UNCLASSIFIED - NO CUI

Update Ironbank

This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| gluon | patch | 0.9.2 -> 0.9.7 |
| ironbank/sonatype/nexus/nexus (source) | minor | 3.84.0 -> 3.88.0-08 |
| ironbank/sonatype/nexus/nexus (source) | minor | 3.84.0-03 -> 3.88.0-08 |
| nxrm-ha | major | 84.0.0 -> 88.0.0 |
| registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal (source) | minor | 9.5 -> 9.7 |
| registry1.dso.mil/ironbank/sonatype/nexus/nexus (source) | minor | 3.84.0-03 -> 3.88.0-08 |

Complete MR checklist

Assignee

  • Followed upgrade instructions outlined in docs/DEVELOPMENT_MAINTENANCE.md
  • Update Docs with new/updated steps as needed
  • Tested and Validated Changes made with supporting info like logs or screenshots from test pipelines

Add supporting info below

NOTE: Upgrade skipped due to being moved to maintained, so it will fail as main / previous tag has wrong test-values.

Clean install passing (pipeline screenshots omitted)

nexusRepositoryManager (OSS) -> nxrm-ha (OSS) migration successful


Reviewer only

  • Tested and Validated changes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this MR, check this box

This MR was automatically generated by Renovate Bot.

Upgrade Notices

Important: New Package Introduction

NXRM-HA (Nexus Repository Manager High Availability) is a new Big Bang package that replaces the legacy nexus-repository-manager addon.

What is NXRM-HA?

NXRM-HA is the official Sonatype-supported Helm chart for deploying Nexus Repository Manager in production environments. This package provides:

  • High Availability Support: Deploy Nexus Repository Manager Pro in a highly available, multi-node configuration
  • Production-Ready Architecture: Built-in support for external databases (PostgreSQL, AWS RDS) and object storage (S3, Azure Blob)
  • Enterprise Features: Full support for Nexus Repository Manager Pro features including clustering, replication, and advanced security
  • Active Maintenance: Direct support and updates from Sonatype, ensuring compatibility with the latest Nexus Repository Manager versions
  • Improved Scalability: Better resource management and horizontal scaling capabilities

Big Bang Integration Model Change

IMPORTANT: NXRM-HA uses a fundamentally different integration model than the legacy nexus-repository-manager addon. Understanding this change is critical for a successful migration.

How the Legacy Addon Worked

With the old addons.nexusRepositoryManager pattern, the Big Bang umbrella chart was responsible for computing and injecting integration values into the addon chart at deploy time. Big Bang's templates would read your global configuration (domain, istio.*, networkPolicies.*, monitoring.*) and generate the appropriate values for the addon automatically. The addon chart itself had no opinion about Big Bang — it simply received whatever Big Bang passed down.

```yaml
# Old pattern: Big Bang injected these values automatically at render time
# Users never saw or managed these — Big Bang handled it
domain: {{ .Values.domain }}
istio:
  enabled: {{ .Values.istio.enabled }}
  hardened:
    enabled: {{ .Values.istiod.values.hardened.enabled }}
networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
monitoring:
  enabled: {{ .Values.monitoring.enabled }}
```

How NXRM-HA Works Now

NXRM-HA is a self-contained package that ships with Big Bang defaults baked directly into its values.yaml. The chart assumes it is being deployed into a Big Bang environment and enables all integrations by default:

  • istio.enabled: true with mtls.mode: STRICT and hardened AuthorizationPolicies
  • networkPolicies.enabled: true with default-deny and controlled ingress/egress rules
  • monitoring.enabled: true with a ServiceMonitor for Prometheus
  • routes configured for istio-gateway/public-ingressgateway
  • domain: dev.bigbang.mil as the default domain

Big Bang no longer computes or injects these values. The chart owns its own defaults and users are responsible for overriding any values that differ from their Big Bang environment.

What This Means for You

| Concern | Action Required |
|---|---|
| Domain | Override domain if yours differs from dev.bigbang.mil |
| Istio | Defaults assume Istio is deployed with STRICT mTLS. Set istio.enabled: false if not using Istio |
| Istio Gateway | Routes reference istio-gateway/public-ingressgateway. Override routes.inbound.nexus.gateways if your gateway differs |
| Network Policies | Enabled by default with bb-common. Set networkPolicies.enabled: false if not using network policies |
| Monitoring | Assumes Prometheus in monitoring namespace. Set monitoring.enabled: false if not using monitoring |
| AuthorizationPolicies | Custom policies reference istio-gateway and monitoring namespaces. Override if your namespace names differ |

bb-common Library Chart

NXRM-HA leverages the bb-common Helm library chart for generating network policies and Istio-related resources (AuthorizationPolicies, PeerAuthentication). This replaces the hand-written templates used in the legacy chart. Please refer to this blog post for additional information.

Migration Required

WARNING: Upgrading from the legacy nexus-repository-manager chart to nxrm-ha requires a migration process. This is NOT a simple in-place upgrade.

Before You Upgrade

  1. READ THE MIGRATION DOCUMENTATION: Choose the appropriate guide for your license type (see below)
  2. PLAN FOR DOWNTIME: The migration process requires a maintenance window
  3. BACKUP YOUR DATA: Ensure you have current backups of:
    • Repository data and blob stores
    • Configuration settings
    • Database (if using external database)
  4. TEST IN NON-PRODUCTION: Always test the migration process in a development or staging environment first

Key Differences from Legacy Chart

  • Deployment Pattern: Uses packages: instead of addons: — the legacy addons.nexusRepositoryManager is replaced by packages.nxrm-ha
  • Integration Model: Big Bang defaults are baked into the chart's values.yaml — Big Bang no longer injects them. You are responsible for ensuring your overrides match your environment.
  • Resource Names: All resources now use nxrm-ha prefix instead of nexus-repository-manager
  • Namespace: Deploys to nxrm-ha namespace by default instead of nexus-repository-manager
  • Database Requirement: PostgreSQL is required — embedded H2 is no longer supported in Kubernetes deployments
  • Configuration Structure: Upstream Sonatype chart values are nested under the upstream: key

```yaml
# Legacy nexus-repository-manager pattern (addons)
# Big Bang automatically injected istio, networkPolicies, monitoring, domain
addons:
  nexusRepositoryManager:
    enabled: true
    values:
      image:
        repository: registry1.dso.mil/ironbank/sonatype/nexus/nexus
        tag: 3.88.0-08
      resources:
        requests:
          cpu: "4"
          memory: "4Gi"

# New nxrm-ha pattern (packages)
# Chart ships with Big Bang defaults — override what differs in your environment
packages:
  nxrm-ha:
    enabled: true
    git:
      repo: https://repo1.dso.mil/big-bang/product/maintained/nxrm-ha.git
      path: "./chart"
      tag: "88.0.0-bb.0"
    values:
      domain: example.bigbang.mil  # Override to match your Big Bang domain
      # Upstream Sonatype chart values go under 'upstream' key
      upstream:
        statefulset:
          container:
            image:
              repository: registry1.dso.mil/ironbank/sonatype/nexus/nexus
              nexusTag: 3.88.0-08
            resources:
              requests:
                cpu: "4"
                memory: "4Gi"
```

Migration Guides

Choose the migration guide based on your Nexus Repository Manager license type and database configuration:

OSS (Open Source) / Development Users

For migrations from Nexus Repository Manager OSS with embedded H2 database:

OSS Migration Guide

This guide covers:

  • H2 to PostgreSQL database migration using nexus-db-migrator tool
  • Blob data migration between PVCs
  • Network policies for cross-namespace PostgreSQL access
  • Post-migration repair tasks

Estimated Downtime: 30-60 minutes (depends on data volume)

Pro (Commercial License) / Production Users

For migrations from Nexus Repository Manager Pro with external PostgreSQL:

Pro Migration Guide

This guide covers:

  • Chart architecture migration (Deployment to StatefulSet)
  • Database credential and admin password configuration
  • High availability configuration with Pro license
  • S3/Azure blob store configuration

Estimated Downtime: 30-45 minutes

Values Mapping Reference

| Configuration | Old Chart Location | New Chart Location |
|---|---|---|
| Hostname/Domain | hostname, domain | hostname, domain (unchanged) |
| Admin Password | custom_admin_password | custom_admin_password (unchanged) |
| Database Config | Env vars + secrets | nexus.database.host, nexus.database.user, nexus.database.password |
| Istio | istio.* | istio.* (unchanged) |
| Network Policies | networkPolicies.* | networkPolicies.* (unchanged) |
| Monitoring | monitoring.* | monitoring.* (unchanged) |
| SSO/SAML | sso.* | sso.* (unchanged) |
| Blob Stores | nexus.blobstores.* | nexus.blobstores.* (unchanged) |
| Image | image.repository, image.tag | upstream.statefulset.container.image.repository, upstream.statefulset.container.image.nexusTag |
| Resources | resources.* | upstream.statefulset.container.resources.* |
| Service Account | serviceAccount.* | upstream.serviceAccount.* |
| Environment Vars | env.* | upstream.statefulset.container.env.* |
| Probes | livenessProbe.*, readinessProbe.* | upstream.statefulset.livenessProbe.*, upstream.statefulset.readinessProbe.* |
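As an added example (not part of this MR, the Big Bang umbrella chart or the nxrm-ha chart), the following Python script applies the values mapping table above to a legacy addons.nexusRepositoryManager values block, reports any legacy keys the table does not cover so they are not silently dropped, and then checks the result against a description of the real environment to list which of the chart's baked-in Big Bang defaults (domain, istio.enabled, networkPolicies.enabled, monitoring.enabled, routes.inbound.nexus.gateways, as listed under "What This Means for You") still need an override. The key paths and defaults come from the MR text; the sample legacy values, the EXAMPLE_VAR env entry, the nexusDbName key, the private-ingressgateway name and the shape of the environment dict are constructed placeholders and assumptions of this example.

```python
import copy

# Old chart key path -> new chart key path, taken from the values mapping
# table in this MR. Paths are tuples of nested keys.
KEY_MOVES = {
    ("image", "repository"): ("upstream", "statefulset", "container", "image", "repository"),
    ("image", "tag"): ("upstream", "statefulset", "container", "image", "nexusTag"),
    ("resources",): ("upstream", "statefulset", "container", "resources"),
    ("serviceAccount",): ("upstream", "serviceAccount"),
    ("env",): ("upstream", "statefulset", "container", "env"),
    ("livenessProbe",): ("upstream", "statefulset", "livenessProbe"),
    ("readinessProbe",): ("upstream", "statefulset", "readinessProbe"),
}

# Top-level keys the table marks "(unchanged)": copied through as-is.
UNCHANGED_KEYS = ("hostname", "domain", "custom_admin_password", "istio",
                  "networkPolicies", "monitoring", "sso", "nexus")

# Big Bang defaults baked into the nxrm-ha chart, as listed in the MR text.
CHART_DEFAULT_DOMAIN = "dev.bigbang.mil"
CHART_DEFAULT_GATEWAY = "istio-gateway/public-ingressgateway"


def _get(tree, path, default=None):
    """Return the value at a nested key path, or default if any key is missing."""
    node = tree
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def _set(tree, path, value):
    """Create intermediate dicts as needed and store value at the nested path."""
    node = tree
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def migrate_values(legacy):
    """Translate addons.nexusRepositoryManager.values into packages.nxrm-ha.values.

    Returns (new_values, unmapped). unmapped lists legacy top-level keys the
    mapping table does not cover; those need manual review (for example the
    legacy database env vars, which become nexus.database.* in the new chart).
    """
    new = {}
    for old_path, new_path in KEY_MOVES.items():
        value = _get(legacy, old_path)
        if value is not None:
            _set(new, new_path, copy.deepcopy(value))
    for key in UNCHANGED_KEYS:
        if key in legacy:
            new[key] = copy.deepcopy(legacy[key])
    handled = {path[0] for path in KEY_MOVES} | set(UNCHANGED_KEYS)
    unmapped = sorted(k for k in legacy if k not in handled)
    return new, unmapped


def required_overrides(values, environment):
    """List chart defaults that conflict with the real Big Bang environment.

    environment (assumed shape for this example) has keys: domain (str),
    istio (bool), network_policies (bool), monitoring (bool), gateway (str).
    Returns dotted keys to set in packages.nxrm-ha.values, with their values.
    """
    overrides = {}
    if _get(values, ("domain",), CHART_DEFAULT_DOMAIN) != environment["domain"]:
        overrides["domain"] = environment["domain"]
    for env_key, chart_key in (("istio", "istio"),
                               ("network_policies", "networkPolicies"),
                               ("monitoring", "monitoring")):
        enabled = _get(values, (chart_key, "enabled"), True)  # chart default: on
        if enabled and not environment[env_key]:
            overrides[f"{chart_key}.enabled"] = False
    gateways = _get(values, ("routes", "inbound", "nexus", "gateways"),
                    [CHART_DEFAULT_GATEWAY])
    # Gateway only matters when Istio is actually in use in the environment.
    if environment["istio"] and environment["gateway"] not in gateways:
        overrides["routes.inbound.nexus.gateways"] = [environment["gateway"]]
    return overrides


# Constructed sample: the legacy block from this MR plus an env entry and one
# key the table does not cover, to show that unmapped keys are reported.
LEGACY_VALUES = {
    "image": {"repository": "registry1.dso.mil/ironbank/sonatype/nexus/nexus",
              "tag": "3.88.0-08"},
    "resources": {"requests": {"cpu": "4", "memory": "4Gi"}},
    "env": [{"name": "EXAMPLE_VAR", "value": "example"}],   # hypothetical
    "nexusDbName": "nexus",                                 # hypothetical, unmapped
}

# Constructed environment that differs from the chart's baked-in defaults.
EXAMPLE_ENVIRONMENT = {
    "domain": "example.bigbang.mil",
    "istio": True,
    "network_policies": True,
    "monitoring": False,
    "gateway": "istio-gateway/private-ingressgateway",  # hypothetical gateway
}

if __name__ == "__main__":
    new_values, unmapped = migrate_values(LEGACY_VALUES)
    print("packages.nxrm-ha.values:", new_values)
    print("review manually:", unmapped)
    print("overrides needed:", required_overrides(new_values, EXAMPLE_ENVIRONMENT))
```

The unmapped list is deliberately returned rather than discarded: a migration that quietly drops a legacy key (database settings in particular) is the kind of silent change that surfaces only after the maintenance window has closed.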

Support

For questions or issues during migration:

Edited by Matt Vasquez
