From 299d99b84dd2f746c26a3b43bea17e358b7e19bf Mon Sep 17 00:00:00 2001 From: caggles Date: Mon, 18 Sep 2023 15:05:19 -0700 Subject: [PATCH 1/5] artifactory service account update --- .../setup-artifactory-service-account.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/docs/build-deploy-and-maintain-apps/setup-artifactory-service-account.md b/src/docs/build-deploy-and-maintain-apps/setup-artifactory-service-account.md index f54f4807..f91feb0c 100644 --- a/src/docs/build-deploy-and-maintain-apps/setup-artifactory-service-account.md +++ b/src/docs/build-deploy-and-maintain-apps/setup-artifactory-service-account.md 
@@ -43,12 +43,14 @@ When referring to service accounts, keep in mind the following differences: * `ArtifactoryServiceAccount` refers to an OpenShift object with type `ArtifactoryServiceAccount`. This is a custom resource that the Platform Services team created in OpenShift. * Artifactory "service account" refers to the actual account that exists inside the Artifactory software, which you can then use to interact with Artifactory's features. While closely related to each other, they're not the same. -If you have a project set somewhere in the OpenShift 4 clusters, you already have a service account. +If you have a project set somewhere in the Silver or Emerald clusters, you already have a service account. An `ArtifactoryServiceAccount` object is created in the appropriate `tools` namespace, which the Artifactory Operator then actions. One such `ArtifactoryServiceAccount` object is created automatically as part of namespace provisioning and has the name `default`. There's a random license plate assigned to the end of each object name, in order to ensure uniqueness. Collect this information by running `oc describe artsvcacct default`. This also provides some information about reconciliation status, as well as other details about the account. If you need support with the Artifactory service account object, include the spec and status information in your ticket. +If you are working in Gold/Gold-DR, please follow the instructions below in order to set up a new Artifactory Service Account. The `default` account is not generated automatically in Gold. + **Note**: `ArtifactoryServiceAccount` objects have two available short-names to make them easier to use in the CLI: `ArtSvcAcct` and `ArtSA`. You can get the username and password out of the secret using the following command: 
@@ -61,9 +63,12 @@ Users with edit and administrator access on the `tools` namespace can also creat If either of the secrets is deleted manually, the operator can act to change the password of the service account. Then it recreates one or both secrets with the new password. This is an easy method for teams to change their service account passwords. -## Create multiple service accounts +## Create a new service account + You're able to make as many Artifactory service accounts as you need, in as many namespaces as required. Be aware that Archeobot needs to be able to keep up with the amount you're making. +If you are working in Gold, you will need to create your own service account by following this process at least once. + Run the following command to create a new service account: `oc process -f https://raw.githubusercontent.com/bcgov/platform-services-archeobot/master/archeobot/config/samples/tmpl-artifactoryserviceaccount.yaml -p NAME="[ASAname]" -p DESCRIPTOR="[Description of Service Account]" | oc create -f -` 
@@ -72,6 +77,8 @@ The `ASAname` is the name of the ArtifactoryServiceAccount object. It's not the For example, if you make an account specifically for use in your Jenkins pipeline, you might want to use the name `jenkins` for the Artifactory Service Account object. This results in a secret called `artifacts-jenkins-[random]` and an account name called `jenkins-[namespace]-[random]`. Don't worry about name collisions with other teams, your account name has your namespace plate in it (the six alphanumeric characters that go before the `-tools`, `-dev`, `-test` or `-prod` in the namespace name), so even if there's another team who called their ArtifactoryServiceAccount `jenkins`, they have a different name. +**Note**: For those working in Gold, please note that you will need to create this `ArtifactoryServiceAccount` object in the Gold cluster. Then, you will need to manually copy the generated secrets into your matching namespace in Gold-DR. This is to prevent edit conflicts between Gold and Gold-DR. + ## Delete a service account You can delete a service account by deleting the ArtifactoryServiceAccount object through the OpenShift CLI. Use the following command: `oc delete ArtifactoryServiceAccount [ASAname]` or `oc delete artsvcacct [ASAname]`. From 0556f38058f956316c7a563360e4835c55e41c87 Mon Sep 17 00:00:00 2001 From: caggles Date: Mon, 18 Sep 2023 15:07:04 -0700 Subject: [PATCH 2/5] how to pull update --- .../push-pull-artifacts-artifactory.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/docs/build-deploy-and-maintain-apps/push-pull-artifacts-artifactory.md b/src/docs/build-deploy-and-maintain-apps/push-pull-artifacts-artifactory.md index d1bb4c68..3ed27780 100644 --- a/src/docs/build-deploy-and-maintain-apps/push-pull-artifacts-artifactory.md +++ b/src/docs/build-deploy-and-maintain-apps/push-pull-artifacts-artifactory.md 
@@ -34,21 +34,19 @@ To test your account and start to pull locally, do the following: 1. On the command line, log in to the registry. Type the following: ```bash -docker login -u -p artifacts.developer.gov.bc.ca/ +docker login -u -p artifacts.developer.gov.bc.ca ``` -For example, the DockerHub caching repository looks like this: +2. Pull from the registry on your local machine. Do this for local development and to test your account credentials. Type the following: ```bash -docker login -u -p artifacts.developer.gov.bc.ca/docker-remote +docker pull artifacts.developer.gov.bc.ca//: ``` - -2. Pull from the registry on your local machine. Do this for local development and to test your account credentials. Type the following: +**Note**: The `REPO_NAME` is unique to each docker repository and must be a part of the URL to pull or push from docker registries hosted in Artifactory. For example, if you were to pull an image from the DockerHub registry through Artifactory, the command would look like this: ```bash -docker pull artifacts.developer.gov.bc.ca//: +docker pull artifacts.developer.gov.bc.ca/docker-remote/: ``` -**Note**: The `REPO_NAME` is unique to each docker repository and must be a part of the URL to pull or push from docker registries hosted in Artifactory. ### Pull from Artifactory in OpenShift From 75f1da3597ad0069b2aef1ad4488a50de34fbeb2 Mon Sep 17 00:00:00 2001 From: caggles Date: Mon, 18 Sep 2023 15:31:46 -0700 Subject: [PATCH 3/5] clarifying first-time project access --- .../setup-artifactory-project-repository.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md b/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md index a96748ce..64ff4e9d 100644 --- a/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md +++ b/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md 
@@ -79,7 +79,9 @@ Once you have your Artifactory project you can add repositories and users, adjus **Note**: To use an existing Artifactory service account with your new Artifactory project, you must add that service account to the project. If you created the `ArtifactoryProject` object in the same OpenShift namespace as an existing `ArtifactoryServiceAccount` object, the related service account isn't automatically given access to the project. -To use these features, enter the project in the Artifactory UI. Log in and expand **All**. Choose your new project to go to that project space. If you don't see your new project, it may be because of one of the following: +To use these features, go to `artifacts.developer.gov.bc.ca` and login using your IDIR or GitHub account. Select your project name from the dropdown found at the top of the page. + +If you don't see your new project, it may be because of one of the following: * You may not be an administrator in the applicable OpenShift namespace. Ask one of the administrators to add you to the project. * You may not have logged in to Artifactory before creating the project. Contact the Platform Services team to fix the issue. You can reach out in the `#devops-artifactory` or `#devops-how-to` channels in Rocket.Chat. From b9c36ebc0ee5ac63adeb6f40ba03e616fad397aa Mon Sep 17 00:00:00 2001 From: caggles Date: Mon, 18 Sep 2023 16:05:50 -0700 Subject: [PATCH 4/5] clarifying adding a service account to a project --- .../setup-artifactory-project-repository.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md b/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md index 64ff4e9d..4c504487 100644 --- a/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md +++ b/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md 
@@ -94,9 +94,9 @@ Once you've gotten your project, make sure to add your own service account to th To add a new user account to your project, do the following: 1. Click the gear at the top of the menu on the left, then choose **Identity and Access Members**. Click **Add Member**. 2. On the **Users** tab, search for a username. -3. Add a user with their IDIR or GitHub ID. The user has to have already signed into Artifactory's GUI at least once. If the user hasn't done so yet, tell them to. +3. Add a user with their IDIR or GitHub ID, or a service account with the name found in the generated secret (see our [Service Account documentation](/setup-artifactory-service-account/) for details). The user has to have already signed into Artifactory's GUI at least once. If the user hasn't done so yet, tell them to. -You can also add any Artifactory service account and select multiple users to add them all at once. Then, specify the role you want to grant them. +You can also select multiple users to add them all at once. Then, specify the role you want to grant them. * **Contributor**: Service accounts are commonly given this role. * **Developer**: Assign this role if you want a service account to manage artifacts. * **Administrator**: Assign this role if you want a service account to manage access to the project. From a9e6589a2386ef68272c436fa44e5151e7c5e1cb Mon Sep 17 00:00:00 2001 From: caggles Date: Mon, 18 Sep 2023 16:06:33 -0700 Subject: [PATCH 5/5] clarifying adding a service account to a project --- .../setup-artifactory-project-repository.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md b/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md index 4c504487..852fba81 100644 --- a/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md 
+++ b/src/docs/build-deploy-and-maintain-apps/setup-artifactory-project-repository.md @@ -98,8 +98,8 @@ To add a new user account to your project, do the following: You can also select multiple users to add them all at once. Then, specify the role you want to grant them. * **Contributor**: Service accounts are commonly given this role. -* **Developer**: Assign this role if you want a service account to manage artifacts. -* **Administrator**: Assign this role if you want a service account to manage access to the project. +* **Developer**: Assign this role if you want a user or service account to manage artifacts. +* **Administrator**: Assign this role if you want a user to manage access to the project. This role is not recommended for service accounts. You can also add additional roles to the project, if you want more finely-tuned control over who gets access to what.
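Review bot: In PATCH 1, hunk `@@ -43,12 +43,14 @@`, the new Gold/Gold-DR paragraph says "follow the instructions below" without naming the section, and the preceding paragraph still tells every reader to run `oc describe artsvcacct default`, which will fail in Gold where the `default` object is not generated. Suggest linking the sentence to the "Create a new service account" heading and qualifying the `oc describe artsvcacct default` instruction with "in Silver or Emerald". The cluster naming also varies between "Gold/Gold-DR" here and "Gold" elsewhere in the same patch; pick one form.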
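Review bot: In PATCH 1, hunk `@@ -61,9 +63,12 @@`, renaming the heading from "Create multiple service accounts" to "Create a new service account" changes its generated anchor, so any existing links to the old heading (including the "instructions below" reference added in the first hunk, if it becomes a link) need to be checked. The added sentence "If you are working in Gold, you will need to create your own service account by following this process at least once." repeats the Gold guidance already added in the first hunk; consider keeping it in one place.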
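Review bot: In PATCH 1, hunk `@@ -72,6 +77,8 @@`, the new note tells Gold users to "manually copy the generated secrets" into Gold-DR but does not say which secrets (the `artifacts-[ASAname]-[random]` secret named just above) or what happens on rotation. The earlier section explains that deleting a secret makes the operator change the service account password and recreate the secret; a hand-copied secret in Gold-DR will not be updated by that process and will hold the old, now-invalid credentials. Suggest adding a sentence that the Gold-DR copy must be re-copied after any password change, and naming the secret to copy.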
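Review bot: In PATCH 2, hunk `@@ -34,21 +34,19 @@`, the login example still passes the password inline with `-p`, which leaves the Artifactory service account password in shell history. Since this hunk is already reworking the login snippet, suggest switching it to `docker login -u <user> --password-stdin artifacts.developer.gov.bc.ca` with the password piped from a file or secret. Moving the `docker-remote` example after the generic `docker pull` so that the `REPO_NAME` note introduces it reads well; the trailing-slash removal on the login host is also correct.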
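Review bot: In PATCH 3, hunk `@@ -79,7 +79,9 @@`, the new sentence "go to `artifacts.developer.gov.bc.ca` and login using your IDIR or GitHub account" should read "log in" (verb), and the host would be more useful as a clickable `https://` link than as inline code. Splitting the "If you don't see your new project" troubleshooting into its own paragraph before the bullet list is an improvement.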
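Review bot: In PATCH 4, hunk `@@ -94,9 +94,9 @@`, step 3 now covers both human users and service accounts, but the following sentence "The user has to have already signed into Artifactory's GUI at least once" is left unqualified and reads as if a service account must also sign in to the GUI. Suggest restricting that sentence to IDIR/GitHub users, e.g. "A human user has to have already signed in to Artifactory's GUI at least once." Also confirm that the root-relative link `/setup-artifactory-service-account/` resolves in the site's routing, since the file lives under `src/docs/build-deploy-and-maintain-apps/`.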
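Review bot: In PATCH 5, hunk `@@ -98,8 +98,8 @@`, the new "This role is not recommended for service accounts" on the Administrator bullet is the right least-privilege guidance, but a one-clause reason would make it stick: the service account credentials live in an OpenShift secret that the whole namespace's editors can read, so an Administrator-role service account lets anyone with that secret change who has access to the project. The Contributor bullet still mentions only service accounts while the Developer bullet now says "user or service account"; align the three bullets so each says who it applies to.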