Container Registry with Amazon EKS on the AWS Cloud

Quick Start Reference Deployment

September 2020
Mark Bennett, Trace3
Yaniv Bossem and Dylan Owen, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by JFrog Ltd. in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

JFrog’s Container Registry (JCR) is a comprehensive and advanced repository manager, supporting Docker containers and Helm Chart repositories for your Kubernetes deployments. This Quick Start deploys Container Registry in a highly scalable and redundant configuration in the AWS Cloud.

This Quick Start is for administrators who want the flexibility, scale, and availability of AWS through products such as Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Simple Storage Service (Amazon S3), Elastic Load Balancing (ELB), and Amazon Relational Database Service (Amazon RDS) to deploy Container Registry as their Docker container and Helm Chart repository manager.

Amazon EC2 and Amazon EKS, along with Amazon S3 and Amazon RDS, form the foundation for the deployment. By using Amazon S3 and Amazon RDS as persistent storage for artifacts and the configuration, respectively, Container Registry can be completely redeployed, scaled up, or scaled down, depending on your requirements. This configuration allows organizations to save on costs by needing to pay only for storage used.

This Quick Start configures an Amazon Elastic Kubernetes Service (Amazon EKS) cluster comprising one partition, with its own Amazon EC2 Auto Scaling group. The partition is labeled production. The number of production Kubernetes nodes is configurable, if more than one is desired, this can greatly reduce any downtime experienced as the StatefulSet will redeploy the Container Registry container to another node. The underlying nodes can be run in any of the three Availability Zones. If left at one, the Auto Scaling group is configured to boot a node into another Availability Zone upon a failure. The deployment is configured and managed via Helm. The bastion host is preconfigured with the Helm and Kubectl, which can be used to check or manage the deployment.

A Classic Load Balancer is configured to provide ingress to the Virtual Private Cloud (VPC) and to forward traffic to the NGINX pod, which provides ingress and load balancing to the Container Registry pods within the deployment.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Container Registry with Amazon EKS on AWS

Once you deploy JFrog’s Container Registry, you can use it as a production service. For further information about setting up Container Registry, see the Getting started with Container Registry section, later in this guide.

The deployment is configured as “infrastructure as code.” Any changes to the infrastructure should be done by updating the CloudFormation stack. Any changes performed on the Ec2 instances, containers, or Kubernetes configuration objects, (including reverse-proxy configurations) are lost when an instance reboots. By design, upon shutdown of a node an Auto Scaling group replaces the node, following a load-balancing health check. Should the Container Registry container fail, it will be re-started by the Kubernetes statefulset.

Cost

You are responsible for the cost of the AWS services used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

This Quick Start does not require you to purchase any license as JFrog Container Registry is a free product.

Architecture

Deploying this Quick Start for a new Virtual Private Cloud (VPC) with default parameters builds the following {partner-product-name_ environment in the AWS Cloud.

Figure 1. Quick Start architecture for Container Registry with Amazon EKS on AWS

As shown in Figure 1, the Quick Start sets up the following:

A highly resilient architecture that spans three Availability Zones.*
A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
A Network Load Balancer attached to the public subnets is listening on port 443 and directs traffic via port 443 to the NGINX pod configured as a Load Balancer Kubernetes object. The NGINX pod provides ingress, reverse proxy, and SSL termination for the Container Registry node.
A private and encrypted S3 bucket for repository storage.

In the public subnets:

Managed NAT gateways to allow outbound internet access for resources in the private subnets.*
A Linux bastion host in an Auto Scaling group to allow inbound Secure Shell (SSH) access to EC2 instances in public and private subnets.*

In the private subnets:

An RDS instance connected via the private subnets of the VPC and only accessible from those subnets on port 5532.
An EKS cluster with one partition.
A Helm deployment responsible for managing your Kubernetes deployment; the Helm deployment creates the following:
- jfrog-artifactory namespace.
- NGINX SSL secret.
- Container Registry database access secret.
- Primary, secondary, and NGINX pods.

*The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Amazon EKS services

There is a single Auto Scaling group for the Container Registry EKS host that makes up the production partition. The pods (NGINX and Container Registry) are configured to be deployed to this partition. Upon an Container Registry service or overall pod failure, Kubernetes handles rescheduling and redeploying the failed pod to a node. As a result, all configurations are done on boot to each container and results in a loss of data that is not stored in the Amazon RDS instance or the S3 bucket.

Do not change the stack’s master key when you update the stack. This will result in future nodes being unable to connect to the database and in an unsupported configuration.

To update a Secure Sockets Layer (SSL) certificate, you will need to update the CloudFormation stack by changing the certificate and certificate key inputs, and redeploying the nodes. (See Updating Container Registry.) If you change the certificate and certificate key manually on the EC2 instances, instead of updating the CloudFormation stack, the manual changes will be lost during the next upgrade or reboot, resulting in an unwanted configuration.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, visit Getting Started with AWS and Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start assumes familiarity with JFrog Container Registry, infrastructure as code, and Kubernetes.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, your account must be configured as specified in the following table. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource	This deployment uses
VPCs	1
Elastic IP addresses	4
AWS Identity and Access Management (IAM) security groups	1
IAM roles	2
Security groups	4
Auto Scaling groups	1
Load Balancers	1
m4.xlarge instances	1
t2.micro instances	1
db.m4.large (RDS)	1
S3 Buckets	1
EKS cluster**	1

Supported Regions

us-east-1 (N. Virginia)
us-east-2 (Ohio)
us-west-1 (N. California)
us-west-2 (Oregon)
eu-central-1 (Frankfurt)
eu-west-1 (Ireland)
eu-west-2 (London)
eu-west-3 (Paris)
ap-southeast-2 (Sydney)
ap-northeast-1 (Tokyo)

Certain Regions are available on an opt-in basis. See Managing AWS Regions.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Deployment options

This Quick Start provides two deployment options:

Deploy Container Registry with Amazon EKS into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, an Amazon EKS cluster with its supporting infrastructure, an S3 bucket, an Amazon RDS instance. It then deploys Container Registry via Helm.
Deploy Container Registry with Amazon EKS into an existing VPC. This option provisions an Amazon EKS cluster, an S3 bucket, an Amazon RDS instance, into your existing AWS infrastructure. It then deploys Container Registry via Helm.

The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Container Registry with Amazon EKS settings, as discussed later in this guide.

Deployment steps

Sign in to your AWS account

Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.
Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Prepare the certificate and certificate key

Due to the underlying JSON system, the parameters for both the certificate and certificate key must be edited by replacing their line endings.

Copy the certificate into a text editor, and view line endings. Line endings on Windows and Linux terminate in CRFL and LF, respectively.
Remove all CRFL or LF characters, and replace them with the | (pipe) character. This puts the certificate on a single line.
Follow the same process for the certificate key.

Add the certificate to AWS Secrets Manager

Open AWS Secrets Manager in the same Region in which you deploy the Quick Start.
Choose Store a new secret.
Choose Other type of secret.
For the secret key value, create three rows for the certificate information.
Key names should be as follows, with the key values being the certificate details. (See Figure 2.)
1. Certificate
2. CertificateKey
3. CertificateDomain

Figure 2. Secrets Manager key-value page

Choose Next.
Provide a secret name. This name is used to deploy this Quick Start.
Choose Next twice.
Choose Store.

Launch the Quick Start

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.

Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see deployment options earlier in this guide.

Deploy Container Registry with Amazon EKS into a new VPC on AWS

View template

Deploy Container Registry with Amazon EKS into an existing VPC on AWS

View template

If you’re deploying Container Registry with Amazon EKS into an existing VPC, make sure that your VPC has three private subnets in different Availability Zones for the workload instances, and that the subnets aren’t shared. This Quick Start doesn’t support shared subnets. These subnets require NAT gateways in their route tables, to allow the instances to download packages and software without exposing them to the internet.

Also, make sure that the domain name option in the DHCP options is configured as explained in the Amazon VPC documentation. You provide your VPC settings when you launch the Quick Start.

Each deployment takes about 1 hour to complete.

Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for Container Registry with Amazon EKS will be built. The template is launched in the us-east-1 Region by default.

On the Create stack page, keep the default setting for the template URL, and then choose Next.
On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary.

In the following tables, parameters are listed by category and described separately for the deployment options. When you finish reviewing and customizing the parameters, choose Next.

Unless you are customizing the Quick Start templates for your own deployment projects, keep the default settings for the parameters Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Launch into a new VPC

Table 1. Security configuration
Parameter label (name)	Default value	Description
SSH key name (`KeyPairName`)	`Requires input`	Name of an existing public/private key pair, which allows you to securely connect to your instance after it launches.
Permitted IP range (`AccessCidr`)	`Requires input`	CIDR IP range that is permitted to access Artifactory. We recommend that you set this value to a trusted IP range. For example, you might want to grant only your corporate network access to the software.
Remote access CIDR (`RemoteAccessCidr`)	`Requires input`	Remote CIDR range for allowing SSH into the bastion instance. We recommend that you set this value to a trusted IP range. For example, you might want to grant specific ranges inside your corporate network SSH access.
Additional EKS admin ARNs (`AdditionalEKSAdminArns`)	`Blank string`	[OPTIONAL] Amazon Resource Names (ARNs): a comma-separated list of IAM users and roles to be granted admin access to the EKS cluster.
Kubernetes config KMS context (`KubeConfigKmsContext`)	`JFrogContainerRegistry`	String value used by KMS to encrypt/decrypt Kubernetes configuration file.

Table 2. Network configuration
Parameter label (name)	Default value	Description
Availability Zones (`AvailabilityZones`)	`Requires input`	List of Availability Zones to use for the subnets in the VPC. Three Availability Zones are used for this deployment, and the logical order of your selections is preserved.
VPC CIDR (`VpcCidr`)	`10.0.0.0/16`	CIDR block for the VPC.
Private subnet 1 CIDR (`PrivateSubnet1Cidr`)	`10.0.0.0/19`	CIDR block for private subnet 1 located in Availability Zone 1.
Private subnet 2 CIDR (`PrivateSubnet2Cidr`)	`10.0.32.0/19`	CIDR block for private subnet 2 located in Availability Zone 2.
Private subnet 3 CIDR (`PrivateSubnet3Cidr`)	`10.0.64.0/19`	CIDR block for private subnet 3 located in Availability Zone 3.
Public subnet 1 CIDR (`PublicSubnet1Cidr`)	`10.0.128.0/20`	CIDR block for the public (DMZ) subnet 1 located in Availability Zone 1.
Public subnet 2 CIDR (`PublicSubnet2Cidr`)	`10.0.144.0/20`	CIDR block for the public (DMZ) subnet 2 located in Availability Zone 2.
Public subnet 3 CIDR (`PublicSubnet3Cidr`)	`10.0.160.0/20`	CIDR block for the public (DMZ) subnet 3 located in Availability Zone 3.

Table 3. Bastion configuration
Parameter label (name)	Default value	Description
Bastion instance (`ProvisionBastionHost`)	`Enabled`	Choose Disabled to skip creating a bastion instance. Due to the JFrog Container Registry nodes being created in private subnets, the default setting of Enabled this is highly recommended.
Bastion instance type (`BastionInstanceType`)	`t2.micro`	Size of the bastion instances.
Bastion operating system (`BastionOs`)	`Amazon-Linux2-HVM`	Linux distribution for the Amazon Machine Image (AMI) to be used for the bastion instances.
Bastion root volume size (`BastionRootVolumeSize`)	`10`	Size of the root volume on the bastion instances.
Bastion enable TCP forwarding (`BastionEnableTcpForwarding`)	`true`	Choose whether to enable TCPForwarding via the bootstrapping of the bastion instance or not.
Bastion enable X11 forwarding (`BastionEnableX11Forwarding`)	`false`	Choose true to enable X11 via the bootstrapping of the bastion host. Setting this value to true will enable X Windows over SSH. X11 forwarding can be very useful but it is also a security risk, so we recommend that you keep the default (false) setting unless required.

Table 4. JFrog Container Registry configuration
Parameter label (name)	Default value	Description
JFrog Container Registry version (`JcrVersion`)	`7.7.3`	Version of JFrog Container Registry that you want to deploy into the Quick Start. Please see the release notes to select the version you want to deploy. https://www.jfrog.com/confluence/display/RTF/Release+Notes
Release stage of the product to deploy (`ReleaseStage`)	`GA`	Whether to use the upstream repository that is pre-GA.
Default JCR deployment size (`DefaultDeploymentSize`)	`true`	Choose false to overwrite the standard calculations of memory options to pass Java Options for the deployment If overwriting them, not to over provision the nodes.
JCR deployment size (`DeploymentSize`)	`xSmall`	Configuration settings implemented by the Helm chart. There are currently eight supported sizes. This value is only taken into account if you choose 'false' for DefaultDeploymentSize. 'xxxLarge:' Only applicable to node InstanceType m5.24xlarge or larger - Memory request of 240 GiB, memory limit of 384GiB; CPU request of 64, CPU limit of 96; Java heap size minimum of 192 GB, maximum of 288 GB. 'xxLarge:' Only applicable to node InstanceType m5.16xlarge or larger - Memory request of 160 GiB, memory limit of 256GiB; CPU request of 48, CPU limit of 64; Java heap size minimum of 128 GB, maximum of 192 GB. 'xLarge:' Only applicable to node InstanceType m5.12xlarge or larger - Memory request of 120 GiB, memory limit of 192GiB; CPU request of 32, CPU limit of 48; Java heap size minimum of 96 GB, maximum of 144 GB. 'Large:' Only applicable to node InstanceType m5.8xlarge or larger - Memory request of 80 GiB, memory limit of 128GiB; CPU request of 16, CPU limit of 32; Java heap size minimum of 64 GB, maximum of 96 GB. 'Medium:' Only applicable to node InstanceType m5.4xlarge or larger - Memory request of 42 GiB, memory limit of 64 GiB; CPU request of 8, CPU limit of 16; Java heap size minimum of 32 GB, maximum of 48 GB. 'Small:' Only applicable to node InstanceType m5.2xlarge or larger - Memory request of 20 GiB, memory limit of 32 GiB; CPU request of 4, CPU limit of 8; Java heap size minimum of 16 GB, maximum of 24 GB. 'xSmall:' Only applicable to node InstanceType m5.xlarge or larger - Memory request of 6 GiB, memory limit of 16 GiB; CPU request of 2, CPU limit of 4; Java heap size minimum of 8 GB, maximum of 12 GB. 'xxSmall:' Applicable to all node Instance Types - Memory request of 4 GiB, memory limit of 6 GiB; CPU request of 2, CPU limit of 2; Java heap size of 4 GB.
JCR certificate and secret name (`SmLicenseCertName`)	`Requires input`	Secret name created in AWS Secrets Manager which contains the SSL certificate and certificate key.
Master server key (`MasterKey`)	`Requires input`	Master key for the JFrog Container Registry cluster. Generate a master key by using the command '$openssl rand -hex 16'.

Table 5. Amazon RDS configuration
Parameter label (name)	Default value	Description
Database name (`DatabaseName`)	`artdb`	Name for your Database instance. The name must be unique across all Database instances owned by your AWS account in the current AWS Region. The Database instance identifier is case-insensitive, but is stored as all lowercase (as in "mydbinstance").
Database engine (`DatabaseEngine`)	`Postgres`	Database engine that you want to run, currently locked to Postgres.
Database user (`DatabaseUser`)	`jcradmin`	Login ID for the master user of your Database instance.
Database password (`DatabasePassword`)	`Requires input`	Password for the JFrog Container Registry database user.
Database instance type (`DatabaseInstance`)	`db.m4.large`	Size of the database to be deployed as part of the Quick Start.
Database allocated storage (`DatabaseAllocatedStorage`)	`10`	Size in gigabytes of the available storage for the database instance.
High available database (`MultiAzDatabase`)	`true`	Choose false to create an Amazon RDS instance in a single Availability Zone.

Table 6. EC2/EKS configuration
Parameter label (name)	Default value	Description
Node instance type (`NodeInstanceType`)	`m5.xlarge`	Amazon EC2 instance type for the nodes hosting the Kubernetes pods.
Number of Eks nodes (`NumberOfNodes`)	`1`	Initial number of Eks node instances and NGINX pods to create.
Node EBS volume size (`NodeVolumeSize`)	`200`	Size of EBS volumes for master node instances, in GB.
Kubernetes version (`KubernetesVersion`)	`1.14`	Kubernetes control plane version.

Table 7. AWS Quick Start configuration
Parameter label (name)	Default value	Description
Quick Start S3 bucket name (`QsS3BucketName`)	`aws-quickstart`	S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
Quick Start S3 key prefix (`QsS3KeyPrefix`)	`quickstart-jfrog-container-registry/`	S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).
Quick Start S3 bucket region (`QsS3BucketRegion`)	`us-east-1`	AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.
Lambda zips bucket name (`LambdaZipsBucketName`)	`Blank string`	[OPTIONAL] The name of the S3 bucket where the Lambda .zip files should be placed. If you leave this parameter blank, an S3 bucket will be created.

Launch into an existing VPC

Table 8. Security configuration
Parameter label (name)	Default value	Description
SSH key name (`KeyPairName`)	`Requires input`	Name of an existing key pair, which allows you to securely connect to your instance after it launches.
Permitted IP range (`AccessCidr`)	`Requires input`	CIDR IP range that is permitted to access Artifactory. We recommend that you set this value to a trusted IP range. For example, you might want to grant only your corporate network access to the software.
Remote access CIDR (`RemoteAccessCidr`)	`Requires input`	Remote CIDR range for allowing SSH into the bastion instance. We recommend that you set this value to a trusted IP range. For example, you might want to grant specific ranges inside your corporate network SSH access.
Additional EKS admin ARNs (`AdditionalEKSAdminArns`)	`Blank string`	[OPTIONAL] Amazon Resource Names (ARNs): a comma-separated list of IAM users and roles to be granted admin access to the EKS cluster.
Kubernetes config KMS context (`KubeConfigKmsContext`)	`JFrogContainerRegistry`	String value used by KMS to encrypt/decrypt Kubernetes configuration file.

Table 9. Network configuration
Parameter label (name)	Default value	Description
VPC ID (`VpcId`)	`Requires input`	ID of your existing VPC (e.g., vpc-0343606e).
VPC CIDR (`VpcCidr`)	`10.0.0.0/16`	CIDR block for the VPC.
Public subnet 1 ID (`PublicSubnet1Id`)	`Requires input`	ID of the public subnet in Availability Zone 1 in your existing VPC (e.g., subnet-z0376dab).
Public subnet 2 ID (`PublicSubnet2Id`)	`Requires input`	ID of the public subnet in Availability Zone 2 in your existing VPC (e.g., subnet-a29c3d84).
Public subnet 3 ID (`PublicSubnet3Id`)	`Requires input`	ID of the public subnet in Availability Zone 3 in your existing VPC (e.g., subnet-a29c3d84).
Private subnet 1 ID (`PrivateSubnet1Id`)	`Requires input`	ID of the private subnet in Availability Zone 1 in your existing VPC (e.g., subnet-a0246dcd).
Private subnet 2 ID (`PrivateSubnet2Id`)	`Requires input`	ID of the private subnet in Availability Zone 2 in your existing VPC (e.g., subnet-b58c3d67).
Private subnet 3 ID (`PrivateSubnet3Id`)	`Requires input`	ID of the private subnet in Availability Zone 3 in your existing VPC (e.g., subnet-b58c3d67).
Private subnet 1 CIDR (`PrivateSubnet1Cidr`)	`10.0.0.0/19`	CIDR of the private subnet in Availability Zone 1 in your existing VPC (e.g., 10.0.0.0/19).
Private subnet 2 CIDR (`PrivateSubnet2Cidr`)	`10.0.32.0/19`	CIDR of the private subnet in Availability Zone 2 in your existing VPC (e.g., 10.0.32.0/19).
Private subnet 3 CIDR (`PrivateSubnet3Cidr`)	`10.0.64.0/19`	CIDR block for private subnet 3 located in Availability Zone 3 in your existing VPC (e.g., 10.0.64.0/19).

Table 10. Bastion configuration
Parameter label (name)	Default value	Description
Bastion instance (`ProvisionBastionHost`)	`Enabled`	Choose Disabled to skip creating a bastion instance. Due to the JFrog Container Registry nodes being created in private subnets, the default setting of Enabled this is highly recommended.
Bastion instance type (`BastionInstanceType`)	`t2.micro`	Size of the bastion instances.
Bastion operating system (`BastionOs`)	`Amazon-Linux2-HVM`	Linux distribution for the Amazon Machine Image (AMI) to be used for the bastion instances.
Bastion root volume size (`BastionRootVolumeSize`)	`10`	Size of the root volume on the bastion instances.
Bastion enable TCP forwarding (`BastionEnableTcpForwarding`)	`true`	Choose whether to enable TCPForwarding via the bootstrapping of the bastion instance or not.
Bastion enable X11 forwarding (`BastionEnableX11Forwarding`)	`false`	Choose true to enable X11 via the bootstrapping of the bastion host. Setting this value to true will enable X Windows over SSH. X11 forwarding can be very useful but it is also a security risk, so we recommend that you keep the default (false) setting unless required.

Table 11. JFrog Container Registry configuration
Parameter label (name)	Default value	Description
JFrog Container Registry version (`JcrVersion`)	`7.7.3`	Version of JFrog Container Registry that you want to deploy into the Quick Start. Please see the release notes to select the version you want to deploy. https://www.jfrog.com/confluence/display/RTF/Release+Notes
Release stage of the product to deploy (`ReleaseStage`)	`GA`	Whether to use the upstream repository that is pre-GA.
Default JCR deployment size (`DefaultDeploymentSize`)	`true`	Choose false to overwrite the standard calculations of memory options to pass Java Options for the deployment If overwriting them, not to over provision the nodes.
JCR deployment size (`DeploymentSize`)	`xSmall`	Configuration settings implemented by the Helm chart. There are currently eight supported sizes. This value is only taken into account if you choose 'false' for DefaultDeploymentSize. 'xxxLarge:' Only applicable to node InstanceType m5.24xlarge or larger - Memory request of 240 GiB, memory limit of 384GiB; CPU request of 64, CPU limit of 96; Java heap size minimum of 192 GB, maximum of 288 GB. 'xxLarge:' Only applicable to node InstanceType m5.16xlarge or larger - Memory request of 160 GiB, memory limit of 256GiB; CPU request of 48, CPU limit of 64; Java heap size minimum of 128 GB, maximum of 192 GB. 'xLarge:' Only applicable to node InstanceType m5.12xlarge or larger - Memory request of 120 GiB, memory limit of 192GiB; CPU request of 32, CPU limit of 48; Java heap size minimum of 96 GB, maximum of 144 GB. 'Large:' Only applicable to node InstanceType m5.8xlarge or larger - Memory request of 80 GiB, memory limit of 128GiB; CPU request of 16, CPU limit of 32; Java heap size minimum of 64 GB, maximum of 96 GB. 'Medium:' Only applicable to node InstanceType m5.4xlarge or larger - Memory request of 42 GiB, memory limit of 64 GiB; CPU request of 8, CPU limit of 16; Java heap size minimum of 32 GB, maximum of 48 GB. 'Small:' Only applicable to node InstanceType m5.2xlarge or larger - Memory request of 20 GiB, memory limit of 32 GiB; CPU request of 4, CPU limit of 8; Java heap size minimum of 16 GB, maximum of 24 GB. 'xSmall:' Only applicable to node InstanceType m5.xlarge or larger - Memory request of 6 GiB, memory limit of 16 GiB; CPU request of 2, CPU limit of 4; Java heap size minimum of 8 GB, maximum of 12 GB. 'xxSmall:' Applicable to all node Instance Types - Memory request of 4 GiB, memory limit of 6 GiB; CPU request of 2, CPU limit of 2; Java heap size of 4 GB.
JCR certificate and secret name (`SmLicenseCertName`)	`Requires input`	Secret name created in AWS Secrets Manager which contains the SSL certificate and certificate key.
Master server key (`MasterKey`)	`Requires input`	Master key for the JFrog Container Registry cluster. Generate a master key by using the command '$openssl rand -hex 16'.

Table 12. Amazon RDS configuration
Parameter label (name)	Default value	Description
Database name (`DatabaseName`)	`artdb`	Name for your database instance. The name must be unique across all database instances owned by your AWS account in the current AWS Region. The database instance identifier is case-insensitive, but is stored as all lowercase (as in "mydbinstance").
Database engine (`DatabaseEngine`)	`Postgres`	Database engine that you want to run, currently locked to Postgres
Database user (`DatabaseUser`)	`jcradmin`	Login ID for the master user of your Database instance.
Database password (`DatabasePassword`)	`Requires input`	Password for the JFrog Container Registry database user.
Database instance type (`DatabaseInstance`)	`db.m4.large`	Size of the database to be deployed as part of the Quick Start.
Database allocated storage (`DatabaseAllocatedStorage`)	`10`	Size in gigabytes of the available storage for the database instance.
High available database (`MultiAzDatabase`)	`true`	Choose false to create an Amazon RDS instance in a single Availability Zone.

Table 13. EC2/EKS configuration
Parameter label (name)	Default value	Description
Node instance type (`NodeInstanceType`)	`m5.xlarge`	Amazon EC2 instance type for the nodes hosting the Kubernetes pods.
Number of Eks nodes (`NumberOfNodes`)	`1`	Initial number of Eks node instances and NGINX pods to create.
Node EBS volume size (`NodeVolumeSize`)	`200`	Size of EBS volumes for master node instances, in GB.
Kubernetes version (`KubernetesVersion`)	`1.14`	The Kubernetes control plane version.

Table 14. AWS Quick Start configuration
Parameter label (name)	Default value	Description
Quick Start S3 bucket name (`QsS3BucketName`)	`aws-quickstart`	S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
Quick Start S3 key prefix (`QsS3KeyPrefix`)	`quickstart-jfrog-container-registry/`	S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).
Quick Start S3 bucket region (`QsS3BucketRegion`)	`us-east-1`	AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.
Lambda zips bucket name (`LambdaZipsBucketName`)	`Blank string`	[OPTIONAL] The name of the S3 bucket where the Lambda .zip files should be placed. If you leave this parameter blank, an S3 bucket will be created.

On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.
On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.
Choose Create stack to deploy the stack.
Monitor the status of the stack. When the status is CREATE_COMPLETE, the Container Registry deployment is ready.
Use the values displayed in the Outputs tab for the stack, as shown in Figure 3, to view the created resources.

Figure 3. Container Registry outputs after successful deployment

Get started with JFrog Container Registry

Connect to Container Registry from JFrogContainerRegistryUrl. You can find JFrogContainerRegistryUrl on the Outputs tab of the Container Registry primary stack. Verify that you can view the login screen. (See Figure 4.)

Figure 4. JFrog Container Registry login screen

If you use a non-CA-signed certificate, you will receive a certificate warning when you attempt to access the page. This happens because the certificate doesn’t match the ELB DNS unless you configure Amazon Route 53.

The default user name and password for Container Registry are admin and password, respectively. Enter your credentials, and choose Login. For more information, see JFrog Users and Groups.

This loads the setup wizard for initial configuration. Choose Get Started. (See Figure 5.)

Figure 5. JFrog Container Registry welcome screen

This Quick Start handles the license key configuration during the deployment, so you are not prompted to activate your license.

Read and accept the End User License Agreement (EULA), and then choose Next. (See Figure 6.)

Figure 6. Accept the EULA

Optionally, sign up for notifications from JFrog. (See Figure 7.)

Figure 7. Sign up for updates from JFrog

Set a secure administrator password for your deployment, and then choose Next (See Figure 8.)

Figure 8. Set administrator password

Optionally, configure the base URL setting. Because this deployment uses a proxy, it’s highly recommended that you update the base URL of Container Registry. Read more about JFrog Platform settings. (See Figure 9.)

Figure 9. Configure proxy settings if required

Optionally, configure proxy settings for remote resources. (See Figure 10.)

Figure 10. Configure proxy settings if required

Select the repositories that you require, and then choose Create. (See Figure 11.)

Figure 11. Select repositories

Choose Finish. (See Figure 12.)

Figure 12. Final wizard screen

Complete the administrative tasks by configuring the following:

Backups save to the local file system and do not persist if the EC2 instance is terminated. It is recommended to create snapshots of the primary instance.

Updating Container Registry

If maintenance must be performed on the stack, ensure that you update the CloudFormation stack rather than updating the infrastructure manually (this also applies to updating Container Registry). The Container Registry version for this Quick Start is 7.0.x.

Choose the root stack, and then choose Update. (See Figure 13.)

Figure 13. Stack list and update button on the CloudFormation console

On the Prerequisite screen, Choose Use current template, and then choose Next. (See Figure 14.)

Figure 14. Update stack, prerequisite information

Find the Container Registry version field by scrolling down. (See Figure 15.)

Figure 15. CloudFormation console update page (before you change the version)

Enter the version number that you want to run. (See Figure 16.)

Figure 16. CloudFormation console update page (after you change the version)

Scroll down, and choose Next. Choose Next again, unless you want to change any other tags or policies. Select the two I acknowledge check boxes, and choose Update stack. (See Figure 17.)

Figure 17. Completing the update process

When you choose Update Stack, Helm takes care of a rolling upgrade. If you want to watch the upgrade, log in to the bastion host and find the BastionIP in the Outputs tab of the base Container Registry core stack. Connect from your local terminal to the bastion host by using SSH, and run the following commands.
```
# To list the deployment
helm ls –-all
# To see currently running pods. Add `watch` to view an update every
2 seconds
kubectl get pods -n jfrog-artifactory
```

Security

By default, the load balancer does not match your certificate. You must configure the DNS according to your organization’s configuration, which is highly recommended for a production deployment.

When you create a new VPC, the private subnet CIDR is automatically provided to the database security group jcr-rds-sg. In the new VPC, the private subnet is accessible only from the public subnet.

When you deploy to an existing VPC, ensure similar rules are followed so that your Container Registry nodes are not accessible directly from the internet. Also, ensure that the private CIDR is correct and locked down. Avoid using 0.0.0.0/0. If the subnet is a public subnet, it will allow your MySQL database to be available from the internet.

Storage

A major difference between running on-premises and on AWS is storage. Because S3 is used, you are charged for what is currently in use rather than what may be allocated onpremises. Ensure to monitor your usage.

FAQ

Q. I provisioned more than one node and cannot access Container Registry. What do I do?

A. In the AWS CloudFormation console, choose Update stack, and reduce the number of nodes to one for the Container Registry primary.

Q. My certificate is out of date. How do I update it?

A. The certificate is handled via Ansible or Helm. In the AWS CloudFormation console, choose Update stack, change the certificate and certificate key values. Then, by rolling restart, update the master node first, and then, one at a time, the secondary nodes. This will rebuild each node with the correct certificate.

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to No. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Please make sure to delete the stack when you finish troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. We recommend that you launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information about AWS CloudFormation quotas, see AWS CloudFormation quotas.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

See the AWS Quick Start home page.

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.