Artifactory
Artifactory is a solution that offers a centralized storage place for many types of packages, dependencies, libraries and containers.
How to Login
Artifactory can be accessed at artifactory.sikt.no; sign in with Feide.
Personal Identity Token
NOTE: Personal API Key is deprecated and will be removed in Q4 2024
Every user with access to Artifactory can create an access token. This token can later be used when accessing Artifactory with, e.g., curl.
Steps to create an access token:
- Log in to Artifactory
- Click on your profile → Set Me Up
- Select repository type
- Generate token & create instructions
Package/Image Types
Artifactory supports a variety of package types. The full list of supported types can be found here.
In Sikt the most popular package types are: docker, maven and npm.
Docker
Artifactory contains docker repositories that can be used to store images built by the pipeline. The docker repositories can be accessed by navigating to the Artifacts page and filtering for Docker.
⚠️ Warning: All docker images should have the com.jfrog.artifactory.retention.maxDays="180" label. Artifactory runs an automatic cleaning process and deletes images which were not downloaded in the last 180 days.
To manually download a docker image from a private repository in Artifactory, one needs to log in with docker first:
docker login -u USERNAME -p PASSWORD artifactory.sikt.no/docker
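- USERNAME - Artifactory username (e.g. name.surname@sikt.no)
- PASSWORD - Artifactory password or access token. An access token can be generated by clicking on the Set Me Up button after logging in to Artifactory.
Passing the secret with -p leaves it in the shell history and the process list; piping it to docker login with --password-stdin, as the pipeline example further down does, avoids that.
After a successful login, you can use the docker pull command to download an image from Artifactory. Public repositories don't require login.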
docker pull docker-public-local.artifactory.sikt.no:443/<DOCKER_IMAGE>:<DOCKER_TAG>
Usage in CI/CD Pipelines
Artifactory Credentials
Artifactory has a feature which generates temporary credentials that can be used in pipeline jobs for authentication. Those credentials have a default lifetime of 1 hour. The credentials are obtained with a ci component and exposed as the $ARTIFACTORY_USERNAME and $ARTIFACTORY_PASSWORD environment variables. The credentials are generated with the same access rights as the defined groups in Artifactory. The groups must be defined before the credentials can be issued. To have the groups created, contact the Platon team in the Slack channel. Please specify:
- Product area (e.g. NSD, Platon, ...) your team belongs to
- GitLab group ID which contains the repository accessing Artifactory.
Using Artifactory Credentials in a Pipeline
The artifactory-auth component works with most unix distributions out of the box.
Here is an example of how to use artifactory-auth in a pipeline:
include:
  - component: gitlab.sikt.no/platon/ci-components/artifactory-auth/artifactory-auth@1.3.0
  - component: gitlab.sikt.no/platon/ci-components/docker/docker@1.0.0

variables:
  VAULT_ADDR: "https://vault.sikt.no:8200"

build:
  extends: .docker-build
  stage: build
  id_tokens:
    VAULT_ID_TOKEN:
      aud: $VAULT_ADDR
  rules:
    - if: $CI_PIPELINE_SOURCE != "schedule"
  before_script:
    - !reference [.artifactory-auth, before_script]
    - echo "$ARTIFACTORY_PASSWORD" | docker login -u "$ARTIFACTORY_USERNAME" --password-stdin artifactory.sikt.no/docker
    - echo "Authenticated to Artifactory"
The example above uses .docker-build from the docker ci component as a base. To successfully build and push the image to Artifactory we define the following:
- include:component - here we include the artifactory-auth component together with the component's version.
- variables: URL to the Vault instance with the Artifactory plugin installed. In our case https://vault.sikt.no:8200.
- id_tokens: the job needs to generate a JWT token with VAULT_ID_TOKEN.
- before_script: here we reference the before_script from artifactory-auth to generate the credentials for us. After that we can use the exported $ARTIFACTORY_USERNAME and $ARTIFACTORY_PASSWORD to log in to Artifactory. The before_script from the extended job is overwritten, so keep in mind to define it again if needed. You can also write additional commands (e.g. echo "Authenticated to Artifactory") if needed.
- script - the script section is not explicitly defined in the example because we are extending the .docker-build job. Hence, the script from .docker-build is used.
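Added example (not part of the artifactory-auth component or of the original page): a shell check that can run in a job to confirm that the ID token carries the aud configured above and has not expired, and to print the claims that identify the job's GitLab group. The sample token and its claim values are constructed; namespace_id and project_path are standard GitLab ID-token claims, and the payload is decoded without verifying the signature.

```shell
#!/bin/sh
# Added example: inspect the claims of a GitLab ID token such as VAULT_ID_TOKEN.
# It decodes the payload only and does NOT verify the signature (Vault does that).
# The token itself is never printed, only selected claims.

# Decode one base64url segment (JWTs drop the '=' padding).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print a top-level string or number claim from the token payload.
# Simplification: nested objects and array-valued claims are not handled.
jwt_claim() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" | tr -d '\n' |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# check_id_token TOKEN EXPECTED_AUD NOW_EPOCH
# Returns 0 if aud matches and the token is unexpired, 1 on aud mismatch, 2 on expiry.
check_id_token() {
  aud=$(jwt_claim "$1" aud)
  exp=$(jwt_claim "$1" exp)
  if [ "$aud" != "$2" ]; then
    echo "aud mismatch: token has '$aud', expected '$2'"; return 1
  fi
  if [ -z "$exp" ] || [ "$exp" -le "$3" ]; then
    echo "token expired or exp claim missing"; return 2
  fi
  echo "ok: aud=$aud namespace_id=$(jwt_claim "$1" namespace_id) project_path=$(jwt_claim "$1" project_path)"
}

# Constructed sample token (made-up claims, dummy signature) so this runs offline.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_CLAIMS='{"aud":"https://vault.sikt.no:8200","namespace_id":"4242","project_path":"example-group/example-app","exp":2000000000}'
SAMPLE_TOKEN="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url "$SAMPLE_CLAIMS").constructed-signature"

# In a job you would pass "$VAULT_ID_TOKEN" "$VAULT_ADDR" "$(date +%s)" instead.
check_id_token "$SAMPLE_TOKEN" "https://vault.sikt.no:8200" 1900000000
```

The printed namespace_id is the value to compare with the GitLab group ID given to the Platon team when the Artifactory groups were requested.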
Alternative to using CI-component
If using the CI-component creates more problems than advantages, you can copy the before_script section from the ci component and paste it into the ci template your job is using. Keep in mind that the script has curl or wget as a dependency.
GitLab CI
⚠️ Warning: It is the intention of the Platon team to use dynamically created credentials to authenticate to Artifactory. The gitlab-ci user will gradually lose access to repositories in Artifactory.
GitLab CI has a unique user in Artifactory, gitlab-ci. This user is a member of the full-access-when-authenticated and read-access-when-authenticated groups, and therefore, in practice, has full read/write access to all the repositories listed above.
The projects using the gitlab-ci user define the $ARTIFACTORY_USER and $ARTIFACTORY_PASSWORD variables in the CI/CD → Variables project section to store the user's credentials. Those variables are then used to log in to Artifactory.
One can use templates at the group level that handle authentication and other setup against Artifactory. Users are encouraged to use these templates instead of struggling to set up everything themselves for each project. See, for example, https://gitlab.sikt.no/raird/ci-templates/-/blob/main/raird-ci-v1.yml for how to use the variables.
Troubleshooting
ERROR: Job failed (system failure): resolving secrets: reading secret: reading from Vault: api error: status code 403: 1 error occurred: * permission denied
Please contact Platon team. Your group is missing necessary permissions, or it does not exist.