Integrating Root Container Registry with JFrog Artifactory
This guide explains how to configure JFrog Artifactory as a pull-through cache for Root's Container Registry ( cr.root.io), allowing your organization to access Root's remediated container images through your existing Artifactory infrastructure.
Overview
By configuring Artifactory as a remote repository proxy for Root's registry, you can:
- Access Root's vulnerability-remediated images through your standard Artifactory workflows
- Cache images locally for faster subsequent pulls
- Apply your organization's access controls and policies
- Maintain a single source of truth for all container images
Prerequisites
- JFrog Artifactory Pro, Enterprise, or Cloud instance with admin access
- A Root Container Registry account and access token
- Docker client configured to authenticate with your Artifactory instance
Setup Instructions
Step 1: Create a Remote Docker Repository
- Log into your JFrog Platform UI
- Navigate to Administration → Repositories → Repositories
- Click + Add Repositories → Remote Repository
- Select Docker as the package type
Step 2: Configure Repository Settings
Configure the following settings in the Basic tab:
| Field | Value |
|---|---|
| Repository Key | root-containers |
| URL | https://cr.root.io |
Under Credentials, enter:
| Field | Value |
|---|---|
| Username | root |
| Password | Your Root access token |
Step 3: Configure Advanced Settings (Recommended)
In the Advanced tab, consider these settings:
| Setting | Recommended Value | Description |
|---|---|---|
| Store Artifacts Locally | Enabled | Caches pulled images in Artifactory |
| Retrieval Cache Period | 7200 seconds | How long to cache metadata before rechecking upstream |
| Missed Retrieval Cache Period | 1800 seconds | How long to cache "not found" responses |
| Block Mismatching MIME Types | Enabled | Security best practice |
Click Create Remote Repository to save.
Step 4: Test the Configuration
Verify the repository is working by navigating to Application → Artifactory → Artifacts, selecting your root-containers repository, and browsing the available images.
Pulling Images
Once configured, pull Root's remediated images through your Artifactory instance.
Direct Pull
# Authenticate with your Artifactory instance
docker login <your-instance>.jfrog.io
# Pull a remediated image through Artifactory
docker pull <your-instance>.jfrog.io/root-containers/<image>:<tag>Example
If you previously pulled an image directly from Root:
docker pull cr.root.io/library/nginx:1.25-patchedYou would now pull it through Artifactory:
docker pull mycompany.jfrog.io/root-containers/library/nginx:1.25-patchedOptional: Virtual Repository Setup
If your organization uses multiple container registries, you can create a Virtual Repository to aggregate them behind a single URL.
Create a Virtual Repository
- Navigate to Administration → Repositories → Repositories
- Click + Add Repositories → Virtual Repository
- Select Docker as the package type
- Configure:
| Field | Value |
|---|---|
| Repository Key | docker-virtual |
| Repositories | Select root-containers and any other Docker repositories |
| Default Deployment Repository | Your local Docker repository (for pushes) |
Pull Through Virtual Repository
Artifactory will resolve the image from the appropriate underlying repository.
docker pull <your-instance>.jfrog.io/docker-virtual/library/nginx:1.25-patchedKubernetes Integration
To use Root images through Artifactory in Kubernetes, update your image references and ensure your cluster has appropriate pull credentials.
Update Image References
# Before (direct from Root)
spec:
containers:
- name: app
image: cr.root.io/library/nginx:1.25-patched
# After (through Artifactory)
spec:
containers:
- name: app
image: mycompany.jfrog.io/root-containers/library/nginx:1.25-patchedCreate Image Pull Secret
kubectl create secret docker-registry artifactory-pull-secret \
--docker-server=<your-instance>.jfrog.io \
--docker-username=<artifactory-username> \
--docker-password=<artifactory-token> \
--namespace=<your-namespace>Reference the secret in your deployment:
spec:
imagePullSecrets:
- name: artifactory-pull-secretTroubleshooting
Authentication Errors
If you receive 401 Unauthorized errors when pulling images:
- Verify your Root access token is valid and correctly entered in the remote repository credentials
- Ensure the token has not expired
- Test direct access to
cr.root.iowith the same credentials to isolate whether the issue is with Root or Artifactory
Images Not Found
If images appear to be missing:
- Check that the image path matches exactly (Root's registry structure may differ from Docker Hub)
- Verify the remote repository URL is
https://cr.root.io(nothttp://) - Check Artifactory's remote repository logs for upstream errors
Slow Initial Pulls
The first pull of an image will be slower as Artifactory fetches it from Root's registry. Subsequent pulls will be served from Artifactory's cache. To pre-populate the cache, consider using Artifactory's Replication feature.
Support
- For issues with your Root account or access tokens, contact [email protected]
- For Artifactory configuration issues, refer to JFrog's documentation or contact JFrog support
Updated about 2 hours ago