
Artifactory

Artifactory is a solution that offers a centralized storage place for many types of packages, dependencies, libraries and containers.

How to Login

Artifactory can be accessed at artifactory.sikt.no. Sign in with Feide.

Personal Identity Token

NOTE: Personal API Key is deprecated and will be removed in Q4 2024

Every user with access to Artifactory can create an access token. The token can later be used to access Artifactory, e.g. with curl.

Steps to create an access token:

  1. Log in to Artifactory
  2. Click on your profile → Set Me Up
  3. Select repository type
  4. Generate token & create instructions

Package/Image Types

Artifactory supports a variety of package types. The full list of supported types can be found here. At Sikt the most popular package types are docker, maven and npm.

Docker

Artifactory contains Docker repositories that can be used to store images built by the pipeline. The Docker repositories can be accessed by navigating to the Artifacts page and filtering for Docker.

⚠️ Warning: All Docker images should have the com.jfrog.artifactory.retention.maxDays="180" label. Artifactory runs an automatic cleaning process and deletes images that have not been downloaded in the last 180 days.
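
A CI check for the label requirement above, as an added example that is not part of the original page or Sikt's tooling. The function name check_retention_label is hypothetical, and the check is deliberately conservative: it counts only a LABEL instruction written in the final build stage of the Dockerfile.

```shell
#!/bin/sh
# check_retention_label DOCKERFILE  (hypothetical helper, added example)
# Exit status 0 only if the final build stage of DOCKERFILE sets
#   com.jfrog.artifactory.retention.maxDays="180"
# Labels set in an earlier stage of a multi-stage build are not counted,
# because the pushed image is built from the last FROM onwards.
check_retention_label() {
    awk '
        # Join backslash-continued lines into one logical instruction.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = "" }

        # Every FROM opens a new stage, so forget labels seen before it.
        toupper(line) ~ /^[ \t]*FROM[ \t]/ { found = 0; next }

        # Accept quoted or unquoted key and value, but only the value 180.
        toupper(line) ~ /^[ \t]*LABEL[ \t]/ {
            if (line ~ /com\.jfrog\.artifactory\.retention\.maxDays"?="?180"?([ \t]|$)/)
                found = 1
        }

        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Usage in a lint job, before the image is built and pushed:
#   check_retention_label Dockerfile || { echo "retention label missing" >&2; exit 1; }
```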

To manually download a Docker image from a private repository in Artifactory, log in with docker first:

docker login -u USERNAME -p PASSWORD artifactory.sikt.no/docker
  • USERNAME - Artifactory username (e.g. name.surname@sikt.no)
  • PASSWORD - Artifactory password or access token. An access token can be generated by clicking the Set Me Up button after logging in to Artifactory.

After a successful login, you can use the docker pull command to download an image from Artifactory. Public repositories don't require login.

docker pull docker-public-local.artifactory.sikt.no:443/<DOCKER_IMAGE>:<DOCKER_TAG>
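
The same manual login without the secret on the command line, as an added example that is not from the original page: `-p` leaves the password or token in shell history and the process list, while `--password-stdin` (the form the pipeline example on this page uses) reads it from standard input. The function name artifactory_login and the ARTIFACTORY_TOKEN variable are assumptions made for this example.

```shell
#!/bin/sh
# artifactory_login USERNAME [REGISTRY]  (hypothetical helper, added example)
# Takes the access token from $ARTIFACTORY_TOKEN (hypothetical variable) or,
# if that is unset, prompts for it with terminal echo switched off.
# The body runs in a subshell so the token variable does not outlive the call.
artifactory_login() (
    user=${1:?usage: artifactory_login USERNAME [REGISTRY]}
    registry=${2:-artifactory.sikt.no/docker}
    token=${ARTIFACTORY_TOKEN:-}

    if [ -z "$token" ]; then
        printf 'Access token for %s: ' "$user" >&2
        stty -echo            # do not echo the token to the terminal
        IFS= read -r token
        stty echo
        printf '\n' >&2
    fi
    [ -n "$token" ] || { echo "no token given" >&2; exit 1; }

    # printf is a shell builtin, so the token is written to the pipe and
    # never becomes an argument of a separate process.
    printf '%s' "$token" | docker login -u "$user" --password-stdin "$registry"
)

# Usage:
#   artifactory_login name.surname@sikt.no
```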

Usage in CI/CD Pipelines

Artifactory Credentials

Artifactory can generate temporary credentials for authentication in pipeline jobs. These credentials have a default lifetime of 1 hour. They are obtained with a CI component and exposed as the $ARTIFACTORY_USERNAME and $ARTIFACTORY_PASSWORD environment variables. The credentials are generated with the same access rights as the defined groups in Artifactory. The groups must be defined before the credentials can be issued. To have the groups created, contact the Platon team in the Slack channel. Please specify:

  • Product area (e.g. NSD, Platon, ...) your team belongs to
  • GitLab group ID which contains the repository accessing Artifactory.

Using Artifactory Credentials in a Pipeline

The artifactory-auth component works with most Unix distributions out of the box. Here is an example of how to use artifactory-auth in a pipeline:

include:
  - component: gitlab.sikt.no/platon/ci-components/artifactory-auth/artifactory-auth@1.3.0
  - component: gitlab.sikt.no/platon/ci-components/docker/docker@1.0.0

variables:
  VAULT_ADDR: "https://vault.sikt.no:8200"

build:
  extends: .docker-build
  stage: build
  id_tokens:
    VAULT_ID_TOKEN:
      aud: $VAULT_ADDR
  rules:
    - if: $CI_PIPELINE_SOURCE != "schedule"
  before_script:
    - !reference [.artifactory-auth, before_script]
    - echo "$ARTIFACTORY_PASSWORD" | docker login -u "$ARTIFACTORY_USERNAME" --password-stdin artifactory.sikt.no/docker
    - echo "Authenticated to Artifactory"

The example above uses .docker-build from the docker CI component as a base. To successfully build and push the image to Artifactory we define the following:

  • include:component - here we include the artifactory-auth component together with the component's version.
  • variables - URL to the Vault instance with the Artifactory plugin installed. In our case https://vault.sikt.no:8200.
  • id_tokens - the job needs to generate a JWT token as VAULT_ID_TOKEN.
  • before_script - here we reference the before_script from artifactory-auth to generate the credentials for us. After that we can use the exported $ARTIFACTORY_USERNAME and $ARTIFACTORY_PASSWORD to log in to Artifactory. The before_script from the extended job is overridden, so keep in mind to define it again if needed. You can also write additional commands (e.g. echo "Authenticated to Artifactory") if needed.
  • script - the script section is not explicitly defined in the example because we are extending the .docker-build job. Hence, the script from .docker-build is used.

Alternative to using the CI component

If using the CI component creates more problems than advantages, you can copy the before_script section from the CI component and paste it into the CI template your job is using. Keep in mind that the script has curl or wget as a dependency.

GitLab CI

⚠️ Warning: The Platon team intends to use dynamically created credentials to authenticate to Artifactory. The gitlab-ci user will gradually lose access to repositories in Artifactory.

GitLab CI has a unique user in Artifactory, gitlab-ci. This user is a member of the full-access-when-authenticated and read-access-when-authenticated groups, and therefore, in practice, has full read/write access to all the repositories listed above.

Projects using the gitlab-ci user define the $ARTIFACTORY_USER and $ARTIFACTORY_PASSWORD variables in the project's CI/CD → Variables section to store the user's credentials. Those variables are then used to log in to Artifactory.

One can use templates at the group level that handle authentication and other setup against Artifactory. Users are encouraged to use these templates instead of struggling to set up everything themselves for each project. See, for example, https://gitlab.sikt.no/raird/ci-templates/-/blob/main/raird-ci-v1.yml for how to use the variables.

Troubleshooting

ERROR: Job failed (system failure): resolving secrets: reading secret: reading from Vault: api error: status code 403: 1 error occurred: * permission denied

Please contact the Platon team. Your group is missing the necessary permissions, or it does not exist.