SSL - ambitus/artifactory-vault GitHub Wiki

This wiki contains instructions on how to build preconfigured production Artifactory and PostgreSQL container images.

Before you begin, ensure that you have the following:

  • The JFrog Artifactory OSS image, pulled from the IBM Z Curated Container Registry: docker pull icr.io/ibmz/jfrog-artifactory-oss:<version>
  • The PostgreSQL image, pulled from the IBM Z Curated Container Registry: docker pull icr.io/ibmz/postgres:<version>
  • An x509 SSL Certificate and Key file for your zCX instance. ENSURE THAT THESE FILES ARE IN PEM FORMAT.
  • If you are using an Internal SSL Certificate or a Self-Signed SSL Certificate for your zCX instance, you will need to acquire a copy of the CA Root Certificate that corresponds to your SSL Certificate and Key file. ENSURE THAT THIS FILE IS IN PEM FORMAT.

If you need help formatting SSL certificates, see this guide.
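The three files have to agree with each other and with the sslmode=verify-full setting in the Artifactory DB_URL used later on this page, which makes the JDBC driver check the server certificate against root.crt and against the host name in the URL. The preflight script below is an added example, not part of the wiki or of the artifactory-vault templates. It assumes the internal or self-signed CA case, an openssl CLI on the build host, and a cert.pem issued directly by root.crt; the function names and the host db.example.test are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: preflight for cert.pem, key.pem and root.crt before ./build.sh.
# Function names and the host db.example.test are hypothetical.

# check_tls_files <dir> <db-host>   (<db-host> is the host you will put in DB_URL)
check_tls_files() {
    dir=$1; host=$2
    # 1. PEM armor present and contents parse (a DER or PKCS#12 file fails here).
    for f in cert.pem root.crt; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/$f" &&
            openssl x509 -in "$dir/$f" -noout 2>/dev/null ||
            { echo "FAIL: $f is not a PEM certificate" >&2; return 1; }
    done
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$dir/key.pem" ||
        { echo "FAIL: key.pem is not a PEM private key" >&2; return 1; }
    # 2. key.pem must hold the private key for the public key in cert.pem.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: key.pem does not match cert.pem" >&2; return 1; }
    # 3. cert.pem must chain to root.crt, the CA copied into .postgresql/.
    openssl verify -CAfile "$dir/root.crt" "$dir/cert.pem" >/dev/null 2>&1 ||
        { echo "FAIL: cert.pem does not chain to root.crt" >&2; return 1; }
    # 4. sslmode=verify-full also matches the DB_URL host against the certificate.
    case $host in *[!0-9.]*) opt=-checkhost ;; *) opt=-checkip ;; esac  # IPv4 only
    openssl x509 -in "$dir/cert.pem" -noout "$opt" "$host" | grep -q 'does match' ||
        { echo "FAIL: cert.pem is not valid for $host" >&2; return 1; }
    echo "OK: cert.pem, key.pem and root.crt are consistent for $host"
}

# Constructed sample input: throwaway CA and a server certificate for db.example.test.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
        -keyout "$d/key.pem" -out "$d/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:db.example.test\n' > "$d/san.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/cert.pem" 2>/dev/null
}

# Usage: ./preflight.sh <dir with the three files> <db-host>
if [ "$#" -eq 2 ]; then check_tls_files "$1" "$2"; fi
```

Run it against the directory holding your real files, passing the same host you intend to use in DB_URL; a failure at step 3 or 4 is what would otherwise surface as a database connection error when the Artifactory container starts.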

 

Build Preconfigured PostgreSQL Image

  • Get the template files for building the preconfigured PostgreSQL image onto your zCX appliance here.

You may need to use FTP to get them onto your zCX instance (the session below uses sftp on port 8022).

FTP:

$ cd <path to place where you downloaded these files to your workstation>
$ ls
build.sh              docker-entrypoint.sh*  key.pem.placeholder
cert.pem.placeholder  Dockerfile             postgresql.conf
$ sftp -o Port=8022 <your username>@<host/ip of your zCX instance>
<your username>@<host/ip of your zCX instance>'s password:
Connected to <your username>@<host/ip of your zCX instance>.
sftp> cd <wherever you want to put the files on zCX>
sftp> put *
...
<output that indicates that files are being copied to your zCX instance>
...
sftp> exit

$
  • Replace cert.pem.placeholder with your SSL Certificate File and name it cert.pem.

  • Replace key.pem.placeholder with your SSL Certificate Key File and name it key.pem.

  • Fill the <version> placeholder in Dockerfile and build.sh with the version number for the version of PostgreSQL that you are using.

  • Feel free to customize postgresql.conf or add other resources that may be needed for your PostgreSQL container.

  • Build your fully configured PostgreSQL image.

$ ./build.sh
  • Run your production PostgreSQL container.

Note that the ONLY difference here is that we are now referencing the icr.io/ibmz/postgres:<version>-full-prod image that you just built instead of icr.io/ibmz/postgres:<version>.

$ docker run --name <arbitrary container name> --user postgres -d --restart always -p 5432:5432 \
>            -v <persistent postgresql storage volume nfs or local>:/var/lib/postgresql/data \
>            -e POSTGRES_USER=artifactory \
>            -e POSTGRES_PASSWORD=<password>  \
>            icr.io/ibmz/postgres:<version>-full-prod

 

Build Preconfigured Artifactory Image

  • Get the template files for building a preconfigured Artifactory image onto your zCX instance here. (You may need to use FTP to get them onto your zCX instance.)

FTP:

$ cd <path to place where you downloaded these files to your workstation>
$ ls
build.sh              Dockerfile           root.crt.placeholder
cert.pem.placeholder  key.pem.placeholder  server.xml
$ sftp -o Port=8022 <your username>@<host/ip of your zCX instance>
<your username>@<host/ip of your zCX instance>'s password:
Connected to <your username>@<host/ip of your zCX instance>.
sftp> cd <wherever you want to put the files on zCX>
sftp> put *
...
<output that indicates that files are being copied to your zCX instance>
...
sftp> exit

$
  • Replace cert.pem.placeholder with your SSL Certificate File and name it cert.pem.
  • Replace key.pem.placeholder with your SSL Certificate Key File and name it key.pem.
  • Replace root.crt.placeholder with your CA Root Certificate File and name it root.crt.

⚠️ If you are NOT using either an Internal SSL Certificate or a Self-Signed SSL Certificate, you can just remove the following code in the Dockerfile that handles copying root.crt into the container:

RUN mkdir .postgresql
COPY root.crt .postgresql/
  • Fill the <version> placeholder in Dockerfile and build.sh with the version number for the version of Artifactory that you are using.

  • Feel free to customize server.xml or add other resources that may be needed for your Artifactory container in the Dockerfile.

  • Build your fully configured Artifactory image.

$ ./build.sh
  • Run your production Artifactory container.

Note that the ONLY difference here is that we are now referencing the icr.io/ibmz/jfrog-artifactory-oss:<version>-full-prod image that you just built instead of icr.io/ibmz/jfrog-artifactory-oss:<version>.

$ docker run --name <arbitrary container name> -d --restart always -p 8443:8443 \
>            -v <persistent artifactory storage volume nfs or local>:/var/opt/jfrog/artifactory \
>            -e DB_TYPE=postgresql \
>            -e DB_USER=artifactory \
>            -e DB_PASSWORD=<password> \
>            -e DB_URL="jdbc:postgresql://<host/ip where postgresql database is hosted>:<port>/artifactory?ssl=true&sslmode=verify-full" \
>            icr.io/ibmz/jfrog-artifactory-oss:<version>-full-prod