Configure Nginx Service and Load Balancer for Helm

Configure the Kubernetes service type, load balancer IP, source ranges, external traffic policy, and cloud-provider annotations for Artifactory Helm deployments.

The JFrog Artifactory Helm chart exposes Artifactory through an Nginx pod. The nginx.service.* values control how Kubernetes exposes that Nginx pod to clients — the service type, IP assignment, access restrictions, and cloud-provider behavior. Configure these values in your values.yaml before or during installation.

Service Type

The nginx.service.type value determines how Kubernetes exposes the Nginx pod. The default is LoadBalancer.

| Service Type | When to Use |
| --- | --- |
| LoadBalancer | Cloud environments (AWS, GKE, AKS). The cloud provider provisions an external load balancer automatically. |
| NodePort | On-premises or bare-metal clusters without a cloud load balancer controller. Traffic enters on a fixed port on every node. Requires an external LB or DNS to distribute traffic. |
| ClusterIP | When you bring your own Ingress controller and do not want a public service. The Nginx service is only reachable from within the cluster. |

To change the service type, set it in your values.yaml:

nginx:
  service:
    type: NodePort

Or pass it inline:

helm upgrade --install artifactory jfrog/artifactory \
  --set nginx.service.type=NodePort

nginx.service Parameters

The following parameters are all nested under nginx.service in values.yaml.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| type | string | LoadBalancer | Kubernetes service type. Valid values: LoadBalancer, NodePort, ClusterIP. |
| loadBalancerIP | string | "" | Pin a specific static IP to the LoadBalancer service. The IP must be reserved in your cloud provider before install. Ignored when type is not LoadBalancer. |
| loadBalancerSourceRanges | list | [] | Restrict which source CIDRs can reach the load balancer. Example: ['10.0.0.0/8', '192.168.0.0/16']. Enforced as cloud provider firewall rules at the LB — effective regardless of externalTrafficPolicy. An empty list allows all sources. |
| externalTrafficPolicy | string | Cluster | Only applies when type is LoadBalancer. Cluster (default): traffic is distributed evenly across all nodes; original client IPs are not preserved in the pod. Local: routes only to nodes running an Artifactory pod and preserves the original client source IP. |
| annotations | map | {} | Cloud-provider annotations for the service. Used to control internal vs external LB, SSL certificates, DNS labels, and more. See Cloud-Provider Annotations below. |
| ssloffload | bool | false | Set to true to offload TLS termination at the load balancer layer. The chart routes the HTTPS service port (443) to Nginx's HTTP internal port (8080) so the LB handles TLS and forwards plain HTTP. Also set nginx.https.enabled: false to disable HTTPS inside the Nginx configuration. See Nginx SSL Termination at the Load Balancer. |
| ssloffloadForceHttps | bool | false | Only applies when ssloffload is true. Forces all requests from Nginx to the upstream Artifactory over HTTPS. Use when internal traffic must remain encrypted. |
| nodePort | int | (auto-assigned) | Fixed node port when type is NodePort. If not set, Kubernetes assigns a port in the default range (30000–32767). |
| ipFamilyPolicy | string | "" | Dual-stack policy. Valid values: SingleStack, PreferDualStack, RequireDualStack. Leave empty for single-stack IPv4 (default). |
| ipFamilies | list | [] | IP families for the service. Examples: ["IPv4"], ["IPv6"], ["IPv4", "IPv6"]. Leave empty to use cluster defaults. |
| customPorts | list | [] | Additional ports to expose on the Nginx service. Each entry follows Kubernetes service port syntax (port, targetPort, protocol, name). |

nginx.http and nginx.https Parameters

These values control the HTTP and HTTPS listeners inside the Nginx pod. The internal ports were changed from 80/443 to 8080/8443 to support OpenShift's non-root port restrictions.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| nginx.http.enabled | bool | true | Enable the HTTP listener. Set to false to require HTTPS-only access. |
| nginx.http.externalPort | int | 80 | External port exposed by the Kubernetes service for HTTP traffic. |
| nginx.http.internalPort | int | 8080 | Port inside the Nginx container that receives HTTP traffic. Do not change unless your Nginx image uses a different port. |
| nginx.https.enabled | bool | true | Enable the HTTPS listener. Set to false when offloading TLS at the load balancer layer (nginx.service.ssloffload: true). |
| nginx.https.externalPort | int | 443 | External port exposed by the Kubernetes service for HTTPS traffic. |
| nginx.https.internalPort | int | 8443 | Port inside the Nginx container that receives HTTPS traffic. |

Cloud-Provider Annotations

Use nginx.service.annotations to pass cloud-provider-specific instructions to the load balancer controller. Annotations are key-value strings added to the Kubernetes Service object.

The blocks below are alternatives, one per platform. Use only the block that matches your environment.

AWS:

nginx:
  service:
    annotations:
      # Provision an internal load balancer (accessible only within the VPC)
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
      # Use NLB instead of the default Classic LB
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      # Terminate TLS at the LB using an ACM certificate
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:123456789:certificate/xxxx"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

GKE:

nginx:
  service:
    annotations:
      # Provision an internal load balancer (accessible only within the VPC)
      cloud.google.com/load-balancer-type: "Internal"
      # Pin a static IP reserved in your GCP project
      networking.gke.io/load-balancer-ip: "10.128.0.50"

AKS:

nginx:
  service:
    annotations:
      # Provision an internal load balancer (accessible only within the VNet)
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      # Assign a DNS label to the public LB IP
      service.beta.kubernetes.io/azure-dns-label-name: "my-artifactory"
      # Pin a specific static IP from your subnet
      service.beta.kubernetes.io/azure-load-balancer-ipv4: "10.240.0.10"

MetalLB:

nginx:
  service:
    annotations:
      # Assign an IP from a named MetalLB address pool
      metallb.universe.tf/address-pool: "production-public-ips"

Static IP Assignment

To use a fixed IP address instead of letting the cloud provider assign one dynamically:

  1. Reserve a static IP in your cloud provider console.
  2. Add it to nginx.service.loadBalancerIP in your values.yaml:
nginx:
  service:
    loadBalancerIP: "34.120.50.10"

⚠️ Static IP and Helm Upgrades

If you run helm upgrade without specifying loadBalancerIP, the field defaults to empty and your cloud provider may reassign a different IP. Always include the IP in your values.yaml or pass it with --set on every upgrade.

Restrict Access by Source IP

To limit which IP ranges can reach the load balancer, set loadBalancerSourceRanges. This is enforced at the cloud provider level, not by Kubernetes or Nginx.

nginx:
  service:
    loadBalancerSourceRanges:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"

An empty list (the default) allows all sources.

📘 Source Ranges vs. Client IP Preservation

loadBalancerSourceRanges creates firewall rules at the cloud load balancer level — it works regardless of externalTrafficPolicy. If you also need the original client IP visible inside the Artifactory pod (for logging or access control), set externalTrafficPolicy: Local. These are independent settings: source ranges restrict who can reach the LB; traffic policy controls whether the pod sees the real client IP or the node's IP.
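
The parameter interactions described in the tables and in this section can be checked before an upgrade. The following is an added example, not part of the JFrog chart or its tooling: it audits a release's values, exported as JSON with `helm get values artifactory --all -o json`, against the rules stated on this page. The function name, the finding IDs and the sample values are assumptions made for illustration.

```python
import ipaddress
import json

# Annotations shown on this page that request an internal load balancer.
INTERNAL_LB = {
    "service.beta.kubernetes.io/aws-load-balancer-internal": "true",
    "cloud.google.com/load-balancer-type": "internal",
    "service.beta.kubernetes.io/azure-load-balancer-internal": "true",
}

def audit_nginx_exposure(values):
    """Return {finding_id: message} for the nginx.* values of one release."""
    nginx = values.get("nginx") or {}
    svc = nginx.get("service") or {}
    out = {}
    # TLS offload: the page pairs ssloffload with nginx.https.enabled: false.
    if svc.get("ssloffload") and (nginx.get("https") or {}).get("enabled", True):
        out["offload-https-on"] = "ssloffload is true but nginx.https.enabled is not false"
    if svc.get("ssloffloadForceHttps") and not svc.get("ssloffload"):
        out["force-https-noop"] = "ssloffloadForceHttps only applies when ssloffload is true"
    if svc.get("type", "LoadBalancer") != "LoadBalancer":
        if svc.get("loadBalancerIP"):
            out["lb-ip-ignored"] = "loadBalancerIP is ignored unless type is LoadBalancer"
        return out
    ann = svc.get("annotations") or {}
    internal = any(str(ann.get(k, "")).lower() == v for k, v in INTERNAL_LB.items())
    nets = [ipaddress.ip_network(c, strict=False)
            for c in svc.get("loadBalancerSourceRanges") or []]
    # An empty list allows all sources; a /0 entry has the same effect.
    if not nets or any(n.prefixlen == 0 for n in nets):
        scope = "any address in the private network" if internal else "any address"
        out["open-sources"] = f"load balancer accepts traffic from {scope}"
    if svc.get("externalTrafficPolicy", "Cluster") != "Local":
        out["client-ip-lost"] = "pod sees a node IP, not the client IP, in its logs"
    return out

# Constructed sample, shaped like `helm get values artifactory --all -o json`.
SAMPLE = json.loads("""
{"nginx": {"https": {"enabled": true},
           "service": {"type": "LoadBalancer", "ssloffload": true,
                       "loadBalancerSourceRanges": [],
                       "externalTrafficPolicy": "Cluster", "annotations": {}}}}
""")

if __name__ == "__main__":
    for finding_id, message in audit_nginx_exposure(SAMPLE).items():
        print(f"{finding_id}: {message}")
```

An empty result means the values are consistent with the rules on this page; it does not confirm that the cloud provider actually applied the firewall rules.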

Discover All Available Parameters

To see the full default values.yaml for the Artifactory Helm chart — including every parameter with its inline description — run:

helm show values jfrog/artifactory

To filter the output to Nginx-related parameters:

helm show values jfrog/artifactory | grep -A 30 "^nginx:"

This is the authoritative source for current defaults. Parameters in the Helm chart may be updated between chart versions.
