Cloudsmith Integration with Codefresh

Codefresh is a CI/CD platform designed for Kubernetes and modern microservices, offering streamlined workflows for building, testing, and deploying applications with integrated Docker, Helm, and Kubernetes support.

Cloudsmith can seamlessly work with Codefresh to authenticate, consume, and publish artifacts from Cloudsmith in your Codefresh CI/CD pipelines.

Prerequisites:

• Cloudsmith Account: Ensure you have an active Cloudsmith account with a repository where your artifacts will be stored.
• Codefresh Account: Ensure you have an active Codefresh account.
• Kubernetes Cluster: A Kubernetes cluster where you can deploy your applications.

Artifact management with Cloudsmith and Codefresh

You can manage artifacts between Cloudsmith and Codefresh in several ways:

• Uploading Packages:
  • Use the Cloudsmith Command-Line Interface.
  • Use native package management tools such as Docker, pip gem or cargo.
  • Use Codefresh’s native Docker build and push steps for containerized workflows.
• Deploying Artifacts: Deploy Docker images and Helm charts stored in Cloudsmith repositories directly from Codefresh pipelines.

Authentication Options

• API Key: You can authenticate to Cloudsmith using an API key stored in Codefresh.
• OIDC Authentication: Alternatively, set up Codefresh as an OIDC provider to authenticate dynamically without manual credential management.

Adding Your Cloudsmith API Key in Codefresh

Steps to add encrypted variables in your Codefresh pipelines:

1. Open your Codefresh pipeline and go to the Settings tab.
2. Click on Environment Variables and select Add New Variable.
3. Provide a name (e.g., CLOUDSMITH_API_KEY), input the value, and toggle Encrypt Value to ensure it's secure.
4. You can reference the secret in your pipeline YAML like this: ${{CLOUDSMITH_API_KEY}}.

For more security options, Codefresh offers a Vault plugin from the Step Marketplace to handle key-value pairs dynamically. Refer to Vault Secrets in the Pipeline for more details.

Setup OIDC

To authenticate securely, set up Codefresh as an OIDC provider for Cloudsmith.

📘

OIDC Authentication

Codefresh does not support OIDC for Docker integrations natively. You can use OIDC for freestyle steps when using the Hybrid Runtime, which allows access to the Docker Daemon. From there, you can manually log in to Docker, build your image, and push it to Cloudsmith. However, this means you will not be able to use the built-in build and push steps provided by Codefresh. Instead, you'll need to handle the authentication and image operations within freestyle steps.

Add Codefresh as OIDC identity provider in Cloudsmith

Set up Codefresh as an OIDC provider for Cloudsmith. This allows your Codefresh pipelines to request Cloudsmith API tokens dynamically, without manual credential management.

1. Create a Service Account in Cloudsmith (required for OIDC to work with Cloudsmith).
2. Configure OpenID Connect in Cloudsmith:
   • Provider URL: https://oidc.codefresh.io
   • Claims: For example add your Codefresh account ID to restrict access. For more information on claims consult the Codefresh documentation.
   • Assign the service account you created earlier.

Obtain OIDC ID token from OIDC provider

Obtain the ID token from the Codefresh OIDC provider by using the obtain-oidc-id-token Marketplace step.

Add the step to your Codefresh pipeline’s workflow.

version: '1.0'  
steps:  
obtain_id_token:  
  title: Obtain ID Token  
  type: obtain-oidc-id-token

For more details, refer to the Cloudsmith OIDC documentation and Codefresh OIDC documentation.

Example Pipeline: Publish a Python Package to Cloudsmith

This example demonstrates how to authenticate and publish a Python package to Cloudsmith using OIDC in a Codefresh pipeline::

version: "1.0"
steps:
  obtain_id_token:
    title: "Obtain ID Token"
    type: obtain-oidc-id-token

  authenticate_with_cloudsmith:
    title: "Authenticate with Cloudsmith"
    image: "curlimages/curl:7.82.0"
    commands:
      - echo "Installing jq"
      - apk add --no-cache jq
      - |
        cloudsmith_token=$(curl -X POST -H "Content-Type: application/json" \
        -d "{\"oidc_token\":\"$ID_TOKEN\", \"service_slug\":\"${{CS_SERVICE_USER_NAME}}\"}" \
        https://api.cloudsmith.io/openid/${{CS_ORG}}/ | jq -r '.token')

        echo "Setting PIP_INDEX_URL with the obtained Cloudsmith token"
        export PIP_INDEX_URL="https://token:[email protected]/basic/${{CS_ORG}}/${{CS_REPO}}/python/simple/"
        cf_export PIP_INDEX_URL=$PIP_INDEX_URL

Replace CS_SERVICE_USER_NAME, CS_ORG, and CS_REPO with your service account, organization, and repository details. You can store these values as environment variables within your Codefresh pipeline.

Adding Cloudsmith as a Docker Registry in Codefresh

To add Cloudsmith as a Docker registry to Codefresh:

• Go to settings and select Pipeline Integrations
• Select Docker Registries and then click Add Registry Provider.
• Select Other Registries
• Define the following:
  • Registry name: A unique name for this configuration.
  • Username: Your Cloudsmith username.
  • Password: Your Cloudsmith API Key or password.
  • Domain: docker.cloudsmith.io
  • Prefix: For a Cloudsmith organziation followed by the repository e.g.CS_ORGANIZATION/CS_REPOSITORY

For more information consult the Docker Registry or Codefresh documentation.

Adding Cloudsmith Helm Repository in Codefresh

• Navigate to Helm Charts in CodeFresh:
  • In Codefresh, go to Artifacts > Helm Charts.
• Add Existing Helm Repository:
  • Click on Add Existing Helm Repository.
  • Repository Name: Enter a unique name (e.g., Cloudsmith Helm).
  • Repository URL:
    https://dl.cloudsmith.io/basic/OWNER/REPOSITORY/helm/charts/
    • Replace [OWNER] and [REPOSITORY] with your Cloudsmith organization and repository.
  • HELMREPO_PASSWORD
    • Add your Cloudsmith API token.
  • HELMREPO_USERNAME
    • Add your Cloudsmith username.
• Save the Repository.

Deploying Artifacts from Cloudsmith Using Codefresh

Codefresh offers several ways to deploy your Docker images and Helm charts to your Kubernetes cluster using artifacts stored in Cloudsmith:

• Using the Codefresh GUI to deploy to Kubernetes on demand.
  • Select Docker images from your connected Cloudsmith Docker registry.
  • Deploy Helm charts from your added Cloudsmith Helm repository.
• Deploying to Kubernetes from a Codefresh pipeline.
  • Reference Docker images stored in Cloudsmith in your pipeline steps.
  • Use the Helm step in your pipeline to deploy charts from your Cloudsmith Helm repository.
• Using the Kubernetes templating cf-deploy-kubernetes.
• Using custom kubectl commands in your Codefresh pipelines.
  • Execute kubectl commands within your pipeline, referencing artifacts from Cloudsmith.
• Using Helm deployment to Kubernetes.
• Utilizing GitOps with Argo CD:
  Integrate Argo CD with Codefresh for advanced GitOps deployments, using Cloudsmith as your artifact source.

For detailed instructions, refer to the Codefresh documentation on deployments.

Best Practices

• Use OIDC: For authentication, prefer OIDC over API keys for better security.
• Secure Credentials: Store sensitive information securely using Codefresh's encrypted variables or secret management features.
• Automate Deployments: Leverage Codefresh pipelines and GitOps practices to automate deployment steps, reducing manual intervention.
• Monitor Deployments: Use Codefresh's dashboards and integration with Argo CD to monitor deployment status and health.
• Follow GitOps Principles: Maintain your deployment manifests in Git repositories for version control and traceability.

Additional Resources

Cloudsmith Documentation:

• Helm Chart Repository
• Docker Registry
• OpenID Connect
• ArgoCD
• Octopus Deploy