[artifactory] feat: copy service account support from #696

stable/artifactory/CHANGELOG.md

@@ -1,6 +1,9 @@
 # JFrog Artifactory Chart Changelog
 All changes to this chart will be documented in this file.
 
+## [10.1.1] - Aug 13, 2020
+* Support GCP credentials.json authentication
+
 ## [10.1.0] - Aug 13, 2020
 * Updated Artifactory version to 7.7.3 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7)
 

stable/artifactory/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: artifactory
 home: https://www.jfrog.com/artifactory/
-version: 10.1.0
+version: 10.1.1
 appVersion: 7.7.3
 description: Universal Repository Manager supporting all major packaging formats,
   build tools and CI servers.

stable/artifactory/README.md

@@ -164,7 +164,8 @@ helm upgrade --install artifactory center/jfrog/artifactory --namespace artifact
 
 #### Google Storage
 To use a Google Storage bucket as the cluster's filestore. See [Google Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-GoogleStorageBinaryProvider)
-- Pass Google Storage parameters to `helm install` and `helm upgrade`
+
+Pass Google Storage parameters to `helm install` and `helm upgrade`
 ```bash
 ...
 --set artifactory.persistence.type=google-storage \
@@ -173,6 +174,69 @@ To use a Google Storage bucket as the cluster's filestore. See [Google Storage B
 ...
 ```
 
+In order to use a GCP service account, Artifactory needs a gcp.credentials.json file in the same directory as a binaraystore.xml file.
+This can be generated by running:
+```bash
+gcloud iam service-accounts keys create <file_name> --iam-account <service_account_name>
+```
+Which will produce the following, which can be saved to a file or copied into your `values.yaml`.
+```bash
+{
+   "type": "service_account",
+   "project_id": "<project_id>",
+   "private_key_id": "?????",
+   "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n",
+   "client_email": "???@j<project_id>.iam.gserviceaccount.com",
+   "client_id": "???????",
+   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+   "token_uri": "https://oauth2.googleapis.com/token",
+   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+   "client_x509_cert_url": "https://www.googleapis.com/robot/v1....."
+}
+```
+
+One option is to create your own [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) and pass it to your `helm install` in a custom `values.yaml`
+```bash
+# Create the Kubernetes secret from the file you created earlier.
+# IMPORTANT: The file must be called "gcp.credentials.json" because this is used later as the secret key!
+# (The secret key can be overridden by artifactory.persistence.googleStorage.customSecretKey)
+kubectl create secret generic artifactory-gcp-creds --from-file=./gcp.credentials.json
+```
+Set this secret in your custom `values.yaml`
+```bash
+artifactory:
+  persistence:
+    type: google-storage
+    googleStorage:
+      gcpServiceAccount:
+        enabled: true
+        customSecretName: artifactory-gcp-creds
+```
+
+Another option is to put your generated config directly in your custom `values.yaml` and the secret will be created from it
+```
+artifactory:
+  persistence:
+    type: google-storage
+    googleStorage:
+      gcpServiceAccount:
+        enabled: true
+        config: |
+          {
+             "type": "service_account",
+             "project_id": "<project_id>",
+             "private_key_id": "?????",
+             "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n",
+             "client_email": "???@j<project_id>.iam.gserviceaccount.com",
+             "client_id": "???????",
+             "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+             "token_uri": "https://oauth2.googleapis.com/token",
+             "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+             "client_x509_cert_url": "https://www.googleapis.com/robot/v1....."
+          }
+```
+
+
 #### AWS S3
 **NOTE** Keep in mind that when using the `aws-s3` persistence type, you will not be able to provide an IAM on the pod level.
 In order to grant permissions to Artifactory using an IAM role, you will have to attach the said IAM role to the machine(s) on which Artifactory is running.
@@ -1239,6 +1303,9 @@ The following table lists the configurable parameters of the artifactory chart a
 | `artifactory.persistence.googleStorage.bucketName`  | Google Storage bucket name          | `artifactory`             |
 | `artifactory.persistence.googleStorage.identity`    | Google Storage service account id   |                              |
 | `artifactory.persistence.googleStorage.credential`  | Google Storage service account key  |                              |
+| `artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName`  | Google Storage service account secret name  |                              |
+| `artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey`   | Google Storage service account secret key   |   `gcp.credential.json`      
+| `artifactory.persistence.googleStorage.gcpServiceAccount.config`   | Google Storage service account key json   |                         |
 | `artifactory.persistence.googleStorage.path`        | Google Storage path in bucket       | `artifactory/filestore`   |
 | `artifactory.persistence.googleStorage.bucketExists`| Google Storage bucket exists therefore does not need to be created.| `false`             |
 | `artifactory.persistence.awsS3.bucketName`          | AWS S3 bucket name                     | `artifactory-aws`             |

stable/artifactory/templates/artifactory-gcp-credentials-secret.yaml

@@ -0,0 +1,16 @@
+{{- if not .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
+{{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ template "artifactory-ha.fullname" . }}-gcpcreds
+  labels:
+    app: {{ template "artifactory-ha.name" . }}
+    chart: {{ template "artifactory-ha.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+stringData:
+  {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}: |-
+{{ tpl .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config . | indent 4 }}
+{{- end }}
+{{- end }}

stable/artifactory/templates/artifactory-statefulset.yaml

@@ -304,6 +304,11 @@ spec:
           mountPath: "/artifactory_bootstrap/binarystore.xml"
           subPath: binarystore.xml
       {{- end }}
+      {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+        - name: gcpcreds-json
+          mountPath: "/artifactory_bootstrap/gcp.credentials.json"
+          subPath: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}
+      {{- end }}
       {{- if .Values.artifactory.customVolumeMounts }}
 {{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
       {{- end }}
@@ -442,6 +447,11 @@ spec:
         - name: installer-info
           mountPath: "/artifactory_bootstrap/info/installer-info.json"
           subPath: installer-info.json
+      {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+        - name: gcpcreds-json
+          mountPath: "/artifactory_bootstrap/gcp.credentials.json}"
+          subPath: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretKey }}
+      {{- end }}
       {{- if .Values.artifactory.customVolumeMounts }}
 {{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }}
       {{- end }}
@@ -602,6 +612,15 @@ spec:
           secretName: {{ template "artifactory.fullname" . }}-license
           {{- end }}
       {{- end }}
+      {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+      - name: gcpcreds-json
+        secret:
+          {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
+          secretName: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
+          {{- else }}
+          secretName: {{ template "artifactory-ha.fullname" . }}-gcpcreds
+          {{- end }}
+      {{- end }}
       {{- if or (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) .Values.artifactory.admin.password }}
       - name: access-bootstrap-creds
         secret:

stable/artifactory/values.yaml

@@ -746,6 +746,13 @@ artifactory:
 
     ## For artifactory.persistence.type google-storage
     googleStorage:
+      ## When using GCP buckets as your binary store (Available with enterprise license only)
+      gcpServiceAccount:
+        enabled: false
+        ## Use either an existing secret prepared in advance or put the config in the values
+        customSecretName:
+        customSecretKey: gcp.credentials.json
+        config:
       endpoint: storage.googleapis.com
       httpsOnly: false
       # Set a unique bucket name