Java and JVM library consumption in a large organization is typically managed by
a repository manager. Commonly used repository manager applications are
Cloudsmith, Google Artifact Registry, JFrog Artifactory, and Sonatype Nexus
Repository. The repository manager acts as a single point of access for
developers and development tools to retrieve the required libraries.
At a high level, adopting the use of Chainguard Libraries consists of the
following steps:
Add Chainguard Libraries as a remote repository for library retrieval.
Configure the Chainguard Libraries repository as the first choice for any
library access. This ensures that any future requests of new libraries access
the version supplied by Chainguard. Typically this is accomplished by creating a
group repository or virtual repository that combines the repository with other
external and internal repositories.
Additional steps depend on the desired insights and can include the following
optional measures:
Remove all cached artifacts in the proxy repository of Maven Central and other
repositories. This step allows you to validate which libraries are not
available from Chainguard Libraries and proceed with potential next steps with
Chainguard and your own development efforts.
Remove any repositories that are no longer desired or necessary. Depending on
your library requirements this step can result in removal of some proxy
repositories or even removal of all proxy repositories.
Adopting the use of a repository manager is the recommended approach. However,
if your organization does not use a repository manager, you can still use
Chainguard Libraries. All access to the Chainguard Libraries repository is then
distributed across all your build platforms and is therefore more complex to
configure and control.
Use the following steps to add a repository with the Maven Central Repository
and the Chainguard Libraries for Java repository as Maven upstream repositories.
Configure a java-all repository:
Log in as a user with administrator privileges.
Select the Repositories tab near the top of the screen.
On the Repositories page, click the + New repository button.
Enter the name java-all for your new repository. The name should
include java to identify the ecosystem. This convention helps
avoid confusion since repositories in Cloudsmith are multi-format.
Select a storage region that is appropriate for your organization and
infrastructure.
Press + Create Repository.
Configure an upstream proxy for the Maven Central Repository:
Click the name of the new java-public repository on the repositories
page to configure it.
Access the Upstreams tab and click + Add Upstream Proxy.
Configure an upstream proxy with the format Maven and the following details:
Configure another upstream proxy with the following details:
Name: java-public
Priority: 2
Upstream URL: https://repo1.maven.org/maven2/
Mode: Cache and Proxy
Press Create Upstream Proxy.
Configure an upstream proxy for the Chainguard Libraries for Java repository:
Click the name of the new java-chainguard repository on the repositories
page to configure it.
Access the Upstreams tab and click + Add Upstream Proxy.
Configure an upstream proxy with the format Maven and the following details:
Use this setup for initial testing with Chainguard Libraries for Java. For
production usage, add the java-chainguard upstream proxy to your production
repository.
Build tool access
The following steps allow you to determine the URL and authentication details
for accessing the repository:
Select the Packages tab.
Press Push/Pull Packages.
Choose the format Maven.
Copy the value in the <url> tag from the XML snippet with the
<repositories> entry. For example,
https://dl.cloudsmith.io/basic/exampleorg/java-all/maven/ with exampleorg
replaced with the name of your organization. Note that the name of the
repository java-all as well as maven as identifier for the format are
part of the URL.
Copy the username and password values block from the second code snippet for
authentication after choosing the desired authentication of Default or
API Key.
Choose a different format and the equivalent sections if you are using another
build tool such as Gradle.
Use the URL of the repository, the username, and the password for the server
authentication block in the build configuration and build a first test project.
In a working setup all libraries retrieved from Chainguard are tagged with the
name of the upstream proxy.
Google Artifact Registry
Google Artifact Registry supports the Maven format for hosting artifacts in
Standard repositories and proxying artifacts from public repositories in Remote
repositories. Use Virtual repositories to combine them for consumption with
Maven and other build tools. Use the Java package documentation for Google
Artifact Registry as the starting point for more details.
Initial configuration
Use the following steps to add the Maven Central Repository and the Chainguard
Libraries for Java repository as remote repositories and combine them as a
virtual repository:
Log in to the Google Cloud console as a user with administrator privileges.
Navigate to your project and find the Artifact Registry with the search.
Activate Artifact Registry if necessary.
Navigate to your project and find the Secret Manager with the search.
Use the Password from chainctl output to set the Secret value.
Press Create secret.
Navigate to Artifact Registry and select Repositories in the left hand
navigation under the Artifact Registry label to configure a remote
repository for the Maven Central Repository:
Press Create a Repository or the + button.
Set the Name to java-public.
Set the Format to Maven.
Select Remote for the Mode.
Select Maven Central for the Remote repository source.
Choose a suitable Region for your development in Location type.
Press Create.
Configure a remote repository for the Chainguard Libraries for Java repository:
Press the + button to add another repository.
Set the Name to java-chainguard.
Set the Format to Maven.
Select Remote for the Mode.
Select Custom for the Remote repository source.
Set the URL for the Custom repository to https://libraries.cgr.dev/java/.
Select Authenticated in Remote repository authentication mode.
Select the chainguard-libraries-java secret in the list for the Secret input.
Choose the same suitable Region for your development in Location type
as configured for the java-public repository.
Press Create.
Combine the two repositories in a new virtual repository:
Press the + button to add another repository.
Set the Name to java-all.
Set the Format to Maven.
Select Virtual for the Mode.
Press Add upstream repository in Virtual upstream repositories.
Use the Browse button to locate and select the java-chainguard
repository as Repository 1 and set the Policy name 1 to
java-chainguard.
Use the Browse button to locate and select the java-public repository
as Repository 1 and set the Policy name 1 to java-public.
Press Add upstream repository in Virtual upstream repositories.
Set the Priority value for the java-chainguard policy name to a higher
value than the java-public priority value.
Choose the same suitable Region for your development in Location type
as configured for the java-public repository.
Press Create.
Build tool access
The following steps allow you to configure your build tool for accessing the
repository:
Navigate to Artifact Registry and select Repositories in the left hand
navigation under the Artifact Registry label.
Click on the java-all repository name in the list of repositories.
Press the Setup instructions button and follow the documentation. Note
that you must add the extension
com.google.cloud.artifactregistry:artifactregistry-maven-wagon to each
project.
In a working setup, the chainguard remote repository contains all artifacts
retrieved from Chainguard.
Use the following steps to add the Maven Central Repository and the Chainguard
Libraries for Java repository as remote repositories and combine them as a
virtual repository:
Log in as a user with administrator privileges.
Press Administration in the top navigation bar.
Select Repositories in the left hand navigation.
Configure a remote repository for the Maven Central Repository:
Press Create a Repository and choose the Remote option.
Select Maven as the Package type.
Set the Repository Key to java-public.
Set the URL to https://repo1.maven.org/maven2/.
Deactivate Maven Settings - Handle Snapshots.
Press Create Remote Repository.
Configure a remote repository for the Chainguard Libraries for Java repository:
Press Create a Repository and choose the Remote option.
Access the Advanced configuration tab and deactivate the Block
Mismatching Mime Types setting in the Others section.
Press Create Remote Repository.
Combine the two repositories in a new virtual repository:
Press Create a Repository and choose the Virtual option.
Set the Repository Key to java-all.
Scroll down to the Repositories section.
Add the java-chainguard and java-public repositories. Ensure the
java-chainguard repository is the first in the displayed list. Use the icon
on the right of the repository name to drag and drop repositories into the
desired position.
Press Create Virtual Repository.
Use this setup for initial testing with Chainguard Libraries for Java. For
production usage add the java-chainguard repository to your production virtual
repository.
Build tool access
The following steps allow you to determine the URL and authentication details
for accessing the repository:
Press Administration in the top navigation bar.
Select Repositories in the left hand navigation.
Select the Virtual tab in the repositories view.
Locate the chainguard-maven* repository.
Hover over the row and click the … in the last column on the right.
Select Set Me Up in the dialog.
Press Generate Token & Create Instructions.
Copy the generated token value to use as the password for authentication.
Press Generate Settings.
Copy the value from a url field. They are all identical. For example,
https://exampleorg.jfrog.io/artifactory/java-all/ with exampleorg
replaced with the name of your organization.
Use the URL of the virtual repository in the build configuration and build a
first test project. In a working setup the chainguard remote repository contains
all libraries retrieved from Chainguard.
Sonatype Nexus Repository
Sonatype Nexus Repository includes a maven-public repository group out of the
box. It groups access to the Maven Central Repository from the maven-central
repository with the internal maven-releases and maven-snapshot repositories.
Refer to the Maven Repositories documentation for Nexus for more information.
If you are using this group, you can add a proxy repository for the Chainguard
Libraries for Java repository for production use.
Initial configuration
For initial testing and adoption it is advised to create a separate proxy
repository for the Maven Central Repository, a separate proxy repository for
the Chainguard Libraries for Java repository, and a separate repository group:
Log in as a user with administrator privileges.
Access the Server administration and configuration section with the gear
icon in the top navigation bar.
Configure a remote repository for the Maven Central Repository:
Select Repository - Repositories in the left hand navigation.
Press Create repository.
Select the maven2 (proxy) recipe.
Provide a new name java-public.
Ensure Maven 2 - Version policy is set to Release.
In the Proxy - Remote storage input add the URL https://repo1.maven.org/maven2/.
Press Create repository.
Configure a remote repository for the Chainguard Libraries for Java repository:
Select Repository - Repositories in the left hand navigation.
Press Create repository.
Select the maven2 (proxy) recipe.
Provide a new name java-chainguard.
Ensure Maven 2 - Version policy is set to Release.
In the Proxy - Remote storage input add the URL https://libraries.cgr.dev/java/.
Combine a new repository group and add the two repositories:
Select Repository - Repositories in the left hand navigation.
Press Create repository.
Select the maven2 (group) recipe.
Provide a new name java-all.
In the section Group - Member repositories, move the new repositories
java-public and java-chainguard to the right and move the
java-chainguard repository to the top of the list with the arrow control.
Build tool access
The following steps allow you to determine the URL and authentication details
for accessing the repository:
Click Browse in the Welcome view or the browse icon (cube) in the top
navigation bar.
Locate the URL column for the java-all repository group and press
copy. For example, https://repo.example.com/repository/java-all/ with
repo.example.com replaced with the hostname of your repository manager.
Copy the URL in the dialog.
Use your configured username and password unless Security - Anonymous
Access - Access - Allow anonymous users to access the server is
activated. Details vary based on your configured authentication system.
Use the URL of the repository group, such as
https://repo.example.com/repository/java-all/ or
https://repo.example.com/repository/maven-public/ in the build configuration and
build a first test project. In a working setup the java-chainguard proxy
repository contains all libraries retrieved from Chainguard.
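The first test project can also be checked from the build side. The following is an added example, not part of the original documentation: Maven writes a _remote.repositories tracking file next to each downloaded artifact in the local repository, recording the id of the repository that served it, and this script lists every file that did not come through the combined repository. It assumes the repository or mirror is declared with the id java-all in settings.xml; the sample tracking files are constructed.

```python
import sys
import tempfile
from pathlib import Path

EXPECTED_REPO_ID = "java-all"  # assumption: <id> of the repository/mirror in settings.xml


def parse_tracking_file(text):
    """Yield (artifact file name, repository id) pairs from _remote.repositories text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # header comment and timestamp lines
        key = line.split("=", 1)[0]  # entries look like "name.jar>repo-id="
        name, sep, repo_id = key.rpartition(">")
        if sep:
            yield name, repo_id


def audit_local_repo(root, expected=EXPECTED_REPO_ID):
    """Return sorted (path, repo id) for files downloaded from any other repository."""
    findings = []
    for tracker in Path(root).rglob("_remote.repositories"):
        text = tracker.read_text(encoding="utf-8", errors="replace")
        for name, repo_id in parse_tracking_file(text):
            # An empty id marks a locally installed artifact, not a download.
            if repo_id and repo_id != expected:
                rel = (tracker.parent / name).relative_to(root).as_posix()
                findings.append((rel, repo_id))
    return sorted(findings)


def build_sample_repo(root):
    """Write constructed tracking files that imitate a local repository after a build."""
    samples = {
        "org/example/lib-a/1.0": "#NOTE: constructed sample\nlib-a-1.0.jar>java-all=\n",
        "org/example/lib-b/2.1": "lib-b-2.1.jar>central=\nlib-b-2.1.pom>java-all=\n",
        "org/example/app/0.1": "app-0.1.jar>=\n",
    }
    for rel, text in samples.items():
        directory = Path(root) / rel
        directory.mkdir(parents=True)
        (directory / "_remote.repositories").write_text(text, encoding="utf-8")


if __name__ == "__main__":
    # Pass a local repository path (e.g. ~/.m2/repository); default is the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample_repo(target)
    for path, repo_id in audit_local_repo(target):
        print(f"{repo_id}\t{path}")
```

Run it against a freshly emptied local repository after the test build; any line of output names a file that was fetched from a repository other than java-all, which usually points to a repository declared directly in a pom.xml or a missing mirror setting.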