JFrog Distribution serves as a centralized platform for efficient software release distribution. It plays a pivotal role in the JFrog Enterprise+ suite, overseeing Release Bundles and their distribution workflows, encompassing release content, access permissions, and destination preferences.
The distribution offers a secure and organized environment for disseminating release binaries to numerous remote sites while facilitating seamless updates when new release iterations are generated. As a key step in the release process, target destinations rigorously validate release bundles to guarantee proper signing and safety for end-users.
Distributing release bundles from the main Artifactory to the registered JPDs involves two steps:
1. Creation of the Release Bundle.
2. Distribution of the Release bundles.
Both steps can be performed through the REST API and added to automation.
JFrog Distribution enhances the security of release bundle delivery through the utilization of a preconfigured GPG Key. Each release bundle that is distributed to an Artifactory Edge Node is signed with this GPG key, adding an extra layer of safeguarding to the bundle's contents. During the signing process of the release bundle, Distribution instructs Artifactory to duplicate the bundle's contents into a dedicated, isolated release-bundles repository.
Creation of the GPG key for signing the release bundles:
To create a GPG key, follow the instructions provided in this article. (If the GPG key pair is created with a passphrase, be sure to keep a copy of the passphrase, as JFrog Distribution requires it to sign the Release Bundle.)
Upload the GPG key to Distribution and also to Artifactory HOME and edge nodes.
Use the Upload GPG Signing Key for Distribution REST API.
Deploy the generated GPG public key on the source Artifactory and Artifactory Edge node. The public key will be stored under Administration | Services | Artifactory | Security | Keys Management | Public Keys on the source Artifactory and Artifactory Edge node.
1. Next, create a Release Bundle version using the REST API.
curl -u user:password -H "Accept: application/json" -H "Content-Type: application/json" -H "X-GPG-PASSPHRASE: keysPassphrase" -X POST "http://ARTIFACTORY_SERVER_HOSTNAME:8082/distribution/api/v1/release_bundle" -T createbundle.json
Example createbundle.json file:
{
  "name": "testing",
  "version": "1.0.0",
  "description": "",
  "dry_run": false,
  "spec": {
    "queries": [
      {
        "aql": "items.find({\"$and\":[{\"$or\":[{\"repo\":{\"$eq\":\"<demo-local>\"}}]}]}).include(\"sha256\",\"updated\",\"modified_by\",\"created\",\"id\",\"original_md5\",\"depth\",\"actual_sha1\",\"property.value\",\"modified\",\"property.key\",\"actual_md5\",\"created_by\",\"type\",\"name\",\"repo\",\"original_sha1\",\"size\",\"path\")",
        "query_name": "query-1",
        "release_bundle_query_fields": {
          "repositories": [
            "<demo-local>"
          ]
        }
      }
    ]
  },
  "sign_immediately": true
}
2. Once the release bundle is created, the next step is to distribute it to the registered JPDs (Edge nodes) using this REST API.
curl -u user:password -H "Content-Type: application/json" -X POST "http://ARTIFACTORY_SERVER_HOSTNAME:8082/distribution/api/v1/distribution/name/version" -T distribute.json
Example distribute.json file:
Note: The site name and city name are listed under Registered JPDs, under Platform deployment.
{
  "dry_run": false,
  "auto_create_missing_repositories": true,
  "distribution_rules": [
    {
      "site_name": "jpd1",
      "city_name": "chennai"
    }
  ]
}
By following these steps using the REST APIs, we can avoid the dependency on the UI and automate the signing, creation, and distribution of release bundles.
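When the two REST calls above are scripted, the account password and the GPG passphrase can be fed to curl on stdin instead of as arguments, which keeps them out of the process list and shell history. This is an added example, not part of the original article; the variable names DIST_URL, DIST_USER, DIST_PASSWORD and GPG_PASSPHRASE and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names: DIST_URL,
# DIST_USER, DIST_PASSWORD, GPG_PASSPHRASE and the helper functions below.
set -eu

# Same endpoint as the article; use an https:// URL where TLS is configured.
DIST_URL="${DIST_URL:-http://ARTIFACTORY_SERVER_HOSTNAME:8082/distribution/api/v1}"

# Escape backslash and double quote for a double-quoted curl config value.
cfg_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Print a curl config for `curl --config -`. Credentials and the passphrase
# header travel on stdin, so they never appear in `ps` output.
curl_config() {  # usage: curl_config [sign]
  printf 'user = "%s:%s"\n' "$(cfg_escape "$DIST_USER")" "$(cfg_escape "$DIST_PASSWORD")"
  printf 'header = "Accept: application/json"\n'
  printf 'header = "Content-Type: application/json"\n'
  if [ "${1:-}" = "sign" ]; then
    printf 'header = "X-GPG-PASSPHRASE: %s"\n' "$(cfg_escape "$GPG_PASSPHRASE")"
  fi
  # Make curl exit non-zero on HTTP errors so automation stops on failure.
  printf 'fail\nsilent\nshow-error\n'
}

# Step 1: create and sign the Release Bundle version.
create_bundle() {  # usage: create_bundle createbundle.json
  curl_config sign | curl --config - -X POST "$DIST_URL/release_bundle" -T "$1"
}

# Step 2: distribute it to the JPDs named in the distribution rules.
distribute_bundle() {  # usage: distribute_bundle NAME VERSION distribute.json
  curl_config | curl --config - -X POST "$DIST_URL/distribution/$1/$2" -T "$3"
}

# Run both steps only when called with: NAME VERSION createbundle.json distribute.json
if [ "$#" -eq 4 ]; then
  : "${DIST_USER:?}" "${DIST_PASSWORD:?}" "${GPG_PASSPHRASE:?}"
  create_bundle "$3"
  distribute_bundle "$1" "$2" "$4"
fi
```

Export the three secrets in the environment and pass the bundle name, version and the two JSON files as arguments; the name and version must match the values in createbundle.json.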