Artifactory
This document outlines the steps needed to create an API token or authentication secret in Artifactory and then integrate that secret into Jenkins to establish credentials. It also provides detailed instructions on managing both the Artifactory authentication secrets and Jenkins credentials to help users effectively set up and maintain these resources.
- Log in to Artifactory using your EUA account. Note that while some packages may be visible without logging in, full access to all features requires authentication. You can log in here: https://artifactory.cloud.cms.gov/.
- After logging in, use the dropdown menu at the top of the page to select the project you want to manage. This will provide you with an additional user interface for managing the project.
- Locate the Applications tab. Click on the gear icon to access the Project Settings.
1. Navigate to Project Settings.
2. Go to Repositories and click on Add Repositories in the top-right corner.
3. Select Local Repositories.
4. In the Package Type options, choose Docker as the container registry type.
5. In the dialog box that appears, enter a unique name for the Repository Key, ensuring it includes a prefix related to your project name.
6. Leave all other settings at their default values.
7. Click Create Local Repository.
1. Verify Registry and Service Account Creation:
* Ensure that the registry exists and the service account has been created. The account names should follow the format:
- `<org>-<projectname>-jfrog-rw` (read-write)
- `<org>-<projectname>-jfrog-ro` (read-only)
* In the Project Settings view, select User Management, then Members.
* In the project members list on the right side, search for "Jfrog" to list the service accounts.
2. Retrieve Service Account Credentials:
* Use Cloudtamer to log in to the AWS account and open the project in question with the application admin profile for web access, so that you can reach Secrets Manager.
* In AWS Secrets Manager, search for "Jfrog" to locate the credentials. Retrieve the read-write credentials, as these are used for both pulling containers from and writing to the registry by the delivery section of the pipeline.
3. Log in to Artifactory:
* Use the credentials retrieved from Secrets Manager (username and password) to log in to Artifactory.
4. Access Project and Generate Token:
* Once logged in, switch to the relevant project.
* Navigate to Artifactory and select Artifacts.
* Select the project container folder, e.g. “ado-container”.
* In the top-right corner, click on "Set Me Up" to open the Docker client setup dialog.
5. Generate and Save Token:
* On the Set Up a Docker Client dialog screen, select the project container, e.g. “ado-containers”, from the drop-down menu.
* In the box next to the Generate Token and Create instructions tab, enter the password obtained from Secrets Manager; it is used to generate the token.
* Click Generate Token and Create instructions.
- This action will produce a Base64-encoded token and the auths.json sections.
6. Prepare `auths.json` for Jenkins:
* Save the content of the `auths.json` section to a file.
* Edit the file to update the URL by removing the https and subdomain portion of the URL so that it reads as: artifactory.cloud.cms.gov, then save the file.
* This edited `auths.json` will be used for authentication in Jenkins.
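
The edit in step 6, done in code rather than by hand, as an added example that is not part of the original page. It assumes the generated section follows the Docker client config layout (an `auths` map whose entries carry a Base64 `auth` of `username:secret`); the function names and the sample subdomain, account and secret are constructed placeholders.

```python
import base64
import json
import os
from urllib.parse import urlsplit

REGISTRY_HOST = "artifactory.cloud.cms.gov"  # bare host named in step 6


def normalize_auths(doc, host=REGISTRY_HOST):
    """Re-key every auths entry to the bare host; reject anything unexpected."""
    out = {}
    for key, entry in doc.get("auths", {}).items():
        # Keys may be URLs ("https://sub.host") or plain hosts ("sub.host").
        name = urlsplit(key if "://" in key else "//" + key).hostname or ""
        if name != host and not name.endswith("." + host):
            raise ValueError(f"unexpected registry key: {key!r}")
        # "auth" must be Base64 of "username:secret" (assumed Docker layout).
        raw = base64.b64decode(entry["auth"], validate=True).decode()
        user, sep, secret = raw.partition(":")
        if not (user and sep and secret):
            raise ValueError(f"auth for {key!r} is not Base64 'user:secret'")
        if host in out and out[host] != entry:
            raise ValueError("different entries collapse onto one host")
        out[host] = entry
    if not out:
        raise ValueError("no auths entries found")
    return {"auths": out}


def account_name(doc, host=REGISTRY_HOST):
    """Username inside the token, to confirm which service account it is."""
    return base64.b64decode(doc["auths"][host]["auth"]).decode().split(":", 1)[0]


def write_secret_file(doc, path):
    """Write the file with owner-only permissions (0600), even if it exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh, indent=2)


# Constructed sample: placeholder subdomain, account and secret.
SAMPLE = {"auths": {"https://example-sub.artifactory.cloud.cms.gov": {
    "auth": base64.b64encode(b"org-proj-jfrog-rw:EXAMPLE-NOT-A-TOKEN").decode()}}}

if __name__ == "__main__":
    write_secret_file(normalize_auths(SAMPLE), "auths.json")
```

Checking `account_name` before upload confirms the file carries the `-jfrog-rw` account rather than the read-only one; delete the local copy once it has been uploaded.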
To ensure security, it is important to rotate tokens if they are leaked or compromised. Follow these steps to generate a new token and revoke the compromised one:
1. Log in as the Service Account:
* Access Artifactory using the service account credentials.
2. Revoke the Compromised Token:
* Click on the Welcome dropdown menu and select Edit Profile.
* Enter the account password to unlock the profile for editing.
- You will see a list of identity tokens. Select the compromised token and click Revoke.
3. Generate a New Token:
* Follow the steps outlined in the previous section to generate a new token:
* Navigate to Artifactory and select Artifacts.
* Click on "Set Me Up" in the top-right corner to open the Docker client setup dialog.
* Enter the account password to generate a new token.
* Click Generate Token and Create Instructions to obtain the new Base64-encoded token and `auths.json`.
4. Update Authentication:
* Save the updated `auths.json` and ensure it reflects the new token. This file will need to be reloaded into Jenkins or any other system that uses it for authentication.
By following these steps, you can effectively manage token security and maintain access control.
To integrate your `auths.json` file with Jenkins, follow these steps:
1. Log In to Jenkins:
* Access your Jenkins instance with your EUA credentials.
2. Select Your Project:
* Navigate to the project for which the `auths.json` file was created.
3. Add New Credentials:
* From the Jenkins main menu on the left side, select Manage Jenkins.
* In the Security section, click on Credentials.
* In the Stores scoped to Jenkins section, select Global.
* On the Global credentials (unrestricted) screen, click Add Credentials in the top right corner.
* From the Kind dropdown menu, choose Secret file.
* In the ID field, enter a descriptive name, e.g., `artifactory-rw-token-docker-json`.
* In the Description field, input a relevant description, e.g., `Docker config JSON with a token credentials for ado-jfrog-rw service account`.
* Under the File section, browse to select the `auths.json` file you prepared.
* Click OK to create the new credentials.
* Click Create to create the new credential.
1. Locate Existing Credential:
* Go to Manage Jenkins and then Credentials.
* Find the existing credential you want to update in the list.
2. Update Credential:
* Click Update next to the credential.
* Select the Replace option to upload the new `auths.json` file.
* Click Save to apply the changes.
By following these steps, you ensure that Jenkins has the latest authentication information from your `auths.json` file, either by adding new credentials or updating existing ones.