diff --git a/stable/artifactory/CHANGELOG.md b/stable/artifactory/CHANGELOG.md index 7955708c3..79ea8b7c0 100644 --- a/stable/artifactory/CHANGELOG.md +++ b/stable/artifactory/CHANGELOG.md @@ -1,6 +1,9 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. +## [10.1.1] - Aug 13, 2020 +* Support GCP credentials.json authentication + ## [10.1.0] - Aug 13, 2020 * Updated Artifactory version to 7.7.3 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7) diff --git a/stable/artifactory/Chart.yaml b/stable/artifactory/Chart.yaml index a26c82e79..edfcbdcfb 100644 --- a/stable/artifactory/Chart.yaml +++ b/stable/artifactory/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: artifactory home: https://www.jfrog.com/artifactory/ -version: 10.1.0 +version: 10.1.1 appVersion: 7.7.3 description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers. diff --git a/stable/artifactory/README.md b/stable/artifactory/README.md index 5decbc4c2..ed8368969 100644 --- a/stable/artifactory/README.md +++ b/stable/artifactory/README.md @@ -164,7 +164,8 @@ helm upgrade --install artifactory center/jfrog/artifactory --namespace artifact #### Google Storage To use a Google Storage bucket as the cluster's filestore. See [Google Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-GoogleStorageBinaryProvider) -- Pass Google Storage parameters to `helm install` and `helm upgrade` + +Pass Google Storage parameters to `helm install` and `helm upgrade` ```bash ... --set artifactory.persistence.type=google-storage \ 
@@ -173,6 +174,69 @@ To use a Google Storage bucket as the cluster's filestore. See [Google Storage B ... ``` +In order to use a GCP service account, Artifactory needs a gcp.credentials.json file in the same directory as a binaraystore.xml file. +This can be generated by running: +```bash +gcloud iam service-accounts keys create --iam-account +``` +Which will produce the following, which can be saved to a file or copied into your `values.yaml`. +```bash +{ + "type": "service_account", + "project_id": "", + "private_key_id": "?????", + "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n", + "client_email": "???@j.iam.gserviceaccount.com", + "client_id": "???????", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1....." +} +``` + +One option is to create your own [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) and pass it to your `helm install` in a custom `values.yaml` +```bash +# Create the Kubernetes secret from the file you created earlier. +# IMPORTANT: The file must be called "gcp.credentials.json" because this is used later as the secret key! 
+# (The secret key can be overridden by artifactory.persistence.googleStorage.customSecretKey) +kubectl create secret generic artifactory-gcp-creds --from-file=./gcp.credentials.json +``` +Set this secret in your custom `values.yaml` +```bash +artifactory: + persistence: + type: google-storage + googleStorage: + gcpServiceAccount: + enabled: true + customSecretName: artifactory-gcp-creds +``` + +Another option is to put your generated config directly in your custom `values.yaml` and the secret will be created from it +``` +artifactory: + persistence: + type: google-storage + googleStorage: + gcpServiceAccount: + enabled: true + config: | + { + "type": "service_account", + "project_id": "", + "private_key_id": "?????", + "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n", + "client_email": "???@j.iam.gserviceaccount.com", + "client_id": "???????", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1....." + } +``` + + #### AWS S3 **NOTE** Keep in mind that when using the `aws-s3` persistence type, you will not be able to provide an IAM on the pod level. In order to grant permissions to Artifactory using an IAM role, you will have to attach the said IAM role to the machine(s) on which Artifactory is running. 
@@ -1239,6 +1303,9 @@ The following table lists the configurable parameters of the artifactory chart a | `artifactory.persistence.googleStorage.bucketName` | Google Storage bucket name | `artifactory` | | `artifactory.persistence.googleStorage.identity` | Google Storage service account id | | | `artifactory.persistence.googleStorage.credential` | Google Storage service account key | | +| `artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName` | Google Storage service account secret name | | +| `artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey` | Google Storage service account secret key | `gcp.credential.json` +| `artifactory.persistence.googleStorage.gcpServiceAccount.config` | Google Storage service account key json | | | `artifactory.persistence.googleStorage.path` | Google Storage path in bucket | `artifactory/filestore` | | `artifactory.persistence.googleStorage.bucketExists`| Google Storage bucket exists therefore does not need to be created.| `false` | | `artifactory.persistence.awsS3.bucketName` | AWS S3 bucket name | `artifactory-aws` | diff --git a/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml b/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml new file mode 100644 index 000000000..df8098b67 --- /dev/null +++ b/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml 
@@ -0,0 +1,16 @@ +{{- if not .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} +{{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "artifactory-ha.fullname" . }}-gcpcreds + labels: + app: {{ template "artifactory-ha.name" . }} + chart: {{ template "artifactory-ha.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +stringData: + {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}: |- +{{ tpl .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config . | indent 4 }} +{{- end }} +{{- end }} diff --git a/stable/artifactory/templates/artifactory-statefulset.yaml b/stable/artifactory/templates/artifactory-statefulset.yaml index 3680caf0e..8c074ea0b 100644 --- a/stable/artifactory/templates/artifactory-statefulset.yaml +++ b/stable/artifactory/templates/artifactory-statefulset.yaml @@ -304,6 +304,11 @@ spec: mountPath: "/artifactory_bootstrap/binarystore.xml" subPath: binarystore.xml {{- end }} + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + - name: gcpcreds-json + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }} + {{- end }} {{- if .Values.artifactory.customVolumeMounts }} {{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} {{- end }} 
@@ -442,6 +447,11 @@ spec: - name: installer-info mountPath: "/artifactory_bootstrap/info/installer-info.json" subPath: installer-info.json + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + - name: gcpcreds-json + mountPath: "/artifactory_bootstrap/gcp.credentials.json}" + subPath: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }} + {{- end }} {{- if .Values.artifactory.customVolumeMounts }} {{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} {{- end }} @@ -602,6 +612,15 @@ spec: secretName: {{ template "artifactory.fullname" . }}-license {{- end }} {{- end }} + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + - name: gcpcreds-json + secret: + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + secretName: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + {{- else }} + secretName: {{ template "artifactory-ha.fullname" . }}-gcpcreds + {{- end }} + {{- end }} {{- if or (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) .Values.artifactory.admin.password }} - name: access-bootstrap-creds secret: diff --git a/stable/artifactory/values.yaml b/stable/artifactory/values.yaml index 3381017e1..402608b6e 100644 --- a/stable/artifactory/values.yaml +++ b/stable/artifactory/values.yaml @@ -746,6 +746,13 @@ artifactory: ## For artifactory.persistence.type google-storage googleStorage: + ## When using GCP buckets as your binary store (Available with enterprise license only) + gcpServiceAccount: + enabled: false + ## Use either an existing secret prepared in advance or put the config in the values + customSecretName: + customSecretKey: gcp.credentials.json + config: endpoint: storage.googleapis.com httpsOnly: false # Set a unique bucket name
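Review bot: the `gcloud iam service-accounts keys create --iam-account` command added in the README `@@ -173` hunk is incomplete: it needs the output file and the service account, e.g. `gcloud iam service-accounts keys create gcp.credentials.json --iam-account=<SERVICE_ACCOUNT_EMAIL>`, which also yields exactly the file name the later `kubectl create secret generic artifactory-gcp-creds --from-file=./gcp.credentials.json` step depends on. In the same hunk, `binaraystore.xml` should read `binarystore.xml`; the key JSON sample is fenced as ```bash and the second values.yaml sample has no language tag (use ```json and ```yaml). Since the inline `config` option embeds the service account's private key verbatim in `values.yaml`, the text should present the pre-created Secret (`customSecretName`) as the recommended path and describe inline `config` as the option for cases where the values file itself is protected as a secret.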
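Review bot: the new `customSecretKey` row in the README parameter table (`@@ -1239` hunk) lists the default as `gcp.credential.json`, but values.yaml sets `customSecretKey: gcp.credentials.json` and the statefulset mounts `gcp.credentials.json`; the table should say `gcp.credentials.json`. That row is also missing its closing `|`, which breaks the markdown table, and `artifactory.persistence.googleStorage.gcpServiceAccount.enabled` (default `false`) is not documented at all even though the Secret template and both volume mounts are gated on it.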
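Review bot: the new `artifactory-gcp-credentials-secret.yaml` template names its objects with `artifactory-ha.fullname`, `artifactory-ha.name` and `artifactory-ha.chart`, but this is the `artifactory` chart, whose statefulset in this same diff uses `artifactory.fullname` for the license secret; unless the HA helpers are defined in this chart's helpers, rendering fails on an undefined template, and if they are, the name will not match the release. Use `name: {{ template "artifactory.fullname" . }}-gcpcreds` with the matching `artifactory.name` / `artifactory.chart` helpers. Also guard the `tpl` call with `required "artifactory.persistence.googleStorage.gcpServiceAccount.config is required when customSecretName is not set" .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config` so that `enabled: true` with an empty `config` fails with a clear message instead of whatever `tpl` produces for an empty value.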
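Review bot: the mountPath in the second volumeMounts block (`@@ -442` hunk) reads `"/artifactory_bootstrap/gcp.credentials.json}"` with a stray `}`, so the container gets a file named `gcp.credentials.json}` and Artifactory will not find the credentials next to binarystore.xml. It should match the first block: `mountPath: "/artifactory_bootstrap/gcp.credentials.json"`.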
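Review bot: in the volumes block (`@@ -602` hunk) the fallback `secretName: {{ template "artifactory-ha.fullname" . }}-gcpcreds` does not agree with the `{{ template "artifactory.fullname" . }}-license` two lines above; use `artifactory.fullname` here (and in the new Secret template) so the volume resolves to the Secret this chart creates. The volume is also added whenever `gcpServiceAccount.enabled` is true regardless of `persistence.type`, so consider additionally gating it on `eq .Values.artifactory.persistence.type "google-storage"`; otherwise a misconfigured release references a Secret it never uses and, with a `customSecretName` that does not exist, the pod will not start.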
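Review bot: the comment on the new `gcpServiceAccount` block in values.yaml should state that `config` is the full service-account key JSON, private key included, and that the chart writes it into a Kubernetes Secret, so anything that retains the values file retains the credential; point operators to `customSecretName` with an externally created Secret as the preferred path. It should also document that `customSecretKey` is the key name inside that Secret and must match the key of a pre-created Secret (the filename passed to `kubectl create secret ... --from-file`), since the statefulset uses it as the `subPath` of the mount.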