsed; the token expiration time is set to the maximum AWS role session duration. If you provide a value for refreshTime, ensure that it is not longer than the maximum AWS role session duration.

    namespaceSelector is used by the operator to select the namespaces into which the registry tokens are created. You can update the namespaceSelector value to switch to a different namespace.

    secretName contains the created Docker registry secret and the value is rotated by the operator.

    If the Docker registry is on an Edge server, the user with the AWS role tag must exist on the Edge server and must have the tag applied either manually or through access federation.

  7. Run the following command to update the operator with the JFrog Platform URL.

    kubectl apply -f secretrotator.yaml -n ${NAMESPACE}
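The caveat in step 6 (refreshTime must not exceed the IAM role's maximum session duration) is easy to get wrong when the role is left at the IAM default of 3600 seconds. The following shell check is an added example, not part of the JFrog documentation or operator; it converts a refreshTime value into seconds and compares it against a MaxSessionDuration you supply (the command for reading that value from IAM is shown in a comment, not executed).

```shell
#!/bin/sh
# Added example: validate a SecretRotator refreshTime against the IAM role's
# MaxSessionDuration before applying secretrotator.yaml.
#
# Read the real value with (not run here):
#   aws iam get-role --role-name <role_name> \
#     --query Role.MaxSessionDuration --output text

# Convert a Go-style duration such as 30m, 1h, 1h30m or 90s into seconds.
# Prints the total; returns 1 if the value cannot be parsed.
duration_to_seconds() {
  rest=$1
  total=0
  [ -n "$rest" ] || return 1
  while [ -n "$rest" ]; do
    # Take the leading digits and the single unit letter that follows them.
    num=$(printf '%s' "$rest" | sed -n 's/^\([0-9][0-9]*\)[hms].*/\1/p')
    unit=$(printf '%s' "$rest" | sed -n 's/^[0-9][0-9]*\([hms]\).*/\1/p')
    [ -n "$num" ] && [ -n "$unit" ] || return 1
    case $unit in
      h) total=$((total + num * 3600)) ;;
      m) total=$((total + num * 60)) ;;
      s) total=$((total + num)) ;;
    esac
    rest=${rest#"$num$unit"}
  done
  printf '%s\n' "$total"
}

# check_refresh_time <refreshTime> <max_session_seconds>
# Returns 0 when the refresh interval fits inside one role session, 1 otherwise
# (including when refreshTime is malformed).
check_refresh_time() {
  refresh=$1
  max_session=$2
  secs=$(duration_to_seconds "$refresh") || return 1
  [ "$secs" -le "$max_session" ]
}

# Example run with the manifest's default refreshTime and the IAM default
# MaxSessionDuration of 3600 seconds (constructed values).
if check_refresh_time 30m 3600; then
  echo "refreshTime 30m fits within a 3600s role session"
else
  echo "refreshTime 30m exceeds the role session duration" >&2
fi
```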