Security-related Issues
Secure Artifactory Helm deployments: customize database password, manage Kubernetes secrets, and configure network policies.
This section covers security topics for Helm chart installations: secrets management, network policy, and Ingress configuration.
Customizing the Database Password
Override the database password from values.yaml by passing it as a parameter in the install command.
    helm upgrade --install artifactory --namespace artifactory --set postgresql.postgresqlPassword=12_hX34qwerQ2 jfrog/artifactory
Customize other parameters the same way by passing them in the helm install command.
Creating an Ingress Object
To create an ingress object with a hostname, add these lines to the artifactory-ingress-values.yaml file and use it with your Helm install or upgrade.
    ingress:
      enabled: true
      hosts:
        - artifactory.company.com
    artifactory:
      service:
        type: NodePort
    nginx:
      enabled: false

    helm upgrade --install artifactory -f artifactory-ingress-values.yaml --namespace artifactory jfrog/artifactory
If your cluster supports automatic TLS certificate provisioning (for example, via cert-manager), create the ingress object as follows.
- Create or retrieve a key and certificate pair for the addresses to protect.
- Create a TLS secret in the namespace.
    kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key
- Include the secret's name, along with the desired hostnames, in the Artifactory Ingress TLS section of your custom values.yaml file.
    ingress:
      ## If true, Artifactory Ingress will be created
      ##
      enabled: true
      ## Artifactory Ingress hostnames
      ## Must be provided if Ingress is enabled
      ##
      hosts:
        - artifactory.domain.com
      annotations:
        kubernetes.io/tls-acme: "true"
      ## Artifactory Ingress TLS configuration
      ## Secrets must be manually created in the namespace
      ##
      tls:
        - secretName: artifactory-tls
          hosts:
            - artifactory.domain.com
Using Ingress Annotations
The following Ingress annotation enables Artifactory to work as a Docker Registry using the Repository Path method. For more information, see Docker Repositories.
    ingress:
      enabled: true
      defaultBackend:
        enabled: false
      hosts:
        - myhost.example.com
      annotations:
        ingress.kubernetes.io/force-ssl-redirect: "true"
        ingress.kubernetes.io/proxy-body-size: "0"
        ingress.kubernetes.io/proxy-read-timeout: "600"
        ingress.kubernetes.io/proxy-send-timeout: "600"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/configuration-snippet: |
          rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token;
          rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3;
        nginx.ingress.kubernetes.io/proxy-body-size: "0"
      tls:
        - hosts:
            - "myhost.example.com"
If Artifactory is your SSO provider (for example, with Xray), use the following annotations and update the domain to match your environment.
    ..
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_pass_header Server;
        proxy_set_header X-JFrog-Override-Base-Url https://<artifactory-domain>;
Adding Additional Ingress Rules
To add additional ingress rules to the Artifactory ingress — for example, routing the /xray path to Xray — add the following to the artifactory-values.yaml file and run the upgrade.
    ingress:
      enabled: true
      defaultBackend:
        enabled: false
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/configuration-snippet: |
          rewrite "(?i)/xray(/|$)(.*)" /$2 break;
      additionalRules: |
        - host: <MY_HOSTNAME>
          http:
            paths:
            - path: /
              backend:
                serviceName: <XRAY_SERVER_SERVICE_NAME>
                servicePort: <XRAY_SERVER_SERVICE_PORT>
            - path: /xray
              backend:
                serviceName: <XRAY_SERVER_SERVICE_NAME>
                servicePort: <XRAY_SERVER_SERVICE_PORT>
            - path: /artifactory
              backend:
                serviceName: {{ template "artifactory.nginx.fullname" . }}
                servicePort: {{ .Values.nginx.externalPortHttp }}

    helm upgrade --install xray jfrog/artifactory -f artifactory-values.yaml
Frequently Asked Questions
Q: How do I override the default database password in an Artifactory Helm installation?
A: Pass the password as a Helm parameter using --set postgresql.postgresqlPassword=<your-password> in the helm upgrade --install command. You can customize other parameters the same way by passing them inline.
Q: How do I create an Ingress object for Artifactory with a custom hostname?
A: Add ingress.enabled: true and the desired hostname under ingress.hosts in a values file, set artifactory.service.type: NodePort, and set nginx.enabled: false. Then pass this values file to helm upgrade --install using -f <your-file>.yaml.
Q: What is required to add TLS to the Artifactory Ingress object?
A: Create a TLS Secret in the same namespace using kubectl create secret tls artifactory-tls --cert=path/to/tls.cert --key=path/to/tls.key, then reference that secret name under ingress.tls[].secretName in your values file along with the matching hostnames.
Q: What Ingress annotation is needed to use Artifactory as a Docker Registry via the Repository Path method?
A: Set nginx.ingress.kubernetes.io/configuration-snippet with rewrite rules that route /v2/token and /v2/<repo>/<path> requests to Artifactory's Docker API paths. The ingress.kubernetes.io/proxy-body-size: "0" annotation is also required to allow large image layer uploads without a body size limit. For details, see Docker Repositories.
Q: How can I route both /xray and /artifactory paths through the same Artifactory Ingress?
A: Use ingress.additionalRules in your values.yaml to define extra host rules that route /xray to the Xray service and /artifactory to the Nginx service. Pair this with an nginx.ingress.kubernetes.io/configuration-snippet rewrite rule to strip the /xray prefix before forwarding to Xray.
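To check where a request path ends up under the rewrite rules on this page (the Docker Repository Path rules and the /xray prefix rule) before deploying them, the following Python sketch emulates how nginx evaluates consecutive rewrite directives. It is an added example, not code from JFrog's chart or documentation; the helper name apply_rewrites and the sample paths and repository names are constructed for illustration, and the /xray pattern is used in the form (?i)/xray(/|$)(.*).

```python
import re

# (pattern, replacement, flag) triples copied from the configuration-snippet
# annotations on this page; the /xray pattern is used without an embedded space.
DOCKER_RULES = [
    (r"^/(v2)/token", "/artifactory/api/docker/null/v2/token", ""),
    (r"^/(v2)/([^\/]*)/(.*)", "/artifactory/api/docker/$2/$1/$3", ""),
]
XRAY_RULES = [(r"(?i)/xray(/|$)(.*)", "/$2", "break")]


def apply_rewrites(path, rules):
    """Emulate consecutive nginx `rewrite` directives on a request path.

    nginx searches for the pattern anywhere in the URI (unless it is anchored),
    replaces the whole URI with the expanded replacement, and moves on to the
    next directive unless the flag is `break` or `last`.
    """
    for pattern, replacement, flag in rules:
        match = re.search(pattern, path)
        if match is None:
            continue
        # Expand $1..$9 capture references in the replacement string.
        path = re.sub(r"\$(\d)", lambda ref: match.group(int(ref.group(1))) or "",
                      replacement)
        if flag in ("break", "last"):
            break
    return path


# Constructed sample paths (repository names are hypothetical).
SAMPLES = [
    (DOCKER_RULES, "/v2/token"),
    (DOCKER_RULES, "/v2/docker-local/manifests/latest"),
    (DOCKER_RULES, "/v2/"),                              # matches neither rule
    (DOCKER_RULES, "/v2/token-cache/manifests/latest"),  # caught by the token rule
    (XRAY_RULES, "/xray/api/v1/system/version"),
    (XRAY_RULES, "/XRAY"),                               # (?i) makes it case-insensitive
    (XRAY_RULES, "/xrayfoo"),                            # no segment boundary, unchanged
    (XRAY_RULES, "/artifactory/xray/index.html"),        # pattern has no ^ anchor
]

if __name__ == "__main__":
    for rules, path in SAMPLES:
        print(f"{path:40} -> {apply_rewrites(path, rules)}")
```

Two results are worth noting when reviewing these snippets: a repository key that begins with "token" is matched by the first Docker rule and sent to the token endpoint, and the /xray pattern has no ^ anchor, so it also rewrites paths that contain /xray/ further along, including requests under /artifactory.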
