{"id":31769987,"url":"https://github.com/jfrog/jfrog-registry-operator","last_synced_at":"2025-10-10T02:56:11.562Z","repository":{"id":211853975,"uuid":"713751669","full_name":"jfrog/jfrog-registry-operator","owner":"jfrog","description":"Enhancing AWS Security: JFrog's Seamless Integration and the Power of AssumeRole","archived":false,"fork":false,"pushed_at":"2025-07-21T07:28:52.000Z","size":16440,"stargazers_count":23,"open_issues_count":5,"forks_count":9,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-07-21T09:25:37.458Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://jfrog.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jfrog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-11-03T06:58:12.000Z","updated_at":"2025-06-10T10:17:30.000Z","dependencies_parsed_at":"2024-07-17T13:20:32.135Z","dependency_job_id":"a0df917b-69b8-4243-9059-00ea95339f3c","html_url":"https://github.com/jfrog/jfrog-registry-operator","commit_stats":null,"previous_names":["jfrog/jfrog-registry-operator"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/jfrog/jfrog-registry-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-registry-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-registry-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-registry-operator/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-registry-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jfrog","download_url":"https://codeload.github.com/jfrog/jfrog-registry-operator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-registry-operator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279002511,"owners_count":26083403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-10T02:00:06.843Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-10T02:56:08.425Z","updated_at":"2025-10-10T02:56:11.551Z","avatar_url":"https://github.com/jfrog.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n\u003cdiv align=\"center\"\u003e\n\n# JFrog Registry Operator\n\n[![JFrog Registry Operator](config/images/frogbot-intro.png)](#readme)\n\n[![Scanned by JFrog Registry Operator](config/images/frogbot-badge.png)](https://github.com/jfrog/jfrog-registry-operator#readme)\n[![Go Report Card](https://goreportcard.com/badge/github.com/jfrog/jfrog-registry-operator)](https://goreportcard.com/report/github.com/jfrog/jfrog-registry-operator)\n[![Build 
status](https://github.com/jfrog/jfrog-registry-operator/actions/workflows/test.yml/badge.svg?branch=master)](https://github.com/jfrog/jfrog-registry-operator/actions/workflows/test.yml?branch=master)\n[![GitHub issues](https://img.shields.io/github/issues/jfrog/jfrog-registry-operator)](https://github.com/jfrog/jfrog-registry-operator/issues)\n\n\u003c/div\u003e\n\n## Setting up JFrog’s AssumeRole Capabilities in AWS\n\nFollow the [official documentation](https://jfrog.com/help/r/jfrog-installation-setup-documentation/passwordless-access-for-amazon-eks) for detailed instructions and the AWS configuration required to run the JFrog Registry Operator.\n\nThe integration of AWS Assume Role and JFrog Access presents a powerful solution that enables AWS Identity and Access Management (IAM) users to temporarily assume permissions to perform actions in a secure and controlled manner. The solution enhances Kubernetes Secrets Management by automating token rotation, enhancing access controls, and seamlessly integrating JFrog Artifactory into the AWS environment.\n\n### AssumeRole JFrog Architecture \u0026 Deployment\n\nThe following diagram shows the basic architecture of how AssumeRole integrates with JFrog Access to provide enhanced access control:\n\n![image](./config/images/secretrotator.png)\n\nIf you are interested in making the move from vulnerable manual secret handling to secure automated secret management, then your journey towards a more secure and seamless containerized future begins here. 
See how quickly this powerful capability can be deployed by checking out our [step-by-step installation and configuration guide](https://jfrog.com/help/r/jfrog-installation-setup-documentation/passwordless-access-for-amazon-eks).\n\n## Install operator using helm chart - Ignore if you already installed using Setting up JFrog’s AssumeRole Capabilities in AWS\n\n```bash\n# Get the latest [Helm release](https://github.com/helm/helm#install) Note: (only V3 is supported)\n# before installing JFrog helm charts, you need to add the [JFrog helm repository](https://charts.jfrog.io) to your helm client.\nhelm repo add jfrog https://charts.jfrog.io\n\n# update the helm repo\nhelm repo update\n\n# decide on the namespace and kubernetes service account name you will want to create\nexport SERVICE_ACCOUNT_NAME=\"\u003cservice account name\u003e\"\n\n# Support for external service accounts has also been added. Users can now utilize an external service account; for this, follow the multi-user installation details relevant to external service accounts.\n# Setting SERVICE_ACCOUNT_NAME and ANNOTATIONS is optional for multi-user installations, available from release version 2.1.x.\nexport ANNOTATIONS=\"\u003cRole annotation for service account\u003e\" # Example: eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/jfrog-operator-role\nexport NAMESPACE=\"jfrog-operator\"\n\n# install JFrog secret rotator operator\nhelm upgrade --install secretrotator jfrog/jfrog-registry-operator --set \"serviceAccount.name=${SERVICE_ACCOUNT_NAME}\" --set serviceAccount.annotations=${ANNOTATIONS}  --namespace  ${NAMESPACE} --create-namespace\n```\n\n### For multi-user installations, if multiple service accounts need to be created:\n```\n# In a multi-user scenario, please create all service accounts using the role ARN as an annotation via the Helm chart. 
This will also update the ClusterRole to grant the necessary permissions to each specific service account.\n# Create a custom-values.yaml file with service account details and then install the operator.\nexchangedServiceAccounts:\n - name: \"sample-service-account\"\n   namespace: \"\u003cNAMESPACE\u003e\"\n   annotations:\n      eks.amazonaws.com/role-arn: \u003c role arn \u003e\nhelm upgrade --install secretrotator jfrog/jfrog-registry-operator --create-namespace -f custom-values.yaml -n ${NAMESPACE}\n# Important Note: After this, you can use the service account name and namespace in custom resources. You may install multiple custom resources with different service account details.\n# Example:\nserviceAccount:\n  name: \"sample-service-account\"\n  namespace: \"\u003cNAMESPACE\u003e\"\n```\n\nOnce the operator is in a running state, configure `artifactoryUrl`, `refreshTime`, `namespaceSelector`, `serviceAccount`, `generatedSecrets`, `artifactorySubdomains` and `secretMetadata` in [secretrotator.yaml](https://github.com/jfrog/jfrog-registry-operator/blob/master/charts/jfrog-registry-operator/examples/secretrotator.yaml).\n\nSample Manifest:\n\n```\napiVersion: apps.jfrog.com/v1alpha1\nkind: SecretRotator\nmetadata:\n  labels:\n    app.kubernetes.io/name: secretrotators.apps.jfrog.com\n    app.kubernetes.io/instance: secretrotator\n    app.kubernetes.io/created-by: artifactory-secrets-rotator\n  name: secretrotator\nspec:\n  namespaceSelector:\n    matchLabels:\n      kubernetes.io/metadata.name: jfrog-operator\n  generatedSecrets:\n    - secretName: token-imagepull-secret\n      secretType: docker\n    # - secretName: token-generic-secret\n    #   secretType: generic\n  artifactoryUrl: \"artifactory.example.com\"\n  # artifactorySubdomains: []\n  refreshTime: 30m\n  # serviceAccount: # The default name and namespace will be the operator’s service account name and namespace\n  #   name: \"\"\n  #   namespace: \"\"\n  secretMetadata:\n    annotations:\n      annotationKey: 
annotationValue\n    labels:\n      labelName: labelValue\n  security:\n    enabled: false\n    secretNamespace:\n    ## NOTE: You can provide either a ca.pem or a ca.crt, but the key in the secret must have the same name (ca.crt or ca.pem)\n    certificateSecretName:\n    insecureSkipVerify: false\n```\nNote: spec.secretName is currently supported but will be deprecated soon.\n\nApply the secretrotator manifest:\n\n```\nkubectl apply -f /charts/jfrog-registry-operator/examples/secretrotator.yaml -n ${NAMESPACE}\n```\n\n### Uninstalling JFrog Secret Rotator operator\n\n```shell\n# Uninstall the secretrotator using the following command\nhelm uninstall secretrotator -n ${NAMESPACE}\n\n# Uninstall the secretrotator object (path should be pointing to the secretrotator.yaml)\nkubectl delete -f secretrotator.yaml -n ${NAMESPACE}\n\n# Remove the CRD from the cluster\nkubectl delete crd secretrotators.apps.jfrog.com\n```\n\n### Upgrading JFrog Secret Rotator operator\n\n```shell\n# update the helm repo\nhelm repo update\n\n# To upgrade the Custom Resource Definition (CRD), run the following command:\nkubectl apply -f https://raw.githubusercontent.com/jfrog/jfrog-registry-operator/refs/heads/master/config/crd/bases/apps.jfrog.com_secretrotators.yaml\n\n# Upgrade the secretrotator using the following command\nhelm upgrade --install secretrotator jfrog/jfrog-registry-operator --set \"serviceAccount.name=${SERVICE_ACCOUNT_NAME}\" --set serviceAccount.annotations=${ANNOTATIONS}  --namespace  ${NAMESPACE} --create-namespace\n```\n\n### Check Resources in your cluster\n\n```shell\n# For secrets in your namespace\nkubectl get secrets -n ${NAMESPACE}\n\n# For operator pod in your namespace\nkubectl get po -n ${NAMESPACE}\n\n# For SecretRotator\nkubectl get SecretRotator\n```\n\n## 🤖 Monitoring operator\n\nFollow [monitoring setup docs](./config/monitoring/).\n\n## 🔥 Reporting issues\n\nPlease help us improve Frogbot by [reporting 
issues](https://github.com/jfrog/jfrog-registry-operator/issues/new/choose) you encounter.\n\n\u003cdiv id=\"contributions\"\u003e\u003c/div\u003e\n\n## 💻 Contributions\n\nWe welcome pull requests from the community. To help us improve this project, please read our [Contribution](./CONTRIBUTING.md#-guidelines) guide.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Fjfrog-registry-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjfrog%2Fjfrog-registry-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Fjfrog-registry-operator/lists"}