Integrating Google Cloud Build with JFrog Artifactory
[Editor’s note: Today we hear from software artifact management provider JFrog about how and why to use Google Cloud Build in conjunction with its Artifactory binary repository. Their tools aim to make the application development pipeline more secure and deterministic and in turn ensure reliable apps.]
By the time an end user first interacts with an application, developers have already made countless decisions about how best to bring it to life: which language to use, which package types, whether to use a service such as Google Cloud Build to build and containerize applications, what repository to use to store assets that are written in Java, npm, Go, etc., and finally, where to run these containerized services, e.g., on Google Kubernetes Engine.
These typical steps of building an application, from concept to final consumer product, are shown here:
In the first step, you commit to a version control system. Next, you’ll choose a package such as Maven, Vgo or npm to speed the development process. Then, you can use a service like Cloud Build to containerize an app. Finally, the app is deployed on platforms such as Kubernetes. In this image above, the third-party dependencies in step three can be downloaded from multiple places, including random or unapproved places, which may be a concern.
At JFrog, the goal of our Artifactory product is to ensure the third-party libraries you’re using come from trusted sources, and that you avoid errors like ERR! 418 I'm a Teapot. You might choose to use Cloud Build with a private repository manager like JFrog Artifactory if you need to:
Containerize an existing application that’s stored in a private repository
Containerize an application that relies on both private and public dependencies
Speed up build and deployment time by caching dependencies
When Google Cloud Platform (GCP) recently launched Cloud Build, we were immediately excited by the potential of Cloud Build and Artifactory together. Cloud Build makes high-velocity software development safe and easy, and unleashes your team’s productivity. It enables you to build software quickly across different languages and gives you complete control over the definition of your workflows for building, testing, and deploying across multiple environments.
So we added support for Cloud Build to Artifactory. Using the two together lets you build containerized applications more quickly and flexibly by streamlining dependencies. In this graphic below, you can see what the application development process looks like when you’re using JFrog Artifactory along with Cloud Build. You can see in step three that various packages are pulled from Artifactory as they’re brought into Cloud Build.
We’ll walk you through how to build containerized applications that pull dependencies from Artifactory, with Maven and Java as our sample package and language. Let’s get started.
Ensure sufficient security from the start
JFrog Artifactory uses your credentials to authenticate and allow you to pull or push packages, and it is extremely important that this sensitive information not be compromised. Here’s how to encrypt an API key:
i. Create KeyRing
gcloud kms keyrings create [KEYRING-NAME] --location=global
ii. Create CryptoKey
gcloud kms keys create [KEY-NAME] --location=global --keyring=[KEYRING-NAME] --purpose=encryption
b. Encrypt the API key
echo $RT_API_KEY | gcloud kms encrypt --plaintext-file=- --ciphertext-file=- --location=global --keyring=[KEYRING-NAME] --key=[KEY-NAME] | base64
This command outputs an encrypted version of APIKEY that we will refer to as [ENCRYPTED_API_KEY].
Create a Cloud Build image that includes the JFrog CLI
This example points to a pre-built Cloud Build image that includes Maven and the JFrog CLI. If the requirement is to use another package type such as npm, Go, Conan, NuGet or Docker, or to use a different flavor of Maven, then we recommend creating a custom Cloud Build image. You can find sample instructions here to build the Maven builder image, though you can modify it based on your needs. Before you continue, configure your GCP service account permissions to allow it to build images.
Configure Cloud Build to pull Maven packages from Artifactory
First, configure JFrog CLI to authenticate with JFrog Artifactory.
- name: 'jfrog-docker-reg2.bintray.io/google-cloud-builder/java/jfrog:0.1'
args: ['-c', 'jfrog rt c rt-mvn-repo --url=https://[ARTIFACTORY-URL]/artifactory --user=[ARTIFACTORY-USER] --password=$$APIKEY']
Note: There is an added step to use the encrypted version of APIKEY.
- kmsKeyName: projects/[PROJECT]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
- name: 'gcr.io/$PROJECT_ID/java/jfrog'
args: ['rt', 'mvn', "clean install", 'config.yaml', '--build-name=mybuild', '--build-number=$BUILD_ID']
Containerize the Java application
Now, you’re ready to containerize your Java application.
- name: 'gcr.io/cloud-builders/docker'
Next, update cloudbuild.yaml with actual values of [ARTIFACTORY-USER], [ARTIFACTORY-URL], [ENCRYPTED_API_KEY], [KEYRING-NAME] & [KEY-NAME] and trigger a build.
gcloud builds submit --config=cloudbuild.yaml .
This step triggers a build on GCP for this project, and pulls the Maven dependencies from Artifactory while building the application. Once the application is built, it is containerized and the final image is pushed to Google Container Registry, GCP’s managed container registry service. From there, you can choose your deployment target, including Google Kubernetes Engine.
To check build results, navigate to Tools > Cloud Build > Build History:
The status of a successful build will look like this: