jfrog · shahiinn · Apr 13, 2026
diff --git a/helm/templates/configmap-setup.yaml b/helm/templates/configmap-setup.yaml
@@ -53,45 +53,60 @@ data:
     fi
     export JFROG_CREDENTIAL_PROVIDER_BINARY_URL="${JFROG_CREDENTIAL_PROVIDER_BINARY_URL}-${ARCH_SUFFIX}"
 
-    # Pull the jfrog-credential-provider binary
-    echo "Downloading the jfrog-credential-provider binary (${JFROG_CREDENTIAL_PROVIDER_BINARY_URL})"
-    curl -L -f -o ${KUBELET_MOUNT_PATH}${JFROG_CREDENTIAL_PROVIDER_BINARY_DIR}/{{ .name }} "${JFROG_CREDENTIAL_PROVIDER_BINARY_URL}"
-
-    if [[ $? -ne 0 ]]; then
-        echo "Downloading (${JFROG_CREDENTIAL_PROVIDER_BINARY_URL}) failed"
-
-        # Wait and exit to allow pod to restart (ugly yet simple solution for when the cluster DNS service is not ready yet)
-        log "Sleeping for 10 seconds before exiting"
-        sleep 10
-        exit 1
+    # Acquire the jfrog-credential-provider binary (AMI path, download with auth, or anonymous download)
+    if [ -n "${LOCAL_BINARY_HOST_PATH}" ]; then
+        log "Using AMI-baked binary: /local-binary/{{ .name }}-${ARCH_SUFFIX}"
+        cp /local-binary/{{ .name }}-${ARCH_SUFFIX} ${KUBELET_MOUNT_PATH}${JFROG_CREDENTIAL_PROVIDER_BINARY_DIR}/{{ .name }}
+        if [[ $? -ne 0 ]]; then
+            log "Failed to copy binary from /local-binary/{{ .name }}-${ARCH_SUFFIX}"
+            log "Sleeping for 10 seconds before exiting"
+            sleep 10
+            exit 1
+        fi
     else
-        echo "Successfully downloaded the jfrog-credential-provider binary from Artifactory"
-        # Make the binary executable
-        echo "Making the jfrog-credential-provider binary executable"
-        chmod +x ${KUBELET_MOUNT_PATH}${JFROG_CREDENTIAL_PROVIDER_BINARY_DIR}/{{ .name }}
-
-        {{- if or (eq $cloudProvider "gcp") (eq $cloudProvider "azure") }}
-        echo "Copying the /etc/${JFROG_CONFIG_FILE}.yaml configuration file to ${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}/${JFROG_CONFIG_FILE}.yaml"
-        cp -f "/etc/${JFROG_CONFIG_FILE}.yaml" "${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}/${JFROG_CONFIG_FILE}.yaml"
-        sleep 2 # Wait a bit to ensure the file is copied before proceeding
-        nsenter -t 1 -m -p -- ${JFROG_CREDENTIAL_PROVIDER_BINARY_DIR}/{{ .name }} add-provider-config --yaml --provider-home "${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}" --provider-config "${KUBELET_CREDENTIAL_PROVIDER_CONFIG_FILE_NAME}"
-        {{- else if eq $cloudProvider "aws" }}
-        echo "Copying the /etc/${JFROG_CONFIG_FILE}.json configuration file to ${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}/${JFROG_CONFIG_FILE}.json"
-        cp -f "/etc/${JFROG_CONFIG_FILE}.json" "${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}/${JFROG_CONFIG_FILE}.json"
-        sleep 2 # Wait a bit to ensure the file is copied before proceeding
-        nsenter -t 1 -m -p -- ${JFROG_CREDENTIAL_PROVIDER_BINARY_DIR}/{{ .name }} add-provider-config --provider-home "${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}" --provider-config "${KUBELET_CREDENTIAL_PROVIDER_CONFIG_FILE_NAME}"
-        {{- end }}
+        # Build curl authentication arguments
+        CURL_AUTH_ARGS=()
+        if [ -n "${DOWNLOAD_ACCESS_TOKEN}" ]; then
+            CURL_AUTH_ARGS=(-H "Authorization: Bearer ${DOWNLOAD_ACCESS_TOKEN}")
+        elif [ -n "${DOWNLOAD_USERNAME}" ]; then
+            CURL_AUTH_ARGS=(-u "${DOWNLOAD_USERNAME}:${DOWNLOAD_PASSWORD}")
+        fi
 
+        log "Downloading the jfrog-credential-provider binary (${JFROG_CREDENTIAL_PROVIDER_BINARY_URL})"
+        curl -L -f "${CURL_AUTH_ARGS[@]}" -o ${KUBELET_MOUNT_PATH}${JFROG_CREDENTIAL_PROVIDER_BINARY_DIR}/{{ .name }} "${JFROG_CREDENTIAL_PROVIDER_BINARY_URL}"
 
         if [[ $? -ne 0 ]]; then
-            echo "Updating the kubelet configuration failed"
+            log "Downloading (${JFROG_CREDENTIAL_PROVIDER_BINARY_URL}) failed"
+            log "Sleeping for 10 seconds before exiting"
+            sleep 10
             exit 1
         fi
+    fi
 
-        log "The final ${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_PATH}:"
-        cat ${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_PATH}
+    log "Successfully acquired the jfrog-credential-provider binary"
+    log "Making the jfrog-credential-provider binary executable"
+    chmod +x ${KUBELET_MOUNT_PATH}${JFROG_CREDENTIAL_PROVIDER_BINARY_DIR}/{{ .name }}
+
+    {{- if or (eq $cloudProvider "gcp") (eq $cloudProvider "azure") }}
+    echo "Copying the /etc/${JFROG_CONFIG_FILE}.yaml configuration file to ${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}/${JFROG_CONFIG_FILE}.yaml"
+    cp -f "/etc/${JFROG_CONFIG_FILE}.yaml" "${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}/${JFROG_CONFIG_FILE}.yaml"
+    sleep 2 # Wait a bit to ensure the file is copied before proceeding
+    nsenter -t 1 -m -p -- ${JFROG_CREDENTIAL_PROVIDER_BINARY_DIR}/{{ .name }} add-provider-config --yaml --provider-home "${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}" --provider-config "${KUBELET_CREDENTIAL_PROVIDER_CONFIG_FILE_NAME}"
+    {{- else if eq $cloudProvider "aws" }}
+    echo "Copying the /etc/${JFROG_CONFIG_FILE}.json configuration file to ${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}/${JFROG_CONFIG_FILE}.json"
+    cp -f "/etc/${JFROG_CONFIG_FILE}.json" "${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}/${JFROG_CONFIG_FILE}.json"
+    sleep 2 # Wait a bit to ensure the file is copied before proceeding
+    nsenter -t 1 -m -p -- ${JFROG_CREDENTIAL_PROVIDER_BINARY_DIR}/{{ .name }} add-provider-config --provider-home "${KUBELET_CREDENTIAL_PROVIDER_CONFIG_DIR}" --provider-config "${KUBELET_CREDENTIAL_PROVIDER_CONFIG_FILE_NAME}"
+    {{- end }}
+
+    if [[ $? -ne 0 ]]; then
+        echo "Updating the kubelet configuration failed"
+        exit 1
     fi
 
+    log "The final ${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_PATH}:"
+    cat ${KUBELET_MOUNT_PATH}${KUBELET_CREDENTIAL_PROVIDER_CONFIG_PATH}
+
     log "Done updating the kubelet config"
 
 

diff --git a/helm/templates/daemonset.yaml b/helm/templates/daemonset.yaml
@@ -41,6 +41,29 @@ spec:
           env:
             - name: JFROG_CREDENTIAL_PROVIDER_BINARY_URL
               value: {{ .Values.downloadUrl | quote }}
+            - name: LOCAL_BINARY_HOST_PATH
+              value: {{ .Values.localBinaryHostPath | quote }}
+            {{- $authSecret := .Values.binaryDownload.auth.existingSecret | default (printf "%s-download-auth" (include "jfrog-credential-provider.fullname" .)) }}
+            {{- if or .Values.binaryDownload.auth.existingSecret .Values.binaryDownload.auth.username .Values.binaryDownload.auth.accessToken }}
+            - name: DOWNLOAD_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $authSecret }}
+                  key: username
+                  optional: true
+            - name: DOWNLOAD_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $authSecret }}
+                  key: password
+                  optional: true
+            - name: DOWNLOAD_ACCESS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $authSecret }}
+                  key: accessToken
+                  optional: true
+            {{- end }}
           command:
             - /bin/bash
             - -c
@@ -68,6 +91,10 @@ spec:
               subPath: jfrog-provider.yaml
               name: {{ include "jfrog-credential-provider.fullname" . }}-config
             {{- end }}
+            {{- if .Values.localBinaryHostPath }}
+            - name: local-binary
+              mountPath: /local-binary
+            {{- end }}
             {{- if .Values.customVolumeMounts }}
             {{- .Values.customVolumeMounts | nindent 12 }}
             {{- end }}
@@ -109,6 +136,12 @@ spec:
         - name: {{ include "jfrog-credential-provider.fullname" . }}-config
           configMap:
             name: {{ include "jfrog-credential-provider.fullname" . }}-config
+        {{- if .Values.localBinaryHostPath }}
+        - name: local-binary
+          hostPath:
+            path: {{ .Values.localBinaryHostPath }}
+            type: Directory
+        {{- end }}
         {{- if .Values.customVolumes }}
         {{- .Values.customVolumes | nindent 8 }}
         {{- end }}

diff --git a/helm/templates/secret-download-auth.yaml b/helm/templates/secret-download-auth.yaml
@@ -0,0 +1,15 @@
+{{- if and (not .Values.binaryDownload.auth.existingSecret)
+           (or .Values.binaryDownload.auth.username .Values.binaryDownload.auth.accessToken) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "jfrog-credential-provider.fullname" . }}-download-auth
+  namespace: {{ include "jfrog-credential-provider.namespace" . }}
+  labels:
+    {{- include "jfrog-credential-provider.labels" . | nindent 4 }}
+type: Opaque
+data:
+  username: {{ .Values.binaryDownload.auth.username | b64enc }}
+  password: {{ .Values.binaryDownload.auth.password | b64enc }}
+  accessToken: {{ .Values.binaryDownload.auth.accessToken | b64enc }}
+{{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -5,6 +5,29 @@
 # The chart will automatically append the architecture suffix (-amd64 or -arm64)
 downloadUrl: "https://releases.jfrog.io/artifactory/run/jfrog-credentials-provider/1.0.1/jfrog-credential-provider-linux"
 
+# Offline / AMI-baked binary mode.
+# If set, the curl download is skipped entirely. The value must be the directory path on the node
+# (baked into the AMI or placed by node bootstrap) that contains the provider binaries.
+# Expected filenames inside that directory:
+#   jfrog-credential-provider-linux-amd64
+#   jfrog-credential-provider-linux-arm64
+# Example: localBinaryHostPath: "/opt/jfrog-cp"
+localBinaryHostPath: ""
+
+# Authentication for downloading the provider binary from a private Artifactory instance.
+# Leave all fields empty for anonymous/public download (default behaviour).
+binaryDownload:
+  auth:
+    # Name of an existing Kubernetes Secret containing download credentials.
+    # The Secret must have fixed keys: username, password, accessToken.
+    # When set, the inline username/password/accessToken fields below are ignored.
+    existingSecret: ""
+    # Inline credentials — the chart creates a Secret automatically from these values.
+    # Use either username + password  OR  accessToken alone, not both.
+    username: ""
+    password: ""
+    accessToken: ""
+
 # Affinity rules for pod scheduling
 affinity: {}