Note:
JFrog Registry Operator introduces a Kubernetes kubelet credential provider for Amazon EKS, Azure AKS, and Google GKE. This provider enables seamless, passwordless authentication with JFrog Artifactory for container image pulls, removing the need for manual image pull secret management.
For more details, see JFrog Credentials Provider.
Follow the official documentation for detailed information and the AWS configuration required to run the JFrog Registry Operator.
The integration of AWS Assume Role and JFrog Access lets AWS Identity and Access Management (IAM) users temporarily assume permissions and perform actions in a secure and controlled manner. The solution improves Kubernetes secrets management by automating token rotation, tightening access controls, and integrating JFrog Artifactory into the AWS environment.
The following diagram shows the basic architecture of how AssumeRole integrates with JFrog Access to provide enhanced access control:
If you are interested in making the move from vulnerable manual secret handling to secure automated secret management, then your journey towards a more secure and seamless containerized future begins here.
For the complete walkthrough, see the step-by-step installation and configuration guide.
Pick the authentication mode that matches your cluster setup:
| Mode | When to use | Setup guide |
|---|---|---|
| EKS Pod Identity | Recommended for new EKS clusters using the EKS Pod Identity Agent | Pod Identity setup |
| EKS Web Identity (IRSA) | Existing clusters using IAM Roles for Service Accounts (OIDC) | IRSA setup |
You have two ways to install the operator. Pick one.

Terraform: a single Terraform module provisions the IAM role, policies, and the JFrog Registry Operator end-to-end.
- Guide: Terraform approach documentation
- Best for: greenfield environments where you want everything provisioned as code.

Manual: configure the cluster yourself, then install the operator. Follow these steps in order:
- Configure the EKS cluster with the AWS policy and IAM role
- Configure the JFrog Platform for passwordless access to EKS
- Install the Registry Operator using either:
  - the official EKS installation guide, or
  - the Helm chart instructions below (skip this if you already installed via the AssumeRole setup above).
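Before the Helm install, check the trust policy of the role behind the `eks.amazonaws.com/role-arn` annotation: in the IRSA mode that annotation is the only link between the operator's Kubernetes service account and AWS credentials. The following check is an added example, not code from the JFrog Registry Operator or its Terraform module. It takes the role's trust policy document (what `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument` returns) and reports any statement that allows `sts:AssumeRoleWithWebIdentity` without pinning the `aud` claim to `sts.amazonaws.com` and the `sub` claim to the operator's `system:serviceaccount:<namespace>:<name>` identity. A policy that only checks `aud`, or uses a wildcard subject, lets any pod in the cluster assume the role and obtain Artifactory tokens. For a multi-user install, pass the subject of every exchanged service account. The OIDC provider ID, account ID and service account names below are constructed for the example. Pod Identity mode uses a different trust relationship (the `pods.eks.amazonaws.com` service principal) and is not covered here.

```python
"""Audit the IRSA trust policy of the IAM role the operator's service account assumes.

Added example (not part of the JFrog Registry Operator or its Terraform module).
The policy documents, OIDC provider ID and account ID below are constructed.
"""

OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # constructed
ACCOUNT_ID = "000000000000"  # constructed


def irsa_subject(namespace: str, service_account: str) -> str:
    """The sub claim EKS places in a projected service-account token."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def audit_irsa_trust_policy(policy: dict, oidc_provider: str, allowed_subjects) -> list:
    """Return findings for the AssumeRoleWithWebIdentity statements of a trust policy.

    An empty list means only the listed service accounts can obtain the role's credentials.
    """
    allowed = set(allowed_subjects)
    sub_key, aud_key = f"{oidc_provider}:sub", f"{oidc_provider}:aud"
    findings, seen = [], False
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        seen = True
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not str(federated).endswith(f":oidc-provider/{oidc_provider}"):
            findings.append(f"statement {i}: federated principal {federated!r} is not this cluster's OIDC provider")
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        aud = equals.get(aud_key)
        aud = [aud] if isinstance(aud, str) else (aud or [])
        if "sts.amazonaws.com" not in aud:
            findings.append(f"statement {i}: {aud_key} is not pinned to sts.amazonaws.com")
        subjects = equals.get(sub_key, like.get(sub_key))
        if subjects is None:
            # Without a sub condition, any pod that can get a projected token may assume the role.
            findings.append(f"statement {i}: no {sub_key} condition, so every service account in the cluster can assume the role")
            continue
        for subject in ([subjects] if isinstance(subjects, str) else subjects):
            if subject in allowed:
                continue
            kind = "wildcard" if ("*" in subject or "?" in subject) else "unexpected"
            findings.append(f"statement {i}: {kind} subject {subject!r} (expected one of {sorted(allowed)})")
    if not seen:
        findings.append("no statement allows sts:AssumeRoleWithWebIdentity")
    return findings


def trust_policy(condition: dict, account_id: str = ACCOUNT_ID, oidc_provider: str = OIDC_PROVIDER) -> dict:
    """Build a trust policy document for the example (constructed)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


OPERATOR_SUBJECT = irsa_subject("jfrog-operator", "jfrog-operator-sa")  # names assumed for the example

# Correctly scoped: audience pinned and subject equal to the operator's service account.
SCOPED_POLICY = trust_policy({"StringEquals": {
    f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
    f"{OIDC_PROVIDER}:sub": OPERATOR_SUBJECT}})
# Too broad: audience only, no subject condition.
AUD_ONLY_POLICY = trust_policy({"StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"}})
# Too broad: wildcard subject matching every service account in every namespace.
WILDCARD_POLICY = trust_policy({
    "StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{OIDC_PROVIDER}:sub": "system:serviceaccount:*:*"}})

if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED_POLICY), ("aud-only", AUD_ONLY_POLICY), ("wildcard", WILDCARD_POLICY)]:
        print(name, audit_irsa_trust_policy(pol, OIDC_PROVIDER, [OPERATOR_SUBJECT]))
```

Run it against the real document with `json.load()` on the CLI output and your cluster's OIDC provider host (the issuer URL without `https://`); the multi-user case is covered by passing one subject per exchanged service account.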
```shell
# Get the latest [Helm release](https://github.com/helm/helm#install). Note: only Helm v3 is supported.
# Before installing JFrog Helm charts, add the [JFrog Helm repository](https://charts.jfrog.io) to your Helm client.
helm repo add jfrog https://charts.jfrog.io
# Update the Helm repo
helm repo update

# Decide on the namespace and Kubernetes service account name you want to create.
export SERVICE_ACCOUNT_NAME="<service account name>"
# External service accounts are also supported; for those, follow the multi-user installation details below.
# Setting SERVICE_ACCOUNT_NAME and ROLE_ARN is optional for multi-user installations (available from release 2.1.x).
# IAM role the service account assumes; it is set as the eks.amazonaws.com/role-arn annotation.
export ROLE_ARN="arn:aws:iam::000000000000:role/jfrog-operator-role"
export NAMESPACE="jfrog-operator"

# Install or upgrade the CRD. Apply the one that matches the operator's scope.
# Cluster scope:
kubectl apply -f https://raw.githubusercontent.com/jfrog/jfrog-registry-operator/refs/heads/master/config/crd/bases/apps.jfrog.com_secretrotators_cluster_scope.yaml
# Namespace scope:
kubectl apply -f https://raw.githubusercontent.com/jfrog/jfrog-registry-operator/refs/heads/master/config/crd/bases/apps.jfrog.com_secretrotators_namespaced_scope.yaml

# Install the JFrog secret rotator operator.
# serviceAccount.annotations is a map and Helm's --set treats dots as path separators,
# so the dots in the annotation key are escaped with backslashes.
helm upgrade --install secretrotator jfrog/jfrog-registry-operator \
  --set "serviceAccount.name=${SERVICE_ACCOUNT_NAME}" \
  --set "serviceAccount.annotations.eks\.amazonaws\.com/role-arn=${ROLE_ARN}" \
  --namespace "${NAMESPACE}" --create-namespace
```

In a multi-user scenario, create all service accounts via the Helm chart, each with its role ARN as an annotation. This also updates the ClusterRole to grant the necessary permissions to each specific service account.
Create a custom-values.yaml file with the service account details, then install the operator:

```yaml
exchangedServiceAccounts:
  - name: "sample-service-account"
    namespace: "<NAMESPACE>"
    annotations:
      eks.amazonaws.com/role-arn: <role arn>
```

```shell
helm upgrade --install secretrotator jfrog/jfrog-registry-operator --create-namespace -f custom-values.yaml -n ${NAMESPACE}
```
Important Note: After this, you can reference the service account name and namespace in custom resources. You may install multiple custom resources with different service account details.
Example:

```yaml
serviceAccount:
  name: "sample-service-account"
  namespace: "<NAMESPACE>"
```
Once the operator is running, configure artifactoryUrl, refreshTime, namespaceSelector, serviceAccount, generatedSecrets, artifactorySubdomains and secretMetadata in secretrotator.yaml.
Sample Manifest:

```yaml
apiVersion: apps.jfrog.com/v1alpha1
kind: SecretRotator
metadata:
  labels:
    app.kubernetes.io/name: secretrotators.apps.jfrog.com
    app.kubernetes.io/instance: secretrotator
    app.kubernetes.io/created-by: artifactory-secrets-rotator
  name: secretrotator
spec:
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: jfrog-operator
  generatedSecrets:
    - secretName: token-imagepull-secret
      secretType: docker
    # - secretName: token-generic-secret
    #   secretType: generic
  artifactoryUrl: "artifactory.example.com"
  authType: webIdentity # or: auto, podIdentity
  # artifactorySubdomains: []
  refreshTime: 30m
  # serviceAccount: # defaults to the operator's own service account name and namespace
  #   name: ""
  #   namespace: ""
  secretMetadata:
    annotations:
      annotationKey: annotationValue
    labels:
      labelName: labelValue
  security:
    enabled: false
    secretNamespace:
    ## NOTE: The CA secret may hold either ca.pem or ca.crt, but the key in the secret must be named exactly ca.crt or ca.pem.
    certificateSecretName:
    insecureSkipVerify: false # keep false: the access token is exchanged over this TLS connection
```

Note: spec.secretName is still accepted but will be deprecated; use spec.generatedSecrets instead.
Apply the secretrotator manifest:

```shell
kubectl apply -f /charts/jfrog-registry-operator/examples/secretrotator.yaml -n ${NAMESPACE}
```
To uninstall, delete the SecretRotator objects first, while the operator is still running, then the chart, then the CRD:

```shell
# Delete the secretrotator object (path should point to the secretrotator.yaml)
kubectl delete -f secretrotator.yaml -n ${NAMESPACE}
# Uninstall the secretrotator chart
helm uninstall secretrotator -n ${NAMESPACE}
# Remove the CRD from the cluster (this also deletes any remaining SecretRotator objects)
kubectl delete crd secretrotators.apps.jfrog.com
```

To upgrade, refresh the repo, re-apply the CRD for your scope, then upgrade the release with the same flags used at install time:

```shell
# Update the Helm repo
helm repo update
# Upgrade the CRD. Cluster scope:
kubectl apply -f https://raw.githubusercontent.com/jfrog/jfrog-registry-operator/refs/heads/master/config/crd/bases/apps.jfrog.com_secretrotators_cluster_scope.yaml
# Namespace scope:
kubectl apply -f https://raw.githubusercontent.com/jfrog/jfrog-registry-operator/refs/heads/master/config/crd/bases/apps.jfrog.com_secretrotators_namespaced_scope.yaml
# Upgrade the secretrotator release. ROLE_ARN is the IAM role the service account assumes,
# e.g. arn:aws:iam::000000000000:role/jfrog-operator-role; the dots in the annotation key
# are escaped because Helm's --set treats dots as path separators.
helm upgrade --install secretrotator jfrog/jfrog-registry-operator \
  --set "serviceAccount.name=${SERVICE_ACCOUNT_NAME}" \
  --set "serviceAccount.annotations.eks\.amazonaws\.com/role-arn=${ROLE_ARN}" \
  --namespace "${NAMESPACE}" --create-namespace
```

To verify the installation:

```shell
# Secrets in your namespace
kubectl get secrets -n ${NAMESPACE}
# Operator pod in your namespace
kubectl get po -n ${NAMESPACE}
# SecretRotator objects
kubectl get secretrotator
```

For monitoring, follow the monitoring setup docs.
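Seeing the secret listed is not the same as knowing it will work at pull time. The following script is an added example, not code from the JFrog Registry Operator: it takes the JSON that `kubectl get secret token-imagepull-secret -n jfrog-operator -o json` prints, confirms the secret is a `kubernetes.io/dockerconfigjson` secret with an auth entry for the Artifactory host, and compares the access token's `exp` claim with `spec.refreshTime`, since a refresh interval longer than the token's lifetime leaves a window in which pulls fail with an expired token. Two things are this example's assumptions rather than documented project behaviour: that the token is a JWT carrying an `exp` claim (as JFrog access tokens issued with an expiry are), and that `artifactorySubdomains` entries are addressed as `<subdomain>.<artifactoryUrl>`. The secret and token in the block are constructed; the token is only decoded to read `exp`, not verified.

```python
"""Audit a SecretRotator-generated image pull secret.

Added example (not part of the JFrog Registry Operator). Input is the JSON of the
generated secret as printed by `kubectl get secret <name> -o json`; the secret and
token used below are constructed for the example.
"""
import base64
import json
import re
import time

_DURATION_UNITS = {"h": 3600, "m": 60, "s": 1}


def parse_refresh_time(value: str) -> int:
    """Parse a Go-style duration such as "30m" or "1h30m" (the spec.refreshTime format) into seconds."""
    if not re.fullmatch(r"(\d+[hms])+", value):
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * _DURATION_UNITS[u] for n, u in re.findall(r"(\d+)([hms])", value))


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token: str) -> int:
    """Read the exp claim of a JWT. Inspection only: the signature is NOT verified here."""
    _header, payload, _signature = token.split(".")
    return int(json.loads(_b64url_decode(payload))["exp"])


def audit_pull_secret(secret: dict, artifactory_host: str, refresh_time: str,
                      subdomains=(), now=None) -> list:
    """Return a list of findings; an empty list means the secret is usable until the next rotation."""
    findings = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return [f"unexpected secret type {secret.get('type')!r}"]
    docker_config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    auths = docker_config.get("auths", {})
    # Assumption for this example: subdomain repositories are addressed as <subdomain>.<artifactory host>.
    expected_hosts = [artifactory_host] + [f"{s}.{artifactory_host}" for s in subdomains]
    missing = [h for h in expected_hosts if h not in auths]
    if missing:
        findings.append(f"no auth entry for {', '.join(missing)}")
    now = time.time() if now is None else now
    refresh_seconds = parse_refresh_time(refresh_time)
    for host, entry in auths.items():
        if "auth" in entry:  # "auth" is base64("username:password")
            _user, _, token = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            token = entry.get("password", "")
        if not token:
            findings.append(f"{host}: empty credential")
            continue
        remaining = jwt_expiry(token) - now
        if remaining <= 0:
            findings.append(f"{host}: token already expired")
        elif remaining < refresh_seconds:
            findings.append(f"{host}: token expires in {int(remaining)}s, before the next {refresh_time} rotation")
    return findings


def make_unsigned_token(exp: int) -> str:
    """Constructed, unsigned JWT standing in for a JFrog access token (example only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'sub': 'jfrt@example', 'exp': exp})}.sig"


def sample_secret(exp: int, host: str = "artifactory.example.com") -> dict:
    """Constructed stand-in for the generated secret: a dockerconfigjson secret wrapping the token."""
    auth = base64.b64encode(f"k8s-pull:{make_unsigned_token(exp)}".encode()).decode()
    docker_config = json.dumps({"auths": {host: {"auth": auth}}}).encode()
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(docker_config).decode()}}


NOW = 1_700_000_000  # fixed clock so the example is deterministic

if __name__ == "__main__":
    # Token outlives the 30m refresh interval: no findings.
    print(audit_pull_secret(sample_secret(NOW + 3600), "artifactory.example.com", "30m", now=NOW))
    # Token expires in 10 minutes but the next rotation is 30 minutes away: flagged.
    print(audit_pull_secret(sample_secret(NOW + 600), "artifactory.example.com", "30m", now=NOW))
```

Against a live cluster, feed `json.load()` of the kubectl output to `audit_pull_secret` with the `artifactoryUrl`, `refreshTime` and `artifactorySubdomains` values from your SecretRotator spec; a non-empty result means a pull scheduled between token expiry and the next rotation would fail.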
Please help us improve JFrog Registry Operator by reporting issues you encounter.
We welcome pull requests from the community. To help us improve this project, please read our Contribution guide.