Application Development

Integrating Google Cloud Build with JFrog Artifactory

[Editor’s note: Today we hear from software artifact management provider JFrog about how and why to use Google Cloud Build in conjunction with its Artifactory binary repository. Their tools aim to make the application development pipeline more secure and deterministic and in turn ensure reliable apps.]  

By the time an end user first interacts with an application, developers have already made countless decisions about how best to bring it to life: which language to use, which package types, whether to use a service such as Google Cloud Build to build and containerize applications, what repository to use to store assets that are written in Java, npm, Go, etc., and finally, where to run these containerized services, e.g., on Google Kubernetes Engine.

These typical steps of building an application, from concept to final consumer product, are shown here:

building an application.png

In the first step, you commit to a version control system. Next, you’ll choose a package such as Maven, Vgo or npm to speed the development process. Then, you can use a service like Cloud Build to containerize an app. Finally, the app is deployed on platforms such as Kubernetes. In this image above, the third-party dependencies in step three can be downloaded from multiple places, including random or unapproved places, which may be a concern.

At JFrog, the goal of our Artifactory product is to ensure the third-party libraries you’re using come from trusted sources, and that you avoid errors like ERR! 418 I'm a Teapot. You might choose to use Cloud Build with a private repository manager like JFrog Artifactory if you need to:

  • Containerize an existing application that’s stored in a private repository

  • Containerize an application that relies on both private and public dependencies

  • Speed up build and deployment time by caching dependencies

When Google Cloud Platform (GCP) recently launched Cloud Build, we were immediately excited by the potential of Cloud Build and Artifactory together. Cloud Build makes high-velocity software development safe and easy, and unleashes your team’s productivity. It enables you to build software quickly across different languages and gives you complete control over the definition of your workflows for building, testing, and deploying across multiple environments.

So we added support for Cloud Build to Artifactory. Using the two together lets you build containerized applications more quickly and flexibly by streamlining dependencies. In this graphic below, you can see what the application development process looks like when you’re using JFrog Artifactory along with Cloud Build. You can see in step three that various packages are pulled from Artifactory as they’re brought into Cloud Build.

Artifactory.png

We’ll walk you through how to build containerized applications that pull dependencies from Artifactory, with Maven and Java as our sample package and language. Let’s get started.

Ensure sufficient security from the start

JFrog Artifactory uses your credentials to authenticate and allow you to pull or push packages, and it is extremely important that this sensitive information not be compromised. Here’s how to encrypt an API key:

a. Create a Google Cloud Key Management Service (KMS) KeyRing and CryptoKey

i. Create KeyRing

gcloud kms keyrings create [KEYRING-NAME] --location=global

ii. Create CryptoKey

gcloud kms keys create [KEY-NAME] --location=global --keyring=[KEYRING-NAME] --purpose=encryption

b. Encrypt the API key

echo $RT_API_KEY | gcloud kms encrypt --plaintext-file=- --ciphertext-file=- --location=global --keyring=[KEYRING-NAME] --key=[KEY-NAME] | base64

This command outputs an encrypted version of APIKEY that we will refer to as [ENCRYPTED_API_KEY].

Create a Cloud Build image that includes the JFrog CLI

We’ll use the example provided in the build step contributed by JFrog Artifactory.

This example points to a pre-built Cloud Build image that includes Maven and the JFrog CLI. If the requirement is to use another package type such as npm, Go, Conan, NuGet or Docker, or to use a different flavor of Maven, then we recommend creating a custom Cloud Build image. You can find sample instructions here to build the Maven builder image, though you can modify it based on your needs. Before you continue, configure your GCP service account permissions to allow it to build images.

Configure Cloud Build to pull Maven packages from Artifactory

First, configure JFrog CLI to authenticate with JFrog Artifactory.

  - name: 'jfrog-docker-reg2.bintray.io/google-cloud-builder/java/jfrog:0.1'
  entrypoint: 'bash'
  args: ['-c', 'jfrog rt c rt-mvn-repo --url=https://[ARTIFACTORY-URL]/artifactory --user=[ARTIFACTORY-USER] --password=$$APIKEY']
  secretEnv: ['APIKEY']
  dir: 'maven-example'

Note: There is an added step to use the encrypted version of APIKEY.

  secrets:
- kmsKeyName: projects/[PROJECT]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
  secretEnv:
    APIKEY: [ENCRYPTED_API_KEY]

Configure the JFrog CLI to specify Maven repositories to use for pull/push. You can find more information on how to do this here, and you can check out a sample version of a configuration file here.

Next, build the sample Maven project.

  - name: 'gcr.io/$PROJECT_ID/java/jfrog'
  args: ['rt', 'mvn', "clean install", 'config.yaml', '--build-name=mybuild', '--build-number=$BUILD_ID']
  dir: 'maven-example'

Containerize the Java application

Now, you’re ready to containerize your Java application.

  - name: 'gcr.io/cloud-builders/docker'
  args:
  - 'build'
  - '--tag=gcr.io/$PROJECT_ID/java-app:${BUILD_ID}'
  - '.'
  dir: 'maven-example'

Next, update cloudbuild.yaml with actual values of [ARTIFACTORY-USER], [ARTIFACTORY-URL], [ENCRYPTED_API_KEY], [KEYRING-NAME] & [KEY-NAME] and trigger a build.

  gcloud builds submit --config=cloudbuild.yaml .

This step triggers a build on GCP for this project, and pulls the Maven dependencies from Artifactory while building the application. Once the application is built, it is containerized and the final image is pushed to Google Container Registry, GCP’s managed container registry service. From there, you can choose your deployment target, including Google Kubernetes Engine.

To check build results, navigate to Tools > Cloud Build > Build History:

build results.png

The status of a successful build will look like this:

Build History.png

Congratulations! You’ve successfully configured Google Cloud Build to work with JFrog Artifactory using Maven packages. To learn more about Cloud Build, read the documentation. To learn how to configure Artifactory for other package formats, check out our documentation, and happy building.