[ansible] JFrog Platform 10.20.1 release
Ram authored and chukka committed Nov 26, 2024
1 parent 005008a commit 6804524
Showing 26 changed files with 242 additions and 18 deletions.
8 changes: 8 additions & 0 deletions Ansible/ansible_collections/jfrog/platform/CHANGELOG.md
@@ -1,6 +1,14 @@
# JFrog Platform Ansible Collection Changelog
All changes to this collection will be documented in this file.

## [10.20.1] - Nov 26, 2024
* Postgres - Fixed auth method in pg_hba.conf file [GH-428](https://github.com/jfrog/JFrog-Cloud-Installers/pull/428)
* Artifactory - Fixed issue around /etc/cron.allow does not exist [GH-420](https://github.com/jfrog/JFrog-Cloud-Installers/issues/420)
* Xray - Added `centos_gpg_key` variable to override defaults [GH-420](https://github.com/jfrog/JFrog-Cloud-Installers/issues/413)
* Added support for RHEL 9
* Artifactory - Added AccessConfig Patch support to use mTLS [GH-392](https://github.com/jfrog/JFrog-Cloud-Installers/pull/392)
* Product Updates/fixes

## [10.20.0] - Oct 29, 2024
* Product Updates/fixes
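Review bot: the link label on the Xray `centos_gpg_key` entry reads GH-420 while its URL points at issues/413, so the label should be GH-413; the cron.allow entry directly above is the one that belongs to GH-420. Worth fixing before the tag, since the changelog is what users grep when an upgrade misbehaves.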

2 changes: 1 addition & 1 deletion Ansible/ansible_collections/jfrog/platform/galaxy.yml
Expand Up @@ -9,7 +9,7 @@ namespace: "jfrog"
name: "platform"

# The version of the collection. Must be compatible with semantic versioning
version: "10.20.0"
version: "10.20.1"

# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
readme: "README.md"
@@ -1,7 +1,7 @@
# Defaults file for artifactory

# The version of artifactory to install
artifactory_version: 7.98.7
artifactory_version: 7.98.9

# Set this to true when SSL is enabled (to use artifactory_nginx_ssl role), default to false (implies artifactory uses artifactory_nginx role )
artifactory_nginx_ssl_enabled: false
Expand Down Expand Up @@ -116,4 +116,12 @@ artifactory_binarystore: |-
artifactory_systemyaml_override: false

# Allow artifactory user to create crontab rules
artifactory_allow_crontab: false
artifactory_allow_crontab: false

# Provide access config patch content
artifactory_access_config_patch: |-
# security:
# authentication:
# mtls:
# enabled: true
# extraction-regex: (.*)
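Review bot: the default for `artifactory_access_config_patch` is a non-empty block of commented-out YAML, so a guard of the form `artifactory_access_config_patch | length > 0` (the one the new access-configuration task uses) is satisfied on a stock install and a comment-only `access.config.patch.yml` gets written and an Artifactory restart notified on every host. Make the default genuinely empty (`artifactory_access_config_patch: ""`) and keep the `security: authentication: mtls:` sample in the README, where it already appears.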
@@ -0,0 +1,12 @@
- name: Create the access.config.patch.yml file
become: true
template:
src: access-config-patch.yml.j2
dest: "{{ artifactory_home }}/var/etc/access/access.config.patch.yml"
owner: "{{ artifactory_user }}"
group: "{{ artifactory_group }}"
mode: 0644
notify: Restart artifactory
when:
- artifactory_access_config_patch is defined
- artifactory_access_config_patch | length > 0
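Review bot: the second `when` condition raises rather than skips if a user sets `artifactory_access_config_patch: null` (Jinja cannot take `length` of `None`); use `artifactory_access_config_patch | default('', true) | length > 0` so an explicit null behaves like "no patch". Separately, `mode: 0644` makes a file that can carry authentication settings world-readable on the host; `0640` with `group: "{{ artifactory_group }}"` (already set) is enough for the service to read it.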
Expand Up @@ -47,6 +47,7 @@
path: /etc/cron.allow
line: "{{ artifactory_user }}"
state: present
create: true
when: artifactory_allow_crontab

- name: Allow reading cron.allow
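Review bot: `create: true` changes behaviour on hosts that never had `/etc/cron.allow`: cron treats the mere presence of that file as an allow-list, so after this task only the artifactory user may use crontab and every other local account silently loses it. That is the stricter posture, but it is a side effect of an Artifactory role and should be called out in the CHANGELOG entry for GH-420; also set explicit `owner`/`mode` on creation rather than inheriting the umask, unless the following "Allow reading cron.allow" task already does so.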
Expand Down Expand Up @@ -132,6 +133,9 @@
- artifactory_systemyaml_override or (not systemyaml.stat.exists)
notify: Restart artifactory

- name: Configure access config
ansible.builtin.include_tasks: shared/access_configuration.yml

- name: Configure master key
become: true
ansible.builtin.copy:
Expand Up @@ -6,6 +6,7 @@
path: /etc/cron.allow
line: "{{ artifactory_user }}"
state: present
create: true
when: artifactory_allow_crontab

- name: Allow reading cron.allow
Expand Down Expand Up @@ -154,6 +155,9 @@
- artifactory_systemyaml_override or (not systemyaml.stat.exists)
notify: Restart artifactory

- name: Configure access config
ansible.builtin.include_tasks: shared/access_configuration.yml

- name: Install Service
ansible.builtin.include_tasks: shared/install_service.yml

Expand All @@ -179,4 +183,4 @@
delay: 5
when:
- not ansible_check_mode
- artifactory_start_service | bool
- artifactory_start_service | bool
@@ -0,0 +1 @@
{{ artifactory_access_config_patch }}
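Review bot: because the template emits `artifactory_access_config_patch` verbatim, an indentation or syntax error in the user-supplied block is only discovered when Artifactory is restarted by the handler. Holding the patch as a dict and rendering it with `{{ artifactory_access_config_patch | to_nice_yaml }}` would make malformed input fail at template time, on the controller, before the service is touched.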
@@ -1,5 +1,5 @@
# platform collection version
platform_collection_version: 10.20.0
platform_collection_version: 10.20.1

# indicates where this collection was downloaded from (galaxy, automation_hub, standalone)
ansible_marketplace: galaxy
Expand Up @@ -10,4 +10,96 @@ The artifactory_nginx_ssl role installs and configures nginx for SSL.
* _ssl_certificate_key_path_: This is the full directory path for the SSL private key, excluding _ssl_certificate_key_.
* _nginx_worker_processes_: The worker_processes configuration for nginx. Defaults to 1.
* _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker
subdomains.
subdomains.
* _mtls_ca_certificate_install_: `false` - Enable mTLS by updating to `true`
* _mtls_mtls_ca_certificate_crt_name_: This is the full name of the CA certificate
* _mtls_ca_certificate_path_: This is the full directory path for the CA certificate
* _mtls_mtls_ca_certificate_key_name_: This is the full name of the CA key
* _mtls_ca_certificate_crt_: This is the place to add the certificate
* _mtls_ca_certificate_key_: This is the place to add the key


# Configuring mTLS in Artifactory with NGINX
**To enable mTLS (Mutual TLS) authentication in Artifactory through NGINX, follow these steps:**

1. NGINX Changes
2. Artifactory Changes

## Step: 1 - NGINX Changes

Open `main.yml` in `artifactory_nginx_ssl` from the following location:

`platform/products/ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml`

### Set Up CA Certificate

Modify the `mtls_ca_certificate_install` parameter from `false` to `true`.

**Create CA Certificates**: CA certificates in mTLS verifies the authenticity and trustworthiness of client and server certificates, ensuring secure and mutual authentication.

**Run the following command to create CA certificates:**

```
openssl req -new -x509 -nodes -days 365 -subj '/CN=my-ca' -keyout ca.key -out ca.crt
```

Add the `ca.crt` and `ca.key` files to the relevant YAML file in the same directory.
Update the above generated certificates with below parameters:

mtls_ca_certificate_crt: |

mtls_ca_certificate_key: |


## Step: 2 - Arifactory Changes

### Enable mTLS Configuration
Under `artifactory_access_config_patch`, add the configuration in the following location to enable mTLS:
`platform/products/ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml`

```
security:
authentication:
mtls:
enabled: true
extraction-regex: (.*)
```

In the same `main.yaml`, update the following flags to:

- `artifactory_nginx_ssl_enabled: true`
- `artifactory_nginx_enabled: false`

For more information, refer to the [Artifactory Documentation](https://jfrog.com/help/r/jfrog-artifactory-documentation/set-up-mtls-verification-and-certificate-termination-on-the-reverse-proxy).

## Client Validation

**Follow the below steps to validate client:**

1. **Generate Server Certificate and Key for client validation**

Create the Server Key and Certificate:
Use the CA certificates created in [Step 1](#step-1---nginx-changes) to generate the server key and certificate.

```
openssl genrsa -out server.key 2048
```

```
openssl req -new -key server.key -subj '/CN=localhost' -out server.csr
```

```
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out server.crt
```

2. **Verify mTLS Configuration for client testing**
To test the mTLS setup, use a tool like curl:

```
curl -u <username>:<password> "http://<artifactory-url>/artifactory/api/system/ping" --cert server.crt --key server.key -k
```

This command should establish a connection using the configured mTLS, ensuring proper communication with Artifactory.
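Review bot: the curl example in "Client Validation" uses `http://` together with `-k`; a client certificate is only presented during a TLS handshake, so the URL must be `https://`, and `-k` switches off verification of the proxy's own certificate, which defeats the point of the test. Use `--cacert` with the CA that signed the nginx certificate instead. In the same section, the certificate created with `CN=localhost` is what curl presents via `--cert`, i.e. a client certificate, so the heading "Generate Server Certificate" will mislead readers. Smaller items: `mtls_mtls_ca_certificate_crt_name` / `mtls_mtls_ca_certificate_key_name` carry a doubled `mtls_` prefix that is reproduced consistently through defaults, tasks and the nginx template, so renaming is cheap now and a breaking change later; "Arifactory" in the Step 2 heading; and "`main.yaml`" should read `main.yml` to match the path given above it.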


Expand Up @@ -8,6 +8,7 @@ nginx_daemon: nginx
redirect_http_to_https_enabled: true

nginx_worker_processes: 1

artifactory_docker_registry_subdomain: false

artifactory_conf_template: artifactory.conf.j2
Expand All @@ -18,3 +19,11 @@ ssl_certificate_path: /etc/pki/tls/certs
ssl_certificate_key_path: /etc/pki/tls/private
ssl_certificate: cert.pem
ssl_certificate_key: cert.key

## If we want to use mTLS, set the mtls_ca_certificate_install variable to true and provide the ca certificate and key
mtls_ca_certificate_install: false
mtls_mtls_ca_certificate_crt_name: ca.crt
mtls_ca_certificate_path: /etc/pki/tls/certs
mtls_mtls_ca_certificate_key_name: ca.key
mtls_ca_certificate_crt: |
mtls_ca_certificate_key: |
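Review bot: `mtls_ca_certificate_crt: |` and `mtls_ca_certificate_key: |` at end of file are empty block scalars, so a user who flips `mtls_ca_certificate_install: true` without overriding them gets an empty file rendered to `ssl_client_certificate` and nginx refusing to start. Add an `ansible.builtin.assert` in the role that both values are non-empty whenever install is true. Also, `mtls_ca_certificate_path` defaults to the same directory as `ssl_certificate_path` (`/etc/pki/tls/certs`), so if the CA key is deployed it lands in the certificates directory rather than `/etc/pki/tls/private`.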
Expand Up @@ -92,5 +92,39 @@
no_log: true
when: ssl_certificate_install

- name: Ensure mtls_ca_certificate_key_path exists
become: true
ansible.builtin.file:
path: "{{ mtls_ca_certificate_path }}"
state: directory
mode: 0755
when:
- mtls_ca_certificate_install
- artifactory_version is version('7.77.0', '>=')

- name: Configure ca certificate
become: true
ansible.builtin.template:
src: certificate.crt.j2
dest: "{{ mtls_ca_certificate_path }}/{{ mtls_mtls_ca_certificate_crt_name }}"
mode: 0644
notify: Restart nginx
no_log: true
when:
- mtls_ca_certificate_install
- artifactory_version is version('7.77.0', '>=')

- name: Configure ca key
become: true
ansible.builtin.template:
src: certificate.cakey.j2
dest: "{{ mtls_ca_certificate_path }}/{{ mtls_mtls_ca_certificate_key_name }}"
mode: 0600
notify: Restart nginx
no_log: true
when:
- mtls_ca_certificate_install
- artifactory_version is version('7.77.0', '>=')

- name: Restart nginx
ansible.builtin.meta: flush_handlers
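Review bot: the "Configure ca key" task places the CA private key on the reverse-proxy host, but nginx client verification (`ssl_client_certificate`) needs only the CA certificate; the key is required only where client certificates are issued. Shipping it to the proxy puts a secret that can mint trusted client identities on the most exposed machine in the deployment, so either drop the task or gate it behind a separate opt-in variable that defaults to false. Minor: the first task's name says `mtls_ca_certificate_key_path` while its `path` is `mtls_ca_certificate_path`.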
Expand Up @@ -22,6 +22,13 @@
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
##Set up mTLS Verification and Certificate Termination on the Reverse Proxy
{% if mtls_ca_certificate_install %}
ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate {{ mtls_ca_certificate_path }}/{{ mtls_mtls_ca_certificate_crt_name }};
proxy_set_header X-JFrog-Client-Cert $ssl_client_escaped_cert;
{% endif %}
## Application specific logs
access_log /var/log/nginx/artifactory-access.log;
error_log /var/log/nginx/artifactory-error.log;
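Review bot: when `mtls_ca_certificate_install` is false nothing clears `X-JFrog-Client-Cert`, and nginx forwards request headers it does not override, so a client-supplied header of that name reaches Artifactory unchanged. Add an `{% else %}` branch with `proxy_set_header X-JFrog-Client-Cert "";` (an empty value makes nginx drop the header) so the application only ever sees a value the proxy set itself. Also note that `ssl_verify_client on` rejects every connection without a client certificate, including load-balancer health checks; if some paths must stay open, `optional` combined with a check on `$ssl_client_verify` is the usual alternative.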
@@ -0,0 +1,4 @@
{% set cert = mtls_ca_certificate_key.split('|') %}
{% for line in cert %}
{{ line }}
{% endfor %}
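Review bot: the `split('|')` implies the value may be supplied as a single line with `|` standing in for newlines, but the README documents the block-scalar form (`mtls_ca_certificate_key: |`), in which the value already contains real newlines and no `|` characters, so the split is a no-op there. Either document the single-line form as supported or drop the split and emit the variable verbatim; the same applies to `certificate.crt.j2` below, which is identical apart from the variable name.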
@@ -0,0 +1,4 @@
{% set cert = mtls_ca_certificate_crt.split('|') %}
{% for line in cert %}
{{ line }}
{% endfor %}
@@ -1,7 +1,7 @@
# defaults file for distribution

# The version of distribution to install
distribution_version: 2.26.1
distribution_version: 2.27.2

# whether to enable HA
distribution_ha_enabled: false
Expand Up @@ -22,6 +22,7 @@
path: /etc/cron.allow
line: "{{ distribution_user }}"
state: present
create: true
when: distribution_allow_crontab

- name: Allow reading cron.allow
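Review bot: as with the Artifactory role, `create: true` here turns on cron's allow-list mode on hosts where `/etc/cron.allow` did not exist, leaving the distribution user as the only account permitted to use crontab; document that side effect and set explicit `owner`/`mode` on the newly created file rather than relying on the umask.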
Expand Up @@ -122,6 +122,7 @@
path: /etc/cron.allow
line: "{{ distribution_user }}"
state: present
create: true
when: distribution_allow_crontab

- name: Allow reading cron.allow
@@ -1,5 +1,5 @@
# platform collection version
platform_collection_version: 10.20.0
platform_collection_version: 10.20.1

# indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
ansible_marketplace: galaxy
@@ -1,5 +1,5 @@
# platform collection version
platform_collection_version: 10.20.0
platform_collection_version: 10.20.1

# indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
ansible_marketplace: galaxy
Expand Up @@ -13,14 +13,14 @@
ansible.builtin.yum:
name: python3-psycopg2
state: present
when: ansible_distribution_major_version == '8'
when: ansible_facts['distribution_major_version'] | int in [8, 9]

- name: Install python2-psycopg2
become: true
ansible.builtin.yum:
name: python-psycopg2
state: present
when: ansible_distribution_major_version == '7'
when: ansible_facts['distribution_major_version'] | int == 7

- name: Fixup some locale issues
become: true
Expand Down Expand Up @@ -72,8 +72,8 @@
profiles=
state=disabled
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version | int == 8
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version'] | int in [8, 9]

- name: Install PostgreSQL packages
become: true
@@ -1,7 +1,7 @@
# Defaults file for xray

# The version of xray to install
xray_version: 3.104.18
xray_version: 3.107.11

# Whether to enable HA
xray_ha_enabled: false
Expand Down Expand Up @@ -49,6 +49,8 @@ xray_system_yaml_template: system.yaml.j2

linux_distro: "{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}"

centos_gpg_key: "https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official"

xray_db_util_search_filter:
ubuntu18:
db5: 'db5.3-util.*ubuntu1.1.*amd64\.deb'
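Review bot: `centos_gpg_key` is an RPM signing key fetched over the network at install time and then trusted for package verification, so the supply-chain trust of the Xray install now depends on a live download (and on whoever can set the variable). Vendoring the key file with the role, or checking a known fingerprint after `rpm --import`, keeps package trust independent of the download; at minimum the README should say that an override must point at a key the operator has verified out of band.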
Expand All @@ -65,6 +67,10 @@ xray_db_util_search_filter:
debian11:
db5: 'TBD'
db: 'db-util_([0-9]{1,3}\.?){3}.*nmu1_all\.deb'
redhat7:
db: 'libdb-utils-5.3.*el7.x86_64.rpm'
redhat9:
db: 'libdb-utils-5.3.*el9.x86_64.rpm'


yum_python_interpreter: >-
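Review bot: the new `redhat7`/`redhat9` patterns leave `.` unescaped (`libdb-utils-5.3.*el9.x86_64.rpm`) while the Debian entries escape `\.deb`; it works, but `5.3.*` also matches any `5.3x` build, so `5\.3\..*el9\.x86_64\.rpm` would be the consistent form.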

0 comments on commit 6804524
