All about installing and using an in-house registry of installers, libraries with SBOM, and container images for Kubernetes
Overview
This article is a technical deep-dive into the Artifactory server/service from JFrog.
NOTE: Content here is my personal opinion, and not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet: hard-won, little-known but significant facts based on my personal research and experience.
Why this?
Many call the Artifactory product “JFrog” even though the JFrog company also offers its XRay CI/CD product, Pipeline, and Project. That’s because Artifactory was the JFrog company’s first and still most popular offering.
JFrog was formed in Israel as “the Liquid Software Company”.
Artifactory
“Artifactory” is a contraction of “artifact” and “factory”.
Artifactory provides an in-house registry of binary files: installers, libraries, and container images for Kubernetes.
https://jfrog.com/solution-sheet/jfrog-artifactory/ calls Artifactory “Universal Artifact Management” – for its ability to store and publish over 30 types of binary assets.
Competitors include:
* GitHub LFS
* Google Artifact Registry API
* AWS CodeArtifact announced in 2020 [comparison]
* Azure
PROTIP: Although Artifactory can also store binary graphics and video files, it’s best that media files be processed by specialized services such as:
* Cloudinary
Receive and Hold
Artifactory’s main job is to receive and hold binaries (executables) created by compilers for languages such as Java, C#/.NET, etc.
Files are typically added into Artifactory by an automated CI/CD utility such as Jenkins, GitHub Actions, or JFrog’s own Pipeline product.
Developers can access artifacts within Artifactory faster than from a remote public registry such as DockerHub, Quay.io, Maven/Gradle (Java), npm/Yarn (NodeJs), pip/twine PyPI (Python), NuGet (.NET), RubyGems, Helm (Kubernetes), etc.
But more importantly, Artifactory insulates a company from disruptions in accessing public registries – from network troubles to files being deleted from the public registry.
Artifacts of interest within external registries are regularly copied into the company’s versioned Artifactory instance. A naming convention is: team-tech-maturity-locator.
Thus, some user companies install utilities to divert requests to public registries into the company’s own Artifactory instance to provide a “seamless” (albeit forced) developer experience.
Artifactory enforces more robust RBAC access controls with its own configurable policies & authentication integrations – to control who accesses each file and how they interact with them.
Artifactory reads the contents of each file. It identifies secrets stored in them.
Internally, Artifactory stores files in an ingenious way similar to how GitHub stores data. Artifactory uses the SHA algorithm to generate a checksum (hash) of each file’s contents. That SHA is used both as the address of the file and as a mechanism for verifying immutability and traceability. Checksums also make for more robust searchability and enable deduplication.
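To make the checksum-based storage concrete, here is an added example (my own illustration, not Artifactory’s code) of a small content-addressed store: the SHA-256 of the bytes is the file’s address, identical uploads collapse to one copy, and every read re-hashes the blob so a file altered on disk is rejected rather than served. The two-level directory layout and the choice of SHA-256 are assumptions, not Artifactory’s exact filestore format.

```python
import hashlib
import os
import tempfile

# Added example, not Artifactory's own code: a minimal checksum-addressed blob
# store in the spirit of Artifactory's filestore, where a binary's address is
# the SHA hash of its contents. The two-level path layout is an assumption.
class ChecksumStore:
    def __init__(self, root):
        self.root = root
        os.makedirs(root, exist_ok=True)
    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()
    def _path(self, sha):  # <root>/<first two hex chars>/<full digest>
        return os.path.join(self.root, sha[:2], sha)
    def put(self, data):
        """Store bytes, return (sha256, stored_new); same content is written once."""
        sha = self.digest(data)
        path = self._path(sha)
        if os.path.exists(path):          # already present: deduplicated
            return sha, False
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path + ".tmp", "wb") as f:
            f.write(data)
        os.replace(path + ".tmp", path)   # atomic publish, never a half-written blob
        return sha, True
    def get(self, sha):
        """Re-verify bytes against their address; reject a blob altered on disk."""
        with open(self._path(sha), "rb") as f:
            data = f.read()
        if self.digest(data) != sha:
            raise ValueError(f"checksum mismatch for {sha}")
        return data

def demo():
    """Dedup of identical bytes, distinct addresses, and tamper detection."""
    store = ChecksumStore(tempfile.mkdtemp())
    sha_a, new_a = store.put(b"artifact-v1")
    _, again = store.put(b"artifact-v1")       # same bytes -> not stored twice
    sha_b, _ = store.put(b"artifact-v2")
    with open(store._path(sha_a), "wb") as f:  # simulate bit rot / tampering
        f.write(b"artifact-v1-tampered")
    try:
        store.get(sha_a)
        tampered = False
    except ValueError:
        tampered = True
    return {"first_write": new_a, "dedup": not again, "distinct": sha_a != sha_b,
            "tamper_detected": tampered, "roundtrip": store.get(sha_b) == b"artifact-v2"}
```

demo() returns the outcome of each check as a dict, so the same routine can back a unit test.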
References:
- VIDEO: Artifact Management With JFrog Artifactory [1]
- VIDEO: Intellipaat’s tutorial
- Intro to package management
- Advanced Security
Pricing
Artifactory is available both as a service (SaaS) and as an on-prem install.
https://jfrog.com/start-free/
- $1,176/year for individuals.
- $8,388/year for SaaS Enterprise
- $3,200/year for 1-server Pro plan
- $19,900/year for 1-server Pro X plan
- $41,500/year for 3-server Enterprise X plan (for resilience)
Install on-prem. with Terraform
The Terraform provider for JFrog Artifactory first became available in May 2023 (VIDEO).
It started with the JFrog dev team adopting Terraform (VIDEO).
https://registry.terraform.io/providers/jfrog/artifactory/latest
I created automation that creates an Artifactory instance on AWS, Azure, and Google. The installation includes production-grade features such as sample least-privilege RBAC, logs to a SIEM, etc. Scans are performed on the Terraform and other code to ensure that vulnerabilities are identified (and fixed) before resources are even created.
Security Planning
To avoid re-dos and embarrassment, conduct planning, installation, configuration, and operation so as to meet regulatory and other requirements and processes:
- SOC2 requested by customers and thus salespeople
- Risk Management Framework
- GDPR for privacy and retention
- CAIQ for cloud service providers
- FedRAMP for supplying to governments
- SOX (Sarbanes-Oxley) corporate governance
- etc.
TODO: Classification of the app’s security level. Threat modeling.
Incident Readiness and Response
TODO: “App Down” page.
TODO: App Up/Down tracking of Availability & Latency trends (by region).
TODO: FinOps: Budgets. Approval and review of monthly bills. Budget alerts.
TODO: Instructions on how to configure backups.
TODO: Define RTO, RDO, and other expectations and actuals in a dashboard.
TODO: Instructions on how to respond to an outage, including restore from backup. Track mean time to restore service, the amount of backed-up data actually recovered, etc. The metrics can be segregated by project team.
TODO: Define security events and processes with SOC.
TODO: Set up and verify logs shipped to SIEM (Splunk, Datadog, etc.) for trending analytics display.
TODO: Set up and verify alerts (based on trend analytics). Verify with SOC.
TODO: Plan outages for upgrades, etc. after confidence is achieved with restores.
Add Files
TODO: Instructions to developers on how to configure their CI/CD pipeline code to save binaries to Artifactory instead of DockerHub, etc.
Get Container Images
TODO: Instructions to developers on how to configure Kubernetes (Helm files) to retrieve container images from Artifactory.
Obtain SBOM
JFrog XRay generates an SBOM (Software Bill of Materials) for Software Composition Analysis (SCA).
https://aws.amazon.com/solutions/partners/jfrog-artifactory-amazon-ec2/
JFrog XRay generates an SBOM (Software Bill of Materials) from the dependencies referenced by imports (and requirements.txt) in Python program code, and uses it to identify vulnerabilities. JFrog references the public CVE database maintained by the US government as well as its own research.
License policy enforcement
Artifactory also analyzes LICENSE files within packages to identify license compliance violations. Some companies don’t want to use libraries licensed under Apache v2.
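Here is an added example (my own illustration, not XRay’s code) that ties the SBOM and license points above together: it builds a minimal CycloneDX-style SBOM from a pinned requirements.txt, then evaluates each component against a vulnerability feed and a license deny-list, failing closed on unknown licenses. The feed, the license metadata and the CVE-style ids are constructed placeholders, and the CycloneDX/purl shape is simplified.

```python
import re
# Added example, not JFrog Xray's own code: build a minimal CycloneDX-style
# SBOM from a pinned requirements.txt, then evaluate it against a vulnerability
# feed and a license policy. Feed, license data and ids are constructed samples.
REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.25.0
pyyaml==5.3.1
cryptography==41.0.0
"""
# Constructed feed: (package, first fixed version, placeholder advisory id)
VULN_FEED = [("requests", "2.31.0", "CVE-0000-0001"),
             ("pyyaml", "5.4", "CVE-0000-0002")]
# Constructed license metadata, as a scanner would read from package metadata
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "cryptography": "BSD-3-Clause"}
DENIED_LICENSES = {"Apache-2.0"}  # policy from the text: some companies deny Apache v2
_PIN = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9]+(?:\.[0-9]+)*)$")

def parse_requirements(text):
    """Turn pinned 'name==x.y.z' lines into SBOM components with a purl."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _PIN.match(line)
        if not m:   # ranges/unpinned deps are not reproducible: refuse them
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        name = m.group(1).lower().replace("_", "-")
        comps.append({"type": "library", "name": name, "version": m.group(2),
                      "purl": f"pkg:pypi/{name}@{m.group(2)}"})
    return comps
def build_sbom(text):
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": parse_requirements(text)}

def version_key(v):  # numeric dotted versions only (the regex guarantees that)
    return tuple(int(p) for p in v.split("."))

def evaluate(sbom):
    """Return (purl, kind, detail) findings for vulnerable or denied components."""
    findings = []
    for c in sbom["components"]:
        for pkg, fixed_in, vid in VULN_FEED:
            if c["name"] == pkg and version_key(c["version"]) < version_key(fixed_in):
                findings.append((c["purl"], "vulnerability", f"{vid} fixed in {fixed_in}"))
        lic = LICENSES.get(c["name"], "UNKNOWN")
        if lic in DENIED_LICENSES or lic == "UNKNOWN":   # unknown licenses fail closed
            findings.append((c["purl"], "license", lic))
    return findings
```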