The following section addresses security-related issues in the Helm Charts installation, such as managing subscriptions and secrets, network policy, and more.
Customizing the Database Password
You can override the database password specified in values.yaml by passing it as a parameter in the install command line.
helm upgrade --install artifactory --namespace artifactory --set postgresql.postgresqlPassword=12_hX34qwerQ2 jfrog/artifactory
You can customize other parameters in the same way, by passing them in the helm install command line.
Creating an Ingress Object
To get Helm to create an ingress object with a hostname, add these lines to the artifactory-ingress-values.yaml file and use it with your helm install or upgrade.
ingress:
  enabled: true
  hosts:
    - artifactory.company.com
artifactory:
  service:
    type: NodePort
nginx:
  enabled: false
helm upgrade --install artifactory -f artifactory-ingress-values.yaml --namespace artifactory jfrog/artifactory
If your cluster allows for automatic creation/retrieval of TLS certificates (for example, by using a cert-manager; for more information, see cert-manager), create the ingress object as follows.
To configure TLS manually, first create/retrieve a key and certificate pair for the address(es) you wish to protect.
Next, create a TLS secret in the namespace.
kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key
Include the secret's name, along with the desired hostnames, in the Artifactory Ingress TLS section of your custom values.yaml file.
ingress:
  ## If true, Artifactory Ingress will be created
  ##
  enabled: true
  ## Artifactory Ingress hostnames
  ## Must be provided if Ingress is enabled
  ##
  hosts:
    - artifactory.domain.com
  annotations:
    kubernetes.io/tls-acme: "true"
  ## Artifactory Ingress TLS configuration
  ## Secrets must be manually created in the namespace
  ##
  tls:
    - secretName: artifactory-tls
      hosts:
        - artifactory.domain.com
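Before the key and certificate go into the artifactory-tls secret, the pair can be checked against the hostname the Ingress will serve. The script below is an added example, not part of the JFrog documentation; check_tls_pair and the script name are hypothetical, and it assumes the openssl CLI is installed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of a TLS pair before `kubectl create secret tls`.
# check_tls_pair is a hypothetical helper; it only needs the openssl CLI.
#
# Usage:   check_tls_pair <cert.pem> <key.pem> <hostname>
# Returns: 0 usable, 2 unreadable input, 3 key/cert mismatch,
#          4 certificate expired, 5 hostname not covered.
check_tls_pair() {
    local cert="$1" key="$2" host="$3"
    local cert_pub key_pub

    # Extract the public key from the certificate and derive it from the
    # private key. "-passin pass:" makes an encrypted key fail here instead
    # of blocking on a passphrase prompt.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate: $cert" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) \
        || { echo "cannot read private key: $key" >&2; return 2; }

    # A key that does not belong to the certificate breaks every TLS handshake.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to certificate" >&2
        return 3
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired" >&2; return 4; }

    # -checkhost reports the result as text ("does match" / "does NOT match"),
    # so test the output.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 \
        | grep -q "does match certificate" \
        || { echo "certificate does not cover $host" >&2; return 5; }
}

# Run as a script:
#   ./check-tls.sh path/to/tls.cert path/to/tls.key artifactory.domain.com
if [ "$#" -eq 3 ]; then
    check_tls_pair "$@" && echo "key and certificate are consistent for $3"
fi
```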
Using Ingress Annotations
The following is an example of an Ingress annotation that enables Artifactory to work as a Docker Registry using the Repository Path method. For more information, see Artifactory as Docker Registry.
ingress:
  enabled: true
  defaultBackend:
    enabled: false
  hosts:
    - myhost.example.com
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "true"
    ingress.kubernetes.io/proxy-body-size: "0"
    ingress.kubernetes.io/proxy-read-timeout: "600"
    ingress.kubernetes.io/proxy-send-timeout: "600"
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token;
      rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3;
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  tls:
    - hosts:
        - "myhost.example.com"
If you are using Artifactory as an SSO provider (e.g., with Xray), you will need to use the following annotations, replacing <artifactory-domain> with your domain.
..
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_pass_header Server;
      proxy_set_header X-JFrog-Override-Base-Url https://<artifactory-domain>;
Adding Additional Ingress Rules
You also have the option of adding additional Ingress rules to the Artifactory Ingress. An example for this use case would be to route the /xray path to Xray. To do that, simply add the following to the artifactory-values.yaml file and run the upgrade.
ingress:
  enabled: true
  defaultBackend:
    enabled: false
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite "(?i)/xray(/|$)(.*)" /$2 break;
  additionalRules: |
    - host: <MY_HOSTNAME>
      http:
        paths:
          - path: /
            backend:
              serviceName: <XRAY_SERVER_SERVICE_NAME>
              servicePort: <XRAY_SERVER_SERVICE_PORT>
          - path: /xray
            backend:
              serviceName: <XRAY_SERVER_SERVICE_NAME>
              servicePort: <XRAY_SERVER_SERVICE_PORT>
          - path: /artifactory
            backend:
              serviceName: {{ template "artifactory.nginx.fullname" . }}
              servicePort: {{ .Values.nginx.externalPortHttp }}
helm upgrade --install xray jfrog/artifactory -f artifactory-values.yaml