Kubernetes Nginx-Ingress with Artifactory on GKE

Exposing JFrog Artifactory with Nginx-Ingress

In this blog post we will deploy Artifactory on Kubernetes using its Helm chart and use it as a Docker registry, exposing the Artifactory service through nginx-ingress.

Up to Artifactory version 5.8, a reverse proxy was required to use it as a Docker registry. Since Artifactory now supports a proxy-less method, we will use that method to host multiple Docker registries in Artifactory.

An Ingress is a Kubernetes resource that lets you configure an HTTP load balancer for your Kubernetes services. Such a load balancer usually exposes your services to clients outside of your Kubernetes cluster. An Ingress resource supports exposing services:

  • Via custom URLs.
  • Via multiple host names.
  • Configuring SSL termination for each exposed host name.

Step 1: Create a GKE cluster with RBAC enabled, using the instructions provided at
https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster

Note: RBAC is enabled by default on all clusters running Kubernetes version 1.6 or later.

Step 2: Install the Helm client using the instructions provided at https://github.com/helm/helm/blob/master/docs/install.md

## Mac users can just run following command to install helm:
brew install kubernetes-helm

Step 3: Initialize Helm and install Tiller using the instructions provided at
https://docs.helm.sh/using_helm/#initialize-helm-and-install-tiller

## Command to initialize helm and install tiller
helm init

Step 4: Install Cert-manager using its Helm chart (this step is optional if you already have a valid SSL certificate), following the instructions provided at https://hub.kubeapps.com/charts/stable/cert-manager

Cert-manager is a Kubernetes add-on that automates the management and issuance of TLS certificates from various issuing sources (e.g. Let's Encrypt).
It periodically ensures certificates are valid and up to date, and attempts to renew them at an appropriate time before expiry.

helm install --name cert-manager --namespace cert-manager stable/cert-manager

Create the Let's Encrypt ACME issuer:

## Create file letsencrypt-prod.yaml with following content
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: jainishshah@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    http01: {}

Create the ClusterIssuer in Kubernetes:

kubectl create -f letsencrypt-prod.yaml

Step 5: Install Nginx-ingress Controller using Helm Chart

helm install --name nginx-ingress --namespace nginx-ingress stable/nginx-ingress

Step 6: Point your domain to the EXTERNAL_IP of the nginx-ingress service

For example, create a DNS record for my.artifactory.com and point it to EXTERNAL_IP.

## Command to get EXTERNAL_IP
kubectl get svc -n nginx-ingress nginx-ingress-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

Step 7: Install JFrog Artifactory using Helm Chart
https://hub.kubeapps.com/charts/stable/artifactory

## Create values.yaml with following content:
ingress:
  ## If true, Artifactory Ingress will be created
  ##
  enabled: true

  ## Artifactory Ingress hostnames
  ## Must be provided if Ingress is enabled
  ##
  hosts:
    - my.artifactory.com
  annotations:
    kubernetes.io/tls-acme: "true"
    ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    ingress.kubernetes.io/proxy-read-timeout: "600"
    ingress.kubernetes.io/proxy-send-timeout: "600"
    kubernetes.io/ingress.class: nginx
    ingress.kubernetes.io/force-ssl-redirect: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite ^/(v2)/token /artifactory/api/docker/null/v2/token;
      rewrite ^/(v2)/([^\/]*)/(.*) /artifactory/api/docker/$2/$1/$3;

  ## Artifactory Ingress TLS configuration
  ## Secrets must be manually created in the namespace
  ##
  tls:
    - secretName: my.artifactory.com
      hosts:
        - my.artifactory.com
## Disable Nginx deployment
nginx:
  enabled: false

Step 8: Install Artifactory with Ingress enabled

helm install --name artifactory --namespace artifactory -f values.yaml stable/artifactory

Once you have installed Artifactory, wait a couple of minutes until it becomes healthy. You should then be able to access it via your domain name,
e.g. https://my.artifactory.com/artifactory

Note: You need an Artifactory Pro/Enterprise license to use this feature. The default values provided in the chart's values.yaml are intended only for POC use.

Step 9: Install the license in Artifactory and set Docker Access Method to Repository path in Admin -> Configuration -> HTTP Settings.

[Screenshot: HTTP Settings]

Step 10: Now let's create a Docker registry in Artifactory to push and pull Docker images.

Create the Docker registry in Artifactory using the instructions provided at https://www.jfrog.com/confluence/display/RTF/Docker+Registry

## Command to log in to the Artifactory docker registry
docker login my.artifactory.com
## Command to pull a docker image from Artifactory
## In this example I am using a virtual docker registry named docker
docker pull my.artifactory.com/docker/nginx
## Commands to push a docker image to Artifactory
## In this example I am using a virtual docker registry named docker
docker pull alpine
docker tag alpine my.artifactory.com/docker/alpine
docker push my.artifactory.com/docker/alpine

Check your Docker images in the Artifactory UI.
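
Added example (not part of the original post or of the Artifactory chart): an offline emulation, using sed, of the two rewrite rules from the configuration-snippet in values.yaml, applied to constructed request paths like those a Docker client sends for the pull and push commands above. It shows that the first path segment after /v2/ becomes the Artifactory repository key, which is how one host name serves several registries; the function names and sample paths are assumptions.

```bash
#!/usr/bin/env bash
# Offline emulation of the two rewrite rules from the configuration-snippet.
# nginx matches a rewrite against the path only, replaces the whole URI with
# the replacement, and re-appends the original query string.

rewrite_path() {
  local uri="$1" path query=""
  path="${uri%%\?*}"
  if [ "$path" != "$uri" ]; then query="?${uri#*\?}"; fi
  # Rule 1: token requests go to the placeholder repository key "null".
  # Rule 2: the first segment after /v2/ becomes the repository key.
  path="$(printf '%s\n' "$path" | sed -E \
    -e 's|^/(v2)/token.*$|/artifactory/api/docker/null/\1/token|' \
    -e 's|^/(v2)/([^/]*)/(.*)$|/artifactory/api/docker/\2/\1/\3|')"
  printf '%s%s\n' "$path" "$query"
}

# Repository key Artifactory would resolve, or "-" when no rule applied.
repo_key() {
  local out
  out="$(rewrite_path "$1")"
  case "$out" in
    /artifactory/api/docker/*)
      out="${out#/artifactory/api/docker/}"
      printf '%s\n' "${out%%/*}" ;;
    *) printf '%s\n' "-" ;;
  esac
}

# Constructed sample request paths (not captured traffic).
while IFS= read -r req; do
  printf '%s\n  -> %s  [repo: %s]\n' "$req" "$(rewrite_path "$req")" "$(repo_key "$req")"
done <<'EOF'
/v2/
/v2/token?service=my.artifactory.com&scope=repository:docker/nginx:pull
/v2/docker/nginx/manifests/latest
/v2/docker/alpine/blobs/uploads/
/v2/docker/library/nginx/tags/list
/v2/tokens/app/manifests/1.0
/v2/_catalog
/artifactory/webapp/
EOF
```

/v2/ and /v2/_catalog match neither rule and pass through unrewritten, and because the first rule has no end anchor, a repository key that begins with "token" is rewritten to the token endpoint instead of to its own repository.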

Congratulations! You have configured a secure Artifactory Docker registry in just a few steps.

I’m a Software Developer. I am passionate about SAAS Solutions and Container Orchestration tools like DC/OS, Kubernetes, RedHat OpenShift, Docker Swarm.