[All] Support for custom certificates using secrets (jfrog#1351)
Support for custom certificates using secrets
chukka authored Feb 8, 2021
1 parent e064042 commit 69cbcea
Showing 38 changed files with 835 additions and 199 deletions.
21 changes: 18 additions & 3 deletions stable/artifactory-ha/CHANGELOG.md
@@ -1,13 +1,28 @@
# JFrog Artifactory-ha Chart Changelog
All changes to this chart will be documented in this file

## [4.7.6] - Jan 11, 2020
## [4.8.0] - Feb 08, 2021
* Updated Artifactory version to 7.12.8 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.8)
* Support for custom certificates using secrets
* **Important:** Switched docker images download from `docker.bintray.io` to `releases-docker.jfrog.io`
* Update alpine tag version to `3.13.1`

## [4.7.9] - Feb 3, 2021
* Fix copyOnEveryStartup for HA cluster license

## [4.7.8] - Jan 25, 2021
* Add support for hostAliases

## [4.7.7] - Jan 11, 2021
* Fix failures when using creds file for configurating google storage

## [4.7.6] - Jan 11, 2021
* Updated Artifactory version to 7.12.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.6)

## [4.7.5] - Jan 07, 2020
## [4.7.5] - Jan 07, 2021
* Added support for optional tracker dedicated ingress `.Values.artifactory.replicator.trackerIngress.enabled` (defaults to false)

## [4.7.4] - Jan 04, 2020
## [4.7.4] - Jan 04, 2021
* Fixed gid support for statefulset

## [4.7.3] - Dec 31, 2020
4 changes: 2 additions & 2 deletions stable/artifactory-ha/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
name: artifactory-ha
home: https://www.jfrog.com/artifactory/
version: 4.7.6
appVersion: 7.12.6
version: 4.8.0
appVersion: 7.12.8
description: Universal Repository Manager supporting all major packaging formats,
build tools and CI servers.
keywords:
10 changes: 10 additions & 0 deletions stable/artifactory-ha/templates/_helpers.tpl
Expand Up @@ -290,3 +290,13 @@ Return the proper artifactory app version
{{- $tag := $image._1 -}}
{{- printf "%s" $tag -}}
{{- end -}}

{{/*
Custom certificate copy command
*/}}
{{- define "artifactory-ha.copyCustomCerts" -}}
echo "Copy custom certificates to {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted";
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted;
find /tmp/certs -type f -not -name "*.key" -exec cp -v {} {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted \;;
find {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/ -type f -name "tls.crt" -exec mv -v {} {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/ca.crt \;;
{{- end -}}
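Review bot: The helper copies into `{{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted`, which the statefulsets mount from the persistent `volume`, and it never removes anything it copied on an earlier start, so a certificate deleted from the secret (or rotated under a new file name) stays in the trust store until someone removes it from the volume by hand. The `-not -name "*.key"` filter is a name-based exclusion only: every other entry of the secret, whatever its content, lands in the trusted directory, and `mv` silently overwrites an existing `ca.crt`. Both behaviours belong in the `{{/* */}}` header, e.g. `Copies every entry of the ca-certs secret except *.key into the persistent trusted dir and renames tls.crt to ca.crt; certificates removed from the secret are not cleaned up and must be deleted from the volume manually.` The same helper is duplicated as `artifactory.copyCustomCerts` in stable/artifactory/templates/_helpers.tpl below and needs the same header.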
31 changes: 31 additions & 0 deletions stable/artifactory-ha/templates/artifactory-node-statefulset.yaml
Expand Up @@ -185,6 +185,22 @@ spec:
- name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }}
mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }}
{{- end }}
{{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }}
- name: copy-custom-certificates
image: "{{ .Values.initContainerImage }}"
resources:
{{ toYaml .Values.initContainers.resources | indent 10 }}
command:
- 'sh'
- '-c'
- >
{{ include "artifactory-ha.copyCustomCerts" . | indent 10 }}
volumeMounts:
- name: volume
mountPath: {{ .Values.artifactory.persistence.mountPath }}
- name: ca-certs
mountPath: "/tmp/certs"
{{- end }}
{{- if .Values.waitForDatabase }}
{{- if or .Values.postgresql.enabled }}
- name: "wait-for-db"
Expand Down Expand Up @@ -321,6 +337,10 @@ spec:
subPath: gcp.credentials.json
{{- end }}
{{- end }}
{{- if .Values.hostAliases }}
hostAliases:
{{ toYaml .Values.hostAliases | indent 6 }}
{{- end }}
containers:
- name: {{ .Values.artifactory.name }}
image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }}
Expand All @@ -332,6 +352,12 @@ spec:
- '-c'
- >
set -e;
{{- range .Values.artifactory.copyOnEveryStartup }}
{{- $targetPath := printf "%s/%s" $.Values.artifactory.persistence.mountPath .target }}
{{- $baseDirectory := regexFind ".*/" $targetPath }}
mkdir -p {{ $baseDirectory }};
cp -Lrf {{ .source }} {{ $.Values.artifactory.persistence.mountPath }}/{{ .target }};
{{- end }}
{{- if .Values.artifactory.preStartCommand }}
echo "Running custom preStartCommand command";
{{ tpl .Values.artifactory.preStartCommand . }};
Expand Down Expand Up @@ -603,6 +629,11 @@ spec:
{{ toYaml . | indent 8 }}
{{- end }}
volumes:
{{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }}
- name: ca-certs
secret:
secretName: {{ default .Values.global.customCertificates.certificateSecretName .Values.artifactory.customCertificates.certificateSecretName }}
{{- end }}
{{- if .Values.artifactory.binarystore.enabled }}
- name: binarystore-xml
secret:
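Review bot: At the `ca-certs` volume, `secretName` renders empty when `customCertificates.enabled` is true but neither `global.customCertificates.certificateSecretName` nor `artifactory.customCertificates.certificateSecretName` is set (both are commented out in values.yaml), so the mistake surfaces as a rejected StatefulSet or a pod stuck in creation rather than at template time. Wrapping the lookup in `required` fails fast with a readable message: `secretName: {{ required "customCertificates.certificateSecretName must be set when customCertificates.enabled is true" (default .Values.global.customCertificates.certificateSecretName .Values.artifactory.customCertificates.certificateSecretName) }}`. The `copy-custom-certificates` init container in the first hunk belongs to an `initContainers:` list that begins outside the hunk. The following statefulset section (its file header is not shown here) adds the identical volume and init container and should get the same `required` guard.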
Expand Up @@ -263,6 +263,22 @@ spec:
- name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }}
mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }}
{{- end }}
{{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }}
- name: copy-custom-certificates
image: "{{ .Values.initContainerImage }}"
resources:
{{ toYaml .Values.initContainers.resources | indent 10 }}
command:
- 'sh'
- '-c'
- >
{{ include "artifactory-ha.copyCustomCerts" . | indent 10 }}
volumeMounts:
- name: volume
mountPath: {{ .Values.artifactory.persistence.mountPath }}
- name: ca-certs
mountPath: "/tmp/certs"
{{- end }}
{{- if .Values.waitForDatabase }}
{{- if or .Values.postgresql.enabled }}
- name: "wait-for-db"
Expand Down Expand Up @@ -399,6 +415,10 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.hostAliases }}
hostAliases:
{{ toYaml .Values.hostAliases | indent 6 }}
{{- end }}
containers:
- name: {{ .Values.artifactory.name }}
image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }}
Expand Down Expand Up @@ -701,6 +721,11 @@ spec:
{{ toYaml . | indent 8 }}
{{- end }}
volumes:
{{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }}
- name: ca-certs
secret:
secretName: {{ default .Values.global.customCertificates.certificateSecretName .Values.artifactory.customCertificates.certificateSecretName }}
{{- end }}
{{- if .Values.artifactory.binarystore.enabled }}
- name: binarystore-xml
secret:
51 changes: 41 additions & 10 deletions stable/artifactory-ha/values.yaml
Expand Up @@ -4,7 +4,7 @@
# Access the values with {{ .Values.key.subkey }}

global:
# imageRegistry: docker.bintray.io
# imageRegistry: releases-docker.jfrog.io
# imagePullSecrets:
# - myRegistryKeySecretName
## Chart.AppVersion can be overidden using global.versions.artifactory or .Values.artifactory.image.tag
Expand All @@ -26,7 +26,12 @@ global:

# customSidecarContainers: |

initContainerImage: docker.bintray.io/alpine:3.12.1
## certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory
customCertificates:
enabled: false
# certificateSecretName:

initContainerImage: releases-docker.jfrog.io/alpine:3.13.1

installer:
type:
Expand Down Expand Up @@ -137,7 +142,7 @@ waitForDatabase: true
postgresql:
enabled: true
image:
registry: docker.bintray.io
registry: releases-docker.jfrog.io
repository: bitnami/postgresql
tag: 12.5.0-debian-10-r25
postgresqlUsername: artifactory
Expand Down Expand Up @@ -193,7 +198,7 @@ database:

logger:
image:
registry: docker.bintray.io
registry: releases-docker.jfrog.io
repository: busybox
tag: 1.31.1

Expand All @@ -202,7 +207,7 @@ artifactory:
name: artifactory-ha
# Note that by default we use appVersion to get image tag/version
image:
registry: docker.bintray.io
registry: releases-docker.jfrog.io
repository: jfrog/artifactory-pro
# tag:
pullPolicy: IfNotPresent
Expand All @@ -226,6 +231,11 @@ artifactory:
maxThreads: 200
extraConfig: 'acceptCount="100"'

# certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory
customCertificates:
enabled: false
# certificateSecretName:

# Support for open metrics is only available for Artifactory 7.7.x (appVersions) and above.
# To enable set `.Values.artifactory.openMetrics.enabled` to `true`
# Refer - https://www.jfrog.com/confluence/display/JFROG/Open+Metrics
Expand All @@ -247,7 +257,7 @@ artifactory:
# # Relative to ARTIFACTORY_HOME/
# target: etc/artifactory/
# # Absolute path
# - source: /artifactory_bootstrap/artifactory.lic
# - source: /artifactory_bootstrap/artifactory.cluster.license
# # Relative to ARTIFACTORY_HOME/
# target: etc/artifactory/

Expand Down Expand Up @@ -443,7 +453,7 @@ artifactory:
## licenseKey is the license key in plain text. Use either this or the license.secret setting
licenseKey:
## If artifactory.license.secret is passed, it will be mounted as
## ARTIFACTORY_HOME/etc/artifactory.lic and loaded at run time.
## ARTIFACTORY_HOME/etc/artifactory.cluster.license and loaded at run time.
secret:
## The dataKey should be the name of the secret data key created.
dataKey:
Expand Down Expand Up @@ -746,7 +756,11 @@ artifactory:
<minSpareUploaderExecutor>2</minSpareUploaderExecutor>
<sub-provider id="eventual-cluster" type="eventual-cluster">
<provider id="retry" type="retry">
{{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
<provider id="google-storage-v2" type="google-storage-v2"/>
{{- else }}
<provider id="google-storage" type="google-storage"/>
{{- end }}
</provider>
</sub-provider>
<dynamic-provider id="remote" type="remote"/>
Expand Down Expand Up @@ -776,13 +790,18 @@ artifactory:
<tempDir>/tmp</tempDir>
</provider>
{{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
<provider id="google-storage-v2" type="google-storage-v2">
<useInstanceCredentials>false</useInstanceCredentials>
{{- else }}
<provider id="google-storage" type="google-storage">
<identity>{{ .Values.artifactory.persistence.googleStorage.identity }}</identity>
<credential>{{ .Values.artifactory.persistence.googleStorage.credential }}</credential>
{{- end }}
<providerId>google-cloud-storage</providerId>
<endpoint>{{ .Values.artifactory.persistence.googleStorage.endpoint }}</endpoint>
<httpsOnly>{{ .Values.artifactory.persistence.googleStorage.httpsOnly }}</httpsOnly>
<bucketName>{{ .Values.artifactory.persistence.googleStorage.bucketName }}</bucketName>
<identity>{{ .Values.artifactory.persistence.googleStorage.identity }}</identity>
<credential>{{ .Values.artifactory.persistence.googleStorage.credential }}</credential>
<path>{{ .Values.artifactory.persistence.googleStorage.path }}</path>
<bucketExists>{{ .Values.artifactory.persistence.googleStorage.bucketExists }}</bucketExists>
</provider>
Expand Down Expand Up @@ -1332,7 +1351,7 @@ nginx:
gid: 107
# Note that by default we use appVersion to get image tag/version
image:
registry: docker.bintray.io
registry: releases-docker.jfrog.io
repository: jfrog/nginx-artifactory-pro
# tag:
pullPolicy: IfNotPresent
Expand Down Expand Up @@ -1651,3 +1670,15 @@ filebeat:
## Use --- as a separator between multiple resources
## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-ha-values.yaml
additionalResources: |
# Adding entries to a Pod's /etc/hosts file
# For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases
hostAliases: []
# - ip: "127.0.0.1"
# hostnames:
# - "foo.local"
# - "bar.local"
# - ip: "10.1.2.3"
# hostnames:
# - "foo.remote"
# - "bar.remote"
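Review bot: The comment above `customCertificates` (here under `global:`, and again under `artifactory:` in a later hunk of this file) says the secret's certificates are copied to the trusted directory, but it omits what the init container actually does with the secret's entries: every file except `*.key` is copied, `tls.crt` is renamed to `ca.crt`, and nothing copied on an earlier start is removed. A reader of values.yaml alone cannot tell that a `kubernetes.io/tls` secret works, that its private key is deliberately left out, or that this is a trust store for CA certificates rather than the server certificate. I would expand both comments to, e.g. `## Name of an existing secret holding CA certificates to trust. Every entry except *.key is copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted on each start (tls.crt is stored as ca.crt); certificates removed from the secret are not removed from the volume.`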
18 changes: 15 additions & 3 deletions stable/artifactory/CHANGELOG.md
@@ -1,13 +1,25 @@
# JFrog Artifactory Chart Changelog
All changes to this chart will be documented in this file.

## [11.7.6] - Jan 11, 2020
## [11.8.0] - Feb 08, 2021
* Updated Artifactory version to 7.12.8 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.8)
* Support for custom certificates using secrets
* **Important:** Switched docker images download from `docker.bintray.io` to `releases-docker.jfrog.io`
* Update alpine tag version to `3.13.1`

## [11.7.8] - Jan 25, 2021
* Add support for hostAliases

## [11.7.7] - Jan 11, 2021
* Fix failures when using creds file for configurating google storage

## [11.7.6] - Jan 11, 2021
* Updated Artifactory version to 7.12.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.6)

## [11.7.5] - Jan 07, 2020
## [11.7.5] - Jan 07, 2021
* Added support for optional tracker dedicated ingress `.Values.artifactory.replicator.trackerIngress.enabled` (defaults to false)

## [11.7.4] - Jan 04, 2020
## [11.7.4] - Jan 04, 2021
* Fixed gid support for statefulset

## [11.7.3] - Dec 31, 2020
4 changes: 2 additions & 2 deletions stable/artifactory/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
name: artifactory
home: https://www.jfrog.com/artifactory/
version: 11.7.6
appVersion: 7.12.6
version: 11.8.0
appVersion: 7.12.8
description: Universal Repository Manager supporting all major packaging formats,
build tools and CI servers.
keywords:
10 changes: 10 additions & 0 deletions stable/artifactory/templates/_helpers.tpl
Expand Up @@ -248,3 +248,13 @@ Return the proper artifactory app version
{{- $tag := $image._1 -}}
{{- printf "%s" $tag -}}
{{- end -}}

{{/*
Custom certificate copy command
*/}}
{{- define "artifactory.copyCustomCerts" -}}
echo "Copy custom certificates to {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted";
mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted;
find /tmp/certs -type f -not -name "*.key" -exec cp -v {} {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted \;;
find {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/ -type f -name "tls.crt" -exec mv -v {} {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/ca.crt \;;
{{- end -}}
@@ -0,0 +1,16 @@
{{- if not .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
{{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
kind: Secret
apiVersion: v1
metadata:
name: {{ template "artifactory.fullname" . }}-gcpcreds
labels:
app: {{ template "artifactory.name" . }}
chart: {{ template "artifactory.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
stringData:
gcp.credentials.json: |-
{{ tpl .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config . | indent 4 }}
{{- end }}
{{- end }}
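Review bot: This new template renders `gcpServiceAccount.config` into `stringData` in plain text, so the service-account credentials travel through the values file into the rendered manifest and the Helm release record kept in the cluster; the `customSecretName` branch that skips the template is the path that avoids this, but nothing in the file says so. A header comment would make the trade-off visible, e.g. `{{/* Renders the GCP service-account JSON from values into a Secret. Prefer a pre-created secret via gcpServiceAccount.customSecretName so the credentials do not pass through values and the release manifest. */}}`. The template also assumes `config` is a non-empty string whenever `enabled` is true and no custom secret is named; whether `tpl` on an unset value fails with a readable error or yields an empty `gcp.credentials.json` is worth confirming, and `required` around `.Values.artifactory.persistence.googleStorage.gcpServiceAccount.config` would settle it either way.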