[artifactory] feat: copy service account support from #696

Open jasondamour opened this issue 4 years ago • 10 comments

PR Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • [x] Chart Version bumped
  • [x] CHANGELOG.md updated
  • [x] Variables and other changes are documented in the README.md
  • [x] Title of the PR starts with chart name (e.g. [artifactory])

What this PR does / why we need it: Copying work from artifactory-ha to artifactory #696 to support google service account authentication

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #304

Special notes for your reviewer: Is there any process to keep charts up to date? A common chart that all variant charts should inherit? Maintaining 2+ charts for the same application seems incredibly tedious

jasondamour Jun 11 '20 18:06

@jdamour98 Thanks for the contribution! Can you please rebase and update the PR (bumping chart versions in chart.yaml & CHANGELOG.md)?

chukka Jun 12 '20 04:06

@jdamour98 Thanks for the contribution. Can you please address the review comments and rebase the PR?

chukka Jun 18 '20 12:06

@jdamour98 Gentle reminder!

chukka Jun 30 '20 03:06

@jdamour98 Thanks for the contribution. Can you please address the review comments and rebase the PR?

chukka Jul 09 '20 07:07

@danielezer @eldada Sorry, it's been a while. Added comments and changes.

jasondamour Aug 13 '20 04:08

I can't get this working myself. Pretty much anything I try results in:

2020-08-13T07:55:28.948Z [jfrt ] [ERROR] [9c7672c769188260] [ctoryContextConfigListener:116] [art-init ] - Application could not be initialized: Missing identity field in config

java.lang.reflect.InvocationTargetException: null 
...
Missing identity field in config

My values.yaml (relevant block):

  persistence:
    type: google-storage
    googleStorage:
      httpsOnly: false
      bucketExists: true
      bucketName: "xxxxxxxxxxxxxxx"
      gcpServiceAccount:
        enabled: true
        customSecretName: artifactory
      path: "artifactory/filestore"

The file exists on the pod:

~ kubectl exec -it artifactory-artifactory-0 bash
Defaulting container name to artifactory.

$ cat /artifactory_bootstrap/gcp.credentials.json
{
  "type": "service_account",
  "project_id": "xxxxxxxxx",
  "private_key_id": "xxxxxxxxxxx",
  "private_key": "xxxxxxxxxxxx",
  "client_email": "xxxxxxxxxxxxxx",
  "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxx",
  "auth_uri": "xxxxxxxxxxxxxxxxxxxxxxxx",
  "token_uri": "xxxxxxxxxxxxxxxxxxx",
  "auth_provider_x509_cert_url": "xxxxxxxxxxxxxxxxxxxxxxxx",
  "client_x509_cert_url": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

LivenessProbe is failing with 503. I'm also seeing this error in the application logs, but I don't think it's the root cause:

Error: Error starting application Failed pinging artifactory for 180Request failed with status code 404
at createError (/opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/axios/lib/core/createError.js:16:15)
at settle (/opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/axios/lib/core/settle.js:17:12)
at IncomingMessage.handleStreamEnd (/opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/axios/lib/adapters/http.js:236:11)
at IncomingMessage.emit (events.js:203:15)
at endReadableNT (_stream_readable.js:1145:12)
at process._tickCallback (internal/process/next_tick.js:63:19)

jasondamour Aug 13 '20 08:08

@jdamour98 Can you please rebase one more time and fix the conflicts?

chukka Aug 13 '20 08:08

@chukka Done

jasondamour Aug 13 '20 16:08

@eldada will this change work with the default image docker.bintray.io/jfrog/artifactory-pro:7.5.5?

jasondamour Aug 13 '20 16:08

I tested the same chart and service account with the legacy HMAC keys, which worked for google cloud storage. So this change for service accounts does not work yet. I need some help understanding why. Is this a license issue (I'm using a Pro trial license)?

Additionally, even after using HMAC keys successfully, the pod is crashing with

Error: Error starting application Failed pinging artifactory for 180Request failed with status code 404
at createError (/opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/axios/lib/core/createError.js:16:15)
at settle (/opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/axios/lib/core/settle.js:17:12)
at IncomingMessage.handleStreamEnd (/opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/axios/lib/adapters/http.js:236:11)
at IncomingMessage.emit (events.js:203:15)
at endReadableNT (_stream_readable.js:1145:12)
at process._tickCallback (internal/process/next_tick.js:63:19)

I found only one issue referencing this, but it's unhelpful: https://www.jfrog.com/jira/browse/RTFACT-22104

Can anybody clarify what connection is being attempted?

jasondamour Aug 13 '20 18:08