Install JFrog Advanced Security on your Self-Hosted Environment without Helm

Tip

You are in Step 2 of the JFrog Advanced Security installation. For previous and next steps, refer to Installing JFrog Advanced Security.

Advanced Security runs its workloads on a Kubernetes cluster. For users who don’t already have one, the installation includes a streamlined solution that uses the lightweight K3s distribution to create a Kubernetes cluster using virtual machines automatically.

📘

Note

Starting from Xray version 3.105, no additional self-signed certificate configuration is required for JAS. JAS automatically inherits the settings from Xray if necessary.

Copy the CA certificate in PEM (Base64) format to the $XRAY_HOME/var/etc/security/trusted folder.

Update the Xray system.yaml file with the following information. For more information, see Xray System YAML.

executionService: 
  platformCertificatePath: "/path/to/certificate.pem"

Complete the following configuration so that JAS works correctly in an air-gapped environment. After that, you can proceed with the installation.

Port Configuration

Ensure that you open the following ports before you proceed.

  • Between Xray and the k3s master VM - 6443, 10250
  • Between k3s VMs - Refer to the k3s documentation
  • Between k3s VMs and Artifactory - 8082

Artifactory Configuration

Ensure that JFConnect is running in air-gapped mode and that entitlements have been successfully loaded. For more information, see Configure JFrog Platform in an Air-gapped Environment.

Xray Configuration

Perform the Xray configuration on the Xray node, or only on the first node if you use an HA setup.

  1. Install Docker in the air-gapped Xray node so that you can run the Ansible playbook to set up the k3s infrastructure.

  2. Run the following commands from a machine that has Internet access.

    docker pull releases-docker.jfrog.io/ansible/ansible:2.15.0
    docker save releases-docker.jfrog.io/ansible/ansible:2.15.0 | gzip > ansible.tar
  3. Copy the ansible.tar file to the Xray machine.

  4. Run the following command in the Xray machine.

    docker load < ansible.tar
  5. Make the following changes to the Xray System YAML and restart the Xray service.

    server:
        dbSync:
            version3:
                enabled: true

k3s Node Configuration

Configure k3s node VMs. We recommend that you use three VMs - 1 as master and 2 as workers.

  1. Create the VMs for k3s.

  2. Download the following k3s resources from a machine that has Internet access.

    • k3s binaries (k3s version - 1.29.7+k3s1)

      wget https://releases.jfrog.io/artifactory/run/k3s/1.29.7/k3s
    • k3s airgapped images

      wget https://releases.jfrog.io/artifactory/run/k3s/1.29.7/k3s-airgap-images-amd64.tar.gz
  3. Copy the k3s binary to /usr/local/bin in the k3s VM and make it executable.

    sudo cp k3s /usr/local/bin
    sudo chmod +x /usr/local/bin/k3s
  4. Copy the k3s images to /var/lib/rancher/k3s/agent/images/ in the k3s VM.

    sudo mkdir -p /var/lib/rancher/k3s/agent/images/
    sudo cp k3s-airgap-images-amd64.tar.gz /var/lib/rancher/k3s/agent/images/

Ensure that you complete the prerequisites and the configuration for an air-gapped environment.

  1. Download and extract the Xray installer if required.

  2. Run configureJas.sh from the extracted Xray installer directory and provide the necessary inputs as directed.

    • RPM - You can find the file in the following location, jfrog-xray-<version>-rpm/configureJas.sh.

    • Deb - You can find the file in the following location, jfrog-xray-<version>-deb/configureJas.sh.

    • Linux Archive - You can find the file in the following location, jfrog-xray-<version>-linux/xray/app/bin/configureJas.sh

📘

User Account for Linux Archive Installation

When you run configureJas.sh, use the same user account that you used to install Xray.

The Xray user that runs the script must have sudo permission to install Ansible from the official upstream package manager. If the user cannot have sudo permission, install Ansible before running this script.

  • Docker Compose - You can find the file in the following location, jfrog-xray-<version>-compose/configureJas.sh
  3. Enter the information required by the script.

  4. When the installation is successful, you can find the kube_config.yaml file under /opt/jfrog/xray/var/etc in a Deb/RPM installation, <xray installation directory>/var/etc in a Linux Archive installation, and /root/.jfrog/xray/var/etc in a Docker Compose installation.

    The installation also updates the Xray System YAML file with the entries for JAS.

📘

Note

If you install the k3s cluster on the same machine as Xray (for testing and not for production), and use the Docker Compose installation, update the IP in kube_config.yaml to match the IP of the machine. This ensures that Xray can access the k3s cluster from within the container.

  5. Restart the Xray service to enable JAS.

HA Installation

  1. Copy kube_config.yaml from the first node to the additional nodes under the same path.

    You can find the kube_config.yaml file under /opt/jfrog/xray/var/etc in a Deb/RPM installation, <xray installation directory>/var/etc in a Linux Archive installation, and /root/.jfrog/xray/var/etc in a Docker Compose installation.

  2. Run configureJas.sh.

  3. Choose the option to use the existing kube_config.yaml file.

  4. Restart the Xray service after the installation is complete.

Load Exposure and Contextual Analysis Images

You must load exposure and contextual analysis images to all k3s VMs.

📘

Note

When you download an image, ensure that it is of the same architecture as the k3s machine.

  1. Download the images on a machine that has an Internet connection.

    docker pull --platform=linux/amd64 releases-docker.jfrog.io/jfrog/xray-jas-exposures:<XRAY_VERSION>
    docker pull --platform=linux/amd64 releases-docker.jfrog.io/jfrog/xray-jas-contextual-analysis:<XRAY_VERSION>
  2. Save the images as tar files.

    docker save releases-docker.jfrog.io/jfrog/xray-jas-exposures:<XRAY_VERSION> > jas_exposure.tar
    docker save releases-docker.jfrog.io/jfrog/xray-jas-contextual-analysis:<XRAY_VERSION> > jas_contextual_analysis.tar
  3. Copy the tar files to all k3s nodes and load with the following commands.

    k3s ctr images import jas_exposure.tar
    k3s ctr images import jas_contextual_analysis.tar
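
Every artifact in the air-gapped steps on this page (ansible.tar, the k3s binary and image archive, the two JAS image tars) is downloaded on one machine and copied to another before it is loaded or executed. As an added example (not part of the JFrog installer), this script records SHA-256 digests on the Internet-connected machine and fails verification on the air-gapped side if a file is absent from the manifest, missing or altered; the script name and manifest file are assumptions.

```shell
#!/bin/sh
# Added example, not JFrog code. File names are the ones used on this page;
# trim AIRGAP_FILES to the artifacts you actually carry across.
AIRGAP_FILES="ansible.tar k3s k3s-airgap-images-amd64.tar.gz jas_exposure.tar jas_contextual_analysis.tar"

# Internet-connected side: write SHA-256 lines for every listed file in DIR.
# Fails, and leaves no manifest behind, if any file is missing.
make_manifest() {
    dir=$1; manifest=$2
    (
        cd "$dir" || exit 1
        for f in $AIRGAP_FILES; do
            [ -f "$f" ] || { echo "missing: $f" >&2; exit 1; }
        done
        sha256sum $AIRGAP_FILES
    ) > "$manifest.tmp" || { rm -f "$manifest.tmp"; return 1; }
    mv "$manifest.tmp" "$manifest"
}

# Air-gapped side: run before `docker load`, `cp k3s /usr/local/bin` or
# `k3s ctr images import`. Returns non-zero on any mismatch.
verify_manifest() {
    dir=$1; manifest=$2
    # Each expected file must be named in the manifest, so a truncated
    # manifest cannot silently skip an artifact.
    for f in $AIRGAP_FILES; do
        grep -q "  $f\$" "$manifest" || { echo "not in manifest: $f" >&2; return 1; }
    done
    # sha256sum -c re-hashes each file; a changed or absent file fails.
    ( cd "$dir" && sha256sum -c ) < "$manifest"
}

# Usage (hypothetical script name): airgap-manifest.sh make|verify DIR MANIFEST
case "${1:-}" in
    make)   make_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

Carry the manifest by a separate path from the files, or sign it, because a manifest stored next to the artifacts can be rewritten along with them.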

Prerequisites to Install JAS without Helm

Complete the following prerequisites before you proceed with installation.

Create Virtual Machines

Create virtual machines for running JAS before you start the installation process. You must also ensure passwordless access to the VMs. For example, you should be able to access the VMs using ssh username@ip. For more information on system requirements, see System Requirements.

The following operating systems are certified:

  • RHEL 8
  • RHEL 9
  • Ubuntu 20
  • Ubuntu 22

The user in the k3s VM should have password-less sudo access in addition to password-less SSH access, so that sudo commands run without a password prompt.

Configure Passwordless SSH Access to VM

The user in the procedure is the account username from which you run the script.

  1. Add your private key to access the VM under /user/.ssh/yourPrivateKey.

  2. Restrict the file to read and write access for its owner only.

    chmod 600 /user/.ssh/yourPrivateKey
  3. Edit the file, /user/.ssh/config, and add the following line.

    IdentityFile /user/.ssh/yourPrivateKey

Installation of Ansible

The installer uses Ansible to set up JAS. You can install Ansible or use Ansible with Docker. We recommend that you use Docker.

Install with Docker (Recommended)

  1. Install Docker manually in the Xray machine.

    Installation of the k3s cluster on the same machine as Xray is not supported for Docker installation. You can install it with Ansible.

  2. Copy the private key content (for the key that has access to all k3s VMs) to k3s-ansible/keys/k3s_vms_private_key in the installation directory before running configureJas.sh.

Install with Ansible

The installer downloads and installs Ansible when you run the installation process. If the installer fails to install Ansible from the package manager of the OS, or if the Ansible version is lower than 2.9.x, install Ansible manually and ensure that the version is 2.9.x or later.

If you have limitations setting up Ansible on the same machine, you can follow the manual method to create a K3s cluster from any other machine. For more information, see Run Ansible Playbook Manually.

Configure Artifactory

  1. Ensure that the Artifactory version is 7.90.x or later.
  2. Set up a valid license to use JAS in Artifactory.
  3. Ensure the Base URL is set up for Artifactory.
  4. Verify internet access: Ensure that the JFrog Platform has a connection to the internet to communicate with JFrog Backoffice and fetch entitlements. For required domains, see Allowlisted URLs.
  5. Air-gapped Environments (if applicable): If internet access is not available, configure the JFrog Platform to operate in an air-gapped environment. For instructions, see Configure JFrog Platform in an Air-gapped Environment.

Install Xray

Before you install JAS, you must install Xray. The following sections provide detailed information on how you can install Xray based on your system.

📘

Xray Version Requirements for non-Helm Installations

To install JAS with RPM, Debian or Linux Archive, you must use Xray version 3.104 or later.

To install JAS with Docker Compose, you must use Xray version 3.104 or later.

JAS Interactive Script Installation

  1. Download and extract the Xray installer if required.

  2. Run configureJas.sh from the extracted Xray installer directory and provide the necessary inputs as directed.

    • RPM - You can find the file in the following location, jfrog-xray-<version>-rpm/configureJas.sh.

    • Deb - You can find the file in the following location, jfrog-xray-<version>-deb/configureJas.sh.

    • Linux Archive - You can find the file in the following location, jfrog-xray-<version>-linux/xray/app/bin/configureJas.sh

📘

User Account for Linux Archive Installation

When you run configureJas.sh, use the same user account that you used to install Xray.

The Xray user that runs the script must have sudo permission to install Ansible from the official upstream package manager. If the user cannot have sudo permission, install Ansible before running this script.

  • Docker Compose - You can find the file in the following location, jfrog-xray-<version>-compose/configureJas.sh
  3. Enter the information required by the script.

  4. When the installation is successful, you can find the kube_config.yaml file under /opt/jfrog/xray/var/etc in a Deb/RPM installation, <xray installation directory>/var/etc in a Linux Archive installation, and /root/.jfrog/xray/var/etc in a Docker Compose installation.

    The installation also updates the Xray System YAML file with the entries for JAS.

📘

Note

If you install the k3s cluster on the same machine as Xray (for testing and not for production), and use the Docker Compose installation, update the IP in kube_config.yaml to match the IP of the machine. This ensures that Xray can access the k3s cluster from within the container.

  5. Restart the Xray service to enable JAS.

HA Installation

  1. Copy kube_config.yaml from the first node to the additional nodes under the same path.

    You can find the kube_config.yaml file under /opt/jfrog/xray/var/etc in a Deb/RPM installation, <xray installation directory>/var/etc in a Linux Archive installation, and /root/.jfrog/xray/var/etc in a Docker Compose installation.

  2. Run configureJas.sh.

  3. Choose the option to use the existing kube_config.yaml file.

  4. Restart the Xray service after the installation is complete.

JAS Manual Installation

  1. Download and extract the Xray installer if required.

    You can find the Ansible playbook in the following folders.

    • Linux Archive - jfrog-xray-<version>-linux/xray/app/bin/k3s-ansible
    • RPM - jfrog-xray-<version>-rpm/k3s-ansible
    • Deb - jfrog-xray-<version>-deb/k3s-ansible
  2. Run the Ansible playbook manually.

    1. Add your configuration to ~/k3s-ansible/inventory/k3scluster/hosts.ini.

      For example:

      [master]
      10.90.184.25
      [node]
      10.90.122.151
      10.90.180.51
      [k3s_cluster:children]
      master
      node
      [all:vars]
      ansible_ssh_common_args='-o StrictHostKeyChecking=no'
    2. Add your VM username to ~/k3s-ansible/inventory/k3scluster/group_vars/all.yml.

      ansible_user: vmUsername
    3. Run the playbook.

      ansible-playbook -v site.yml -i inventory/k3scluster/hosts.ini
    4. When the run is complete, you can find the kube_config.yaml file in the same directory, which has the details to connect with the cluster.

  3. Copy kube_config.yaml to <xray installation directory>/var/etc in a Linux Archive installation, or to /opt/jfrog/xray/var/etc/kube_config.yaml in a Deb/RPM installation of the Xray instance.

  4. Add the following configuration in the Xray System YAML.

    executionService:
      jobAesKey: <Your execution key>  # generate with: openssl rand -hex 16
      kubeconfig:
        path: /opt/jfrog/xray/var/etc/kube_config.yaml
        namespace: default
        context: default
        enabled: true
  5. Restart the Xray service to enable JAS.
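
The hosts.ini example in the manual installation sets StrictHostKeyChecking=no, so Ansible accepts whatever host key each k3s VM presents. As an added example (not part of the JFrog installer), this preflight script lists the inventory hosts that have no known_hosts entry; once it reports none for the user that runs the playbook, the option can be dropped from [all:vars]. The script name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the JFrog installer.

# Print the hosts listed under [master] and [node] in an Ansible INI inventory.
# Group names under [k3s_cluster:children] and entries in [all:vars] are skipped.
inventory_hosts() {
    section=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \[*\]) section=${line#\[}; section=${section%\]} ;;
            ''|\#*|\;*) ;;
            *) case $section in
                   master|node) echo "${line%% *}" ;;  # drop per-host variables
               esac ;;
        esac
    done < "$1"
}

# Print inventory hosts that have no entry in the given known_hosts file.
# ssh-keygen -F also matches hashed known_hosts entries.
unpinned_hosts() {
    for h in $(inventory_hosts "$1"); do
        ssh-keygen -F "$h" -f "$2" >/dev/null 2>&1 || echo "$h"
    done
}

# Usage (hypothetical script name): check-hostkeys.sh hosts.ini [known_hosts]
# Exits 0 only when every k3s VM already has a pinned host key.
if [ -n "${1:-}" ]; then
    missing=$(unpinned_hosts "$1" "${2:-$HOME/.ssh/known_hosts}")
    [ -z "$missing" ] || { echo "no known_hosts entry for:"; echo "$missing"; exit 1; }
fi
```

Add the missing entries only after comparing each key fingerprint with the one shown on the VM's own console.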