Artifactory Can Be Installed by Using Docker and Kubernetes.

Scale up with Kubernetes & JFrog Artifactory

There are many benefits to working with JFrog Artifactory as your private Docker registry, allowing you to store, share and deploy your binary artifacts in a single source of truth.

This blog post will focus on using Artifactory in Kubernetes. Specifically, we'll walk through the steps for configuring Kubernetes to pull images from Artifactory and, most importantly, scale up! It will also describe how you can enable cluster-wide authenticated access to Artifactory behind the scenes.

When Artifactory meets Kubernetes

Once you've got your Artifactory all set up and configured as a private Docker registry, and pushed some Docker images into your registry from your favorite CI tool, everything is now ready to be deployed on your Kubernetes cluster.

Not using Artifactory as your Docker registry? Check out our docker2artifactory GitHub tool to ease the transition from third-party V2 Docker registries to JFrog Artifactory.

Sign up to the JFrog Academy to learn more about building your Docker application in JFrog Pipelines.


1. Setting up Artifactory for a single Kubernetes namespace

We'll start by deploying some pods from one of our Artifactory Docker registry images using the following commands.

          ➜  ~ kubectl create namespace my-app-ns
          namespace/my-app-ns created

          ➜  ~ kubectl create deployment my-app -n my-app-ns --image my-artifactory.jfrog.io/default-docker-virtual/my-app:1.0.1
          deployment.apps/my-app created

          ➜  ~ kubectl get pods -n my-app-ns
          NAME                      READY   STATUS         RESTARTS   AGE
          my-app-6f6b796547-2ttcz   0/1     ErrImagePull   0          9s

ErrImagePull? Let's find out why:

          ➜  ~ kubectl describe pod -n my-app-ns my-app-6f6b796547-2ttcz
          ...
          Events:
            Type     Reason     Age                     From               Message
            ----     ------     ----                    ----               -------
            Normal   Scheduled  8m22s                   default-scheduler  Successfully assigned my-app-ns/my-app-6f6b796547-2ttcz to ip-192-168-121-179.ec2.internal
            Normal   Pulling    6m58s (x4 over 8m22s)   kubelet            Pulling image "my-artifactory.jfrog.io/default-docker-virtual/my-app:1.0.1"
            Warning  Failed     6m58s (x4 over 8m22s)   kubelet            Failed to pull image "my-artifactory.jfrog.io/default-docker-virtual/my-app:1.0.1": rpc error: code = Unknown desc = Error response from daemon: Get https://my-artifactory.jfrog.io/v2/default-docker-virtual/my-app/manifests/1.0.1: unknown: Authentication is required
            Warning  Failed     6m58s (x4 over 8m22s)   kubelet            Error: ErrImagePull
            Warning  Failed     6m33s (x6 over 8m21s)   kubelet            Error: ImagePullBackOff
            Normal   BackOff    3m11s (x21 over 8m21s)  kubelet            Back-off pulling image "my-artifactory.jfrog.io/default-docker-virtual/my-app:1.0.1"

Oh yeah, we need to authenticate with the private Docker registry. How do we do that in Kubernetes?

2.  Authenticating Kubernetes with the private Docker registry

We'll now create a Kubernetes secret of type docker-registry. The Kubernetes secret must be created in the same namespace as the pods we are deploying and needs to include the credentials to authenticate against our Artifactory Docker registry.

          ➜  ~ kubectl create secret docker-registry regcred \
            --docker-server=my-artifactory.jfrog.io \
            --docker-username=read-only \
            --docker-password=my-super-secret-pass \
            --docker-email=johndoe@example.com \
            -n my-app-ns
          secret/regcred created

Now we need to instruct Kubernetes to use the secret credentials we just created when pulling images for our pods in this namespace. There are two options to do this:

  1. Add an imagePullSecrets section to the pod spec. For example,
                  ➜  ~ kubectl edit deployment my-app -n my-app-ns
                  apiVersion: apps/v1
                  kind: Deployment
                  ...
                  spec:
                    ...
                    template:
                      spec:
                        containers:
                        - image: my-artifactory.jfrog.io/default-docker-virtual/my-app:1.0.1
                        imagePullSecrets:
                        - name: regcred
  2. Patch the default service account to include the imagePullSecrets section.
    By default, a service account named default is automatically created with each namespace, and all workloads will automatically use it. You can also patch a custom service account to include the imagePullSecrets section and configure your workload to use it instead of the default.
                  ➜  ~ kubectl edit serviceaccount default -n my-app-ns
                  apiVersion: v1
                  kind: ServiceAccount
                  imagePullSecrets:
                  - name: regcred
                  ...

The second option is usually preferred. This way, all workloads in that namespace whose image is pulled from the private Docker registry (e.g. my-artifactory.jfrog.io) will be able to do so without having to explicitly configure imagePullSecrets for each workload.

After we've configured our imagePullSecrets using one of the options above, let's check on our deployment:

          ➜  ~ kubectl get pods -n my-app-ns
          NAME                      READY   STATUS    RESTARTS   AGE
          my-app-57db67b7d5-nr8db   1/1     Running   0          5m

Much better! We got a new pod in a Running state.

Bonus points – Scale up any namespace!


But what if we are planning to use our Artifactory Docker registry for pulling only trusted production images for pods across multiple namespaces, or even all namespaces?

Does that mean we need to repeat the same process of creating the secret and updating the default service account with that secret in every namespace?!

Well yeah… but that sounds dull. Can we do better? YES WE CAN!

We recommend using the imagepullsecrets-patcher open source tool created by Titansoft, which is "a simple Kubernetes client-go application that creates and patches imagePullSecrets to service accounts in all Kubernetes namespaces to allow cluster-wide authenticated access to private container registry." Read more in their blog.

Configure Once, Run Everywhere

In short, using the imagepullsecrets-patcher tool you'll create the image-pull-secret-src secret file in the imagepullsecret-patcher namespace and, in the imagepullsecret-patcher deployment, set the CONFIG_ALLSERVICEACCOUNT environment variable to true.

Using this environment variable will give any workload in any namespace, using any service account within our Kubernetes cluster, the ability to pull images from Artifactory without editing our workload specs.

Note: Alternatively, starting from Kubernetes v1.20, the kubelet can dynamically retrieve credentials for a container image registry using exec plugins. You may be interested in using this capability if storing registry credentials on disk or in imagePullSecrets is not acceptable, so that the kubelet can pull these credentials at runtime from an external service. This feature is still in alpha state in the latest Kubernetes version (v1.23 currently).
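
To check that every namespace really ended up with a working pull secret, here is an added example (not from the original post or the imagepullsecret-patcher project) that decodes docker-registry secrets and audits each namespace's default service account. It assumes objects shaped like the items returned by `kubectl get secrets,serviceaccounts -A -o json`; the helper names and the sample cluster state are constructed for illustration.

```python
import base64
import json

REGISTRY = "my-artifactory.jfrog.io"  # registry host used on this page

def make_secret(ns, name, server, user, password):
    """Build the Secret object that `kubectl create secret docker-registry` produces."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    return {"metadata": {"namespace": ns, "name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

def registry_user(secret, registry=REGISTRY):
    """Username the secret holds for `registry`, or None if it does not cover it."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return None
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    entry = cfg.get("auths", {}).get(registry)
    # "auth" is base64("user:password"): encoded, not encrypted.
    return base64.b64decode(entry["auth"]).decode().split(":", 1)[0] if entry else None

def audit(namespaces, service_accounts, secrets, registry=REGISTRY):
    """Report, per namespace, whether the default service account can pull from `registry`."""
    secret_by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    default_sa = {sa["metadata"]["namespace"]: sa for sa in service_accounts
                  if sa["metadata"]["name"] == "default"}
    report = {}
    for ns in namespaces:
        refs = [r["name"] for r in default_sa.get(ns, {}).get("imagePullSecrets") or []]
        found = [secret_by_key[(ns, n)] for n in refs if (ns, n) in secret_by_key]
        users = [u for u in (registry_user(s, registry) for s in found) if u]
        if not refs:
            report[ns] = "missing: no imagePullSecrets on default service account"
        elif not found:
            report[ns] = "missing: referenced secret does not exist in namespace"
        elif not users:
            report[ns] = "missing: secret has no entry for " + registry
        else:
            report[ns] = "ok: pulls as " + users[0]
    return report

# Constructed sample cluster state (not from the original post).
SECRETS = [make_secret("my-app-ns", "regcred", REGISTRY, "read-only", "my-super-secret-pass"),
           make_secret("staging", "regcred", "other-registry.example.com", "ci", "x")]
ACCOUNTS = [{"metadata": {"namespace": ns, "name": "default"}, "imagePullSecrets": refs}
            for ns, refs in [("my-app-ns", [{"name": "regcred"}]), ("staging", [{"name": "regcred"}]),
                             ("payments", [{"name": "regcred"}]), ("dev", None)]]
REPORT = audit(["my-app-ns", "staging", "payments", "dev"], ACCOUNTS, SECRETS)
```

Because the username and password come straight back out of the secret, anyone who can read secrets in a namespace can recover them, which is why the registry account behind a cluster-wide pull secret should stay read-only, as in the `read-only` user above.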

Learn More

Start a free trial and try out the JFrog DevOps Platform for yourself, or join our weekly group demo to see it in action.

Source: https://jfrog.com/blog/pulling-all-your-kubernetes-cluster-images-from-a-private-artifactory-registry/
