
Artifactory

Artifactory is a solution that offers a centralized storage place for many types of packages, dependencies, libraries and containers.

How to Login

Artifactory can be accessed at artifactory.sikt.no; sign in with Feide.

Personal Identity Token

💡Info: Personal API Key is deprecated and will be removed in Q4 2024

Every user with access to Artifactory can create an access token. This token can later be used when accessing Artifactory, e.g. with curl.

Steps to create an access token:

  1. Log in to Artifactory
  2. Click on your profile → Set Me Up
  3. Select repository type
  4. Generate token & create instructions

Package/Image Types

Artifactory supports a variety of package types. The full list of supported types can be found here. At Sikt the most popular package types are docker, maven and npm.

Docker

Artifactory contains docker repositories that can be used to store images built by the pipeline. The docker repositories can be accessed by navigating to the Artifacts page and filtering for Docker.

⚠️ Warning: All docker images should have the com.jfrog.artifactory.retention.maxDays="180" label. Artifactory runs an automatic cleaning process and deletes images which were not downloaded in the last 180 days.

To manually download a docker image from a private repository in Artifactory, you need to log in with docker first:

docker login -u USERNAME -p PASSWORD artifactory.sikt.no/docker
  • USERNAME - Artifactory username (e.g. name.surname@sikt.no)
  • PASSWORD - Artifactory password or access token. An access token can be generated by clicking the Set Me Up button after logging in to Artifactory.
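
The same login with the token kept off the command line, using the --password-stdin option that the pipeline example on this page also uses. This is an added example, not part of the original page; the ARTIFACTORY_TOKEN variable and the helper names read_secret and artifactory_docker_login are assumptions.

```shell
#!/bin/sh
# Added example: docker login without -p.
# A password given with -p ends up in shell history and is visible to other
# local users in the process list; --password-stdin avoids both.
REGISTRY="artifactory.sikt.no/docker"   # registry from this page

# read_secret PROMPT: prompt on stderr, read one line with terminal echo off.
read_secret() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        stty -echo
        trap 'stty echo; exit 130' INT TERM   # restore echo if interrupted
        IFS= read -r secret || true
        stty echo
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r secret || true           # piped input, e.g. a secret manager
    fi
    printf '%s' "$secret"
}

# artifactory_docker_login USER   (hypothetical helper)
# Token source: $ARTIFACTORY_TOKEN (assumed variable name) or a hidden prompt.
artifactory_docker_login() {
    user=$1
    token=${ARTIFACTORY_TOKEN:-}
    [ -n "$token" ] || token=$(read_secret "Artifactory access token: ") || return 1
    if [ -z "$token" ]; then
        echo "no token given, not logging in" >&2
        return 1
    fi
    # printf is a shell builtin, so the token never appears in any argv.
    printf '%s' "$token" | docker login -u "$user" --password-stdin "$REGISTRY"
}
```

Source the file and run artifactory_docker_login name.surname@sikt.no; the token is read from the prompt unless ARTIFACTORY_TOKEN is already set.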

After a successful login, you can use the docker pull command to download an image from Artifactory. Public repositories don't require login.

docker pull docker-public-local.artifactory.sikt.no:443/<DOCKER_IMAGE>:<DOCKER_TAG>

npm

Artifactory can be used to store npm packages built by the pipeline or cached packages from other repositories like registry.npmjs.org.

To manually download an npm package from Artifactory, you need to log in with npm first:

  1. Log in to Artifactory through the web UI

  2. Execute the following command in your terminal

    npm login --registry=https://artifactory.sikt.no/artifactory/api/npm/<npm-repository-name>/ --auth-type=web
    • <npm-repository-name> - name of the repository in Artifactory, e.g. npm-private-local

  3. Hit enter and confirm the login on the web page

Then you can install the package with:

npm install <package-name> --registry https://artifactory.sikt.no/artifactory/api/npm/<npm-repository-name>/
  • <package-name> - name of the package, e.g. @raird/stat-types
  • <npm-repository-name> - name of the repository in Artifactory, e.g. npm-private-local

💡 Info: Sometimes the package you want to install depends on other packages. npm will then give you an error message such as: npm error 404 'joi@13.0.1' is not in this registry. You have to install all dependencies first before installing the package, in this example with: npm install joi@13.0.1

If you don't want to specify the registry each time you install a package, you can point to the repository in your npm config:

npm config set registry https://artifactory.sikt.no/artifactory/api/npm/npm-private-local/
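
An alternative to changing the default registry, shown as an added example that is not part of the original page: map only one package scope to the Artifactory repository in the project's .npmrc, so that unscoped dependencies such as joi keep resolving from the default registry. It assumes the private packages are published under the @raird scope; the helper name set_scope_registry is hypothetical.

```shell
#!/bin/sh
# Added example: pin one npm scope to an Artifactory repository in the
# project's .npmrc instead of replacing the default registry.
ARTIFACTORY_NPM="https://artifactory.sikt.no/artifactory/api/npm"  # from this page

# set_scope_registry SCOPE REPO [NPMRC]   (hypothetical helper)
# Writes "SCOPE:registry=<url>" to NPMRC, replacing an older mapping for the
# same scope and leaving every other line untouched.
set_scope_registry() {
    scope=$1
    repo=$2
    npmrc=${3:-.npmrc}
    case $scope in
        @?*) ;;
        *) echo "scope must look like @name" >&2; return 2 ;;
    esac
    line="${scope}:registry=${ARTIFACTORY_NPM}/${repo}/"
    tmp=$(mktemp) || return 1
    if [ -f "$npmrc" ]; then
        # Drop only lines that start with this scope's mapping.
        awk -v p="${scope}:registry=" 'index($0, p) != 1' "$npmrc" > "$tmp"
    fi
    printf '%s\n' "$line" >> "$tmp"
    # Write through the existing file so its permissions are preserved.
    cat "$tmp" > "$npmrc" && rm -f "$tmp"
}
```

Running set_scope_registry @raird npm-private-local in the project root is idempotent; authentication still uses the npm login step described above against the same registry URL.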

Usage in CI/CD Pipelines

Artifactory Credentials

Artifactory has a feature that generates temporary credentials which can be used in pipeline jobs for authentication. These credentials have a default lifetime of 1 hour. They are obtained with a CI component and exposed as the $ARTIFACTORY_USERNAME and $ARTIFACTORY_PASSWORD environment variables. The credentials are generated with the same access rights as the defined groups in Artifactory. The groups must be defined before the credentials can be issued. To have the groups created, contact the Platon team in the Slack channel. Please specify:

  • Product area (e.g. NSD, Platon, ...) your team belongs to
  • GitLab group ID which contains the repository accessing Artifactory.

Using Artifactory Credentials in a Pipeline

The artifactory-auth component works with most Unix distributions out of the box. The prerequisite is to have wget or curl installed. Here is an example of how to use artifactory-auth in a pipeline:

include:
  - component: gitlab.sikt.no/platon/ci-components/artifactory-auth/artifactory-auth@1.3.2
  - component: gitlab.sikt.no/platon/ci-components/docker/docker@1.0.0

build:
  extends: .docker-build
  stage: build
  id_tokens:
    VAULT_ID_TOKEN:
      aud: "https://vault.sikt.no:8200"
  rules:
    - if: $CI_PIPELINE_SOURCE != "schedule"
  before_script:
    - !reference [.artifactory-auth, before_script]
    - echo "$ARTIFACTORY_PASSWORD" | docker login -u "$ARTIFACTORY_USERNAME" --password-stdin artifactory.sikt.no/docker
    - echo "Authenticated to Artifactory"

The example above uses .docker-build from the docker CI component as a base. To successfully build and push the image to Artifactory we define the following:

  • include:component - here we include the artifactory-auth component together with the component's version.
  • id_tokens - the job needs to generate a JWT token with VAULT_ID_TOKEN.
  • before_script - here we reference the before_script from artifactory-auth to generate the credentials for us. After that we can use the exported $ARTIFACTORY_USERNAME and $ARTIFACTORY_PASSWORD to log in to Artifactory. The before_script from the extended job is overwritten, so keep in mind to define it again if needed. You can also write additional commands (e.g. echo "Authenticated to Artifactory") if needed.
  • script - the script section is not explicitly defined in the example because we are extending the .docker-build job. Hence, the script from .docker-build is used.

Alternative to using CI-component

If using the CI component creates more problems than advantages, you can copy the before_script section from the CI component and paste it into the CI template your job is using. Keep in mind that the script has curl or wget as a dependency.

GitLab CI

⚠️ Warning: It is the intention of the Platon team to use dynamically created credentials to authenticate to Artifactory. Generic CI users with read/write access to Artifactory will gradually lose access to repositories as it creates security risks.

Artifactory has generic service users, such as gitlab-ci or readwrite. Those users have read/write access to most repositories in Artifactory.

Projects using a generic user define the $ARTIFACTORY_USER and $ARTIFACTORY_PASSWORD variables in the CI/CD → Variables project section to store the user's credentials. Those variables are then used to log in to Artifactory.

One can use templates at the group level that handle authentication and other setup against Artifactory. Users are encouraged to use these templates instead of struggling to set up everything themselves for each project. See, for example, https://gitlab.sikt.no/raird/ci-templates/-/blob/main/raird-ci-v1.yml for how to use the variables.

Troubleshooting

ERROR: Job failed (system failure): resolving secrets: reading secret: reading from Vault: api error: status code 403: 1 error occurred: * permission denied

Please contact the Platon team. Your group is missing the necessary permissions, or it does not exist.