# Default values for artifactory-ha. # This is a YAML-formatted file. # Beware when changing values here. You should know what you are doing! # Access the values with {{ .Values.key.subkey }} global: # imageRegistry: releases-docker.jfrog.io # imagePullSecrets: # - myRegistryKeySecretName ## Chart.AppVersion can be overidden using global.versions.artifactory or .Values.artifactory.image.tag ## Note: Order of preference is 1) global.versions 2) .Values.artifactory.image.tag 3) Chart.AppVersion ## This applies also for nginx images (.Values.nginx.image.tag) versions: {} # artifactory: # joinKey: # masterKey: # joinKeySecretName: # masterKeySecretName: ## Note: tags customInitContainersBegin,customInitContainers,customVolumes,customVolumeMounts,customSidecarContainers can be used both from global and application level simultaneously # customInitContainersBegin: | # customInitContainers: | # customVolumes: | # customVolumeMounts: | # customSidecarContainers: | ## certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory customCertificates: enabled: false # certificateSecretName: ## Applies to artifactory and nginx pods nodeSelector: {} ## String to partially override artifactory-ha.fullname template (will maintain the release name) ## # nameOverride: ## String to fully override artifactory-ha.fullname template ## # fullnameOverride: initContainerImage: releases-docker.jfrog.io/ubi8/ubi-minimal:8.6-941 installer: type: platform: installerInfo: '{"productId": "Helm_artifactory-ha/{{ .Chart.Version }}", "features": [ { "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}"}]}' # For supporting pulling from private registries # imagePullSecrets: # - myRegistryKeySecretName ## Artifactory systemYaml override ## This is for advanced usecases where users wants to provide their own systemYaml for configuring artifactory ## Refer: https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML ## Note: This will override existing (default) .Values.artifactory.systemYaml in values.yaml ## Alternatively, systemYaml can be overidden via customInitContainers using external sources like vaults, external repositories etc. Please refer customInitContainer section below for an example. ## Note: Order of preference is 1) customInitContainers 2) systemYamlOverride existingSecret 3) default systemYaml in values.yaml systemYamlOverride: ## You can use a pre-existing secret by specifying existingSecret existingSecret: ## The dataKey should be the name of the secret data key created. dataKey: ## Role Based Access Control ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ rbac: create: false role: ## Rules to create. It follows the role specification rules: - apiGroups: - '' resources: - services - endpoints - pods verbs: - get - watch - list ## Service Account ## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ ## serviceAccount: create: false ## The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the fullname template name: annotations: {} ## Explicitly mounts the API token for the service account to the pods automountServiceAccountToken: false ingress: enabled: false defaultBackend: enabled: true # Used to create an Ingress record. hosts: [] routerPath: / artifactoryPath: /artifactory/ className: "" annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # nginx.ingress.kubernetes.io/proxy-body-size: "0" labels: {} # traffic-type: external # traffic-type: internal tls: [] # Secrets must be manually created in the namespace. # - secretName: chart-example-tls # hosts: # - artifactory.domain.example # Additional ingress rules additionalRules: [] ## Allows to add custom ingress customIngress: | networkpolicy: [] # Allows all ingress and egress # - name: artifactory # podSelector: # matchLabels: # app: artifactory-ha # egress: # - {} # ingress: # - {} # Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) # - name: postgresql # podSelector: # matchLabels: # app: postgresql # ingress: # - from: # - podSelector: # matchLabels: # app: artifactory-ha ## Database configurations ## Use the wait-for-db init container. Set to false to skip waitForDatabase: true ## Configuration values for the postgresql dependency ## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md ## postgresql: enabled: true image: registry: releases-docker.jfrog.io repository: bitnami/postgresql tag: 13.4.0-debian-10-r39 postgresqlUsername: artifactory postgresqlPassword: "" postgresqlDatabase: artifactory postgresqlExtendedConf: listenAddresses: "*" maxConnections: "1500" persistence: enabled: true size: 200Gi # existingClaim: service: port: 5432 primary: nodeSelector: {} affinity: {} tolerations: [] readReplicas: nodeSelector: {} affinity: {} tolerations: [] resources: {} # requests: # memory: "512Mi" # cpu: "100m" # limits: # memory: "1Gi" # cpu: "500m" ## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), ## you MUST specify custom database details here or Artifactory will NOT start database: type: driver: ## If you set the url, leave host and port empty url: ## If you would like this chart to create the secret containing the db ## password, use these values user: password: ## If you have existing Kubernetes secrets containing db credentials, use ## these values secrets: {} # user: # name: "rds-artifactory" # key: "db-user" # password: # name: "rds-artifactory" # key: "db-password" # url: # name: "rds-artifactory" # key: "db-url" logger: image: registry: releases-docker.jfrog.io repository: ubi8/ubi-minimal tag: 8.6-941 ## You can use a pre-existing secret with keys license_token and iam_role by specifying licenseConfigSecretName ## Example : Create a generic secret using `kubectl create secret generic --from-literal=license_token=${TOKEN} --from-literal=iam_role=${ROLE_ARN}` aws: license: enabled: false licenseConfigSecretName: region: us-east-1 ## The following router settings are to configure only when splitServicesToContainers set to true ## splitServicesToContainers (by default it is false) router: name: router image: registry: releases-docker.jfrog.io repository: jfrog/router tag: 7.51.0 imagePullPolicy: IfNotPresent serviceRegistry: ## Service registry (Access) TLS verification skipped if enabled insecure: false internalPort: 8082 externalPort: 8082 tlsEnabled: false ## Extra environment variables that can be used to tune router to your needs. ## Uncomment and set value as needed extraEnvironmentVariables: # - name: MY_ENV_VAR # value: "" resources: {} # requests: # memory: "100Mi" # cpu: "100m" # limits: # memory: "1Gi" # cpu: "1" # Add lifecycle hooks for router container lifecycle: {} # postStart: # exec: # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] # preStop: # exec: # command: ["/bin/sh","-c","echo Hello from the preStop handler"] ## Add custom volumesMounts customVolumeMounts: | # - name: custom-script # mountPath: /scripts/script.sh # subPath: script.sh livenessProbe: enabled: true config: | exec: command: - sh - -c - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} {{ include "artifactory-ha.scheme" . }}://localhost:{{ .Values.router.internalPort }}/router/api/v1/system/liveness initialDelaySeconds: {{ if semverCompare ":8082" username: "" password: "" # This directory is intended for use with NFS eventual configuration for HA haDataDir: enabled: false path: haBackupDir: enabled: false path: # Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup copyOnEveryStartup: # # Absolute path # - source: /artifactory_bootstrap/binarystore.xml # # Relative to ARTIFACTORY_HOME/ # target: etc/artifactory/ # # Absolute path # - source: /artifactory_bootstrap/artifactory.cluster.license # # Relative to ARTIFACTORY_HOME/ # target: etc/artifactory/ # Sidecar containers for tailing Artifactory logs loggers: [] # - access-audit.log # - access-request.log # - access-security-audit.log # - access-service.log # - artifactory-access.log # - artifactory-event.log # - artifactory-import-export.log # - artifactory-request.log # - artifactory-service.log # - frontend-request.log # - frontend-service.log # - metadata-request.log # - metadata-service.log # - router-request.log # - router-service.log # - router-traefik.log # - derby.log # Loggers containers resources loggersResources: {} # requests: # memory: "10Mi" # cpu: "10m" # limits: # memory: "100Mi" # cpu: "50m" # Sidecar containers for tailing Tomcat (catalina) logs catalinaLoggers: [] # - tomcat-catalina.log # - tomcat-localhost.log # Tomcat (catalina) loggers resources catalinaLoggersResources: {} # requests: # memory: "10Mi" # cpu: "10m" # limits: # memory: "100Mi" # cpu: "50m" # Migration support from 6.x to 7.x migration: enabled: true timeoutSeconds: 3600 ## Extra pre-start command in migration Init Container to install JDBC driver for MySql/MariaDb/Oracle # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" ## Add custom init containers execution before predefined init containers customInitContainersBegin: | # - name: "custom-setup" # image: "{{ .Values.initContainerImage }}" # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" # securityContext: # runAsNonRoot: true # allowPrivilegeEscalation: false # capabilities: # drop: # - NET_RAW # command: # - 'sh' # - '-c' # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' # volumeMounts: # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" # name: volume ## Add custom init containers ## Add custom init containers execution after predefined init containers customInitContainers: | # - name: "custom-systemyaml-setup" # image: "{{ .Values.initContainerImage }}" # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" # securityContext: # runAsNonRoot: true # allowPrivilegeEscalation: false # capabilities: # drop: # - NET_RAW # command: # - 'sh' # - '-c' # - 'curl -o {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml https:///systemyaml' # volumeMounts: # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" # name: volume ## Add custom sidecar containers # - The provided example uses a custom volume (customVolumes) # - The provided example shows running container as root (id 0) customSidecarContainers: | # - name: "sidecar-list-etc" # image: "{{ .Values.initContainerImage }}" # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" # securityContext: # runAsNonRoot: true # allowPrivilegeEscalation: false # capabilities: # drop: # - NET_RAW # command: # - 'sh' # - '-c' # - 'sh /scripts/script.sh' # volumeMounts: # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" # name: volume # - mountPath: "/scripts/script.sh" # name: custom-script # subPath: script.sh # resources: # requests: # memory: "32Mi" # cpu: "50m" # limits: # memory: "128Mi" # cpu: "100m" ## Add custom volumes # If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory-ha.name" . }}-unified-secret'. customVolumes: | # - name: custom-script # configMap: # name: custom-script ## Add custom volumesMounts customVolumeMounts: | # - name: custom-script # mountPath: "/scripts/script.sh" # subPath: script.sh # - name: posthook-start # mountPath: "/scripts/posthoook-start.sh" # subPath: posthoook-start.sh # - name: prehook-start # mountPath: "/scripts/prehook-start.sh" # subPath: prehook-start.sh # Add custom persistent volume mounts - Available to the entire namespace customPersistentVolumeClaim: {} # name: # mountPath: # accessModes: # - "-" # size: # storageClassName: ## Artifactory HA requires a unique master key. Each Artifactory node must have the same master key! ## You can generate one with the command: "openssl rand -hex 32" ## Pass it to helm with '--set artifactory.masterKey=${MASTER_KEY}' ## Alternatively, you can use a pre-existing secret with a key called master-key by specifying masterKeySecretName ## IMPORTANT: You should NOT use the example masterKey for a production deployment! ## IMPORTANT: This is a mandatory for fresh Install of 7.x (App version) # masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF # masterKeySecretName: ## Join Key to connect to other services to Artifactory. ## IMPORTANT: Setting this value overrides the existing joinKey ## IMPORTANT: You should NOT use the example joinKey for a production deployment! # joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE ## Alternatively, you can use a pre-existing secret with a key called join-key by specifying joinKeySecretName # joinKeySecretName: ## Registration Token for JFConnect # jfConnectToken: ## Alternatively, you can use a pre-existing secret with a key called jfconnect-token by specifying jfConnectTokenSecretName # jfConnectTokenSecretName: # Add custom secrets - secret per file # If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory-ha.name" . }}-unified-secret' common to all secrets customSecrets: # - name: custom-secret # key: custom-secret.yaml # data: > # custom_secret_config: # parameter1: value1 # parameter2: value2 # - name: custom-secret2 # key: custom-secret2.config # data: | # here the custom secret 2 config ## If false, all service console logs will not redirect to a common console.log consoleLog: false ## admin allows to set the password for the default admin user. ## See: https://www.jfrog.com/confluence/display/JFROG/Users+and+Groups#UsersandGroups-RecreatingtheDefaultAdminUserrecreate admin: ip: "127.0.0.1" username: "admin" password: secret: dataKey: ## Artifactory license. license: ## licenseKey is the license key in plain text. Use either this or the license.secret setting licenseKey: ## If artifactory.license.secret is passed, it will be mounted as ## ARTIFACTORY_HOME/etc/artifactory.cluster.license and loaded at run time. secret: ## The dataKey should be the name of the secret data key created. dataKey: ## Create configMap with artifactory.config.import.xml and security.import.xml and pass name of configMap in following parameter configMapName: # Add any list of configmaps to Artifactory configMaps: | # posthook-start.sh: |- # echo "This is a post start script" # posthook-end.sh: |- # echo "This is a post end script" ## List of secrets for Artifactory user plugins. ## One Secret per plugin's files. userPluginSecrets: # - archive-old-artifacts # - build-cleanup # - webhook # - '{{ template "my-chart.fullname" . }}' ## Extra pre-start command to install JDBC driver for MySql/MariaDb/Oracle # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" # Add lifecycle hooks for artifactory container lifecycle: {} # postStart: # exec: # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] # preStop: # exec: # command: ["/bin/sh","-c","echo Hello from the preStop handler"] ## Extra environment variables that can be used to tune Artifactory to your needs. ## Uncomment and set value as needed extraEnvironmentVariables: # - name: SERVER_XML_ARTIFACTORY_PORT # value: "8081" # - name: SERVER_XML_ARTIFACTORY_MAX_THREADS # value: "200" # - name: SERVER_XML_ACCESS_MAX_THREADS # value: "50" # - name: SERVER_XML_ARTIFACTORY_EXTRA_CONFIG # value: "" # - name: SERVER_XML_ACCESS_EXTRA_CONFIG # value: "" # - name: SERVER_XML_EXTRA_CONNECTOR # value: "" # - name: DB_POOL_MAX_ACTIVE # value: "100" # - name: DB_POOL_MAX_IDLE # value: "10" # - name: MY_SECRET_ENV_VAR # valueFrom: # secretKeyRef: # name: my-secret-name # key: my-secret-key # TODO: Fix javaOpts for member nodes (currently uses primary settings for all nodes) systemYaml: | router: serviceRegistry: insecure: {{ .Values.router.serviceRegistry.insecure }} shared: {{- if .Values.artifactory.openMetrics.enabled }} metrics: enabled: true {{- if .Values.artifactory.openMetrics.filebeat.enabled }} filebeat: {{ toYaml .Values.artifactory.openMetrics.filebeat | nindent 6 }} {{- end }} {{- end }} logging: consoleLog: enabled: {{ .Values.artifactory.consoleLog }} extraJavaOpts: > -Dartifactory.access.client.max.connections={{ .Values.access.tomcat.connector.maxThreads }} {{- with .Values.artifactory.primary.javaOpts }} {{- if .corePoolSize }} -Dartifactory.async.corePoolSize={{ .corePoolSize }} {{- end }} {{- if .xms }} -Xms{{ .xms }} {{- end }} {{- if .xmx }} -Xmx{{ .xmx }} {{- end }} {{- if .jmx.enabled }} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port={{ .jmx.port }} -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} {{- if .jmx.host }} -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} {{- else }} -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} {{- end }} {{- if .jmx.authenticate }} -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} {{- else }} -Dcom.sun.management.jmxremote.authenticate=false {{- end }} {{- end }} {{- if .other }} {{ .other }} {{- end }} {{- end }} database: {{- if .Values.postgresql.enabled }} type: postgresql url: "jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}" host: "" driver: org.postgresql.Driver username: "{{ .Values.postgresql.postgresqlUsername }}" {{ else }} type: "{{ .Values.database.type }}" driver: "{{ .Values.database.driver }}" {{- end }} artifactory: {{- if or .Values.artifactory.haDataDir.enabled .Values.artifactory.haBackupDir.enabled }} node: {{- if .Values.artifactory.haDataDir.path }} haDataDir: {{ .Values.artifactory.haDataDir.path }} {{- end }} {{- if .Values.artifactory.haBackupDir.path }} haBackupDir: {{ .Values.artifactory.haBackupDir.path }} {{- end }} {{- end }} database: maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} tomcat: maintenanceConnector: port: {{ .Values.artifactory.tomcat.maintenanceConnector.port }} connector: maxThreads: {{ .Values.artifactory.tomcat.connector.maxThreads }} sendReasonPhrase: {{ .Values.artifactory.tomcat.connector.sendReasonPhrase }} extraConfig: {{ .Values.artifactory.tomcat.connector.extraConfig }} frontend: session: timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }} access: database: maxOpenConnections: {{ .Values.access.database.maxOpenConnections }} tomcat: connector: maxThreads: {{ .Values.access.tomcat.connector.maxThreads }} sendReasonPhrase: {{ .Values.access.tomcat.connector.sendReasonPhrase }} extraConfig: {{ .Values.access.tomcat.connector.extraConfig }} {{- if .Values.access.database.enabled }} type: "{{ .Values.access.database.type }}" url: "{{ .Values.access.database.url }}" driver: "{{ .Values.access.database.driver }}" username: "{{ .Values.access.database.user }}" password: "{{ .Values.access.database.password }}" {{- end }} {{- if .Values.mc.enabled }} mc: enabled: true database: maxOpenConnections: {{ .Values.mc.database.maxOpenConnections }} idgenerator: maxOpenConnections: {{ .Values.mc.idgenerator.maxOpenConnections }} tomcat: connector: maxThreads: {{ .Values.mc.tomcat.connector.maxThreads }} sendReasonPhrase: {{ .Values.mc.tomcat.connector.sendReasonPhrase }} extraConfig: {{ .Values.mc.tomcat.connector.extraConfig }} {{- end }} metadata: database: maxOpenConnections: {{ .Values.metadata.database.maxOpenConnections }} {{- if .Values.artifactory.replicator.enabled }} replicator: enabled: true {{- end }} {{- if .Values.jfconnect.enabled }} jfconnect: enabled: true {{- else }} jfconnect: enabled: false {{- end }} ## IMPORTANT: If overriding artifactory.internalPort: ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024! externalPort: 8082 internalPort: 8082 externalArtifactoryPort: 8081 internalArtifactoryPort: 8081 uid: 1030 gid: 1030 # fsGroupChangePolicy: "Always" terminationGracePeriodSeconds: 30 ## By default, the Artifactory StatefulSet is created with a securityContext that sets the `runAsUser` and the `fsGroup` to the `artifactory.uid` value. ## If you want to disable the securityContext for the Artifactory StatefulSet, set this tag to false setSecurityContext: true ## The following settings are to configure the frequency of the liveness and startup probes. livenessProbe: enabled: true config: | exec: command: - sh - -c - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.artifactory.tomcat.maintenanceConnector.port }}/artifactory/api/v1/system/liveness initialDelaySeconds: {{ if semverCompare " ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## # storageClassName: "-" ## Set the persistence storage type. This will apply the matching binarystore.xml to Artifactory config ## Supported types are: ## file-system (default) ## nfs ## google-storage ## google-storage-v2 ## aws-s3-v3 ## s3-storage-v3-direct ## azure-blob ## azure-blob-storage-direct type: file-system ## Use binarystoreXml to provide a custom binarystore.xml ## This is intentionally commented and below previous content of binarystoreXml is moved under files/binarystore.xml ## binarystoreXml: ## For artifactory.persistence.type file-system fileSystem: ## You may also use existing shared claims for the data and backup storage. This allows storage (NAS for example) to be used for Data and Backup dirs which are safe to share across multiple artifactory nodes. ## You may specify numberOfExistingClaims to indicate how many of these existing shared claims to mount. (Default = 1) ## Create PVCs with ReadWriteMany that match the naming convetions: ## {{ template "artifactory-ha.fullname" . }}-data-pvc- ## {{ template "artifactory-ha.fullname" . }}-backup-pvc ## Example (using numberOfExistingClaims: 2) ## myexample-data-pvc-0 ## myexample-data-pvc-1 ## myexample-backup-pvc ## Note: While you need two PVC fronting two PVs, multiple PVs can be attached to the same storage in many cases allowing you to share an underlying drive. ## Need to have the following set existingSharedClaim: enabled: false numberOfExistingClaims: 1 ## Should be a child directory of {{ .Values.artifactory.persistence.mountPath }} dataDir: "{{ .Values.artifactory.persistence.mountPath }}/artifactory-data" backupDir: "/var/opt/jfrog/artifactory-backup" ## For artifactory.persistence.type nfs ## If using NFS as the shared storage, you must have a running NFS server that is accessible by your Kubernetes ## cluster nodes. ## Need to have the following set nfs: # Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' ip: haDataMount: "/data" haBackupMount: "/backup" dataDir: "/var/opt/jfrog/artifactory-ha" backupDir: "/var/opt/jfrog/artifactory-backup" capacity: 200Gi mountOptions: [] ## For artifactory.persistence.type google-storage googleStorage: ## When using GCP buckets as your binary store (Available with enterprise license only) gcpServiceAccount: enabled: false ## Use either an existing secret prepared in advance or put the config (replace the content) in the values ## ref: https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/README.md#google-storage # customSecretName: # config: | # { # "type": "service_account", # "project_id": "", # "private_key_id": "?????", # "private_key": "-----BEGIN PRIVATE KEY-----\n????????==\n-----END PRIVATE KEY-----\n", # "client_email": "???@j.iam.gserviceaccount.com", # "client_id": "???????", # "auth_uri": "https://accounts.google.com/o/oauth2/auth", # "token_uri": "https://oauth2.googleapis.com/token", # "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", # "client_x509_cert_url": "https://www.googleapis.com/robot/v1....." # } endpoint: commondatastorage.googleapis.com httpsOnly: false # Set a unique bucket name bucketName: "artifactory-ha-gcp" ## GCP Bucket Authentication with Identity and Credential is deprecated. ## identity: ## credential: path: "artifactory-ha/filestore" bucketExists: false useInstanceCredentials: false enableSignedUrlRedirect: false ## For artifactory.persistence.type aws-s3-v3 awsS3V3: testConnection: false identity: credential: region: bucketName: artifactory-aws path: artifactory/filestore endpoint: maxConnections: 50 kmsServerSideEncryptionKeyId: kmsKeyRegion: kmsCryptoMode: useInstanceCredentials: true usePresigning: false signatureExpirySeconds: 300 signedUrlExpirySeconds: 30 cloudFrontDomainName: cloudFrontKeyPairId: cloudFrontPrivateKey: enableSignedUrlRedirect: false enablePathStyleAccess: false ## For artifactory.persistence.type azure-blob azureBlob: accountName: accountKey: endpoint: containerName: multiPartLimit: 100000000 multipartElementSize: 50000000 testConnection: false service: name: artifactory type: ClusterIP ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) ## Set this to a list of IP CIDR ranges ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] ## or pass from helm command line ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' loadBalancerSourceRanges: [] annotations: {} ## Which nodes in the cluster should be in the external load balancer pool (have external traffic routed to them) ## Supported pool values ## members ## all pool: members ## If the type is NodePort you can set a fixed port # nodePort: 32082 ## The following Java options are passed to the java process running Artifactory. ## This will be passed to all cluster members. Primary and member nodes. javaOpts: {} # other: "" statefulset: annotations: {} ## The following setting are to configure a dedicated Ingress object for Replicator service replicator: name: replicator enabled: false ## Extra environment variables that can be used to tune replicator to your needs. ## Uncomment and set value as needed extraEnvironmentVariables: # - name: MY_ENV_VAR # value: "" resources: {} # requests: # memory: "100Mi" # cpu: "100m" # limits: # memory: "1Gi" # cpu: "1" # Add lifecycle hooks for replicator container lifecycle: {} # postStart: # exec: # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] # preStop: # exec: # command: ["/bin/sh","-c","echo Hello from the preStop handler"] ingress: name: hosts: [] className: "" annotations: {} # kubernetes.io/ingress.class: nginx # nginx.ingress.kubernetes.io/proxy-buffering: "off" # nginx.ingress.kubernetes.io/configuration-snippet: | # chunked_transfer_encoding on; tls: [] # Secrets must be manually created in the namespace. # - hosts: # - artifactory.domain.example # secretName: chart-example-tls-secret ## When replicator is enabled and want to use tracker feature, trackerIngress.enabled flag should be set to true ## Please refer - https://www.jfrog.com/confluence/display/JFROG/JFrog+Peer-to-Peer+%28P2P%29+Downloads trackerIngress: enabled: false name: hosts: [] className: "" annotations: {} # kubernetes.io/ingress.class: nginx # nginx.ingress.kubernetes.io/proxy-buffering: "off" # nginx.ingress.kubernetes.io/configuration-snippet: | # chunked_transfer_encoding on; tls: [] # Secrets must be manually created in the namespace. # - hosts: # - artifactory.domain.example # secretName: chart-example-tls-secret ssh: enabled: false internalPort: 1339 externalPort: 1339 annotations: {} # Spread Artifactory pods evenly across your nodes or some other topology # Note this applies to both the primary and replicas topologySpreadConstraints: [] # - maxSkew: 1 # topologyKey: kubernetes.io/hostname # whenUnsatisfiable: DoNotSchedule # labelSelector: # matchLabels: # app: '{{ template "artifactory-ha.name" . }}' # role: '{{ template "artifactory-ha.name" . }}' # release: "{{ .Release.Name }}" ## Type specific configurations. ## There is a difference between the primary and the member nodes. ## Customising their resources and java parameters is done here. primary: name: artifactory-ha-primary # preStartCommand specific to the primary node, to be run after artifactory.preStartCommand # preStartCommand: labels: {} persistence: ## Set existingClaim to true or false ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-primary-0` existingClaim: false replicaCount: 1 # minAvailable: 1 updateStrategy: type: RollingUpdate ## Resources for the primary node resources: {} # requests: # memory: "1Gi" # cpu: "500m" # limits: # memory: "2Gi" # cpu: "1" ## The following Java options are passed to the java process running Artifactory primary node. ## You should set them according to the resources set above javaOpts: # xms: "1g" # xmx: "2g" # corePoolSize: 24 jmx: enabled: false port: 9010 host: ssl: false # When authenticate is true, accessFile and passwordFile are required authenticate: false accessFile: passwordFile: # other: "" nodeSelector: {} tolerations: [] affinity: {} ## Only used if "affinity" is empty podAntiAffinity: ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity type: "soft" topologyKey: "kubernetes.io/hostname" node: name: artifactory-ha-member # preStartCommand specific to the member node, to be run after artifactory.preStartCommand # preStartCommand: labels: {} persistence: ## Set existingClaim to true or false ## If true, you must prepare a PVC with the name e.g `volume-myrelease-artifactory-ha-member-0` existingClaim: false replicaCount: 2 updateStrategy: type: RollingUpdate minAvailable: 1 ## Resources for the member nodes resources: {} # requests: # memory: "1Gi" # cpu: "500m" # limits: # memory: "2Gi" # cpu: "1" ## The following Java options are passed to the java process running Artifactory member nodes. ## You should set them according to the resources set above javaOpts: # xms: "1g" # xmx: "2g" # corePoolSize: 24 jmx: enabled: false port: 9010 host: ssl: false # When authenticate is true, accessFile and passwordFile are required authenticate: false accessFile: passwordFile: # other: "" # xms: "1g" # xmx: "2g" # other: "" nodeSelector: {} ## Wait for Artifactory primary waitForPrimaryStartup: enabled: true ## Setting time will override the built in test and will just wait the set time time: tolerations: [] ## Complete specification of the "affinity" of the member nodes; if this is non-empty, ## "podAntiAffinity" values are not used. affinity: {} ## Only used if "affinity" is empty podAntiAffinity: ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity type: "soft" topologyKey: "kubernetes.io/hostname" frontend: name: frontend enabled: true internalPort: 8070 ## Extra environment variables that can be used to tune frontend to your needs. ## Uncomment and set value as needed extraEnvironmentVariables: # - name: MY_ENV_VAR # value: "" resources: {} # requests: # memory: "100Mi" # cpu: "100m" # limits: # memory: "1Gi" # cpu: "1" ## Session settings session: ## Time in minutes after which the frontend token will need to be refreshed timeoutMinutes: '30' # Add lifecycle hooks for frontend container lifecycle: {} # postStart: # exec: # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] # preStop: # exec: # command: ["/bin/sh","-c","echo Hello from the preStop handler"] ## The following settings are to configure the frequency of the liveness and startup probes when splitServicesToContainers set to true livenessProbe: enabled: true config: | exec: command: - sh - -c - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.frontend.internalPort }}/api/v1/system/liveness initialDelaySeconds: {{ if semverCompare " --cert=ca.crt --key=ca.private.key` # customCertificatesSecretName: ## When resetAccessCAKeys is true, Access will regenerate the CA certificate and matching private key # resetAccessCAKeys: false database: maxOpenConnections: 80 tomcat: connector: maxThreads: 50 sendReasonPhrase: false extraConfig: 'acceptCount="100"' metadata: name: metadata enabled: true internalPort: 8086 ## Extra environment variables that can be used to tune metadata to your needs. ## Uncomment and set value as needed extraEnvironmentVariables: # - name: MY_ENV_VAR # value: "" resources: {} # requests: # memory: "100Mi" # cpu: "100m" # limits: # memory: "1Gi" # cpu: "1" database: maxOpenConnections: 80 # Add lifecycle hooks for metadata container lifecycle: {} # postStart: # exec: # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] # preStop: # exec: # command: ["/bin/sh","-c","echo Hello from the preStop handler"] ## The following settings are to configure the frequency of the liveness and startup probes when splitServicesToContainers set to true livenessProbe: enabled: true config: | exec: command: - sh - -c - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.metadata.internalPort }}/api/v1/system/liveness initialDelaySeconds: {{ if semverCompare " /var/opt/jfrog/nginx/message"] # preStop: # exec: # command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"] # Sidecar containers for tailing Nginx logs loggers: [] # - access.log # - error.log # Loggers containers resources loggersResources: {} # requests: # memory: "64Mi" # cpu: "25m" # limits: # memory: "128Mi" # cpu: "50m" # Logs options logs: stderr: false level: warn ## A list of custom ports to expose on the NGINX pod. Follows the conventional Kubernetes yaml syntax for container ports. customPorts: [] # customPorts: # - containerPort: 8066 # name: docker mainConf: | # Main Nginx configuration file worker_processes 4; {{ if .Values.nginx.logs.stderr }} error_log stderr {{ .Values.nginx.logs.level }}; {{- else -}} error_log {{ .Values.nginx.persistence.mountPath }}/logs/error.log {{ .Values.nginx.logs.level }}; {{- end }} pid /tmp/nginx.pid; {{- if .Values.artifactory.ssh.enabled }} ## SSH Server Configuration stream { server { listen {{ .Values.nginx.ssh.internalPort }}; proxy_pass {{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.ssh.externalPort }}; } } {{- end }} events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; variables_hash_max_size 1024; variables_hash_bucket_size 64; server_names_hash_max_size 4096; server_names_hash_bucket_size 128; types_hash_max_size 2048; types_hash_bucket_size 64; proxy_read_timeout 2400s; client_header_timeout 2400s; client_body_timeout 2400s; proxy_connect_timeout 75s; proxy_send_timeout 2400s; proxy_buffer_size 128k; proxy_buffers 40 128k; proxy_busy_buffers_size 128k; proxy_temp_file_write_size 250m; proxy_http_version 1.1; client_body_buffer_size 128k; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; log_format timing 'ip = $remote_addr ' 'user = \"$remote_user\" ' 'local_time = \"$time_local\" ' 'host = $host ' 'request = \"$request\" ' 'status = $status ' 'bytes = $body_bytes_sent ' 'upstream = \"$upstream_addr\" ' 'upstream_time = $upstream_response_time ' 'request_time = $request_time ' 'referer = \"$http_referer\" ' 'UA = \"$http_user_agent\"'; access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; include /etc/nginx/conf.d/*.conf; } artifactoryConf: | {{- if .Values.nginx.https.enabled }} ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; ssl_session_cache shared:SSL:1m; ssl_prefer_server_ciphers on; {{- end }} ## server configuration server { {{- if .Values.nginx.internalPortHttps }} listen {{ .Values.nginx.internalPortHttps }} ssl; {{- else -}} {{- if .Values.nginx.https.enabled }} listen {{ .Values.nginx.https.internalPort }} ssl; {{- end }} {{- end }} {{- if .Values.nginx.internalPortHttp }} listen {{ .Values.nginx.internalPortHttp }}; {{- else -}} {{- if .Values.nginx.http.enabled }} listen {{ .Values.nginx.http.internalPort }}; {{- end }} {{- end }} server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} {{- range .Values.ingress.hosts -}} {{- if contains "." . -}} {{ "" | indent 0 }} ~(?.+)\.{{ . }} {{- end -}} {{- end -}}; if ($http_x_forwarded_proto = '') { set $http_x_forwarded_proto $scheme; } ## Application specific logs ## access_log /var/log/nginx/artifactory-access.log timing; ## error_log /var/log/nginx/artifactory-error.log; rewrite ^/artifactory/?$ / redirect; if ( $repo != "" ) { rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; } chunked_transfer_encoding on; client_max_body_size 0; location / { proxy_read_timeout 900; proxy_pass_header Server; proxy_cookie_path ~*^/.* /; proxy_pass {{ include "artifactory-ha.scheme" . }}://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/; {{- if .Values.nginx.service.ssloffload}} proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; {{- else }} proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; proxy_set_header X-Forwarded-Port $server_port; {{- end }} proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header Strict-Transport-Security always; location /artifactory/ { if ( $request_uri ~ ^/artifactory/(.*)$ ) { proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; } proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; } location /pipelines/ { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; {{- if .Values.router.tlsEnabled }} proxy_pass https://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }}; {{- else }} proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }}; {{- end }} } } } customInitContainers: | customSidecarContainers: | customVolumes: | customVolumeMounts: | customCommand: ## allows overwriting the command for the nginx container. ## defaults to [ 'nginx', '-g', 'daemon off;' ] service: ## For minikube, set this to NodePort, elsewhere use LoadBalancer type: LoadBalancer ssloffload: false ## For supporting whitelist on the Nginx LoadBalancer service ## Set this to a list of IP CIDR ranges ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] ## or pass from helm command line ## Example: helm install ... --set nginx.service.loadBalancerSourceRanges='{10.10.10.5/32,10.11.10.5/32}' loadBalancerSourceRanges: [] ## Provide static ip address loadBalancerIP: ## There are two available options: “Cluster” (default) and “Local”. externalTrafficPolicy: Cluster labels: {} # label-key: label-value ## If the type is NodePort you can set a fixed port # nodePort: 32082 ## A list of custom ports to be exposed on nginx service. Follows the conventional Kubernetes yaml syntax for service ports. customPorts: [] # - port: 8066 # targetPort: 8066 # protocol: TCP # name: docker http: enabled: true externalPort: 80 internalPort: 80 https: enabled: true externalPort: 443 internalPort: 443 # DEPRECATED: The following will be replaced by L1065-L1076 in a future release # externalPortHttp: 80 # internalPortHttp: 80 # externalPortHttps: 443 # internalPortHttps: 443 ssh: internalPort: 1339 externalPort: 1339 ## The following settings are to configure the frequency of the liveness and readiness probes. livenessProbe: enabled: true config: | exec: command: - sh - -c - curl -s -k --fail --max-time 1 {{ include "nginx.scheme" . }}://localhost:{{ include "nginx.port" . }}/ initialDelaySeconds: {{ if semverCompare " ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## # storageClassName: "-" resources: {} # requests: # memory: "250Mi" # cpu: "100m" # limits: # memory: "250Mi" # cpu: "500m" nodeSelector: {} tolerations: [] affinity: {} # Filebeat Sidecar container ## The provided filebeat configuration is for Artifactory logs. It assumes you have a logstash installed and configured properly. filebeat: enabled: false name: artifactory-filebeat image: repository: "docker.elastic.co/beats/filebeat" version: 7.16.2 logstashUrl: "logstash:5044" terminationGracePeriod: 10 livenessProbe: exec: command: - sh - -c - | #!/usr/bin/env bash -e curl --fail 127.0.0.1:5066 failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 5 readinessProbe: exec: command: - sh - -c - | #!/usr/bin/env bash -e filebeat test output failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 5 resources: {} # requests: # memory: "100Mi" # cpu: "100m" # limits: # memory: "100Mi" # cpu: "100m" filebeatYml: | logging.level: info path.data: {{ .Values.artifactory.persistence.mountPath }}/log/filebeat name: artifactory-filebeat queue.spool: file: permissions: 0760 filebeat.inputs: - type: log enabled: true close_eof: ${CLOSE:false} paths: - {{ .Values.artifactory.persistence.mountPath }}/log/*.log fields: service: "jfrt" log_type: "artifactory" output: logstash: hosts: ["{{ .Values.filebeat.logstashUrl }}"] ## Allows to add additional kubernetes resources ## Use --- as a separator between multiple resources ## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-ha-values.yaml additionalResources: | # Adding entries to a Pod's /etc/hosts file # For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases hostAliases: [] # - ip: "127.0.0.1" # hostnames: # - "foo.local" # - "bar.local" # - ip: "10.1.2.3" # hostnames: # - "foo.remote" # - "bar.remote" ## This is an experimental feature (not ready for production yet ) that will become default in one of the future releases ## Toggling this feature will enable all microservices to run in different containers in a single pod (by default it is false) splitServicesToContainers: false ## Specify common probes parameters probes: timeoutSeconds: 5