- Kubernetes 1.12+
This chart will do the following:
- Deploy PostgreSQL (optionally with an external PostgreSQL instance)
- Deploy RabbitMQ (optionally as an HA cluster)
- Deploy Redis (optionally as an HA cluster)
- Deploy Vault (optionally as an HA cluster)
- Deploy JFrog Pipelines
- A running Kubernetes cluster
- Dynamic storage provisioning enabled
- Default StorageClass set to allow services using the default StorageClass for persistent storage
- A running Artifactory 7.7.x with Enterprise+ License
- Kubectl installed and set up to use the cluster
- Helm v2 or v3 installed
Before installing JFrog helm charts, you need to add the ChartCenter helm repository to your helm client:
```bash
helm repo add center https://repo.chartcenter.io
helm repo update
```
To connect Pipelines to your Artifactory installation you have to use a Join Key, so it is MANDATORY to provide a Join Key, `jfrogUrl` and `jfrogUrlUI` to your Pipelines installation. Here's how you do that:
Retrieve the connection details of your Artifactory installation from the UI: https://www.jfrog.com/confluence/display/JFROG/General+Security+Settings#GeneralSecuritySettings-ViewingtheJoinKey
```yaml
pipelines:
  ## Artifactory URL - Mandatory
  ## If Artifactory and Pipelines are in same namespace, jfrogUrl is Artifactory service name, otherwise its external URL of Artifactory
  jfrogUrl: ""
  ## Artifactory UI URL - Mandatory
  ## This must be the external URL of Artifactory, for example: https://artifactory.example.com
  jfrogUrlUI: ""
  ## Join Key to connect to Artifactory
  ## IMPORTANT: You should NOT use the example joinKey for a production deployment!
  joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
  ## Pipelines requires a unique master key
  ## You can generate one with the command: "openssl rand -hex 32"
  ## IMPORTANT: You should NOT use the example masterKey for a production deployment!
  masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
```
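
A pre-install check for the two keys above, as an added example that is not part of the chart: it generates a master key with the `openssl rand -hex 32` command from the comments and rejects a values file that still carries the sample `joinKey` or `masterKey`. The function names and the 64-hex-character length check are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not part of the chart): reject the sample joinKey/masterKey.

# Print a new master key: 32 random bytes as 64 hex characters.
gen_master_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32                          # command from the chart comments
  else
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'   # fallback without openssl
  fi
}

# Print the first token after "<key>:" in a values file, quotes removed.
values_get() {  # $1 = file, $2 = key
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" |
    head -n 1 | tr -d "\"'"
}

# Succeed if $1 is empty or a single character repeated (EEEE..., FFFF...).
is_placeholder() {
  [ -z "$1" ] && return 0
  first=$(printf '%s' "$1" | cut -c1)
  [ -z "$(printf '%s' "$1" | tr -d "$first")" ]
}

# Print findings for one values file; return 1 if any key must be replaced.
check_keys() {  # $1 = values file
  rc=0
  jk=$(values_get "$1" joinKey)
  mk=$(values_get "$1" masterKey)
  if is_placeholder "$jk"; then echo "joinKey: unset or sample value"; rc=1; fi
  if is_placeholder "$mk"; then
    echo "masterKey: unset or sample value"; rc=1
  # Assumption: a valid masterKey has the shape "openssl rand -hex 32" emits.
  elif ! printf '%s' "$mk" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
    echo "masterKey: expected 64 hex characters"; rc=1
  fi
  return "$rc"
}

# Constructed input: the sample keys exactly as they appear in the values above.
sample=$(mktemp)
printf 'pipelines:\n  joinKey: %s\n  masterKey: %s\n' \
  EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE \
  FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF > "$sample"
check_keys "$sample" || echo "refusing to install with sample keys"
rm -f "$sample"
```

Run `check_keys` against `values-ingress-passwords.yaml` (or whichever file holds the keys) before `helm upgrade --install`, and fail the deployment job when it returns non-zero.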
Before deploying Pipelines you need to have the following:
- A running Kubernetes cluster
- An Artifactory or Artifactory HA with Enterprise+ License
  - Precreated repository `jfrogpipelines` in Artifactory, type `Generic`, with layout `maven-2-default`
- Deployed Nginx-ingress controller
- [Optional] Deployed Cert-manager for automatic management of TLS certificates with Let's Encrypt
- [Optional] TLS secret needed for https access
Fetch the JFrog Pipelines helm chart to get the needed configuration files:
```bash
helm fetch center/jfrog/pipelines --untar
```
Edit local copies of `values-ingress.yaml`, `values-ingress-passwords.yaml` and `values-ingress-external-secret.yaml` with the needed configuration values:
- URLs in `values-ingress.yaml`
  - Artifactory URL
  - Ingress hosts
  - Ingress tls secrets
- Passwords `uiUserPassword`, `postgresqlPassword` and `auth.password` must be set, and same for `masterKey` and `joinKey` in `values-ingress-passwords.yaml`
Install JFrog Pipelines:
```bash
kubectl create ns pipelines
helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f pipelines/values-ingress.yaml -f pipelines/values-ingress-passwords.yaml
```
While upgrading from Pipelines chart version 1.x to 2.x and above, due to breaking changes in the rabbitmq subchart (6.x to 7.x chart version when `rabbitmq.enabled=true`) and the postgresql subchart (8.x to 9.x chart version when `postgresql.enabled=true`), please run the manual commands below (downtime is required).
Note: Also make sure all existing Pipelines build runs are completed (rabbitmq queues are empty) when you start an upgrade.
Important: This is a breaking change from 6.x to 7.x (chart versions) of Rabbitmq chart - Please refer here
RabbitMQ password configuration in the Values.yaml has changed from rabbit.rabbit.password to rabbit.auth.password
```bash
kubectl --namespace <namespace> delete statefulsets <release_name>-pipelines-services
kubectl --namespace <namespace> delete statefulsets <release_name>-pipelines-vault
kubectl --namespace <namespace> delete statefulsets <release_name>-postgresql
kubectl --namespace <namespace> delete statefulsets <release_name>-rabbitmq
kubectl --namespace <namespace> delete pvc data-<release_name>-rabbitmq-0
helm upgrade --install pipelines --namespace <namespace> center/jfrog/pipelines
```
Note: Best practice is to use external secrets instead of storing passwords in `values.yaml` files.
Don't forget to update URLs in the `values-ingress-external-secret.yaml` file.
Fill in all required passwords, `masterKey` and `joinKey` in `values-ingress-passwords.yaml` and then create and install the external secret.
Note: Helm release name for secrets generation and `helm install` must be set the same, in this case it is `pipelines`.
With Helm v2:
```bash
## Generate pipelines-system-yaml secret
helm template --name-template pipelines pipelines/ -x templates/pipelines-system-yaml.yaml \
  -f pipelines/values-ingress-external-secret.yaml -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
## Generate pipelines-database secret
helm template --name-template pipelines pipelines/ -x templates/database-secret.yaml \
  -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
## Generate pipelines-rabbitmq-secret secret
helm template --name-template pipelines pipelines/ -x templates/rabbitmq-secret.yaml \
  -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
```
With Helm v3:
```bash
## Generate pipelines-system-yaml secret
helm template --name-template pipelines pipelines/ -s templates/pipelines-system-yaml.yaml \
  -f pipelines/values-ingress-external-secret.yaml -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
## Generate pipelines-database secret
helm template --name-template pipelines pipelines/ -s templates/database-secret.yaml \
  -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
## Generate pipelines-rabbitmq-secret secret
helm template --name-template pipelines pipelines/ -s templates/rabbitmq-secret.yaml \
  -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
```
Install JFrog Pipelines:
```bash
helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f values-ingress-external-secret.yaml
```
If you want to use external Rabbitmq, set `rabbitmq.enabled=false` and create `values-external-rabbitmq.yaml` with the yaml configuration below:
```yaml
rabbitmq:
  enabled: false
  internal_ip: "{{ .Release.Name }}-rabbitmq"
  msg_hostname: "{{ .Release.Name }}-rabbitmq"
  port: 5672
  manager_port: 15672
  ms_username: admin
  ms_password: password
  cp_username: admin
  cp_password: password
  build_username: admin
  build_password: password
  root_vhost_exchange_name: rootvhost
  erlang_cookie: secretcookie
  build_vhost_name: pipelines
  root_vhost_name: pipelinesRoot
  protocol: amqp
```
```bash
helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f values-external-rabbitmq.yaml
```
To use Vault securely you must set the `disablemlock` setting in the values.yaml to `false`, as per the Hashicorp Vault recommendations here:
https://www.vaultproject.io/docs/configuration#disable_mlock
For non-prod environments it is acceptable to leave this value set to `true`.
Note, however, that this enables a potential security issue where encrypted credentials could be swapped onto an unencrypted disk.
For this reason we recommend you always set this value to `false` to ensure mlock is enabled.
Non-Prod environments:
```yaml
vault:
  disablemlock: true
```
Production environments:
```yaml
vault:
  disablemlock: false
```
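
A lint for the two production caveats above (the sample credentials in `values-external-rabbitmq.yaml` and `vault.disablemlock: true`), as an added example that is not part of the chart. The function names and the trimmed sample file are constructed for illustration; only keys shown on this page are checked.

```sh
#!/bin/sh
# Added example (not part of the chart): flag values this page marks as
# unsafe for production. Only keys shown on this page are checked.

lint_values() {  # $1 = values file; prints findings, returns 1 if any
  awk '
    function report(p, why) { printf "%s: %s\n", p, why; found++ }
    /^[A-Za-z_]/ {                 # a key in column 0 starts a new section
      section = $0; sub(/:.*/, "", section); next
    }
    /^[ \t]+[A-Za-z_][A-Za-z0-9_]*:/ {   # an indented "key: value" line
      key = $0; sub(/^[ \t]+/, "", key); sub(/:.*/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      sub(/[ \t]*#.*/, "", val); gsub(/"/, "", val)
      path = section "." key
      if (path == "vault.disablemlock" && val == "true")
        report(path, "mlock is disabled, memory can be swapped to disk")
      else if (section == "rabbitmq" && key ~ /_password$/ && val == "password")
        report(path, "sample password from the example values")
      else if (path == "rabbitmq.erlang_cookie" && val == "secretcookie")
        report(path, "sample Erlang cookie from the example values")
    }
    END { exit (found > 0) }
  ' "$1"
}

# Constructed input: the non-production Vault setting and the external
# RabbitMQ sample credentials from this page, trimmed to the checked keys.
sample_values() {
  cat <<'EOF'
vault:
  disablemlock: true
rabbitmq:
  enabled: false
  ms_username: admin
  ms_password: password
  cp_password: password
  build_password: password
  erlang_cookie: secretcookie
EOF
}

f=$(mktemp) && sample_values > "$f"
lint_values "$f" || echo "values file is not production-ready"
rm -f "$f"
```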
See the status of deployed helm release:
With Helm v2:
```bash
helm status pipelines
```
With Helm v3:
```bash
helm status pipelines --namespace pipelines
```
- By default, the pipelines images will use the value `appVersion` in the Chart.yml. This can be overridden by adding `version` to the `pipelines` section of the values.yml
To start using Pipelines you need to set up a Build Plane:
- For Static VMs Node-pool setup, please read Managing Node Pools.
- For Dynamic VMs Node-pool setup, please read Managing Dynamic Node Pools.
- For Kubernetes Node-pool setup, please read Managing Dynamic Node Pools.