artifactory-oss 7.12.8

05ff3d29 · Daniel Miakotkin · 813f8a82 · 05ff3d29 · 05ff3d29 · 05ff3d29
Commit 05ff3d29 authored Feb 11, 2021 by Daniel Miakotkin
13 changed files
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dsop.io
 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
 ARG BASE_TAG=8.3

-FROM releases-docker.jfrog.io/jfrog/artifactory-oss:7.12.6 AS base
+FROM releases-docker.jfrog.io/jfrog/artifactory-oss:7.12.8 AS base

 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

@@ -10,7 +10,7 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 USER root

 # Set vars
-ARG ARTIFACTORY_VERSION=7.12.6
+ARG ARTIFACTORY_VERSION=7.12.8
 ENV JF_ARTIFACTORY_USER=artifactory \
    ARTIFACTORY_VERSION=${ARTIFACTORY_VERSION} \
    ARTIFACTORY_BOOTSTRAP=/artifactory_bootstrap \

--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "jfrog/artifactory/artifactory-oss"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
- "7.12.6"
+- "7.12.8"
 - "latest"

 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
  org.opencontainers.image.url: "https://jfrog.com"
  ## Name of the distributing entity, organization or individual
  org.opencontainers.image.vendor: "JFrog"
-  org.opencontainers.image.version: "7.12.6"
+  org.opencontainers.image.version: "7.12.8"
  ## Keywords to help with search (ex. "cicd,gitops,golang")
  mil.dso.ironbank.image.keywords: "storage,devops,container,binary,docker,maven,gradle,ivy"
  ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:

 # List of resources to make available to the offline build context
 resources:
- tag: releases-docker.jfrog.io/jfrog/artifactory-oss:7.12.6
-  url: docker://releases-docker.jfrog.io/jfrog/artifactory-oss@sha256:6c229effd2a7ef2807268267e1e296638e1f281e4d7b98eb829ef34ae95edef5
+- tag: releases-docker.jfrog.io/jfrog/artifactory-oss:7.12.8
+  url: docker://releases-docker.jfrog.io/jfrog/artifactory-oss@sha256:92924f80c4c656f9d31b5b060e925fa4d44939d4f112938f98f232a2e25a0948

 # List of project maintainers
 maintainers:

--- a/helm/CHANGELOG.md
+++ b/helm/CHANGELOG.md
 # JFrog Artifactory OSS Chart Changelog
 All changes to this chart will be documented in this file.

+## [3.4.1] - Feb 08, 2021
+* Update dependency Artifactory chart version to 11.8.0 (Artifactory 7.12.8)
+
 ## [3.4.0] - Jan 4, 2020
 * Update dependency Artifactory chart version to 11.7.4 (Artifactory 7.12.5)


--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
 apiVersion: v1
-appVersion: 7.12.5
+appVersion: 7.12.8
 description: JFrog Artifactory OSS
 home: https://www.jfrog.com/artifactory/
 icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory/logo/artifactory-logo.png
@@ -15,4 +15,4 @@ maintainers:
 name: artifactory-oss
 sources:
 - https://github.com/jfrog/charts
-version: 3.4.0
+version: 3.4.1
--- a/helm/charts/artifactory/CHANGELOG.md
+++ b/helm/charts/artifactory/CHANGELOG.md
 # JFrog Artifactory Chart Changelog
 All changes to this chart will be documented in this file.

-## [11.7.4] - Jan 04, 2020
+## [11.8.0] - Feb 08, 2021
+* Updated Artifactory version to 7.12.8 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.8)
+* Support for custom certificates using secrets
+* **Important:** Switched docker images download from `docker.bintray.io` to `releases-docker.jfrog.io`
+* Update alpine tag version to `3.13.1`
+
+## [11.7.8] - Jan 25, 2021
+* Add support for hostAliases
+
+## [11.7.7] - Jan 11, 2021
+* Fix failures when using creds file for configurating google storage
+
+## [11.7.6] - Jan 11, 2021
+* Updated Artifactory version to 7.12.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.12.6)
+
+## [11.7.5] - Jan 07, 2021
+* Added support for optional tracker dedicated ingress `.Values.artifactory.replicator.trackerIngress.enabled` (defaults to false)
+
+## [11.7.4] - Jan 04, 2021
 * Fixed gid support for statefulset

 ## [11.7.3] - Dec 31, 2020

--- a/helm/charts/artifactory/Chart.yaml
+++ b/helm/charts/artifactory/Chart.yaml
 apiVersion: v1
-appVersion: 7.12.5
+appVersion: 7.12.8
 description: Universal Repository Manager supporting all major packaging formats,
  build tools and CI servers.
 home: https://www.jfrog.com/artifactory/
@@ -15,4 +15,4 @@ name: artifactory
 sources:
 - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view
 - https://github.com/jfrog/charts
-version: 11.7.4
+version: 11.8.0
--- a/helm/charts/artifactory/templates/_helpers.tpl
+++ b/helm/charts/artifactory/templates/_helpers.tpl
@@ -35,6 +35,19 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}

+{{/*
+Create a default fully qualified replicator tracker ingress name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "artifactory.replicator.tracker.fullname" -}}
+{{- if .Values.artifactory.replicator.trackerIngress.name -}}
+{{- .Values.artifactory.replicator.trackerIngress.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-replication-tracker" .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified nginx name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -235,3 +248,13 @@ Return the proper artifactory app version
 {{- $tag := $image._1 -}}
 {{- printf "%s" $tag -}}
 {{- end -}}
+
+{{/*
+Custom certificate copy command
+*/}}
+{{- define "artifactory.copyCustomCerts" -}}
+echo "Copy custom certificates to {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted";
+mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted;
+find /tmp/certs -type f -not -name "*.key" -exec cp -v {} {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted \;;
+find {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/ -type f -name "tls.crt" -exec mv -v {} {{ .Values.artifactory.persistence.mountPath }}/etc/security/keys/trusted/ca.crt \;;
+{{- end -}}
--- a/helm/charts/artifactory/templates/artifactory-gcp-credentials-secret.yaml
+++ b/helm/charts/artifactory/templates/artifactory-gcp-credentials-secret.yaml
+{{- if not .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
+{{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ template "artifactory.fullname" . }}-gcpcreds
+  labels:
+    app: {{ template "artifactory.name" . }}
+    chart: {{ template "artifactory.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+stringData:
+  gcp.credentials.json: |-
+{{ tpl .Values.artifactory.persistence.googleStorage.gcpServiceAccount.config . | indent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/helm/charts/artifactory/templates/artifactory-statefulset.yaml
+++ b/helm/charts/artifactory/templates/artifactory-statefulset.yaml
@@ -43,6 +43,9 @@ spec:
      {{- if .Values.access.accessConfig }}
        checksum/access-config: {{ include (print $.Template.BasePath "/artifactory-access-config.yaml") . | sha256sum }}
      {{- end }}
+      {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+        checksum/gcpcredentials: {{ include (print $.Template.BasePath "/artifactory-gcp-credentials-secret.yaml") . | sha256sum }}
+      {{- end }}
      {{- if not (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) }}
        checksum/admin-creds: {{ include (print $.Template.BasePath "/admin-bootstrap-creds.yaml") . | sha256sum }}
      {{- end }}
@@ -226,6 +229,22 @@ spec:
          - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }}
            mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }}
    {{- end }}
+      {{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }}
+      - name: copy-custom-certificates
+        image: "{{ .Values.initContainerImage }}"
+        resources:
+{{ toYaml .Values.initContainers.resources | indent 10 }}
+        command:
+        - 'sh'
+        - '-c'
+        - >
+{{ include "artifactory.copyCustomCerts" . | indent 10 }}
+        volumeMounts:
+          - name: artifactory-volume
+            mountPath: {{ .Values.artifactory.persistence.mountPath }}
+          - name: ca-certs
+            mountPath: "/tmp/certs"
+      {{- end }}
    {{- if .Values.waitForDatabase }}
      {{- if .Values.postgresql.enabled }}
      - name: "wait-for-db"
@@ -334,11 +353,20 @@ spec:
        - name: binarystore-xml
          mountPath: "/artifactory_bootstrap/binarystore.xml"
          subPath: binarystore.xml
+      {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+        - name: gcpcreds-json
+          mountPath: "/artifactory_bootstrap/gcp.credentials.json"
+          subPath: gcp.credentials.json
+      {{- end }}
      {{- end }}
      {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }}
 {{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }}
      {{- end }}
 {{- end }}
+      {{- if .Values.hostAliases }}
+      hostAliases:
+{{ toYaml .Values.hostAliases | indent 6 }}
+      {{- end }}
      containers:
      - name: {{ .Values.artifactory.name }}
        image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }}
@@ -468,6 +496,11 @@ spec:
        - name: binarystore-xml
          mountPath: "/artifactory_bootstrap/binarystore.xml"
          subPath: binarystore.xml
+      {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+        - name: gcpcreds-json
+          mountPath: "/artifactory_bootstrap/gcp.credentials.json"
+          subPath: gcp.credentials.json
+      {{- end }}
      {{- end }}
      {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }}
        - name: artifactory-license
@@ -586,6 +619,11 @@ spec:
 {{ toYaml . | indent 8 }}
    {{- end }}
      volumes:
+      {{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }}
+      - name: ca-certs
+        secret:
+          secretName: {{ default .Values.global.customCertificates.certificateSecretName .Values.artifactory.customCertificates.certificateSecretName }}
+      {{- end }}   
      - name: binarystore-xml
        secret:
          {{- if .Values.artifactory.persistence.customBinarystoreXmlSecret }}
@@ -630,6 +668,15 @@ spec:
        configMap:
          name: {{ template "artifactory.fullname" . }}-configmaps
      {{- end }}
+      {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+      - name: gcpcreds-json
+        secret:
+          {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
+          secretName: {{ .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }}
+          {{- else }}
+          secretName: {{ template "artifactory.fullname" . }}-gcpcreds
+          {{- end }}
+      {{- end }}
      {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }}
      - name: artifactory-license
        secret:

--- a/helm/charts/artifactory/templates/ingress.yaml
+++ b/helm/charts/artifactory/templates/ingress.yaml
@@ -100,6 +100,49 @@ spec:
 {{ toYaml .Values.artifactory.replicator.ingress.tls | indent 4 }}
  {{- end -}}
 {{- end -}}
+{{- if and .Values.artifactory.replicator.enabled .Values.artifactory.replicator.trackerIngress.enabled }}
+---
+{{- $replicatorTrackerIngressName := default ( include "artifactory.replicator.tracker.fullname" . ) .Values.artifactory.replicator.trackerIngress.name -}}
+  {{- if semverCompare ">=v1.14.0-0" .Capabilities.KubeVersion.GitVersion }}
+apiVersion: networking.k8s.io/v1beta1
+  {{- else }}
+apiVersion: extensions/v1beta1
+  {{- end }}
+kind: Ingress
+metadata:
+  name: {{ $replicatorTrackerIngressName }}
+  labels:
+    app: "{{ template "artifactory.name" $ }}"
+    chart: "{{ template "artifactory.chart" $ }}"
+    release: {{ $.Release.Name | quote }}
+    heritage: {{ $.Release.Service | quote }}
+  {{- if .Values.artifactory.replicator.trackerIngress.annotations }}
+  annotations:
+{{ .Values.artifactory.replicator.trackerIngress.annotations | toYaml | trimSuffix "\n" | indent 4 -}}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.defaultBackend.enabled }}
+  backend:
+    serviceName: {{ $serviceName }}
+    servicePort: {{ $servicePort }}
+  {{- end }}
+  rules:
+{{- if .Values.artifactory.replicator.trackerIngress.hosts }}
+  {{- range $host := .Values.artifactory.replicator.trackerIngress.hosts }}
+  - host: {{ $host | quote }}
+    http:
+      paths:
+        - path: /
+          backend:
+            serviceName: {{ $serviceName }}
+            servicePort: {{ $servicePort }}
+  {{- end -}}
+{{- end -}}
+  {{- if .Values.artifactory.replicator.trackerIngress.tls }}
+  tls:
+{{ toYaml .Values.artifactory.replicator.trackerIngress.tls | indent 4 }}
+  {{- end -}}
+{{- end -}}
 {{- if .Values.customIngress }}
 ---
 {{ .Values.customIngress | toYaml | trimSuffix "\n" }}

--- a/helm/charts/artifactory/values.yaml
+++ b/helm/charts/artifactory/values.yaml
@@ -6,7 +6,7 @@


 global:
-  # imageRegistry: docker.bintray.io
+  # imageRegistry: releases-docker.jfrog.io
  # imagePullSecrets:
  #   - myRegistryKeySecretName
  ## Chart.AppVersion can be overidden using global.versions.artifactory or .Values.artifactory.image.tag
@@ -28,8 +28,13 @@ global:

  # customSidecarContainers: |

+  ## certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory
+  customCertificates:
+    enabled: false
+    # certificateSecretName:
+

-initContainerImage: docker.bintray.io/alpine:3.12.1
+initContainerImage: releases-docker.jfrog.io/alpine:3.13.1

 # Init containers
 initContainers:
@@ -145,7 +150,7 @@ networkpolicy:

 logger:
  image:
-    registry: docker.bintray.io
+    registry: releases-docker.jfrog.io
    repository: busybox
    tag: 1.31.1

@@ -154,7 +159,7 @@ artifactory:
  name: artifactory
  # Note that by default we use appVersion to get image tag/version
  image:
-    registry: docker.bintray.io
+    registry: releases-docker.jfrog.io
    repository: jfrog/artifactory-pro
    # tag:
    pullPolicy: IfNotPresent
@@ -173,6 +178,11 @@ artifactory:
  # Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties
  deleteDBPropertiesOnStartup: true

+  # certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory
+  customCertificates:
+    enabled: false
+    # certificateSecretName:
+
  database:
    maxOpenConnections: 80
  tomcat:
@@ -546,6 +556,22 @@ artifactory:
       # - hosts:
       #   - artifactory.domain.example
       #   secretName: chart-example-tls-secret
+    ## When replicator is enabled and want to use tracker feature, trackerIngress.enabled flag should be set to true
+    ## Please refer - https://www.jfrog.com/confluence/display/JFROG/JFrog+Peer-to-Peer+%28P2P%29+Downloads
+    trackerIngress:
+      enabled: false
+      name:
+      hosts: []
+      annotations: {}
+       # kubernetes.io/ingress.class: nginx
+       # nginx.ingress.kubernetes.io/proxy-buffering: "off"
+       # nginx.ingress.kubernetes.io/configuration-snippet: |
+       #   chunked_transfer_encoding on;
+      tls: []
+       #  Secrets must be manually created in the namespace.
+       # - hosts:
+       #   - artifactory.domain.example
+       #   secretName: chart-example-tls-secret

  ## IMPORTANT: If overriding artifactory.internalPort:
  ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024!
@@ -640,7 +666,11 @@ artifactory:
              <provider id="cache-fs" type="cache-fs">
                  <provider id="eventual" type="eventual">
                      <provider id="retry" type="retry">
+                          {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+                          <provider id="google-storage-v2" type="google-storage-v2"/>
+                          {{- else }}
                          <provider id="google-storage" type="google-storage"/>
+                          {{- end }}
                      </provider>
                  </provider>
              </provider>
@@ -657,13 +687,18 @@ artifactory:
              <tempDir>/tmp</tempDir>
          </provider>

+          {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }}
+          <provider id="google-storage-v2" type="google-storage-v2">
+              <useInstanceCredentials>false</useInstanceCredentials>
+          {{- else }}
          <provider id="google-storage" type="google-storage">
+              <identity>{{ .Values.artifactory.persistence.googleStorage.identity }}</identity>
+              <credential>{{ .Values.artifactory.persistence.googleStorage.credential }}</credential>
+          {{- end }}
              <providerId>google-cloud-storage</providerId>
              <endpoint>{{ .Values.artifactory.persistence.googleStorage.endpoint }}</endpoint>
              <httpsOnly>{{ .Values.artifactory.persistence.googleStorage.httpsOnly }}</httpsOnly>
              <bucketName>{{ .Values.artifactory.persistence.googleStorage.bucketName }}</bucketName>
-              <identity>{{ .Values.artifactory.persistence.googleStorage.identity }}</identity>
-              <credential>{{ .Values.artifactory.persistence.googleStorage.credential }}</credential>
              <path>{{ .Values.artifactory.persistence.googleStorage.path }}</path>
              <bucketExists>{{ .Values.artifactory.persistence.googleStorage.bucketExists }}</bucketExists>
          </provider>
@@ -834,6 +869,25 @@ artifactory:

    ## For artifactory.persistence.type google-storage
    googleStorage:
+      ## When using GCP buckets as your binary store (Available with enterprise license only)
+      gcpServiceAccount:
+        enabled: false
+        ## Use either an existing secret prepared in advance or put the config (replace the content) in the values
+        ## ref: https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/README.md#google-storage
+        # customSecretName:
+        # config: |
+        #   {
+        #      "type": "service_account",
+        #      "project_id": "<project_id>",
+        #      "private_key_id": "?????",
+        #      "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n",
+        #      "client_email": "???@j<project_id>.iam.gserviceaccount.com",
+        #      "client_id": "???????",
+        #      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+        #      "token_uri": "https://oauth2.googleapis.com/token",
+        #      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+        #      "client_x509_cert_url": "https://www.googleapis.com/robot/v1....."
+        #   }
      endpoint: commondatastorage.googleapis.com
      httpsOnly: false
      # Set a unique bucket name
@@ -980,7 +1034,7 @@ nginx:
  gid: 107
  # Note that by default we use appVersion to get image tag/version
  image:
-    registry: docker.bintray.io
+    registry: releases-docker.jfrog.io
    repository: jfrog/nginx-artifactory-pro
    # tag:
    pullPolicy: IfNotPresent
@@ -1254,7 +1308,7 @@ waitForDatabase: true
 postgresql:
  enabled: true
  image:
-    registry: docker.bintray.io
+    registry: releases-docker.jfrog.io
    repository: bitnami/postgresql
    tag: 12.5.0-debian-10-r25
  postgresqlUsername: artifactory
@@ -1374,3 +1428,15 @@ filebeat:
 ## Use --- as a separator between multiple resources
 ## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-values.yaml
 additionalResources: |
+
+# Adding entries to a Pod's /etc/hosts file
+# For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases
+hostAliases: []
+#  - ip: "127.0.0.1"
+#    hostnames:
+#      - "foo.local"
+#      - "bar.local"
+#  - ip: "10.1.2.3"
+#    hostnames:
+#      - "foo.remote"
+#      - "bar.remote"
--- a/helm/requirements.lock
+++ b/helm/requirements.lock
 dependencies:
 - name: artifactory
  repository: https://charts.jfrog.io/
-  version: 11.7.4
-digest: sha256:a4c52f49f154be6434a9a37474eee556de8d97a487be9dec923124a64651aac8
-generated: "2021-01-04T14:56:47.550996+05:30"
+  version: 11.8.0
+digest: sha256:f3d2aa3da456a3651df4a25964912af868b9f495e147adfd1ae6d857d2698d99
+generated: "2021-02-08T20:27:40.424738+05:30"
--- a/helm/requirements.yaml
+++ b/helm/requirements.yaml
 dependencies:
  - name: artifactory
-    version: 11.7.4
+    version: 11.8.0
    repository: https://charts.jfrog.io/