
LDAP configurations in Helm chart

Open vikram383 opened this issue 5 years ago • 12 comments

Is this a request for help?:


Is this a BUG REPORT or FEATURE REQUEST? (choose one):

Version of Helm and Kubernetes: helm=v3.4.1 k8s=v1.19.4

Which chart: artifactory helm chart(uses artifactory-pro)

What happened: I want to integrate LDAP configurations in the chart. How do I do it? Can we integrate it in system.yaml?

What you expected to happen: LDAP configurations should be automated in the chart.

How to reproduce it (as minimally and precisely as possible): no idea

Anything else we need to know: when I'm deploying the chart, the logs say system.yaml validation failed. How do I rectify that?

vikram383 avatar Dec 03 '20 17:12 vikram383

@vikram383 can you please provide more info on the LDAP configurations that you are looking for? We are happy to take a pull request if you are interested in raising it.

chukka avatar Dec 04 '20 04:12 chukka

Hi chukka, thanks for your reply. I want to configure LDAP for Artifactory, but I couldn't find any relevant documents for that. Can you please let me know how to configure LDAP in system.yaml in the helm chart? If you can send some basic syntax, it would be beneficial. Thanks.

vikram383 avatar Dec 30 '20 16:12 vikram383

I want to configure my company's LDAP server for certain groups and users.

vikram383 avatar Dec 30 '20 16:12 vikram383

If you could attach some relevant document, that would be fine.

vikram383 avatar Dec 30 '20 16:12 vikram383

+1

Maybe here is the answer

JuanSeBestia avatar Jan 13 '21 17:01 JuanSeBestia

Thanks. How do I configure identity access management in YAML? I couldn't find that in the YAML configurations.

vikram383 avatar Jan 27 '21 13:01 vikram383

Finally, it is impossible via system.yaml, so I created a job to do that:

---
apiVersion: batch/v1
kind: Job
metadata:
  name: artifactory-config-patcher
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      securityContext:
        fsGroup: 10001
      imagePullSecrets:
        - name: gitlab-registry
      volumes:
        - name: patcher-file
          secret:
            secretName: artifactory-config-patcher-file
      containers:
        - name: executer
          image: curlimages/curl:7.74.0
          imagePullPolicy: Always
          command:
            - "sh"
            - "-c"
            - >-
              until
              curl -u $ADMIN_USER:$ADMIN_PASSWORD -v
              --connect-timeout 100 $ARTIFACTORY_URL/$HEALTH_API | grep OK; do
              sleep 10; done;
              curl -v --connect-timeout 100 -u $ADMIN_USER:$ADMIN_PASSWORD
              -X PATCH $ARTIFACTORY_URL/$SETTINGS_API
              -H "Content-Type: application/yaml" -T /var/patcher-file/configuration.yaml
          env:
            - name: ARTIFACTORY_URL
              value: http://bio4n-artifactory-jfrog:8081
            - name: SETTINGS_API
              value: artifactory/api/system/configuration
            - name: HEALTH_API
              value: artifactory/api/system/ping
          envFrom:
            - secretRef:
                name: artifactory-admin-credentials
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 200m
              memory: 512Mi
          volumeMounts:
            - name: patcher-file
              mountPath: /var/patcher-file
              readOnly: true
          securityContext:
            runAsUser: 10001
            runAsGroup: 10001
            readOnlyRootFilesystem: true
      restartPolicy: Never
  ttlSecondsAfterFinished: 300
---
apiVersion: v1
stringData:
  ADMIN_PASSWORD: some_password
  ADMIN_USER: some_user_admin
kind: Secret
metadata:
  name: artifactory-admin-credentials
type: Opaque
---
apiVersion: v1
stringData:
  configuration.yaml: |
    security:   #Security configuration (LDAP, SAML, Password Policy, ...)
      ldapSettings:   #LDAP server(s) settings
        x-configuration-id:   # The unique ID of the LDAP setting
          emailAttribute: mail   #An attribute that can be used to map a user's email to a user created automatically by Artifactory
          ldapPoisoningProtection: true   #When set to true (recommended), Artifactory will protect against LDAP poisoning by filtering out users exposed to vulnerability
          ldapUrl: <ldap_url> #Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com. The URL should include the base DN used to search for and/or authenticate users
          search:
            managerDn: <ldap_bindDn>  #The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf
            managerPassword: <ldap_bindPassword>   #The password of the user binding to the LDAP server when using "search" authentication
            searchBase: <ldap_baseDn>   #The Context name in which to search relative to the base DN in the LDAP URL. Multiple search bases may be specified separated by a pipe ( | ). This parameter is optional
            searchFilter: (uid={0})  #A filter expression used to search for the user DN that is used in LDAP authentication. A possible example is (uid={0}) - this would search for a username match on the uid attribute. Authentication using LDAP is performed from the DN found if successful
            searchSubTree: true   #When set, enables deep search through the sub-tree of the LDAP URL + Search Base
          userDnPattern: uid={0},<ldap_baseDn>  #A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL. For example: uid={0},ou=People
          allowUserToAccessProfile: true   #When set, users created after logging in using LDAP will be able to access their profile page in Artifactory
          autoCreateUser: true   #When set, Artifactory will automatically create new users for those who have logged in using LDAP, and assign them to the default groups
          enabled: true   #When set, these settings are enabled
kind: Secret
metadata:
  name: artifactory-config-patcher-file
type: Opaque

JuanSeBestia avatar Feb 01 '21 13:02 JuanSeBestia
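As an added example (not JuanSeBestia's code and not part of the Artifactory chart), the script below builds the same `security.ldapSettings` patch document in Python, checks the inputs a defender would want checked before the patch goes in (LDAP URL scheme and base DN, the `{0}` placeholder in the search filter, an empty bind password, poisoning protection switched off), and prepares the same `PATCH .../artifactory/api/system/configuration` request the Job's curl command sends. The LDAP host, DNs, key name and credentials are constructed placeholders; the YAML serializer is a minimal one for nested maps of strings and booleans so the script needs no third-party library.

```python
"""Build, check and prepare an Artifactory LDAP configuration patch (added example)."""
import base64
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class LdapSetting:
    """Values for one entry under security.ldapSettings (field names follow the post above)."""
    key: str                      # unique id of the LDAP setting (the map key)
    ldap_url: str                 # ldap(s)://host:port/<base DN>
    manager_dn: str               # bind DN used for "search" authentication
    manager_password: str
    search_base: str = ""
    search_filter: str = "(uid={0})"
    user_dn_pattern: str = "uid={0}"
    email_attribute: str = "mail"
    poisoning_protection: bool = True
    auto_create_user: bool = True


def validate(s: LdapSetting) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors would produce a broken setting; warnings are weak choices."""
    errors, warnings = [], []
    scheme, _, rest = s.ldap_url.partition("://")
    if scheme not in ("ldap", "ldaps") or not rest:
        errors.append("ldapUrl must start with ldap:// or ldaps://")
    else:
        _, _, base_dn = rest.partition("/")
        if not base_dn:
            errors.append("ldapUrl should end with the base DN, e.g. ldap://host:389/dc=example,dc=com")
        if scheme == "ldap":
            warnings.append("ldap:// sends the manager bind password in cleartext; prefer ldaps://")
    if "{0}" not in s.search_filter:
        errors.append("searchFilter must contain the {0} username placeholder")
    if not s.manager_password:
        errors.append("managerPassword is empty")
    if not s.poisoning_protection:
        warnings.append("ldapPoisoningProtection is disabled")
    return errors, warnings


def build_patch(s: LdapSetting) -> Dict:
    """Nest the setting under security.ldapSettings.<key>, as the configuration API expects."""
    return {"security": {"ldapSettings": {s.key: {
        "emailAttribute": s.email_attribute,
        "ldapPoisoningProtection": s.poisoning_protection,
        "ldapUrl": s.ldap_url,
        "search": {
            "managerDn": s.manager_dn,
            "managerPassword": s.manager_password,
            "searchBase": s.search_base,
            "searchFilter": s.search_filter,
            "searchSubTree": True,
        },
        "userDnPattern": s.user_dn_pattern,
        "allowUserToAccessProfile": True,
        "autoCreateUser": s.auto_create_user,
        "enabled": True,
    }}}}


def to_yaml(node: Dict, indent: int = 0) -> str:
    """Tiny YAML emitter for nested maps of strings/bools; strings go out JSON-quoted (valid YAML)."""
    pad = " " * indent
    lines = []
    for key, value in node.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.append(to_yaml(value, indent + 2))
        elif isinstance(value, bool):
            lines.append(f"{pad}{key}: {'true' if value else 'false'}")
        else:
            lines.append(f"{pad}{key}: {json.dumps(str(value))}")
    return "\n".join(lines)


def build_patch_request(artifactory_url: str, yaml_body: str, user: str, password: str) -> urllib.request.Request:
    """Prepare (not send) the PATCH the Job's curl command issues; the caller decides when to send it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url=f"{artifactory_url.rstrip('/')}/artifactory/api/system/configuration",
        data=yaml_body.encode(),
        method="PATCH",
        headers={"Content-Type": "application/yaml", "Authorization": f"Basic {token}"},
    )


if __name__ == "__main__":
    # Constructed values; replace with your own directory's settings.
    setting = LdapSetting(key="corp-ldap",
                          ldap_url="ldaps://ldap.example.com:636/dc=example,dc=com",
                          manager_dn="cn=artifactory,ou=svc,dc=example,dc=com",
                          manager_password="constructed-secret", search_base="ou=People")
    errs, warns = validate(setting)
    print("errors:", errs, "warnings:", warns)
    print(to_yaml(build_patch(setting)))
```

One thing worth watching in the curl variant above: `-v` writes the request headers, including `Authorization: Basic ...`, to stderr, so the admin credential ends up in the pod's logs. Dropping `-v` (and using `--fail --silent --show-error` for a clean exit code) keeps it out of log storage.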

Great! Is this working with your Helm chart? Do you have REST API calls for RBAC?

vikram383 avatar Feb 04 '21 14:02 vikram383

  1. Yep, it is working with the helm chart. FYI, I used the HelmRelease of HelmOperator.
  2. Nooooo, RBAC for k8s is not necessary, because it uses the Artifactory API with the main credentials.

JuanSeBestia avatar Feb 04 '21 14:02 JuanSeBestia

Great bro, good job, thanks. I was asking about identity access management for Artifactory. I couldn't find any documentation for setting permissions for groups (e.g. dev, test, etc.); I have found it only through the UI. So I was asking if there is anything like a REST API (similar to the LDAP configuration which you have shared).

vikram383 avatar Feb 04 '21 15:02 vikram383

Many configurations in this part https://www.jfrog.com/confluence/display/JFROG/Artifactory+YAML+Configuration work with this implementation.

JuanSeBestia avatar Feb 10 '21 18:02 JuanSeBestia

Was just about to implement this, saved me the time. For JFrog: I wasted quite a bit of time with artifactory.config.import.xml before discovering that there didn't seem to be any way to provide partial config with that, since it overwrote any changes made after launch.

pbecotte avatar Oct 27 '21 19:10 pbecotte

Hi all, recently we added the ability to configure LDAP settings via a dedicated REST API - https://jfrog.com/help/r/jfrog-rest-apis/ldap. Closing this ticket.

gitta-jfrog avatar Dec 17 '23 14:12 gitta-jfrog