From cc91e4f74594a08dd246fbf5b21d629e02f65332 Mon Sep 17 00:00:00 2001 From: ypan Date: Mon, 27 Jan 2025 00:46:11 -0800 Subject: [PATCH] [examples] Platform chart with 3-Node Artifactory with Distribution and direct-S3 Persistence (#1949) * added examples to deploy 3-Node Artifactory Cluster with Distribution and direct-S3 Persistence - Added code block for all commands - Updated S3 example to use IAM role - Modified OpenShift notes - Explained the use of sizing files --- .../HA-with-distribution-S3/binarystore.xml | 21 +++ .../HA-with-distribution-S3/readme.md | 128 ++++++++++++++++++ .../values-artifactory.yaml | 84 ++++++++++++ .../values-distribution.yaml | 16 +++ .../HA-with-distribution-S3/values-main.yaml | 41 ++++++ .../values-openshift.yaml | 24 ++++ 6 files changed, 314 insertions(+) create mode 100644 examples/jfrog-platform/HA-with-distribution-S3/binarystore.xml create mode 100644 examples/jfrog-platform/HA-with-distribution-S3/readme.md create mode 100644 examples/jfrog-platform/HA-with-distribution-S3/values-artifactory.yaml create mode 100644 examples/jfrog-platform/HA-with-distribution-S3/values-distribution.yaml create mode 100644 examples/jfrog-platform/HA-with-distribution-S3/values-main.yaml create mode 100644 examples/jfrog-platform/HA-with-distribution-S3/values-openshift.yaml diff --git a/examples/jfrog-platform/HA-with-distribution-S3/binarystore.xml b/examples/jfrog-platform/HA-with-distribution-S3/binarystore.xml new file mode 100644 index 000000000..e880457ce --- /dev/null +++ b/examples/jfrog-platform/HA-with-distribution-S3/binarystore.xml @@ -0,0 +1,21 @@ + + + + + + + + s3.amazonaws.com + bucketName + pathPrefix + yourCredentials + true + 600 + 50 + 10000 + true + + + 5000000000 + + \ No newline at end of file diff --git a/examples/jfrog-platform/HA-with-distribution-S3/readme.md b/examples/jfrog-platform/HA-with-distribution-S3/readme.md new file mode 100644 index 000000000..419a75e50 --- /dev/null 
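Review bot: The S3 provider block still carries a static `yourCredentials` placeholder (the element names are not preserved in this rendering) even though the readme and values-artifactory.yaml now grant bucket access through an IAM role bound to the service account. A credential slot left in a committed example invites readers to paste long-lived access keys into the `my-binarystore` Secret, and a key set there presumably takes precedence over the role, silently defeating the IAM-role setup the commit message advertises. I would remove the identity/credential placeholders from the example, or comment them out with `<!-- leave identity/credential unset: access is granted by the IAM role in serviceAccount.annotations -->`, so the file matches the path the readme documents. The file is also missing its trailing newline.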
+++ b/examples/jfrog-platform/HA-with-distribution-S3/readme.md 
@@ -0,0 +1,128 @@ +## 3-Node Artifactory Cluster with Distribution and direct-S3 Provider + +### Overall +| Product | Enabled | +|-------------|-------------| +| Artifactory | ✅ | +| xray | ❌ | +| distribution | ✅ | +| insight | ❌ | +| pipelines | ❌ | +| worker | ❌ | + + +### Artifactory +| Detail | Value | +|-------------|-------------| +| Replica | 3 | +| Database | External Postgres | +| Persistence | Default Storage Class + S3 | +| SSL | ✅ | +| Ingress | ❌ | +| Nginx Deployment | ✅ | +| UnifiedSecret | ✅ | +| Non-Default Admin Credential | ✅ | +| Default Master Key | ❌ | +| Sizing Parameters | artifactory-xlarge | +| Private Registry | ✅ | + + +### Distribution + +| Detail | Value | +|-------------|-------------| +| Replica | 2 | +| Database | External Postgres | +| Persistence | Default Storage Class | +| External Redis | ❌ | +| SSL | ✅ | +| UnifiedSecret | ❌ | +| Sizing Parameters | distribution-xlarge | +| Private Registry | ✅ | + +## Install + +1. In `values-main.yaml`, add your Artifactory hostname as `jfrogUrl`. + +2. To pull images from a private registry, create your own `imagePullSecrets` and fill in `imagePullSecrets` and `imageRegistry` in `values-main.yaml`: + + ``` + $ kubectl create secret docker-registry regsecret --docker-server= --docker-username= --docker-password= --docker-email= + ``` + +3. Passing secret: + + If you want to change the secret name, remember to update the reference in `values-main.yaml` or `values-artifactory.yaml` + + a. Master Key + + ``` + $ kubectl create secret generic my-master-key --from-literal=master-key="$(openssl rand -hex 32)" -n + ``` + + b. Join Key + + ``` + $ kubectl create secret generic my-join-key --from-literal=join-key="$(openssl rand -hex 32)" -n + ``` + + c. CA Certificate for SSL + + Passing your own `ca.crt` for artifactory if needed for ssl configuration. See prerequisite for `ca.crt`. 
[here](https://jfrog.com/help/r/jfrog-installation-setup-documentation/prerequisites-for-custom-tls-certificate) + + ``` + $ kubectl create secret tls my-cacert --cert=ca.crt --key=ca.private.key -n + ``` + + d. Default Admin Credentials + + ``` + $ kubectl create secret generic my-admin --from-literal=bootstrap.creds="$(printf "%s@%s=%s" admin 127.0.0.1 password| base64 )" -n + ``` + +4. Fill in database details ( `values-artifactory.yaml` ). [See here for more details related to database.](https://jfrog.com/help/r/jfrog-installation-setup-documentation/database-configuration) + + ``` + $ kubectl create secret generic my-database --from-literal=db-url='database_url' --from-literal=db-user='admin_user' --from-literal=db-password='password' -n + $ kubectl create secret generic my-distribution-database --from-literal=db-url='database_url' --from-literal=db-user='admin_user' --from-literal=db-password='password' -n + ``` + +5. Create the `binarystore.xml` secret or pull the values from environment variables. + + ``` + $ kubectl create secret generic my-binarystore --from-file=binarystore.xml + ``` + + [Create an IAM role with `AmazonS3FullAccess` permission](https://jfrog.com/help/r/active/artifactory-connect-artifactory-to-s3-bucket-with-iam-role) + + Associate an IAM role to the service account in `values-artifactory.yaml` by specifying the ARN: + + ``` + serviceAccount: + create: true + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam:::role/ + ``` + +6. Pull charts ( if you need to reference the suggested sizing paramerters ) and install + + In this example, we are going to reference the baseline xlarge sizing parameters for our Artifactory and Distribution release. To do so, first pull and untar the chart. You may skip these steps and add/create your own sizing parameter YAML. 
+ + See more details regarding the baseline sizing parameters [here](https://jfrog.com/help/r/jfrog-platform-reference-architecture/jfrog-platform-reference-architecture) + + ``` + $ helm repo update + $ helm pull jfrog/jfrog-platform --untar + ``` + + ``` + $ helm install jfrog/jfrog-platform -n -f values-main.yaml -f values-artifactory.yaml -f values-distribution.yaml -f jfrog-platform/charts/artifactory/sizing/artifactory-xlarge.yaml -f jfrog-platform/charts/distribution/sizing/distribution-xlarge.yaml + ``` + +7. If installing on OpenShift, add values-openshift.yaml: + + ``` + $ helm install jfrog/jfrog-platform -n -f values-main.yaml -f values-artifactory.yaml -f values-distribution.yaml -f values-openshift.yaml -f jfrog-platform/charts/artifactory/sizing/artifactory-xlarge.yaml -f jfrog-platform/charts/distribution/sizing/distribution-xlarge.yaml + ``` + +Note: To install on OpenShift out-of-the-box, you need Distribution chart 102.23.0+, so the minimum platform chart version is 10.17.4+. \ No newline at end of file diff --git a/examples/jfrog-platform/HA-with-distribution-S3/values-artifactory.yaml b/examples/jfrog-platform/HA-with-distribution-S3/values-artifactory.yaml new file mode 100644 index 000000000..2141faa35 --- /dev/null +++ b/examples/jfrog-platform/HA-with-distribution-S3/values-artifactory.yaml 
@@ -0,0 +1,84 @@
+artifactory:
+ ingress:
+ enabled: false
+ router:
+ tlsEnabled: true
+
+ artifactory:
+ name: artifactory
+ admin:
+ secret: my-admin
+ dataKey: bootstrap.creds
+
+ service:
+ name: artifactory
+
+ replicator:
+ enabled: false
+ ingress:
+ enabled: false
+
+ serviceAccount:
+ create: true
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam:::role/
+
+ persistence:
+ enabled: true
+ accessMode: ReadWriteOnce
+ size: 100Gi
+ customBinarystoreXmlSecret: my-binarystore
+
+ access:
+ enabled: true
+ accessConfig:
+ security:
+ tls: true
+
+ mc:
+ enabled: true
+
+ # Nginx
+ nginx:
+ enabled: true
+ labels: {}
+ service:
+ ## For minikube, set this to NodePort, elsewhere use LoadBalancer
+ type: LoadBalancer
+ ssloffload: false
+ ## For supporting whitelist on the Nginx LoadBalancer service
+ ## Set this to a list of IP CIDR ranges
+ ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32']
+ ## or pass from helm command line
+ ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}'
+ loadBalancerSourceRanges: []
+ ## Assuming ssl terminiation at load balancer
+ ## For example, on Eks , add annoation like
+ ## service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...
+ ## service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+ annotations: {}
+ ## Provide static ip address
+ loadBalancerIP:
+
+ # chose your selector/affinities/toleration strategy based on actual need
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+
+
+ postgresql:
+ enabled: false
+
+ database:
+ type: "postgresql"
+ driver: org.postgresql.Driver
+ secrets:
+ user:
+ name: "my-database"
+ key: "db-user"
+ password:
+ name: "my-database"
+ key: "db-password"
+ url:
+ name: "my-database"
+ key: "db-url"
\ No newline at end of file
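Review bot: The `eks.amazonaws.com/role-arn` annotation under `serviceAccount` is what grants the Artifactory pods their S3 access, and the readme pairs it with `AmazonS3FullAccess`, which covers every bucket in the account rather than the one `customBinarystoreXmlSecret` points at; the example should steer readers to a bucket-scoped policy. I would add above the annotation: `# Attach a policy scoped to the Artifactory bucket (object get/put/delete and list on that bucket only), not AmazonS3FullAccess`. Two smaller points in the same hunk: `loadBalancerSourceRanges: []` leaves the nginx LoadBalancer reachable from any source, which the comment block above it should state outright, and `loadBalancerIP:` with no value parses as null rather than an empty string, so `loadBalancerIP: ""` would state the intent. The comments also misspell `terminiation`, `annoation` and `chose`.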
diff --git a/examples/jfrog-platform/HA-with-distribution-S3/values-distribution.yaml b/examples/jfrog-platform/HA-with-distribution-S3/values-distribution.yaml
new file mode 100644
index 000000000..ad6c43cdf
--- /dev/null
+++ b/examples/jfrog-platform/HA-with-distribution-S3/values-distribution.yaml
@@ -0,0 +1,16 @@
+distribution:
+ postgresql:
+ enabled: false
+ database:
+ type: "postgresql"
+ driver: org.postgresql.Driver
+ secrets:
+ user:
+ name: "my-distribution-database"
+ key: "db-user"
+ password:
+ name: "my-distribution-database"
+ key: "db-password"
+ url:
+ name: "my-distribution-database"
+ key: "db-url"
\ No newline at end of file
diff --git a/examples/jfrog-platform/HA-with-distribution-S3/values-main.yaml b/examples/jfrog-platform/HA-with-distribution-S3/values-main.yaml
new file mode 100644
index 000000000..9fc078044
--- /dev/null
+++ b/examples/jfrog-platform/HA-with-distribution-S3/values-main.yaml
@@ -0,0 +1,41 @@
+global:
+ imagePullSecrets:
+ - regsecret ## credential for your local registry
+ imageRegistry: releases-docker.jfrog.io ## local private registry
+ jfrogUrl: 'https://myjfrog.io' ## The artifactory host url
+ joinKeySecretName: my-join-key
+ masterKeySecretName: my-master-key
+ database:
+ initDBCreation: false
+
+## This Postgresql is used by all products , set postgresql.enabled: false, when you want to use external postgresql for all products
+postgresql:
+ enabled: false
+
+## This Rabbitmq is used by Xray and Pipelines only, set rabbitmq.enabled: false, when Xray or Pipelines is not enabled
+rabbitmq:
+ enabled: false
+
+## This Redis is used by pipelines only, set redis.enabled: false, when pipelines is not enabled
+redis:
+ enabled: false
+
+artifactory:
+ enabled: true
+ artifactory:
+ replicaCount: 3
+
+xray:
+ enabled: false
+
+distribution:
+ enabled: true
+ unifiedUpgradeAllowed: true
+ distribution:
+ unifiedSecretInstallation: false
+
+insight:
+ enabled: false
+
+pipelines:
+ enabled: false
\ No newline at end of file
diff --git a/examples/jfrog-platform/HA-with-distribution-S3/values-openshift.yaml b/examples/jfrog-platform/HA-with-distribution-S3/values-openshift.yaml
new file mode 100644
index 000000000..dd75046fa
--- /dev/null
+++ b/examples/jfrog-platform/HA-with-distribution-S3/values-openshift.yaml
@@ -0,0 +1,24 @@
+artifactory:
+ containerSecurityContext:
+ enabled: false
+ artifactory:
+ podSecurityContext:
+ enabled: false
+ nginx:
+ podSecurityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
+distribution:
+ containerSecurityContext:
+ enabled: false
+ podSecurityContext:
+ enabled: false
+ redis:
+ containerSecurityContext:
+ enabled: false
+ postgresql:
+ securityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
\ No newline at end of file
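Review bot: `imageRegistry: releases-docker.jfrog.io` is JFrog's public release registry, yet its inline comment calls it a `local private registry` and the `regsecret` entry above it is described as the credential for that local registry, so a reader who keeps the default value ends up creating a pull secret that may not correspond to the registry actually used. Either change the comment to `## registry to pull from; replace with your private mirror if you use one (see readme step 2)` or make the value an obvious placeholder for the private registry the readme describes. `jfrogUrl: 'https://myjfrog.io'` is likewise a placeholder the readme says must be replaced; a comment such as `## REQUIRED: replace with your Artifactory URL` next to it would make that visible in the file itself rather than only in the readme.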
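Review bot: Every pod and container security context in values-openshift.yaml is set to `enabled: false` with nothing in the file saying why; presumably the chart then emits no securityContext at all and the workloads run with whatever UID/GID and fsGroup the cluster's SecurityContextConstraints assign. That is the usual OpenShift pattern, but the file carries no OpenShift-specific marker, so applying it to any other cluster silently drops the hardening the chart otherwise provides. I would open the file with `# OpenShift only: SCCs assign UID/GID/fsGroup, so chart-level security contexts are disabled to avoid conflicts. Do not apply on non-OpenShift clusters.` Note too that `postgresql.securityContext` uses a different key name than the `podSecurityContext` used for the other components — presumably the subchart's own key, but worth confirming against the chart version the readme names as the minimum.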