Try JFrog
Guides
Contact SupportTry JFrog
  1. Platform Advanced
  2. Helm Charts for Advanced Use Cases
  3. All Products - Customization

Establish TLS in Artifactory and JFrog Platform

Enable TLS encryption between JFrog Platform nodes: configure Access CA, certificates, Kubernetes service SANs, and Nginx.

❗️

JFrog Recommends Enabling TLS at Nginx Level

If you want to terminate TLS at the load balancer level, and send HTTP requests to Artifactory, you do not need to enable TLS within the JFrog Platform. Instead, use Nginx to offload HTTPS requests to Artifactory using HTTP, and you can configure Nginx to use your own custom certificate and key. For more information, see Nginx with TLS.

HTTPS encrypts communication using Transport Layer Security (TLS). By default, TLS between JFrog Platform nodes is disabled. When TLS is enabled, JFrog Access acts as the Certificate Authority (CA), signing TLS certificates and enabling encrypted communication between JFrog Artifactory and other JFrog products. For more information, see TLS on JFrog Platform.

When deploying the JFrog Platform using Helm in a Kubernetes (K8s) cluster, all products should connect to JFrog Artifactory via its Kubernetes service. To ensure proper TLS validation, the TLS certificate issued by JFrog Access and used by the JFrog Router must include the Service URL in the Subject Alternative Name (SAN) field.

Kubernetes services for JFrog products follow a specific naming convention based on the Helm release name and product name. For example, if the Helm release is jfrog-platform, the generated service names will be as follows:

  • Artifactory: jfrog-platform-artifactory
  • Xray: jfrog-platform-xray
  • General: jfrog-platform-product

You must add the full Artifactory service name as a SAN in the Access-generated certificate.

Enable TLS in Artifactory

  1. In Artifactory's values.yaml file, set security.tls to true under the accessConfig section.

    access:
  accessConfig:
    security:
      tls: true

  2. Add the Artifactory service name as a SAN to the Access certificate. Use Helm templating to automate this and avoid hardcoding the release name. For example:

    access:
  accessConfig:
    security:
      tls: true
      tls-subject-alternative-names:
        - '{{ template "artifactory.fullname" . }}'

    This template is defined in the _helpers.tpl file and resolves to the Artifactory Service name, eliminating the need for hardcoded values.

    With this configuration, Router and Access accept only HTTPS connections from external sources, including other JFrog products connecting via the service name. In this example, the release name is jfrog-platform:

    https://jfrog-platform-artifactory:8082
❗️

Important

The Access certificate requires the hostname IP, specified by the property shared.node.ip in the Artifactory system.yaml. This IP is automatically added to the Access certificate during startup when Access acts as the Certificate Authority (CA). While you can use a custom certificate as described in the Access TLS documentation, this is impractical in Kubernetes due to the dynamic nature of pod IPs. Instead, we recommend using a custom certificate with Nginx for TLS termination.

Enable TLS for other Products in JFrog Platform

All JFrog products use Router, so enabling TLS follows the same pattern. The steps below use Xray as an example.

  1. Add the following configuration in Xray’s values.yaml to allow Router to bypass initial TLS verification and pull the certificate.

    router:
  serviceRegistry:
    insecure: true

  2. After configuration, a certificate is generated under /opt/jfrog/xray/var/data/router/keys, and Router accepts only HTTPS requests.

  3. Set router.tlsEnabled=true so that Kubernetes probes communicate with Router over HTTPS.

    router:
  serviceRegistry:
    insecure: true
  tlsEnabled: true

  4. Set jfrogUrl to the Artifactory service name using HTTPS. The following example uses the service name jfrog-platform-artifactory.

    xray:
  jfrogUrl: https://jfrog-platform-artifactory:8082
router:
  serviceRegistry:
    insecure: true
  tlsEnabled: true

    When using the JFrog Platform chart (the recommended approach for multiple JFrog products), use Helm templating to avoid hardcoding jfrogUrl, as shown in the full example below.

Nginx with TLS

The following sections explain how to disable HTTP and terminate TLS with a custom certificate.

Disable HTTP

By default, Nginx handles both HTTP and HTTPS requests, so HTTPS works without additional configuration. To disable HTTP when Router accepts only HTTPS requests, add the following to Artifactory’s values.yaml:

nginx:
  http:
    enabled: false

If you terminate TLS only at the load balancer and send plaintext to Artifactory, keep this option enabled — Nginx terminates SSL and passes requests to Artifactory over HTTP.

Terminate TLS with Custom Certificate

By default, certificates are generated on startup (artifactory.gen-certs in _helpers.tpl) and used to terminate TLS at the Nginx level. Your load balancer may need to trust Nginx for this to work correctly.

In this case, you can provide a custom certificate for Nginx to use instead of the generated certificates.

  1. Create a TLS secret using kubectl in the same namespace as Artifactory.

    kubectl create secret tls nginx-tls-secret --cert=your-cert --key=your-key -n your-namespace

  2. Add it to your values.yaml.

    nginx:
  tlsSecretName: nginx-tls-secret

    This makes Nginx use your own certificate and private key.

Example of Full JFrog Platform Chart

The following example configures full TLS communication for JFrog Artifactory, Xray, and Distribution using the JFrog Platform chart. The jfrogUrl parameter is shared across all products. Helm templating ensures the URL starts with HTTPS, corresponds to the Artifactory service name, and ends with port 8082:

global:
 jfrogUrl: '{{ printf "https://%s-artifactory:8082" .Release.Name }}'

artifactory:
  access:
   accessConfig:
     security:
       tls: true
       tls-subject-alternative-names:
         - '{{ template "artifactory.fullname" . }}'
  nginx:
    http:
      enabled: false
    tlsSecretName: nginx-tls-secret // Optional: You may skip this if you're okay with certificates generated by the Chart.

xray:
 enabled: true
 router:
   serviceRegistry:
     insecure: true
   tlsEnabled: true

distribution:
 enabled: true
 router:
   serviceRegistry:
     insecure: true
   tlsEnabled: true

Add Custom Certificates to JFrog Platform

When JFrog Artifactory or other products need to access a remote private resource, such as an LDAP server, add custom certificates for the JFrog Platform to trust those resources.

  1. Create a secret that contains your certificate chain.

    kubectl create secret generic your-certificate-secret --from-file=your-cert.pem -n your-namespace

  2. Specify the certificate secret in values.yaml. This works the same across all charts.

    global:
  customCertificates:
    enabled: true
    certificateSecretName: your-certificate-secret

    During redeployment, the chart modifies an initContainer for each enabled product to copy certificates into the trusted directory, allowing the application to load and trust them internally.

📘

Note

When using global.customCertificates within the JFrog Platform chart, all enabled products will load the certificates.

Updated 13 days ago