The following describes how to set up a Pipelines HA cluster with two or more nodes. For more information, see the System Architecture.
Prerequisites
All nodes within the same Pipelines HA installation must run the same Pipelines version.
Licensing
Pipelines HA is supported with an Enterprise Plus License. Each node in the cluster must be activated with a different license.
Database
Pipelines HA requires an external PostgreSQL database. Make sure you have completed setting up your external database before proceeding to install the first node. The database connection details are used for each node installation.
There are several ways to set up PostgreSQL for redundancy, including HA, Load Balancing and Replication. For more information, see the PostgreSQL documentation.
RabbitMQ
RabbitMQ is installed as part of the Pipelines installation for every node. In HA architecture, it uses queue mirroring between the different RabbitMQ nodes.
Network
All the Pipelines HA components (cluster nodes, database server and RabbitMQ) must be within the same fast LAN.
All the HA nodes must communicate with each other through dedicated TCP ports.
Network communications between the cluster nodes must be enabled for each of the cluster nodes.
Install HA Using the Pipelines Command Line Installer
Install the First Node
Extract the installer from the downloaded .rpm, .deb, or .tar.gz file, as shown for the single node installation.
Perform the install procedure in the first node using the Pipelines command line installer.
```bash
$ sudo pipelines install \
    --base-url <jfrog-url> \
    --artifactory-joinkey <join-key> \
    --db-connection-string postgres://<user>:<pass>@<ip>:<port>/<db> \
    --installer-ip <new-instance-ip> \
    --api-url http://<new-instance-ip>:8082/pipelines/api
```
Note: You will need to fetch your jfrogURL (custom base URL) and join key to link your Pipelines installation to the Platform.
Warning
A JFrog Platform Custom Base URL must be set for Pipelines to work. If the custom URL is not set for the JFrog Platform, you can provide one with the Pipelines installation using the --base-url-ui <JFrog Platform Custom URL> option. You can also set the custom URL through the JFrog Platform UI. For more information, see General Settings. If a custom URL is already set and you provide a URL with the Pipelines installation, the URL you provide with the installation overrides the existing JFrog Platform Custom Base URL.
You may perform a health check on the node to confirm it is operating properly.
Install Additional Nodes
Repeat the following procedure for each additional node.
In the new node instance, extract the installer from the downloaded .rpm, .deb, or .tar.gz file, as performed for the first node.
Copy from the first node instance the file $JFROG_HOME/pipelines/var/etc/system.yaml to the same location in the new instance.
Perform the install procedure in the new node using the Pipelines command line installer.
You may perform a health check on the node to confirm it is operating properly.
Configure the Load Balancer
Once all additional nodes have been installed with an identical version of Pipelines, the load balancer must be configured to distribute requests made through a common base URI.
For example, if you want Pipelines to be accessible as mypipelines.jfrog.io over HTTPS, then the port mapping should be configured as follows:
| URI | LB(nginx/ELB) | Backend Instance(s) |
|---|---|---|
| | [Port: 30001][TCP][SSL termination] | [PORT: 30001] |
| | [Port: 8082][HTTP][SSL termination] | [PORT: 8082] |
| | [PORT: 30200][TCP][SSL termination] | [PORT: 30200] |
| | [PORT: 30201][TCP][SSL termination] | [PORT: 30201] |
Update Nodes
On each node (including the first), run the Pipelines command line installer again to update your installation for the load balanced URI:
```bash
$ sudo pipelines install \
    --api-url https://mypipelines-api.jfrog.io/pipelines/api
```
Pipelines should now be available in your JFrog Platform at https://myartifactory.jfrog.io.
Helm HA Installation
Prerequisites
Before deploying Pipelines using Helm Chart, you will need to have the following in place:
An installed Artifactory
A pre-created repository jfrogpipelines in Artifactory of type Generic with a maven-2-default layout
A deployed Nginx-ingress controller
For more information, see Helm Charts for Advanced Users.
Important
Currently, it is not possible to connect a JFrog product (e.g., Pipelines) that is within a Kubernetes cluster with another JFrog product (e.g., Artifactory) that is outside of the cluster, as this is considered a separate network. Therefore, JFrog products cannot be joined together if one of them is in a cluster.
High Availability
For an HA Pipelines installation, set the replicaCount in the values.yaml file to a value greater than 1 (3 is recommended). It is highly recommended to also configure the RabbitMQ and Redis subcharts to run in high availability modes. Start Pipelines with 3 replicas per service and 3 replicas for RabbitMQ.
Add the JFrog Helm repository to your Helm client.
```bash
helm repo add jfrog https://charts.jfrog.io
```
Update the repository.
```bash
helm repo update
```
Next, create a unique master key; Pipelines requires a unique master key to be used by all micro-services in the same cluster. By default the chart has one set, the pipelines.masterKey, in the values.yaml file (unlike other installations, Helm Chart configurations are made to the values.yaml and are then applied to the system.yaml).
Note
For production grade installations it is strongly recommended to use a custom master key. If you initially use the default master key, it will be very hard to change the master key at a later stage. The default key is for demo purposes and should not be used in a production environment.
Generate a unique key and pass it to the template during installation/upgrade.
```bash
# Create a key
export MASTER_KEY=$(openssl rand -hex 32)
echo ${MASTER_KEY}

# Pass the created master key to Helm (release name "pipelines", as in the other commands)
helm upgrade --install pipelines --set pipelines.masterKey=${MASTER_KEY} --namespace pipelines jfrog/pipelines
```
Alternatively, you can create a secret containing the master key manually and pass it to the template during installation/upgrade.
```bash
# Create a key
export MASTER_KEY=$(openssl rand -hex 32)
echo ${MASTER_KEY}

# Create a secret containing the key. The key in the secret must be named master-key
kubectl create secret generic my-secret --from-literal=master-key=${MASTER_KEY}

# Pass the created secret to Helm
helm upgrade --install pipelines --set pipelines.masterKeySecretName=my-secret --namespace pipelines jfrog/pipelines
```
Note
In either case, make sure to pass the same master key on all future calls to helm install and helm upgrade. In the first case, this means always passing --set pipelines.masterKey=${MASTER_KEY}. In the second, this means always passing --set pipelines.masterKeySecretName=my-secret and ensuring the contents of the secret remain unchanged.
To connect Pipelines to your Artifactory installation, you will need to use a Join Key. To provide a Join Key, jfrogUrl, and jfrogUrlUI to your Pipelines installation, retrieve the connection details of your Artifactory installation from the UI in the following way (for more information, see Viewing the Join Key).
```yaml
pipelines:
  ## Artifactory URL - Mandatory
  ## If Artifactory and Pipelines are in same namespace, jfrogUrl is Artifactory service name, otherwise it is the external URL of Artifactory
  jfrogUrl: ""

  ## Artifactory UI URL - Optional
  ## This must be the external URL of Artifactory, for example: https://artifactory.example.com
  ## If you provide a value here, it overrides the JFrog Platform Custom URL. A custom URL is necessary for Pipelines to function.
  ## If JFrog Platform Custom URL does not exist, you must provide a value with the installation or configure the custom URL through UI after installation.
  jfrogUrlUI: ""

  ## Join Key to connect to Artifactory
  ## IMPORTANT: You should NOT use the example joinKey for a production deployment!
  joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

  ## Pipelines requires a unique master key
  ## You can generate one with the command: "openssl rand -hex 32"
  ## IMPORTANT: You should NOT use the example masterKey for a production deployment!
  masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
```
You can choose to set the Redis password in the values.yaml file and pass it with the installation by setting redis.usePassword to true.
The following snippet shows the configuration.
```yaml
redis:
  password: "password"
  usePassword: true
```
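The example joinKey, masterKey and Redis password shown above are placeholders that must not reach a production release. The following pre-flight check is an added example, not part of the JFrog documentation or chart: it flags those placeholder values in a values file. The function names yaml_value, is_repeated_char and check_values are hypothetical, and the check assumes each key appears as a plain "key: value" line.

```shell
#!/bin/sh
# Added example (not JFrog code): pre-flight check of a Helm values file.

# Print the value of the first "<key>: <value>" line, minus quotes and comments.
yaml_value() {  # usage: yaml_value <key> <file>
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | tr -d "\"'"
}

# Succeed when the argument is one character repeated (EEEE..., FFFF...).
is_repeated_char() {
  [ -n "$1" ] || return 1
  first=$(printf '%s' "$1" | cut -c1)
  [ -z "$(printf '%s' "$1" | tr -d "$first")" ]
}

# Exit status 0 when no placeholder secret is found, 1 otherwise.
# The body runs in a subshell, so its variables stay local.
check_values() (
  rc=0
  mk=$(yaml_value masterKey "$1")
  jk=$(yaml_value joinKey "$1")
  if [ -n "$mk" ]; then   # empty when masterKeySecretName is used instead
    if ! printf '%s' "$mk" | grep -Eq '^[0-9a-fA-F]{64}$'; then
      echo "masterKey: expected 64 hex characters (openssl rand -hex 32)" >&2; rc=1
    elif is_repeated_char "$mk"; then
      echo "masterKey: example placeholder value" >&2; rc=1
    fi
  fi
  if is_repeated_char "$jk"; then
    echo "joinKey: example placeholder value" >&2; rc=1
  fi
  if grep -Eq "^[[:space:]]*password:[[:space:]]*[\"']?password[\"']?[[:space:]]*\$" "$1"; then
    echo "password: sample value 'password'" >&2; rc=1
  fi
  exit "$rc"
)

# Check a file when one is given on the command line.
[ "$#" -eq 0 ] || check_values "$1"
```

Run it against each values file passed with -f before helm upgrade --install; a non-zero exit status means a placeholder value is still present.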
Get the Pipelines helm chart to get the required configuration files.
```bash
helm fetch jfrog/pipelines --untar
```
Configure the installation by editing the local copies of the values-ingress.yaml and values-ingress-passwords.yaml with the required configuration values.
Edit the URLs in the values-ingress.yaml file (Artifactory URL, Ingress hosts, Ingress tls secrets).
Set the passwords uiUserPassword, postgresqlPassword and auth.password in the local copies.
Set the masterKey and joinKey in the values-ingress-passwords.yaml.
Note
Unlike other installations, Helm Chart configurations are made to the values.yaml and are then applied to the system.yaml.
Follow these steps to apply the configuration changes.
Make the changes to values.yaml.
Run the command.
```bash
helm upgrade --install pipelines --namespace pipelines jfrog/pipelines -f values.yaml
```
Install Pipelines.
```bash
kubectl create ns pipelines
helm upgrade --install pipelines --namespace pipelines jfrog/pipelines -f pipelines/values-ingress.yaml -f pipelines/values-ingress-passwords.yaml
```
Access Pipelines from your browser at: http://<jfrogUrl>/ui/, then go to the Pipelines tab in the Application module in the UI.
Check the status of your deployed helm releases.
```bash
helm status pipelines
```
Note
For advanced installation options, see Helm Charts Installers for Advanced Users.