[ansible] JFrog Platform 10.20.1 release

Author: Ram

Ansible/ansible_collections/jfrog/platform/CHANGELOG.md

@@ -1,6 +1,14 @@
 # JFrog Platform Ansible Collection Changelog
 All changes to this collection will be documented in this file.
 
+## [10.20.1] - Nov 26, 2024
+* Postgres - Fixed auth method in pg_hba.conf file [GH-428](https://github.com/jfrog/JFrog-Cloud-Installers/pull/428)
+* Artifactory - Fixed issue around /etc/cron.allow does not exist [GH-420](https://github.com/jfrog/JFrog-Cloud-Installers/issues/420)
+* Xray - Added `centos_gpg_key` variable to override defaults [GH-420](https://github.com/jfrog/JFrog-Cloud-Installers/issues/413)
+* Added support for RHEL 9
+* Artifactory - Added AccessConfig Patch support to use mTLS [GH-392](https://github.com/jfrog/JFrog-Cloud-Installers/pull/392)
+* Product Updates/fixes
+
 ## [10.20.0] - Oct 29, 2024
 * Product Updates/fixes
 

Ansible/ansible_collections/jfrog/platform/galaxy.yml

@@ -9,7 +9,7 @@ namespace: "jfrog"
 name: "platform"
 
 # The version of the collection. Must be compatible with semantic versioning
-version: "10.20.0"
+version: "10.20.1"
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: "README.md"

Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml

@@ -1,7 +1,7 @@
 # Defaults file for artifactory
 
 # The version of artifactory to install
-artifactory_version: 7.98.7
+artifactory_version: 7.98.9
 
 # Set this to true when SSL is enabled (to use artifactory_nginx_ssl role), default to false (implies artifactory uses artifactory_nginx role )
 artifactory_nginx_ssl_enabled: false
@@ -116,4 +116,12 @@ artifactory_binarystore: |-
 artifactory_systemyaml_override: false
 
 # Allow artifactory user to create crontab rules
-artifactory_allow_crontab: false
+artifactory_allow_crontab: false
+
+# Provide access config patch content 
+artifactory_access_config_patch: |-
+# security:
+#   authentication:
+#     mtls:
+#       enabled: true                  
+#       extraction-regex: (.*)

Ansible/ansible_collections/jfrog/platform/roles/artifactory/shared/access_configuration.yml

@@ -0,0 +1,12 @@
+- name: Create the access.config.patch.yml file
+  become: true
+  template:
+    src: access-config-patch.yml.j2
+    dest: "{{ artifactory_home }}/var/etc/access/access.config.patch.yml"
+    owner: "{{ artifactory_user }}"
+    group: "{{ artifactory_group }}"
+    mode: 0644
+  notify: Restart artifactory
+  when:
+    - artifactory_access_config_patch is defined
+    - artifactory_access_config_patch | length > 0

Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml

@@ -47,6 +47,7 @@
     path: /etc/cron.allow
     line: "{{ artifactory_user }}"
     state: present
+    create: true
   when: artifactory_allow_crontab
 
 - name: Allow reading cron.allow
@@ -132,6 +133,9 @@
     - artifactory_systemyaml_override or (not systemyaml.stat.exists)
   notify: Restart artifactory
 
+- name: Configure access config
+  ansible.builtin.include_tasks: shared/access_configuration.yml
+
 - name: Configure master key
   become: true
   ansible.builtin.copy:

Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml

@@ -6,6 +6,7 @@
     path: /etc/cron.allow
     line: "{{ artifactory_user }}"
     state: present
+    create: true
   when: artifactory_allow_crontab
 
 - name: Allow reading cron.allow
@@ -154,6 +155,9 @@
     - artifactory_systemyaml_override or (not systemyaml.stat.exists)
   notify: Restart artifactory
 
+- name: Configure access config
+  ansible.builtin.include_tasks: shared/access_configuration.yml
+
 - name: Install Service
   ansible.builtin.include_tasks: shared/install_service.yml
 
@@ -179,4 +183,4 @@
   delay: 5
   when:
     - not ansible_check_mode
-    - artifactory_start_service | bool
+    - artifactory_start_service | bool

Ansible/ansible_collections/jfrog/platform/roles/artifactory/templates/access-config-patch.yml.j2

@@ -0,0 +1 @@
+{{ artifactory_access_config_patch }}

Ansible/ansible_collections/jfrog/platform/roles/artifactory/vars/main.yml

@@ -1,5 +1,5 @@
 # platform collection version
-platform_collection_version: 10.20.0
+platform_collection_version: 10.20.1
 
 # indicates where this collection was downloaded from (galaxy, automation_hub, standalone)
 ansible_marketplace: galaxy

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/README.md

@@ -10,4 +10,96 @@ The artifactory_nginx_ssl role installs and configures nginx for SSL.
 * _ssl_certificate_key_path_: This is the full directory path for the SSL private key, excluding _ssl_certificate_key_.
 * _nginx_worker_processes_: The worker_processes configuration for nginx. Defaults to 1.
 * _artifactory_docker_registry_subdomain_: Whether to add a redirect directive to the nginx config for the use of docker
-  subdomains.
+  subdomains.
+* _mtls_ca_certificate_install_: `false` - Enable mTLS by updating to `true`
+* _mtls_mtls_ca_certificate_crt_name_: This is the full name of the CA certificate
+* _mtls_ca_certificate_path_: This is the full directory path for the CA certificate
+* _mtls_mtls_ca_certificate_key_name_: This is the full name of the CA key
+* _mtls_ca_certificate_crt_: This is the place to add the certificate
+* _mtls_ca_certificate_key_: This is the place to add the key
+
+
+# Configuring mTLS in Artifactory with NGINX
+**To enable mTLS (Mutual TLS) authentication in Artifactory through NGINX, follow these steps:**
+
+1. NGINX Changes
+2. Artifactory Changes
+
+## Step: 1 - NGINX Changes
+
+Open `main.yml` in `artifactory_nginx_ssl` from the following location:
+
+`platform/products/ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml`
+
+### Set Up CA Certificate
+
+Modify the `mtls_ca_certificate_install` parameter from `false` to `true`.
+
+**Create CA Certificates**: CA certificates in mTLS verifies the authenticity and trustworthiness of client and server certificates, ensuring secure and mutual authentication.
+
+**Run the following command to create CA certificates:**
+
+```
+openssl req -new -x509 -nodes -days 365 -subj '/CN=my-ca' -keyout ca.key -out ca.crt
+```
+
+Add the `ca.crt` and `ca.key` files to the relevant YAML file in the same directory.
+Update the above generated certificates with below parameters:
+
+mtls_ca_certificate_crt: | 
+
+mtls_ca_certificate_key: |
+
+
+## Step: 2 - Arifactory Changes
+
+### Enable mTLS Configuration
+Under `artifactory_access_config_patch`, add the configuration in the following location to enable mTLS:
+`platform/products/ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml`
+
+```
+security:
+  authentication:
+    mtls:
+      enabled: true                  
+      extraction-regex: (.*)
+```
+
+In the same `main.yaml`, update the following flags to:
+
+- `artifactory_nginx_ssl_enabled: true`
+- `artifactory_nginx_enabled: false`
+
+For more information, refer to the [Artifactory Documentation](https://jfrog.com/help/r/jfrog-artifactory-documentation/set-up-mtls-verification-and-certificate-termination-on-the-reverse-proxy).
+
+## Client Validation
+
+**Follow the below steps to validate client:**
+
+1. **Generate Server Certificate and Key for client validation**
+
+Create the Server Key and Certificate:
+Use the CA certificates created in [Step 1](#step-1---nginx-changes) to generate the server key and certificate.
+
+```
+openssl genrsa -out server.key 2048
+```
+
+```
+openssl req -new -key server.key -subj '/CN=localhost' -out server.csr
+```
+
+```
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out server.crt
+```
+
+2. **Verify mTLS Configuration for client testing**
+To test the mTLS setup, use a tool like curl:
+
+```
+curl -u <username>:<password> "http://<artifactory-url>/artifactory/api/system/ping" --cert server.crt --key server.key -k
+```
+
+This command should establish a connection using the configured mTLS, ensuring proper communication with Artifactory.
+
+

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml

@@ -8,6 +8,7 @@ nginx_daemon: nginx
 redirect_http_to_https_enabled: true
 
 nginx_worker_processes: 1
+
 artifactory_docker_registry_subdomain: false
 
 artifactory_conf_template: artifactory.conf.j2
@@ -18,3 +19,11 @@ ssl_certificate_path: /etc/pki/tls/certs
 ssl_certificate_key_path: /etc/pki/tls/private
 ssl_certificate: cert.pem
 ssl_certificate_key: cert.key
+
+## If we want to use mTLS, set the mtls_ca_certificate_install variable to true and provide the ca certificate and key
+mtls_ca_certificate_install: false
+mtls_mtls_ca_certificate_crt_name: ca.crt
+mtls_ca_certificate_path: /etc/pki/tls/certs
+mtls_mtls_ca_certificate_key_name: ca.key  
+mtls_ca_certificate_crt: |
+mtls_ca_certificate_key: |

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/tasks/main.yml

@@ -92,5 +92,39 @@
   no_log: true
   when: ssl_certificate_install
 
+- name: Ensure mtls_ca_certificate_key_path exists
+  become: true
+  ansible.builtin.file:
+    path: "{{ mtls_ca_certificate_path }}"
+    state: directory
+    mode: 0755
+  when: 
+    - mtls_ca_certificate_install
+    - artifactory_version is version('7.77.0', '>=')
+
+- name: Configure ca certificate
+  become: true
+  ansible.builtin.template:
+    src: certificate.crt.j2
+    dest: "{{ mtls_ca_certificate_path }}/{{ mtls_mtls_ca_certificate_crt_name }}"
+    mode: 0644
+  notify: Restart nginx
+  no_log: true
+  when: 
+    - mtls_ca_certificate_install
+    - artifactory_version is version('7.77.0', '>=')
+
+- name: Configure ca key
+  become: true
+  ansible.builtin.template:
+    src: certificate.cakey.j2
+    dest: "{{ mtls_ca_certificate_path }}/{{ mtls_mtls_ca_certificate_key_name }}"
+    mode: 0600
+  notify: Restart nginx
+  no_log: true
+  when: 
+    - mtls_ca_certificate_install
+    - artifactory_version is version('7.77.0', '>=')
+
 - name: Restart nginx
   ansible.builtin.meta: flush_handlers

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2

@@ -22,6 +22,13 @@
   if ($http_x_forwarded_proto = '') {
   set $http_x_forwarded_proto  $scheme;
   }
+  ##Set up mTLS Verification and Certificate Termination on the Reverse Proxy
+  {% if mtls_ca_certificate_install %}
+  ssl_verify_client      on;
+  ssl_verify_depth       2;
+  ssl_client_certificate {{ mtls_ca_certificate_path }}/{{ mtls_mtls_ca_certificate_crt_name }};
+  proxy_set_header X-JFrog-Client-Cert $ssl_client_escaped_cert;
+  {% endif %}
   ## Application specific logs
   access_log /var/log/nginx/artifactory-access.log;
   error_log /var/log/nginx/artifactory-error.log;

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/certificate.cakey.j2

@@ -0,0 +1,4 @@
+{% set cert = mtls_ca_certificate_key.split('|') %}
+{% for line in cert %}
+{{ line }}
+{% endfor %}

Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/certificate.crt.j2

@@ -0,0 +1,4 @@
+{% set cert = mtls_ca_certificate_crt.split('|') %}
+{% for line in cert %}
+{{ line }}
+{% endfor %}

Ansible/ansible_collections/jfrog/platform/roles/distribution/defaults/main.yml

@@ -1,7 +1,7 @@
 # defaults file for distribution
 
 # The version of distribution to install
-distribution_version: 2.26.1
+distribution_version: 2.27.2
 
 # whether to enable HA
 distribution_ha_enabled: false

Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/install.yml

@@ -22,6 +22,7 @@
     path: /etc/cron.allow
     line: "{{ distribution_user }}"
     state: present
+    create: true
   when: distribution_allow_crontab
 
 - name: Allow reading cron.allow

Ansible/ansible_collections/jfrog/platform/roles/distribution/tasks/upgrade.yml

@@ -122,6 +122,7 @@
     path: /etc/cron.allow
     line: "{{ distribution_user }}"
     state: present
+    create: true
   when: distribution_allow_crontab
 
 - name: Allow reading cron.allow

Ansible/ansible_collections/jfrog/platform/roles/distribution/vars/main.yml

@@ -1,5 +1,5 @@
 # platform collection version
-platform_collection_version: 10.20.0
+platform_collection_version: 10.20.1
 
 # indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
 ansible_marketplace: galaxy

Ansible/ansible_collections/jfrog/platform/roles/insight/vars/main.yml

@@ -1,5 +1,5 @@
 # platform collection version
-platform_collection_version: 10.20.0
+platform_collection_version: 10.20.1
 
 # indicates were this collection was downlaoded from (galaxy, automation_hub, standalone)
 ansible_marketplace: galaxy

Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/RedHat.yml

@@ -13,14 +13,14 @@
   ansible.builtin.yum:
     name: python3-psycopg2
     state: present
-  when: ansible_distribution_major_version == '8'
+  when: ansible_facts['distribution_major_version'] | int in [8, 9]
 
 - name: Install python2-psycopg2
   become: true
   ansible.builtin.yum:
     name: python-psycopg2
     state: present
-  when: ansible_distribution_major_version == '7'
+  when: ansible_facts['distribution_major_version'] | int  == 7
 
 - name: Fixup some locale issues
   become: true
@@ -72,8 +72,8 @@
       profiles=
       state=disabled
   when:
-    - ansible_os_family == 'RedHat'
-    - ansible_distribution_major_version | int == 8
+    - ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] | int in [8, 9]
 
 - name: Install PostgreSQL packages
   become: true

Ansible/ansible_collections/jfrog/platform/roles/xray/defaults/main.yml

@@ -1,7 +1,7 @@
 # Defaults file for xray
 
 # The version of xray to install
-xray_version: 3.104.18
+xray_version: 3.107.11
 
 # Whether to enable HA
 xray_ha_enabled: false
@@ -49,6 +49,8 @@ xray_system_yaml_template: system.yaml.j2
 
 linux_distro: "{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}"
 
+centos_gpg_key: "https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official"
+
 xray_db_util_search_filter:
   ubuntu18:
     db5: 'db5.3-util.*ubuntu1.1.*amd64\.deb'
@@ -65,6 +67,10 @@ xray_db_util_search_filter:
   debian11:
     db5: 'TBD'
     db: 'db-util_([0-9]{1,3}\.?){3}.*nmu1_all\.deb'
+  redhat7:
+    db: 'libdb-utils-5.3.*el7.x86_64.rpm'
+  redhat9:
+    db: 'libdb-utils-5.3.*el9.x86_64.rpm'
 
 
 yum_python_interpreter: >-