selfhosted
/
coder
mirror of https://github.com/coder/coder.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

docs: simplify JFrog integration docs (#11787)

This commit is contained in:
Muhammad Atif Ali 2024-01-26 03:50:06 +03:00 committed by GitHub
parent 005c014f13
commit 541154b74b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 181 additions and 271 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
docs/guides/artifactory-integration.md Normal file
View File

@ -0,0 +1,176 @@
# JFrog Artifactory Integration
<div>
<a href="https://github.com/matifali" style="text-decoration: none; color: inherit;">
<span style="vertical-align:middle;">M Atif Ali</span>
<img src="https://github.com/matifali.png" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/>
</a>
</div>
January 24, 20204
---
Use Coder and JFrog Artifactory together to secure your development environments
without disturbing your developers' existing workflows.
This guide will demonstrate how to use JFrog Artifactory as a package registry
within a workspace.
## Requirements
- A JFrog Artifactory instance
- 1:1 mapping of users in Coder to users in Artifactory by email address or
username
- Repositories configured in Artifactory for each package manager you want to
use
## Provisioner Authentication
The most straight-forward way to authenticate your template with Artifactory is
by using our official Coder [modules](https://registry.coder.com). We publish
two type of modules that automate the JFrog Artifactory and Coder integration.
1. JFrog-OAuth
2. JFrog-Token
### JFrog-OAuth
This module is usable by JFrog self-hosted (on-premises) Artifactory as it
requires configuring a custom integration. This integration benefits from
Coder's [external-auth](https://coder.com/docs/v2/latest/admin/external-auth)
feature and allows each user to authenticate with Artifactory using an OAuth
flow and issues user-scoped tokens to each user.
To set this up, follow these steps:
1. Modify your Helm chart `values.yaml` for JFrog Artifactory to add,
```yaml
artifactory:
enabled: true
frontend:
extraEnvironmentVariables:
- name: JF_FRONTEND_FEATURETOGGLER_ACCESSINTEGRATION
value: "true"
access:
accessConfig:
integrations-enabled: true
integration-templates:
- id: "1"
name: "CODER"
redirect-uri: "https://CODER_URL/external-auth/jfrog/callback"
scope: "applied-permissions/user"
```
> Note Replace `CODER_URL` with your Coder deployment URL, e.g.,
> <coder.example.com>
2. Create a new Application Integration by going to
<https://JFROG_URL/ui/admin/configuration/integrations/new> and select the
Application Type as the integration you created in step 1.
![JFrog Platform new integration](../images/guides/artifactory-integration/jfrog-oauth-app.png)
3. Add a new
[external authentication](https://coder.com/docs/v2/latest/admin/external-auth)
to Coder by setting these env variables,
```env
# JFrog Artifactory External Auth
CODER_EXTERNAL_AUTH_1_ID="jfrog"
CODER_EXTERNAL_AUTH_1_TYPE="jfrog"
CODER_EXTERNAL_AUTH_1_CLIENT_ID="YYYYYYYYYYYYYYY"
CODER_EXTERNAL_AUTH_1_CLIENT_SECRET="XXXXXXXXXXXXXXXXXXX"
CODER_EXTERNAL_AUTH_1_DISPLAY_NAME="JFrog Artifactory"
CODER_EXTERNAL_AUTH_1_DISPLAY_ICON="/icon/jfrog.svg"
CODER_EXTERNAL_AUTH_1_AUTH_URL="https://JFROG_URL/ui/authorization"
CODER_EXTERNAL_AUTH_1_SCOPES="applied-permissions/user"
```
> Note Replace `JFROG_URL` with your JFrog Artifactory base URL, e.g.,
> <example.jfrog.io>
4. Create or edit a Coder template and use the
[JFrog-OAuth](https://registry.coder.com/modules/jfrog-oauth) module to
configure the integration.
```hcl
module "jfrog" {
source = "registry.coder.com/modules/jfrog-oauth/coder"
version = "1.0.0"
agent_id = coder_agent.example.id
jfrog_url = "https://jfrog.example.com"
configure_code_server = true # this depends on the code-server
username_field = "username" # If you are using GitHub to login to both Coder and Artifactory, use username_field = "username"
package_managers = {
"npm": "npm",
"go": "go",
"pypi": "pypi"
}
}
```
### JFrog-Token
This module makes use of the
[Artifactory terraform provider](https://registry.terraform.io/providers/jfrog/artifactory/latest/docs)
and an admin-scoped token to create user-scoped tokens for each user by matching
their Coder email or username with Artifactory. This can be used for both SaaS
and self-hosted(on-premises) Artifactory instances.
To set this up, follow these steps:
1. Get a JFrog access token from your Artifactory instance. The token must be an
[admin token](https://registry.terraform.io/providers/jfrog/artifactory/latest/docs#access-token)
with scope `applied-permissions/admin`.
2. Create or edit a Coder template and use the
[JFrog-Token](https://registry.coder.com/modules/jfrog-token) module to
configure the integration and pass the admin token. It is recommended to
store the token in a sensitive terraform variable to prevent it from being
displayed in plain text in the terraform state.
```hcl
variable "artifactory_access_token" {
type = string
sensitive = true
}
module "jfrog" {
source = "registry.coder.com/modules/jfrog-token/coder"
version = "1.0.0"
agent_id = coder_agent.example.id
jfrog_url = "https://example.jfrog.io"
configure_code_server = true # this depends on the code-server
artifactory_access_token = var.artifactory_access_token
package_managers = {
"npm": "npm",
"go": "go",
"pypi": "pypi"
}
}
```
<blockquote class="info">
The admin-level access token is used to provision user tokens and is never exposed to
developers or stored in workspaces.
</blockquote>
If you do not want to use the official modules, you can check example template
that uses Docker as the underlying compute
[here](https://github.com/coder/coder/tree/main/examples/jfrog/docker). The same
concepts apply to all compute types.
## Offline Deployments
See the [offline deployments](../install/offline.md#coder-modules) section for
instructions on how to use coder-modules in an offline environment with
Artifactory.
## More reading
- See the full example template
[here](https://github.com/coder/coder/tree/main/examples/jfrog/docker).
- To serve extensions from your own VS Code Marketplace, check out
[code-marketplace](https://github.com/coder/code-marketplace#artifactory-storage).
- To store templates in Artifactory, check out our
[Artifactory modules](../templates/modules.md#artifactory) docs.

BIN
docs/images/guides/artifactory-integration/jfrog-oauth-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

10
docs/manifest.json
View File

@ -88,11 +88,6 @@
"path": "./platforms/gcp.md",
"icon_path": "./images/google-cloud.svg"
},
{
"title": "JFrog",
"description": "Integrate Coder with JFrog",
"path": "./platforms/jfrog.md"
},
{
"title": "Kubernetes",
"description": "Set up Coder on Kubernetes",
@ -1041,6 +1036,11 @@
"description": "Federating a Google Cloud service account to AWS",
"path": "./guides/gcp-to-aws.md"
},
{
"title": "JFrog Artifactory Integration",
"description": "Integrate Coder with JFrog Artifactory",
"path": "./guides/artifactory-integration.md"
},
{
"title": "Template ImagePullSecrets",
"description": "Creating ImagePullSecrets for private registries",

266
docs/platforms/jfrog.md
View File

@ -1,266 +0,0 @@
# JFrog
Use Coder and JFrog together to secure your development environments without
disturbing your developers' existing workflows.
This guide will demonstrate how to use JFrog Artifactory as a package registry
within a workspace. We'll use Docker as the underlying compute. But, these
concepts apply to any compute platform.
The full example template can be found
[here](https://github.com/coder/coder/tree/main/examples/jfrog/docker).
## Requirements
- A JFrog Artifactory instance
- An admin-level access token for Artifactory
- 1:1 mapping of users in Coder to users in Artifactory by email address and
username
- Repositories configured in Artifactory for each package manager you want to
use
<blockquote class="info">
The admin-level access token is used to provision user tokens and is never exposed to
developers or stored in workspaces.
</blockquote>
<blockquote class="info">
You can skip the whole page and use [JFrog module](https://registry.coder.com/modules/jfrog-token) for easy JFrog Artifactory integration.
</blockquote>
## Provisioner Authentication
The most straight-forward way to authenticate your template with Artifactory is
by using
[Terraform-managed variables](https://coder.com/docs/v2/latest/templates/parameters#terraform-template-wide-variables).
See the following example:
```hcl
terraform {
required_providers {
coder = {
source = "coder/coder"
}
docker = {
source = "kreuzwerker/docker"
}
artifactory = {
source = "registry.terraform.io/jfrog/artifactory"
}
}
}
variable "jfrog_url" {
type = string
description = "JFrog instance URL. e.g. https://jfrog.example.com"
# validate the URL to ensure it starts with https:// or http://
validation {
condition = can(regex("^https?://", var.jfrog_url))
error_message = "JFrog URL must start with https:// or http://"
}
}
variable "artifactory_admin_access_token" {
type = string
description = "The admin-level access token to use for JFrog with scope applied-permissions/admin"
}
# Configure the Artifactory provider
provider "artifactory" {
url = "${var.jfrog_url}/artifactory"
access_token = "${var.artifactory_admin_access_token}"
}
resource "artifactory_scoped_token" "me" {
# This is hacky, but on terraform plan the data source gives empty strings,
# which fails validation.
username = length(local.artifactory_username) > 0 ? local.artifactory_username : "plan"
}
```
When pushing the template, you can pass in the variables using the `--var` flag:
```shell
coder templates push --var 'jfrog_url=https://YYY.jfrog.io' --var 'artifactory_admin_access_token=XXX'
```
## Installing JFrog CLI
`jf` is the JFrog CLI. It can do many things across the JFrog platform, but
we'll focus on its ability to configure package managers, as that's the relevant
functionality for most developers.
Most users should be able to install `jf` by running the following command:
```shell
curl -fL https://install-cli.jfrog.io | sh
```
Other methods are listed [here](https://jfrog.com/getcli/).
In our Docker-based example, we install `jf` by adding these lines to our
`Dockerfile`:
```Dockerfile
RUN curl -fL https://install-cli.jfrog.io | sh && chmod 755 $(which jf)
```
## Configuring Coder workspace to use JFrog Artifactory repositories
Create a `locals` block to store the Artifactory repository keys for each
package manager you want to use in your workspace. For example, if you want to
use artifactory repositories with keys `npm`, `pypi`, and `go`, you can create a
`locals` block like this:
```hcl
locals {
artifactory_repository_keys = {
npm = "npm"
python = "pypi"
go = "go"
}
# Make sure to use the same field as the username field in the Artifactory
# It can be either the username or the email address.
artifactory_username = data.coder_workspace.me.owner_email
jfrog_host = replace(var.jfrog_url, "^https://", "")
}
```
To automatically configure `jf` CLI and Artifactory repositories for each user,
add the following lines to your `startup_script` in the `coder_agent` block:
```hcl
resource "coder_agent" "main" {
arch = data.coder_provisioner.me.arch
os = "linux"
startup_script_timeout = 180
startup_script = <<-EOT
set -e
# install and start code-server
curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/tmp/code-server
/tmp/code-server/bin/code-server --auth none --port 13337 >/tmp/code-server.log 2>&1 &
# The jf CLI checks $CI when determining whether to use interactive
# flows.
export CI=true
jf c rm 0 || true
echo ${artifactory_scoped_token.me.access_token} | \
jf c add --access-token-stdin --url ${var.jfrog_url} 0
# Configure the `npm` CLI to use the Artifactory "npm" repository.
cat << EOF > ~/.npmrc
email = ${data.coder_workspace.me.owner_email}
registry = ${var.jfrog_url}/artifactory/api/npm/${local.artifactory_repository_keys["npm"]}
EOF
jf rt curl /api/npm/auth >> .npmrc
# Configure the `pip` to use the Artifactory "python" repository.
mkdir -p ~/.pip
cat << EOF > ~/.pip/pip.conf
[global]
index-url = https://${local.artifactory_username}:${artifactory_scoped_token.me.access_token}@${local.jfrog_host}/artifactory/api/pypi/${local.artifactory_repository_keys["python"]}/simple
EOF
EOT
# Set GOPROXY to use the Artifactory "go" repository.
env = {
GOPROXY : "https://${local.artifactory_username}:${artifactory_scoped_token.me.access_token}@${local..jfrog_host}/artifactory/api/go/${local.artifactory_repository_keys["go"]}"
}
}
```
You can verify that `jf` is configured correctly in your workspace by running
`jf c show`. It should display output like:
```text
coder@jf:~$ jf c show
Server ID: 0
JFrog Platform URL: https://YYY.jfrog.io/
Artifactory URL: https://YYY.jfrog.io/artifactory/
Distribution URL: https://YYY.jfrog.io/distribution/
Xray URL: https://YYY.jfrog.io/xray/
Mission Control URL: https://YYY.jfrog.io/mc/
Pipelines URL: https://YYY.jfrog.io/pipelines/
User: ammar@....com
Access token: ...
Default: true
```
## Installing the JFrog VS Code Extension
You can install the JFrog VS Code extension into workspaces by inserting the
following lines into your `startup_script`:
```shell
# Install the JFrog VS Code extension.
# Find the latest version number at
# https://open-vsx.org/extension/JFrog/jfrog-vscode-extension.
/tmp/code-server/bin/code-server --install-extension jfrog.jfrog-vscode-extension
```
Note that this method will only work if your developers use code-server.
## Configuring npm
Add the following line to your `startup_script` to configure `npm` to use
Artifactory:
```shell
# Configure the `npm` CLI to use the Artifactory "npm" registry.
cat << EOF > ~/.npmrc
email = ${data.coder_workspace.me.owner_email}
registry = ${var.jfrog_url}/artifactory/api/npm/npm/
EOF
jf rt curl /api/npm/auth >> .npmrc
```
Now, your developers can run `npm install`, `npm audit`, etc. and transparently
use Artifactory as the package registry. You can verify that `npm` is configured
correctly by running `npm install --loglevel=http react` and checking that npm
is only hitting your Artifactory URL.
## Configuring pip
Add the following lines to your `startup_script` to configure `pip` to use
Artifactory:
```shell
mkdir -p ~/.pip
cat << EOF > ~/.pip/pip.conf
[global]
index-url = https://${data.coder_workspace.me.owner}:${artifactory_scoped_token.me.access_token}@${local.jfrog_host}/artifactory/api/pypi/pypi/simple
EOF
```
Now, your developers can run `pip install` and transparently use Artifactory as
the package registry. You can verify that `pip` is configured correctly by
running `pip install --verbose requests` and checking that pip is only hitting
your Artifactory URL.
## Configuring Go
Add the following environment variable to your `coder_agent` block to configure
`go` to use Artifactory:
```hcl
env = {
GOPROXY : "https://${data.coder_workspace.me.owner}:${artifactory_scoped_token.me.access_token}@${local.jfrog_host}/artifactory/api/go/go"
}
```
You can apply the same concepts to Docker, Maven, and other package managers
supported by Artifactory. See the
[JFrog documentation](https://jfrog.com/help/r/jfrog-artifactory-documentation/package-management)
for more information.
## More reading
- See the full example template
[here](https://github.com/coder/coder/tree/main/examples/jfrog/docker).
- To serve extensions from your own VS Code Marketplace, check out
[code-marketplace](https://github.com/coder/code-marketplace#artifactory-storage).
- To store templates in Artifactory, check out our
[Artifactory modules](../templates/modules.md#artifactory) docs.