Security-related Issues

JFrog Installation & Setup Documentation

The following section addresses security-related issues in the Helm Charts installation, such as managing subscriptions and secrets, network policy, and more.

Customizing the Database Password

You can override the database password specified in values.yaml by passing it as a parameter on the install command line.

helm upgrade --install artifactory --namespace artifactory --set postgresql.postgresqlPassword=12_hX34qwerQ2 jfrog/artifactory

You can customize other parameters in the same way, by passing them in the helm install command line.

Creating an Ingress Object

To get Helm to create an ingress object with a hostname, add these lines to the artifactory-ingress-values.yaml file and use it with your helm install or upgrade.

ingress:
  enabled: true
  hosts:
    - artifactory.company.com
artifactory:
  service:
    type: NodePort
nginx:
  enabled: false

helm upgrade --install artifactory -f artifactory-ingress-values.yaml --namespace artifactory jfrog/artifactory

If your cluster allows for automatic creation/retrieval of TLS certificates (for example, by using cert-manager; for more information, see the cert-manager documentation), create the ingress object as follows.

  1. To configure TLS manually, first create/retrieve a key and certificate pair for the address(es) you wish to protect.

  2. Next, create a TLS secret in the namespace.

    kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key

  3. Include the secret's name, along with the desired hostnames, in the Artifactory Ingress TLS section of your custom values.yaml file.

    ingress:
        ## If true, Artifactory Ingress will be created
        ##
        enabled: true
    
        ## Artifactory Ingress hostnames
        ## Must be provided if Ingress is enabled
        ##
        hosts:
          - artifactory.domain.com
        annotations:
          kubernetes.io/tls-acme: "true"
        ## Artifactory Ingress TLS configuration
        ## Secrets must be manually created in the namespace
        ##
        tls:
          - secretName: artifactory-tls
            hosts:
              - artifactory.domain.com

Using Ingress Annotations

The following is an example of an Ingress annotation that enables Artifactory to work as a Docker Registry using the Repository Path method. For more information, see Getting Started with Artifactory as a Docker Registry.

ingress:
  enabled: true
  defaultBackend:
    enabled: false
  hosts:
    - myhost.example.com
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "true"
    ingress.kubernetes.io/proxy-body-size: "0"
    ingress.kubernetes.io/proxy-read-timeout: "600"
    ingress.kubernetes.io/proxy-send-timeout: "600"
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token;
      rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3;
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  tls:
    - hosts:
      - "myhost.example.com"
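
An added check, not JFrog chart code, that audits an ingress values block like the ones above before it is applied: every host should be covered by a tls entry that names a secret, and HTTP should be redirected to HTTPS. The values are constructed Python dicts mirroring the page's YAML (no PyYAML needed), and the annotation keys checked are the one used on this page plus the nginx.ingress.kubernetes.io form.

```python
"""Audit an `ingress:` Helm values block for missing TLS coverage.
Added example (not JFrog chart code); values are constructed dicts."""

# Constructed: the Docker-registry ingress values above (the tls entry
# lists the host but names no secret).
DOCKER_INGRESS = {
    "enabled": True,
    "hosts": ["myhost.example.com"],
    "annotations": {
        "ingress.kubernetes.io/force-ssl-redirect": "true",
        "kubernetes.io/ingress.class": "nginx",
    },
    "tls": [{"hosts": ["myhost.example.com"]}],
}

# Constructed: the first ingress example on the page (hostname only, no tls:).
PLAIN_INGRESS = {"enabled": True, "hosts": ["artifactory.company.com"]}

REDIRECT_KEYS = (
    "ingress.kubernetes.io/force-ssl-redirect",
    "nginx.ingress.kubernetes.io/force-ssl-redirect",
)


def audit_ingress(ingress: dict) -> list[str]:
    """Return one finding per weak spot; an empty list means TLS is explicit
    for every host and HTTP is redirected to HTTPS."""
    if not ingress.get("enabled"):
        return []  # nothing is exposed through this object
    findings = []
    covered = set()
    for i, entry in enumerate(ingress.get("tls") or []):
        hosts = entry.get("hosts") or []
        covered.update(hosts)
        if not entry.get("secretName"):
            # ingress-nginx then serves the controller's default certificate
            findings.append(f"tls[{i}] ({', '.join(hosts)}) names no secretName")
    for host in ingress.get("hosts") or []:
        if host not in covered:
            findings.append(f"host {host} has no tls entry: served over plain HTTP")
    annotations = ingress.get("annotations") or {}
    if not any(annotations.get(k) == "true" for k in REDIRECT_KEYS):
        findings.append("no force-ssl-redirect annotation: HTTP is not redirected")
    return findings


if __name__ == "__main__":
    for name, values in (("docker", DOCKER_INGRESS), ("plain", PLAIN_INGRESS)):
        print(name, audit_ingress(values) or ["ok"])
```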

If you are using Artifactory as an SSO provider (e.g., with Xray), you will need to use the following annotations, replacing <artifactory-domain> with your domain.

...
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_pass_header   Server;
        proxy_set_header    X-JFrog-Override-Base-Url https://<artifactory-domain>;

Adding Additional Ingress Rules

You also have the option of adding additional Ingress rules to the Artifactory Ingress. An example for this use case would be to route the /xray path to Xray. To do that, simply add the following to the artifactory-values.yaml file and run the upgrade.

ingress:
  enabled: true
  defaultBackend:
    enabled: false
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite "(?i)/xray(/|$)(.*)" /$2 break;

  additionalRules: |
    - host: <MY_HOSTNAME>
      http:
        paths:
          - path: /
            backend:
              serviceName: <XRAY_SERVER_SERVICE_NAME>
              servicePort: <XRAY_SERVER_SERVICE_PORT>
          - path: /xray
            backend:
              serviceName: <XRAY_SERVER_SERVICE_NAME>
              servicePort: <XRAY_SERVER_SERVICE_PORT>
          - path: /artifactory
            backend:
              serviceName: {{ template "artifactory.nginx.fullname" . }}
              servicePort: {{ .Values.nginx.externalPortHttp }}

helm upgrade --install xray jfrog/artifactory -f artifactory-values.yaml
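
An added example, not JFrog's or ingress-nginx's code, that replays the nginx rewrite rules from the Docker-registry configuration-snippet above and the /xray snippet in this section on sample URIs, so you can see which backend path each incoming request is routed to before exposing the ingress. The sample URIs are constructed.

```python
"""Replay the page's nginx `rewrite` rules in Python (added example,
not JFrog or ingress-nginx code) to see where each URI is routed."""
import re

# Docker-registry snippet: two rules with no flag, so nginx applies the
# first and then tests the second against the already-rewritten URI.
DOCKER_RULES = [
    (re.compile(r"^/(v2)/token"), r"/artifactory/api/docker/null/v2/token"),
    (re.compile(r"^/(v2)/([^/]*)/(.*)"), r"/artifactory/api/docker/\2/\1/\3"),
]

# /xray snippet: case-insensitive; `break` stops the chain after a match.
XRAY_RULES = [
    (re.compile(r"(?i)/xray(/|$)(.*)"), r"/\2", "break"),
]


def rewrite_uri(uri: str, rules) -> str:
    """nginx rewrite semantics: a matching regex replaces the whole URI
    (not only the matched part) and `break` ends the rule chain."""
    for pattern, replacement, *flags in rules:
        match = pattern.search(uri)
        if match:
            uri = match.expand(replacement)
            if "break" in flags:
                break
    return uri


if __name__ == "__main__":
    # Constructed sample requests: registry token, manifest pull, Xray API.
    for uri, rules in (
        ("/v2/token", DOCKER_RULES),
        ("/v2/docker-local/manifests/latest", DOCKER_RULES),
        ("/xray/api/v1/system/ping", XRAY_RULES),
    ):
        print(f"{uri} -> {rewrite_uri(uri, rules)}")
```
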

Using a Dedicated Ingress Object for the Replicator Service

You also have the option of adding an additional Ingress object to the Replicator service. An example for this use case could be routing the /replicator/ path to Artifactory. To do that, simply add the following to the artifactory-values.yaml file.

artifactory:
  replicator:
    enabled: true
    ingress:
      name: <MY_INGRESS_NAME>
      hosts:
        - myhost.example.com
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/proxy-buffering: "off"
        nginx.ingress.kubernetes.io/configuration-snippet: |
          chunked_transfer_encoding on;
      tls:
        - hosts:
          - "myhost.example.com"
          secretName: <CUSTOM_SECRET>