
Two containers not coming from registry1

Postgresql and nginx are not coming from registry1. Since OPA out of the box now will deny this, there should be a note on how to deploy this for newer versions of big bang.

Add the following to your bigbang configmap to fix deployment issues.

gatekeeper:
  values:
    violations:
      allowedDockerRegistries:
        parameters:
          repos:
          - releases-docker.jfrog.io
          - docker.io

docker.io/bitnami/postgresql:13.2.0-debian-10-r55

releases-docker.jfrog.io/jfrog/nginx-artifactory-pro:7.21.7

Please let me know if this is on the roadmap to change or if this was noted by iron bank somewhere in the process? @ariel.shnitzer

Side note, I did try to deploy with iron bank open source nginx but was running into the following errors:

sh-4.2$ kubectl get po -n jfrog
NAME                                            READY   STATUS    RESTARTS   AGE
jfrog-jfrog-platform-artifactory-ha-member-0    1/1     Running   0          7m19s
jfrog-jfrog-platform-artifactory-ha-member-1    1/1     Running   0          4m50s
jfrog-jfrog-platform-artifactory-ha-primary-0   1/1     Running   0          7m19s
jfrog-jfrog-platform-nginx-ccf9cdc69-x8s9v      0/1     Running   0          7m20s
jfrog-jfrog-platform-postgresql-0               1/1     Running   0          7m17s
jfrog-jfrog-platform-rabbitmq-0                 1/1     Running   0          7m18s
jfrog-jfrog-platform-xray-0                     5/5     Running   0          7m18s

sh-4.2$ kubectl describe po jfrog-jfrog-platform-nginx-ccf9cdc69-x8s9v -n jfrog
Name:         jfrog-jfrog-platform-nginx-ccf9cdc69-x8s9v
Namespace:    jfrog
Priority:     0
Node:         ip-10-0-10-133.us-gov-west-1.compute.internal/10.0.10.133
Start Time:   Sat, 04 Dec 2021 03:28:44 +0000
Labels:       app=artifactory-ha
              chart=artifactory-ha-107.24.3
              component=nginx
              heritage=Helm
              pod-template-hash=ccf9cdc69
              release=jfrog-jfrog-platform
Annotations:  checksum/nginx-artifactory-conf: 2259a43ba2d0f78a92fd370d4ddf9fc3567ff1af6b5993b200ef1eb2249c749b
              checksum/nginx-conf: 25359512a08a5a17491a21482fdcd27c0c9994c64b7c1a0de23eacf8524fcaf1
              kubernetes.io/psp: eks.privileged
Status:       Running
IP:           10.0.10.41
IPs:
  IP:           10.0.10.41
Controlled By:  ReplicaSet/jfrog-jfrog-platform-nginx-ccf9cdc69
Init Containers:
  setup:
    Container ID:  docker://bc7a2fdf4990d9f3846307c6678bbbe70b89f9bbbff5fc398e5e2e88561fd7a3
    Image:         releases-docker.jfrog.io/alpine:3.14.0
    Image ID:      docker-pullable://releases-docker.jfrog.io/alpine@sha256:1775bebec23e1f3ce486989bfc9ff3c4e951690df84aa9f926497d82f2ffca9d
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -c
      rm -rfv /var/opt/jfrog/nginx/lost+found; mkdir -p /var/opt/jfrog/nginx/logs;

    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sat, 04 Dec 2021 03:28:45 +0000
      Finished:     Sat, 04 Dec 2021 03:28:45 +0000
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/opt/jfrog/nginx from nginx-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-lxfbq (ro)
Containers:
  nginx:
    Container ID:  docker://d0e3c19cbd735066ae6fb69562dec162d361b5332bf452a9626234e02df7853e
    Image:         registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3
    Image ID:      docker-pullable://registry1.dso.mil/ironbank/opensource/nginx/nginx@sha256:d126f5b55151cafd08ec99f88165913964884dae33f10a69eebee982c983e575
    Ports:         80/TCP, 443/TCP
    Host Ports:    0/TCP, 0/TCP
    Command:
      nginx
      -g
      daemon off;
    State:          Running
      Started:      Sat, 04 Dec 2021 03:28:52 +0000
    Ready:          False
    Restart Count:  0
    Liveness:       http-get http://:80/router/api/v1/system/health delay=0s timeout=5s period=10s #success=1 #failure=10
    Readiness:      http-get http://:80/router/api/v1/system/health delay=0s timeout=5s period=10s #success=1 #failure=10
    Startup:        http-get http://:80/router/api/v1/system/health delay=30s timeout=5s period=5s #success=1 #failure=90
    Environment:    <none>
    Mounts:
      /etc/nginx/nginx.conf from nginx-conf (rw,path="nginx.conf")
      /var/opt/jfrog/nginx from nginx-volume (rw)
      /var/opt/jfrog/nginx/conf.d/ from nginx-artifactory-conf (rw)
      /var/opt/jfrog/nginx/ssl from ssl-certificates (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-lxfbq (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  nginx-conf:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jfrog-jfrog-platform-artifactory-ha-nginx-conf
    Optional:  false
  nginx-artifactory-conf:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jfrog-jfrog-platform-artifactory-ha-nginx-artifactory-conf
    Optional:  false
  nginx-volume:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  ssl-certificates:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  jfrog-jfrog-platform-artifactory-ha-nginx-certificate
    Optional:    false
  kube-api-access-lxfbq:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                    From               Message
  ----     ------     ----                   ----               -------
  Normal   Scheduled  7m6s                   default-scheduler  Successfully assigned jfrog/jfrog-jfrog-platform-nginx-ccf9cdc69-x8s9v to ip-10-0-10-133.us-gov-west-1.compute.internal
  Normal   Pulled     7m5s                   kubelet            Container image "releases-docker.jfrog.io/alpine:3.14.0" already present on machine
  Normal   Created    7m5s                   kubelet            Created container setup
  Normal   Started    7m5s                   kubelet            Started container setup
  Normal   Pulling    7m5s                   kubelet            Pulling image "registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3"
  Normal   Pulled     6m59s                  kubelet            Successfully pulled image "registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3" in 5.745530839s
  Normal   Created    6m59s                  kubelet            Created container nginx
  Normal   Started    6m58s                  kubelet            Started container nginx
  Warning  Unhealthy  2m1s (x54 over 6m26s)  kubelet            Startup probe failed: Get "http://10.0.10.41:80/router/api/v1/system/health": dial tcp 10.0.10.41:80: connect: connection refused

sh-4.2$ kubectl get pods -n jfrog -o jsonpath="{.items[*].spec.containers[*].image}" |\
>     tr -s '[[:space:]]' '\n' |\
>     sort |\
>     uniq -c
      1 docker.io/bitnami/postgresql:13.2.0-debian-10-r55
      3 registry1.dso.mil/ironbank/jfrog/artifactory/artifactory:7.21.7
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/router:7.21.5
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-analysis:3.30.2
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-indexer:3.30.2
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-persist:3.30.2
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-rabbitmq:3.8.14-debian-10-r32
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-server:3.30.2
      1 registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3
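To see which images the registry allow list would admit before an admission denial surfaces, the following added example (not code from this issue, Big Bang or Gatekeeper) parses `uniq -c` style output like the one above and approximates the `allowedDockerRegistries` check as "the image's registry host must be in the allow list"; the sample input is constructed and the Big Bang default of only trusting registry1.dso.mil is an assumption.

```python
"""Audit which images an allowedDockerRegistries-style allow list admits.
Added example, not from the issue or Big Bang/Gatekeeper: the policy is
approximated as "the image's registry host must be in the allow list"."""
import re
from typing import Iterable

# Constructed sample in the shape of the `kubectl ... | uniq -c` output above.
SAMPLE_UNIQ_OUTPUT = """\
      1 docker.io/bitnami/postgresql:13.2.0-debian-10-r55
      3 registry1.dso.mil/ironbank/jfrog/artifactory/artifactory:7.21.7
      1 registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3
      1 releases-docker.jfrog.io/jfrog/nginx-artifactory-pro:7.21.7
      1 bitnami/postgresql:13.2.0
"""

def registry_of(image: str) -> str:
    """Registry host of an image reference, following the Docker naming rule:
    the first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image implicitly comes from docker.io."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def parse_uniq_output(text: str) -> dict:
    """Parse `uniq -c` lines into {image: count}."""
    counts = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    return counts

def audit(images: Iterable[str], allowed_registries: Iterable[str]) -> dict:
    """Return {'allowed': [...], 'denied': [...]} for the given allow list.
    Comparing the parsed host exactly avoids prefix matching, where an entry
    such as 'docker.io' would also accept 'docker.io.example.net/...'."""
    allowed = {r.rstrip("/") for r in allowed_registries}
    verdict = {"allowed": [], "denied": []}
    for img in sorted(images):
        key = "allowed" if registry_of(img) in allowed else "denied"
        verdict[key].append(img)
    return verdict

if __name__ == "__main__":
    images = parse_uniq_output(SAMPLE_UNIQ_OUTPUT)
    # Assumed default Big Bang posture: only registry1 is trusted.
    for key, imgs in audit(images, ["registry1.dso.mil"]).items():
        print(key, *imgs, sep="\n  ")
```

Images with no registry host (the last sample line) are normalized to docker.io, so they are admitted or denied together with explicit docker.io references rather than slipping past a naive prefix comparison.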