Security-related Issues
Secure Artifactory Helm deployments: customize database password, manage Kubernetes secrets, and configure network policies.
This section covers security topics for Helm chart installations: secrets management, network policy, and Ingress configuration.
Customizing the Database Password
Override the database password from values.yaml by passing it as a parameter in the install command.
helm upgrade --install artifactory --namespace artifactory --set postgresql.postgresqlPassword=12_hX34qwerQ2 jfrog/artifactory

Customize other parameters the same way by passing them in the helm install command.
Creating an Ingress Object
To create an ingress object with a hostname, add these lines to the artifactory-ingress-values.yaml file and use it with your Helm install or upgrade.
ingress:
  enabled: true
  hosts:
    - artifactory.company.com
artifactory:
  service:
    type: NodePort
nginx:
  enabled: false

helm upgrade --install artifactory -f artifactory-ingress-values.yaml --namespace artifactory jfrog/artifactory

If your cluster supports automatic TLS certificate provisioning (for example, via cert-manager), create the ingress object as follows.
- Create or retrieve a key and certificate pair for the addresses to protect.
- Create a TLS secret in the namespace.

  kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key

- Include the secret's name, along with the desired hostnames, in the Artifactory Ingress TLS section of your custom values.yaml file.

  ingress:
    ## If true, Artifactory Ingress will be created
    ##
    enabled: true
    ## Artifactory Ingress hostnames
    ## Must be provided if Ingress is enabled
    ##
    hosts:
      - artifactory.domain.com
    annotations:
      kubernetes.io/tls-acme: "true"
    ## Artifactory Ingress TLS configuration
    ## Secrets must be manually created in the namespace
    ##
    tls:
      - secretName: artifactory-tls
        hosts:
          - artifactory.domain.com
Using Ingress Annotations
The following Ingress annotation enables Artifactory to work as a Docker Registry using the Repository Path method. For more information, see Docker Repositories.
ingress:
  enabled: true
  defaultBackend:
    enabled: false
  hosts:
    - myhost.example.com
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "true"
    ingress.kubernetes.io/proxy-body-size: "0"
    ingress.kubernetes.io/proxy-read-timeout: "600"
    ingress.kubernetes.io/proxy-send-timeout: "600"
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token;
      rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3;
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  tls:
    - hosts:
        - "myhost.example.com"

If Artifactory is your SSO provider (for example, with Xray), use the following annotations and update the domain to match your environment.
..
annotations:
  kubernetes.io/ingress.class: nginx
  nginx.ingress.kubernetes.io/configuration-snippet: |
    proxy_pass_header Server;
    proxy_set_header X-JFrog-Override-Base-Url https://<artifactory-domain>;

Adding Additional Ingress Rules
To add additional ingress rules to the Artifactory ingress — for example, routing the /xray path to Xray — add the following to the artifactory-values.yaml file and run the upgrade.
ingress:
  enabled: true
  defaultBackend:
    enabled: false
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite "(?i)/xray(/|$) (.*)" /$2 break;
  additionalRules: |
    - host: <MY_HOSTNAME>
      http:
        paths:
          - path: /
            backend:
              serviceName: <XRAY_SERVER_SERVICE_NAME>
              servicePort: <XRAY_SERVER_SERVICE_PORT>
          - path: /xray
            backend:
              serviceName: <XRAY_SERVER_SERVICE_NAME>
              servicePort: <XRAY_SERVER_SERVICE_PORT>
          - path: /artifactory
            backend:
              serviceName: {{ template "artifactory.nginx.fullname" . }}
              servicePort: {{ .Values.nginx.externalPortHttp }}

helm upgrade --install xray jfrog/artifactory -f artifactory-values.yaml
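As an added example (not code from the chart or from this page), the following Python script replays the two nginx rewrite rules from the Docker configuration-snippet annotation in "Using Ingress Annotations" above against constructed Docker client request paths, so you can check which URI actually reaches Artifactory and which repository key the repository path method selects. The sample paths and the repository key docker-local are assumptions.

```python
import re
from typing import List, Optional, Tuple

# The two nginx rewrite rules from the Docker configuration-snippet annotation,
# in the same order. nginx tests rewrites sequentially and, when a rule carries
# no flag (as here), keeps going with the already rewritten URI, so order matters.
# Python back-references (\1) stand in for nginx's $1.
DOCKER_REWRITES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^/(v2)/token"), r"/artifactory/api/docker/null/v2/token"),
    (re.compile(r"^/(v2)/([^/]*)/(.*)"), r"/artifactory/api/docker/\2/\1/\3"),
]


def rewrite_path(uri: str) -> str:
    """Return the URI the ingress forwards to Artifactory for a request URI.

    nginx replaces the whole URI with the expanded replacement whenever the
    regex matches, even if it only matched a prefix, hence match()+expand()
    instead of re.sub(). Query strings are not part of the URI nginx rewrites,
    so pass the path only.
    """
    for pattern, replacement in DOCKER_REWRITES:
        match = pattern.match(uri)
        if match:
            uri = match.expand(replacement)
    return uri


def target_repo(uri: str) -> Optional[str]:
    """Repository key the rewritten request addresses (repository path method:
    the first segment after /v2/), or None when neither rule matched and the
    request was not mapped into Artifactory's Docker API at all."""
    m = re.match(r"^/artifactory/api/docker/([^/]+)/v2/", rewrite_path(uri))
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample request paths, as a Docker client would send them.
    # Note that the bare /v2/ ping and /v2/_catalog match neither rule and
    # pass through unchanged.
    for sample in ["/v2/token", "/v2/docker-local/nginx/manifests/latest",
                   "/v2/docker-local/nginx/blobs/sha256:abc", "/v2/", "/v2/_catalog"]:
        print(f"{sample:45} -> {rewrite_path(sample)}  repo={target_repo(sample)}")
```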
