From 139f8052dd912373b2bd353cb605cad73e61d9d5 Mon Sep 17 00:00:00 2001 From: Jason D Date: Thu, 11 Jun 2020 11:18:33 -0700 Subject: [PATCH 1/9] feat: copy service account support from #696 --- stable/artifactory/README.md | 63 ++++++++++++++++++- .../artifactory-gcp-credentials-secret.yaml | 16 +++++ .../templates/artifactory-statefulset.yaml | 19 ++++++ stable/artifactory/values.yaml | 6 ++ 4 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml diff --git a/stable/artifactory/README.md b/stable/artifactory/README.md index 6ed1abcea..e7b1f7c57 100644 --- a/stable/artifactory/README.md +++ b/stable/artifactory/README.md @@ -160,7 +160,8 @@ helm upgrade --install artifactory jfrog/artifactory --namespace artifactory -f #### Google Storage To use a Google Storage bucket as the cluster's filestore. See [Google Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-GoogleStorageBinaryProvider) -- Pass Google Storage parameters to `helm install` and `helm upgrade` + +Pass Google Storage parameters to `helm install` and `helm upgrade` ```bash ... --set artifactory.persistence.type=google-storage \ 
@@ -169,6 +170,66 @@ To use a Google Storage bucket as the cluster's filestore. See [Google Storage B ... ``` +In order to use a GCP service account, Artifactory needs a gcp.credentials.json file in the same directory asa binaraystore.xml file. +This can be generated by running: +```bash +gcloud iam service-accounts keys create --iam-account +``` +Which will produce the following, which can be saved to a file or copied into your `values.yaml`. +```bash +{ + "type": "service_account", + "project_id": "", + "private_key_id": "?????", + "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n", + "client_email": "???@j.iam.gserviceaccount.com", + "client_id": "???????", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1....." +} +``` + +One option is to create your own [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) and pass it to your `helm install` in a custom `values.yaml` +```bash +# Create the Kubernetes secret from the file you created earlier. +# IMPORTANT: The file must be called "gcp.credentials.json" because this is used later as the secret key! 
+kubectl create secret generic artifactory-gcp-creds --from-file=./gcp.credentials.json +``` +Set this secret in your custom `values.yaml` +```bash +artifactory: + persistence: + googleStorage + gcpServiceAccount: + enabled: true + customSecretName: artifactory-gcp-creds +``` + +Another option is to put your generated config directly in your custom `values.yaml` and the a secret will be created from it +``` +artifactory: + persistence: + googleStorage + gcpServiceAccount: + enabled: true + config: | + { + "type": "service_account", + "project_id": "", + "private_key_id": "?????", + "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n", + "client_email": "???@j.iam.gserviceaccount.com", + "client_id": "???????", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1....." + } +``` + + #### AWS S3 **NOTE** Keep in mind that when using the `aws-s3` persistence type, you will not be able to provide an IAM on the pod level. In order to grant permissions to Artifactory using an IAM role, you will have to attach the said IAM role to the machine(s) on which Artifactory is running. diff --git a/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml b/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml new file mode 100644 index 000000000..5ac068827 --- /dev/null +++ b/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml 
@@ -0,0 +1,16 @@
+{{- if not .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
+{{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ template "artifactory-ha.fullname" . }}-gcpcreds
+  labels:
+    app: {{ template "artifactory-ha.name" . }}
+    chart: {{ template "artifactory-ha.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+stringData:
+  gcp.credentials.json: |-
+{{ tpl .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config . | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/stable/artifactory/templates/artifactory-statefulset.yaml b/stable/artifactory/templates/artifactory-statefulset.yaml
index 5cda8f790..830c2e965 100644
--- a/stable/artifactory/templates/artifactory-statefulset.yaml
+++ b/stable/artifactory/templates/artifactory-statefulset.yaml
@@ -255,6 +255,11 @@ spec:
           mountPath: "/artifactory_bootstrap/binarystore.xml"
           subPath: binarystore.xml
         {{- end }}
+        {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+        - name: gcpcreds-json
+          mountPath: "/artifactory_bootstrap/gcp.credentials.json"
+          subPath: gcp.credentials.json
+        {{- end }}
         {{- if .Values.artifactory.customVolumeMounts }}
 {{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
         {{- end }}
@@ -382,6 +387,11 @@ spec:
         - name: installer-info
           mountPath: "/artifactory_bootstrap/info/installer-info.json"
           subPath: installer-info.json
+        {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+        - name: gcpcreds-json
+          mountPath: "/artifactory_bootstrap/gcp.credentials.json"
+          subPath: gcp.credentials.json
+        {{- end }}
         {{- if .Values.artifactory.customVolumeMounts }}
 {{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
         {{- end }}
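Review bot: The Secret's `metadata.name` and its `app`/`chart` labels call `artifactory-ha.fullname`, `artifactory-ha.name` and `artifactory-ha.chart`, but this file lives in the `stable/artifactory` chart, whose statefulset names its license Secret with `{{ template "artifactory.fullname" . }}-license` (visible as context in the volumes hunk at -538); unless this chart also defines `artifactory-ha.*` helpers, rendering this template fails. The default `secretName` in that volumes hunk uses the same `artifactory-ha.fullname` call, so both spots should read `{{ template "artifactory.fullname" . }}-gcpcreds`. Separately, the `tpl` on `gcpServiceAccount.config` is reached whenever `enabled` is true and `customSecretName` is unset, so leaving `config` at its empty default is likely to fail inside `tpl` with an unhelpful type error; `{{ tpl (required "gcpServiceAccount.config or customSecretName must be set" .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config) . | indent 4 }}` names the missing value instead.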
@@ -538,6 +548,15 @@ spec:
           secretName: {{ template "artifactory.fullname" . }}-license
         {{- end }}
       {{- end }}
+      {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+      - name: gcpcreds-json
+        secret:
+        {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
+          secretName: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
+        {{- else }}
+          secretName: {{ template "artifactory-ha.fullname" . }}-gcpcreds
+        {{- end }}
+      {{- end }}
       {{- if or (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) .Values.artifactory.admin.password }}
       - name: access-bootstrap-creds
         secret:
diff --git a/stable/artifactory/values.yaml b/stable/artifactory/values.yaml
index 00e4776ea..b53de219e 100644
--- a/stable/artifactory/values.yaml
+++ b/stable/artifactory/values.yaml
@@ -707,6 +707,12 @@ artifactory:
     ## For artifactory.persistence.type google-storage
     googleStorage:
+      ## When using GCP buckets as your binary store (Available with enterprise license only)
+      gcpServiceAccount:
+        enabled: false
+        ## Use either an existing secret prepared in advance or put the config in the values
+        customSecretName:
+        config:
       endpoint: storage.googleapis.com
       httpsOnly: false
       # Set a unique bucket name
From 1583261462aa93e71865aa69f2bbca356a3655f2 Mon Sep 17 00:00:00 2001
From: Jason D
Date: Thu, 11 Jun 2020 11:25:41 -0700
Subject: [PATCH 2/9] chore: update chart.yaml and changelog
---
 stable/artifactory/CHANGELOG.md | 3 +++
 stable/artifactory/Chart.yaml | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/stable/artifactory/CHANGELOG.md b/stable/artifactory/CHANGELOG.md
index 9b4798057..bff976f48 100644
--- a/stable/artifactory/CHANGELOG.md
+++ b/stable/artifactory/CHANGELOG.md
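Review bot: The comment above `customSecretName:` and `config:` in the values hunk does not say what `config` holds: per the new Secret template it is the complete service-account key JSON, private key included, and whatever is placed here is rendered into the chart-managed Secret and also retained in the Helm release record with the other supplied values. A comment such as `## config: full service-account key JSON (contains the private key); prefer customSecretName so the key stays out of values files and release history` makes that trade-off visible where users set it. The block is inserted under `googleStorage:`, whose remaining keys are outside this hunk.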
@@ -1,6 +1,9 @@
 # JFrog Artifactory Chart Changelog
 All changes to this chart will be documented in this file.
+## [9.6.0] - Jun 11, 2020
+* Support GCP credentials.json authentication
+
 ## [9.5.1] - Jun 8, 2020
 * Readme update - configuring Artifactory with oracledb
diff --git a/stable/artifactory/Chart.yaml b/stable/artifactory/Chart.yaml
index 2c520d396..3fa185b35 100644
--- a/stable/artifactory/Chart.yaml
+++ b/stable/artifactory/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: artifactory
 home: https://www.jfrog.com/artifactory/
-version: 9.5.1
+version: 9.6.0
 appVersion: 7.5.5
 description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers.
From abfea90692a45005507c9ddcf4cb847c86c562f7 Mon Sep 17 00:00:00 2001
From: jdamour98
Date: Fri, 12 Jun 2020 13:14:05 -0700
Subject: [PATCH 3/9] Update Chart.yaml
---
 stable/artifactory/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/artifactory/Chart.yaml b/stable/artifactory/Chart.yaml
index 3fa185b35..951c32efa 100644
--- a/stable/artifactory/Chart.yaml
+++ b/stable/artifactory/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: artifactory
 home: https://www.jfrog.com/artifactory/
-version: 9.6.0
+version: 9.5.2
 appVersion: 7.5.5
 description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers.
From 5d61c24c3d92781b1215e2d98356a2e0271ad850 Mon Sep 17 00:00:00 2001
From: jdamour98
Date: Fri, 12 Jun 2020 13:14:49 -0700
Subject: [PATCH 4/9] Update README.md
---
 stable/artifactory/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/artifactory/README.md b/stable/artifactory/README.md
index e7b1f7c57..36acbbc23 100644
--- a/stable/artifactory/README.md
+++ b/stable/artifactory/README.md
@@ -170,7 +170,7 @@ Pass Google Storage parameters to `helm install` and `helm upgrade` ... ``` -In order to use a GCP service account, Artifactory needs a gcp.credentials.json file in the same directory asa binaraystore.xml file. +In order to use a GCP service account, Artifactory needs a gcp.credentials.json file in the same directory as a binaraystore.xml file. This can be generated by running: ```bash gcloud iam service-accounts keys create --iam-account From 8422ba932882d1e17738dd666da94c4936951692 Mon Sep 17 00:00:00 2001 From: jdamour98 Date: Fri, 12 Jun 2020 13:16:21 -0700 Subject: [PATCH 5/9] Update values.yaml --- stable/artifactory/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/artifactory/values.yaml b/stable/artifactory/values.yaml index b53de219e..3f9fed5a6 100644 --- a/stable/artifactory/values.yaml +++ b/stable/artifactory/values.yaml @@ -710,7 +710,7 @@ artifactory: ## When using GCP buckets as your binary store (Available with enterprise license only) gcpServiceAccount: enabled: false - ## Use either an existing secret prepared in advance or put the config in the values + ## Use either an existing secret prepared in advance or put the config in the values customSecretName: config: endpoint: storage.googleapis.com From 58faf053cd2af981832d5062139bb27618081cf7 Mon Sep 17 00:00:00 2001 From: jdamour98 Date: Wed, 12 Aug 2020 21:10:37 -0700 Subject: [PATCH 6/9] docs: fix typos and examples --- stable/artifactory/README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/stable/artifactory/README.md b/stable/artifactory/README.md index e7b1f7c57..c71603eb6 100644 --- a/stable/artifactory/README.md +++ b/stable/artifactory/README.md 
@@ -201,17 +201,19 @@ Set this secret in your custom `values.yaml` ```bash artifactory: persistence: - googleStorage + type: google-storage + googleStorage: gcpServiceAccount: enabled: true customSecretName: artifactory-gcp-creds ``` -Another option is to put your generated config directly in your custom `values.yaml` and the a secret will be created from it +Another option is to put your generated config directly in your custom `values.yaml` and the secret will be created from it ``` artifactory: persistence: - googleStorage + type: google-storage + googleStorage: gcpServiceAccount: enabled: true config: | From 40fbe40c6e10b54fe088de21e33360686532588b Mon Sep 17 00:00:00 2001 From: jdamour98 Date: Wed, 12 Aug 2020 21:28:14 -0700 Subject: [PATCH 7/9] add optional value to change gcp credential secret key --- stable/artifactory/README.md | 1 + .../templates/artifactory-gcp-credentials-secret.yaml | 2 +- stable/artifactory/templates/artifactory-statefulset.yaml | 8 ++++---- stable/artifactory/values.yaml | 1 + 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/stable/artifactory/README.md b/stable/artifactory/README.md index e9f1bf39f..842edb861 100644 --- a/stable/artifactory/README.md +++ b/stable/artifactory/README.md @@ -195,6 +195,7 @@ One option is to create your own [Secret](https://kubernetes.io/docs/concepts/co ```bash # Create the Kubernetes secret from the file you created earlier. # IMPORTANT: The file must be called "gcp.credentials.json" because this is used later as the secret key! +# (The secret key can be overridden by artifactory.persistence.googleStorage.customSecretKey) kubectl create secret generic artifactory-gcp-creds --from-file=./gcp.credentials.json ``` Set this secret in your custom `values.yaml` diff --git a/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml b/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml index 5ac068827..df8098b67 100644 
--- a/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml
+++ b/stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml
@@ -10,7 +10,7 @@ metadata:
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 stringData:
-  gcp.credentials.json: |-
+  {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}: |-
 {{ tpl .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config . | indent 4 }}
 {{- end }}
 {{- end }}
diff --git a/stable/artifactory/templates/artifactory-statefulset.yaml b/stable/artifactory/templates/artifactory-statefulset.yaml
index 830c2e965..474422263 100644
--- a/stable/artifactory/templates/artifactory-statefulset.yaml
+++ b/stable/artifactory/templates/artifactory-statefulset.yaml
@@ -257,8 +257,8 @@ spec:
         {{- end }}
         {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
         - name: gcpcreds-json
-          mountPath: "/artifactory_bootstrap/gcp.credentials.json"
-          subPath: gcp.credentials.json
+          mountPath: "/artifactory_bootstrap/{{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}"
+          subPath: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}
         {{- end }}
         {{- if .Values.artifactory.customVolumeMounts }}
 {{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
@@ -389,8 +389,8 @@ spec:
           subPath: installer-info.json
         {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
         - name: gcpcreds-json
-          mountPath: "/artifactory_bootstrap/gcp.credentials.json"
-          subPath: gcp.credentials.json
+          mountPath: "/artifactory_bootstrap/{{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}"
+          subPath: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}
         {{- end }}
         {{- if .Values.artifactory.customVolumeMounts }}
 {{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
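Review bot: The Secret key is now the unquoted template `{{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}: |-`; if the value is cleared (for example with `--set ...customSecretKey=`) the line renders as `  : |-`, which is invalid YAML, and a value containing a YAML indicator would alter the mapping. Writing `{{ required "gcpServiceAccount.customSecretKey must be set" .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey | quote }}: |-` rejects the empty case at render time and keeps the key a plain string. The same unquoted value is used as `subPath` in both statefulset hunks (-257 and -389) and deserves the same `| quote`; since `subPath` must name a key in the referenced Secret, users supplying `customSecretName` now have to create their secret with this key.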
diff --git a/stable/artifactory/values.yaml b/stable/artifactory/values.yaml
index 3f9fed5a6..18cf2de2c 100644
--- a/stable/artifactory/values.yaml
+++ b/stable/artifactory/values.yaml
@@ -712,6 +712,7 @@ artifactory:
         enabled: false
         ## Use either an existing secret prepared in advance or put the config in the values
         customSecretName:
+        customSecretKey: gcp.credentials.json
         config:
       endpoint: storage.googleapis.com
       httpsOnly: false
From 71b4c1c78baad33b59201aa2e4687ca6df0b4320 Mon Sep 17 00:00:00 2001
From: jdamour98
Date: Wed, 12 Aug 2020 21:42:47 -0700
Subject: [PATCH 8/9] docs: add rows to values table
---
 stable/artifactory/README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/stable/artifactory/README.md b/stable/artifactory/README.md
index 842edb861..8c27eaa3e 100644
--- a/stable/artifactory/README.md
+++ b/stable/artifactory/README.md
@@ -1029,6 +1029,9 @@ The following table lists the configurable parameters of the artifactory chart a
 | `artifactory.persistence.googleStorage.bucketName` | Google Storage bucket name | `artifactory` |
 | `artifactory.persistence.googleStorage.identity` | Google Storage service account id | |
 | `artifactory.persistence.googleStorage.credential` | Google Storage service account key | |
+| `artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName` | Google Storage service account secret name | |
+| `artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey` | Google Storage service account secret key | `gcp.credential.json`
+| `artifactory.persistence.googleStorage.gcpServiceAccount.config` | Google Storage service account key json | |
 | `artifactory.persistence.googleStorage.path` | Google Storage path in bucket | `artifactory/filestore` |
 | `artifactory.persistence.googleStorage.bucketExists`| Google Storage bucket exists therefore does not need to be created.| `false` |
 | `artifactory.persistence.awsS3.bucketName` | AWS S3 bucket name | `artifactory-aws` |
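Review bot: `customSecretKey: gcp.credentials.json` is added without a comment, although it now drives both the key of the chart-managed Secret and the `subPath` of the mount, and therefore must match the key inside any secret supplied through `customSecretName`. Suggest `## Key inside the secret that holds the credentials JSON; a secret given via customSecretName must use this key` above it. The README table row added in PATCH 8 documents the default as `gcp.credential.json` (without the `s`), which disagrees with this value.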
From c9c79dec84408672ed444014fca11f4885765427 Mon Sep 17 00:00:00 2001
From: jdamour98
Date: Thu, 13 Aug 2020 00:49:25 -0700
Subject: [PATCH 9/9] fix: use set filename
---
 stable/artifactory/templates/artifactory-statefulset.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stable/artifactory/templates/artifactory-statefulset.yaml b/stable/artifactory/templates/artifactory-statefulset.yaml
index 474422263..e29ec93d3 100644
--- a/stable/artifactory/templates/artifactory-statefulset.yaml
+++ b/stable/artifactory/templates/artifactory-statefulset.yaml
@@ -257,7 +257,7 @@ spec:
         {{- end }}
         {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
         - name: gcpcreds-json
-          mountPath: "/artifactory_bootstrap/{{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}"
+          mountPath: "/artifactory_bootstrap/gcp.credentials.json"
           subPath: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}
         {{- end }}
         {{- if .Values.artifactory.customVolumeMounts }}
@@ -389,7 +389,7 @@ spec:
           subPath: installer-info.json
         {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
         - name: gcpcreds-json
-          mountPath: "/artifactory_bootstrap/{{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}"
+          mountPath: "/artifactory_bootstrap/gcp.credentials.json}"
           subPath: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}
         {{- end }}
         {{- if .Values.artifactory.customVolumeMounts }}
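Review bot: The second hunk (-389) leaves a stray `}` in the new path, `mountPath: "/artifactory_bootstrap/gcp.credentials.json}"`, so that container receives the file as `gcp.credentials.json}` while the first hunk (-257) mounts it as `gcp.credentials.json`; both should read `mountPath: "/artifactory_bootstrap/gcp.credentials.json"`. With the mount path pinned to the filename Artifactory expects and `subPath` still templated from `customSecretKey`, the only remaining coupling is that the Secret's key must equal `customSecretKey`, which is what this fix intends.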