UNCLASSIFIED

Commit 393aeaae authored by Grant Duncklee

feat: support for encrypted license

baseline documentation, saml.yaml
parent 50813aec
* @kevin.wilder @ariel.shnitzer @grant.duncklee #followup and see who else belongs here
\ No newline at end of file * @grant.duncklee
# Sonatype Nexus # Sonatype Nexus Repository Manager (NXRM)
Source of truth for components, artifacts, binaries, etc. Source of truth for components, artifacts, binaries, etc.
This chart was sourced from This chart was sourced from [Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with minimal changes.
[Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with
minimal changes.
## Prerequisites ## Prerequisites
- Kubernetes Cluster deployed - Kubernetes Cluster deployed
- Kubernetes config installed in ~/.kube/config - Kubernetes config installed in ~/.kube/config
- Helm installed - Helm installed
- Keycloak (Optional - SSO)
- Sonatype NXRM License. Required for SAML integration
## Iron Bank ## Iron Bank
You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus). You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus).
## Helm ## Helm
Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration)
Please reference complete list of providable variables
[here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration)
```bash ```bash
git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git
helm install nexus-repository-manager chart helm install nexus-repository-manager chart
``` ```
## BigBang Additions, Comments, and Important Information
### SAML/SSO Integration
BigBang requires/prefers SAML/SSO integration out of the box; unfortunately, the upstream Helm chart did not have a
solution at the drafting of this integration. To achieve our goal, we added a Kubernetes job that handles the SAML/SSO
integration. To enable this functionality, ensure `sso.enabled` is set to `true`; you will additionally require a
Keycloak instance, the IDP metadata file, along with other parameters you may defined in `sso.idp_data`. Our
implementation closely follows the [Sonatype SAML Integration](https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak) documentation.
Retrieve a list of all available privileges:
`curl -X GET "https://{{ base_url }}/service/rest/v1/security/privileges" -H "accept: application/json"`
### Random Admin Password
NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The
problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are
leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password
on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This
method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes
secret to enable programmatic ingestion.
Ensure the following is present to enable the randomized Kubernetes password:
```bash
# values.yaml
nexus:
env:
- name: NEXUS_SECURITY_RANDOMPASSWORD
key: "true"
...
secret:
enabled: true
mountPath: /nexus-data/admin.password
subPath: admin.password
readOnly: true
```
### License
We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64
encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl`
will create a named template and generate the appropriate secret within the namespace. The chart will reference the
license via a secret volumeMount to ensure the application starts licensed.
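Review bot: In the README's values.yaml sample under "Random Admin Password", the env entry is written as `key: "true"`, while the chart's own values.yaml sets NEXUS_SECURITY_RANDOMPASSWORD with `value: "true"`; a container env entry takes `name` and `value`, so anyone copying the sample will not set the variable. Change it to `value: "true"` and tag the fence as yaml rather than bash. The License section points at `.Values.addons.nexusRepositoryManager.license_key`, but the helper in this commit reads `.Values.license_key`; say explicitly that the first is the Big Bang umbrella path and the second is this chart's key. Wording slips to fix in the same pass: "The problem with this approach it the user" and "parameters you may defined".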
apiVersion: v1 apiVersion: v2
name: sonatype-nexus name: nexus-repository-manager
version: 4.2.0
appVersion: 3.27.0 version: 29.1.0-bb.0
description: Sonatype Nexus is an open source repository manager appVersion: 3.29.0
description: Sonatype Nexus Repository Manager - Universal Binary repository
type: application
keywords: keywords:
- artifacts - artifacts
- dependency - dependency
...@@ -10,16 +15,14 @@ keywords: ...@@ -10,16 +15,14 @@ keywords:
- sonatype - sonatype
- nexus - nexus
- repository - repository
- quickstart
- ci
- repository-manager
- nexus3
home: https://www.sonatype.com/nexus-repository-oss home: https://www.sonatype.com/nexus-repository-oss
icon: http://www.sonatype.org/nexus/content/uploads/2015/06/Nexus-Logo.jpg icon: https://sonatype.github.io/helm3-charts/NexusRepo_Vertical.svg
sources: sources:
- https://github.com/sonatype/nexus-public - https://github.com/sonatype/nexus-public
- https://github.com/travelaudience/docker-nexus
- https://github.com/travelaudience/kubernetes-nexus
- https://github.com/travelaudience/docker-nexus-backup
- https://github.com/dbccompany/docker-nexus-backup
maintainers: maintainers:
- name: rjkernick - email: support@sonatype.com
email: rjkernick@gmail.com name: Sonatype
- name: tsiddique
email: tsiddique@live.com
approvers: approvers:
- rjkernick
- tsiddique
reviewers: reviewers:
- rjkernick
- tsiddique
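Review bot: `approvers:` and `reviewers:` at the end of Chart.yaml are left as empty keys once the two names are removed; drop both keys or populate them. `appVersion: 3.29.0` also does not match what gets deployed, because values.yaml in this commit sets the image `tag: latest`; pin the tag to the appVersion so the chart version describes a known image.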
This diff is collapsed.
...@@ -51,6 +51,10 @@ app.kubernetes.io/name: {{ include "nexus.name" . }} ...@@ -51,6 +51,10 @@ app.kubernetes.io/name: {{ include "nexus.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}} {{- end -}}
{{- define "nexus.licenseKey" -}}
sonatype-license.lic: {{ .Values.license_key }}
{{- end -}}
{{/* {{/*
Create the name of the service account to use Create the name of the service account to use
*/}} */}}
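Review bot: `nexus.licenseKey` writes `.Values.license_key` unquoted and unchecked into what becomes the Secret's `data:` map, so an empty value renders a null entry and a value that is not valid base64 is only rejected by the API server at install time. Suggest `{{ required "license_key must be a base64 string" .Values.license_key | quote }}`, or accept the raw file content and apply `b64enc` in the template so callers do not have to pre-encode.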
......
{{- if .Values.sso.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "nexus.name" . }}-sso
labels: {{- include "nexus.labels" . | nindent 4 }}
{{- if .Values.nexus.extraLabels }}
{{- with .Values.nexus.extraLabels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
data:
idp-metadata: {{ .Values.sso.idp_data | toJson | quote }}
#realm: {{ .Values.sso.realm | quote }}
realm: '[{{ join "\",\"" .Values.sso.realm | printf "\"%s\""}}]'
role: {{ .Values.sso.role | toJson | quote }}
{{- end }}
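Review bot: The commented line `#realm: {{ .Values.sso.realm | quote }}` under `data:` is still evaluated at render time, because a YAML `#` does not stop Go template actions, and here it pipes a list into `quote`. Delete it or wrap it in `{{/* ... */}}`. The live `realm:` line hand-builds a JSON array with `join` and `printf`; `{{ .Values.sso.realm | toJson | quote }}` would match the `idp-metadata` and `role` keys and escape the entries correctly.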
apiVersion: v1
kind: Secret
metadata:
name: {{ template "nexus.name" . }}-license
labels:
{{ include "nexus.labels" . | indent 4 }}
{{- if .Values.nexus.extraLabels }}
{{- with .Values.nexus.extraLabels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
data:
{{ include "nexus.licenseKey" . | indent 2 }}
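Review bot: This Secret template has no `if` guard, unlike the SSO ConfigMap and the SAML Job, so it is rendered on every install with whatever `license_key` holds, including the `"test"` default in values.yaml. Gate it on a non-empty `license_key`, gate the matching volume and volumeMount in the Deployment the same way, and set an explicit `type: Opaque`.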
{{- if and .Values.sso.enabled .Values.secret.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
labels:
{{ include "nexus.labels" . | indent 4 }}
{{- if .Values.nexus.extraLabels }}
{{- with .Values.nexus.extraLabels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
annotations:
"helm.sh/hook": post-install
creationTimestamp: null
name: saml
spec:
template:
metadata:
creationTimestamp: null
spec:
containers:
- image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest
name: saml
command:
- sh
args:
- -c
- |
until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available" &&
BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}"
# saml metadata
curl -X PUT \
-u admin:"$API_CREDENTIALS" \
"$BASE_URL/service/rest/v1/security/saml" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "$IDP_DATA" &&
# realm configuration
curl -X PUT \
-u admin:"$API_CREDENTIALS" \
"$BASE_URL/service/rest/v1/security/realms/active" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "$REALM" &&
# role creation
curl -X POST \
-u admin:"$API_CREDENTIALS" \
"$BASE_URL/service/rest/v1/security/roles" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "$ROLE"
env:
- name: API_CREDENTIALS
valueFrom:
secretKeyRef:
name: {{ template "nexus.name" . }}-secret
key: admin.password
- name: IDP_DATA
valueFrom:
configMapKeyRef:
name: {{ template "nexus.name" . }}-sso
key: idp-metadata
- name: REALM
valueFrom:
configMapKeyRef:
name: {{ template "nexus.name" . }}-sso
key: realm
- name: ROLE
valueFrom:
configMapKeyRef:
name: {{ template "nexus.name" . }}-sso
key: role
resources: {}
restartPolicy: Never
status: {}
{{- end }}
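Review bot: None of the three `curl` calls in the Job script pass `--fail`, so a 401 or 400 from Nexus still exits 0, the `&&` chain continues, and the Job reports success with SAML left unconfigured; add `-f` (or check the HTTP status) on each call. Other points in the same template: the `until curl --head localhost:15000` loop waits for a sidecar unconditionally, so with `istio.enabled: false` the Job never gets past it; `-u admin:"$API_CREDENTIALS"` places the admin password on the curl command line, where a curl config or netrc file would keep it out of the process list; the image is `ubi8-minimal:latest` rather than a pinned tag or digest; the hook is `post-install` only, with no `helm.sh/hook-delete-policy`, and the fixed `name: saml` will collide with a second release in the same namespace. The echo text also reads "Sidercar".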
...@@ -24,7 +24,7 @@ spec: ...@@ -24,7 +24,7 @@ spec:
{{- with .Values.nexus.extraSelectorLabels }} {{- with .Values.nexus.extraSelectorLabels }}
{{ toYaml . | indent 6 }} {{ toYaml . | indent 6 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
template: template:
metadata: metadata:
annotations: annotations:
...@@ -106,6 +106,11 @@ spec: ...@@ -106,6 +106,11 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /nexus-data - mountPath: /nexus-data
name: {{ template "nexus.name" . }}-data name: {{ template "nexus.name" . }}-data
- mountPath: /nexus-data/etc
name: {{ template "nexus.name" . }}-data
- mountPath: {{ .Values.license.mountPath }}
name: {{ template "nexus.name" . }}-license
subPath: {{ .Values.license.subPath }}
{{- if .Values.config.enabled }} {{- if .Values.config.enabled }}
- mountPath: {{ .Values.config.mountPath }} - mountPath: {{ .Values.config.mountPath }}
name: {{ template "nexus.name" . }}-conf name: {{ template "nexus.name" . }}-conf
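Review bot: The added `/nexus-data/etc` mount reuses the `-data` volume without a `subPath`, so the root of the data volume is mounted a second time at `/nexus-data/etc` instead of its `etc` directory; add `subPath: etc`, or drop the mount if `/nexus-data` already covers it. The license mount below it is unconditional and lacks `readOnly: true`; mark it read-only and guard it with the same condition as the license Secret.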
...@@ -139,6 +144,12 @@ spec: ...@@ -139,6 +144,12 @@ spec:
{{- else }} {{- else }}
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
- name: nexus-repository-manager-license
secret:
secretName: {{ template "nexus.name" . }}-license
items:
- key: sonatype-license.lic
path: sonatype-license.lic
{{- if .Values.config.enabled }} {{- if .Values.config.enabled }}
- name: {{ template "nexus.name" . }}-conf - name: {{ template "nexus.name" . }}-conf
configMap: configMap:
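Review bot: The new volume is named with the literal `nexus-repository-manager-license`, while the volumeMount added in the previous hunk refers to `{{ template "nexus.name" . }}-license`; the two only match when `nexus.name` resolves to `nexus-repository-manager`, so any `nameOverride` leaves the mount without a matching volume. Use the same template expression for the volume name.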
......
{{- if .Values.ingress.enabled -}} {{- if and .Values.ingress.enabled (not .Values.istio.enabled) -}}
{{- $fullName := include "nexus.fullname" . -}} {{- $fullName := include "nexus.fullname" . -}}
{{- $svcPort := .Values.nexus.nexusPort -}} {{- $svcPort := .Values.nexus.nexusPort -}}
{{- $ingressPath := .Values.ingress.path -}} {{- $ingressPath := .Values.ingress.path -}}
......
## Overrides for generated resource names # -- Big Bang Additions
# namespaceOverride: hostname: bigbang.dev
istio:
enabled: false
license_key: "test"
license:
mountPath: /nexus-data/sonatype-license.lic
subPath: sonatype-license.lic
sso:
enabled: false
idp_data:
entityId: ""
usernameAttribute: ""
firstNameAttribute: ""
lastNameAttribute: ""
emailAttribute: ""
groupsAttribute: ""
validateResponseSignature: true
validateAssertionSignature: true
idpMetadata: ''
realm:
- "NexusAuthenticatingRealm"
- "NexusAuthorizingRealm"
- "SamlRealm"
role:
id: "nexus"
name: "nexus"
description: "nexus group"
privileges:
- "nx-all"
roles:
- "nx-admin"
# -- End of BigBang Additions
global:
hosts:
name: nexus-repository-manager
service:
name: nexus-repository-manager
ingress:
enabled: true
annotations: {kubernetes.io/ingress.class: nginx}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hostPath: /
hostRepo: repo.demo
tls: []
# - secretName: nexus-local-tls
# hosts:
# - nexus.local
# - nexus-docker.local
# - nexus-docker-hosted.local
statefulset: statefulset:
# This is not supported
enabled: false enabled: false
replicaCount: 1
# By default deploymentStrategy is set to rollingUpdate with maxSurge of 25% and maxUnavailable of 25% . you can change type to `Recreate` or can uncomment `rollingUpdate` specification and adjust them to your usage. # By default deploymentStrategy is set to rollingUpdate with maxSurge of 25% and maxUnavailable of 25% . you can change type to `Recreate` or can uncomment `rollingUpdate` specification and adjust them to your usage.
deploymentStrategy: {} deploymentStrategy: Recreate
# rollingUpdate: image:
# maxSurge: 25% # IB Nexus Image
# maxUnavailable: 25% repository: registry1.dso.mil/ironbank/sonatype/nexus/nexus
# type: RollingUpdate tag: latest
pullPolicy: IfNotPresent
# If enabled, a Job will be launched after the chart is installed to initialize the admin password of your choice
initAdminPassword:
enabled: false
# Set this in the instance where default admin password is different
defaultPasswordOverride:
password: "admin321"
nexus: nexus:
imageName: quay.io/travelaudience/docker-nexus docker:
imageTag: 3.27.0 enabled: false
imagePullPolicy: IfNotPresent registries: []
# Uncomment this to scheduler pods on priority # - host: chart.local
# priorityClassName: "high-priority" # port: 5000
# secretName: registrySecret
env: env:
- name: INSTALL4J_ADD_VM_PARAMS - name: install4jAddVmParams
value: "-Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:ActiveProcessorCount=4" value: "-Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
- name: NEXUS_SECURITY_RANDOMPASSWORD - name: NEXUS_SECURITY_RANDOMPASSWORD
value: "false" value: "true"
properties:
override: true
data:
nexus.licenseFile: /nexus-data/sonatype-license.lic
# nexus.scripts.allowCreation: true
# See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager
#nexus.ldap.env.java.naming.security.authentication: simple
# nodeSelector: # nodeSelector:
# cloud.google.com/gke-nodepool: default-pool # cloud.google.com/gke-nodepool: default-pool
resources: {} resources: {}
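Review bot: The default `sso.role` in the Big Bang additions grants the `nx-all` privilege and the `nx-admin` role to the `nexus` role, so whoever is mapped to that role is a full administrator as soon as `sso.enabled` is set; default to a least-privilege role and let deployers opt in to admin. Also in this hunk: `license_key: "test"` ships a placeholder that the unconditional license Secret will render, `image.tag: latest` leaves the deployed version unpinned, and `defaultPasswordOverride` / `password: "admin321"` keep literal passwords in values.yaml even though `initAdminPassword.enabled` is false.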
...@@ -44,40 +97,22 @@ nexus: ...@@ -44,40 +97,22 @@ nexus:
# cpu: 250m # cpu: 250m
# memory: 4800Mi # memory: 4800Mi
# The ports should only be changed if the nexus image uses a different port # The ports should only be changed if the nexus image uses a different port
dockerPort: 5003
nexusPort: 8081 nexusPort: 8081
additionalPorts: []
service:
type: NodePort
# clusterIP: None
# annotations: {}
## When using LoadBalancer service type, use the following AWS certificate from ACM
## https://aws.amazon.com/documentation/acm/
# service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:123456789:certificate/abc123-abc123-abc123-abc123"
# service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https"
# service.beta.kubernetes.io/aws-load-balancer-backend-port: "https"
## When using LoadBalancer service type, whitelist these source IP ranges
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
# loadBalancerSourceRanges:
# - 192.168.1.10/32
# labels: {}
## Configures the requested IP on the loadBalancer when using LoadBalancer service type
# loadBalancerIP: "192.168.1.10"
securityContextEnabled: true
securityContext: securityContext:
fsGroup: 200 fsGroup: 2000
podAnnotations: {} podAnnotations: {}
livenessProbe: livenessProbe:
initialDelaySeconds: 300 initialDelaySeconds: 30
periodSeconds: 30 periodSeconds: 30
failureThreshold: 6 failureThreshold: 6
# timeoutSeconds: 10 timeoutSeconds: 10
path: / path: /
readinessProbe: readinessProbe:
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 30 periodSeconds: 30
failureThreshold: 6 failureThreshold: 6
# timeoutSeconds: 10 timeoutSeconds: 10
path: / path: /
# hostAliases allows the modification of the hosts file inside a container # hostAliases allows the modification of the hosts file inside a container
hostAliases: [] hostAliases: []
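Review bot: `livenessProbe.initialDelaySeconds` drops from 300 to 30 while `periodSeconds: 30` and `failureThreshold: 6` stay, so a pod that has not answered on `/` within roughly three minutes of start is restarted; confirm first-boot startup fits in that window or add a startupProbe. `securityContext.fsGroup` also changes from 200 to 2000 while the commented initContainer example in this file still chowns `/nexus-data` to `200`; document which UID and GID the Iron Bank image runs as so the two agree.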
...@@ -85,10 +120,49 @@ nexus: ...@@ -85,10 +120,49 @@ nexus:
# hostnames: # hostnames:
# - "example.com" # - "example.com"
# - "www.example.com" # - "www.example.com"
context:
# When using nexus it is important that all the files in the data directory have the proper owner configured. Therefore this
# value defaults to true to apply chown -R nexus:nexus to the mounted directory at every startup of the container. imagePullSecrets: []
chownNexusData: true nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
deployment:
# # Add annotations in deployment to enhance deployment configurations
annotations: {}
# # Add init containers. e.g. to be used to give specific permissions for nexus-data.
# # Add your own init container or uncomment and modify the given example.
initContainers:
# - name: fmp-volume-permission
# image: busybox
# imagePullPolicy: IfNotPresent
# command: ['chown','-R', '200', '/nexus-data']
# volumeMounts:
# - name: nexus-data
# mountPath: /nexus-data
# # Uncomment and modify this to run a command after starting the nexus container.
postStart:
command: # '["/bin/sh", "-c", "ls"]'
preStart:
command: # '["/bin/rm", "-f", "/path/to/lockfile"]'
terminationGracePeriodSeconds: 120
additionalContainers:
additionalVolumes:
additionalVolumeMounts:
service:
name: nexus3
enabled: true
labels: {}
annotations: {}
serviceType: ClusterIP
route: route:
enabled: false enabled: false
...@@ -98,37 +172,6 @@ route: ...@@ -98,37 +172,6 @@ route:
annotations: annotations:
# path: /docker # path: /docker
nexusProxy:
enabled: true
# svcName: proxy-svc
imageName: quay.io/travelaudience/docker-nexus-proxy
imageTag: 2.6.0
imagePullPolicy: IfNotPresent
port: 8080
targetPort: 8080
# labels: {}
env:
nexusDockerHost:
nexusHttpHost:
enforceHttps: false
cloudIamAuthEnabled: false
## If cloudIamAuthEnabled is set to true uncomment the variables below and remove this line
# clientId: ""
# clientSecret: ""
# organizationId: ""
# redirectUrl: ""
# requiredMembershipVerification: "true"
# secrets:
# keystore: ""
# password: ""
resources: {}
# requests:
# cpu: 100m
# memory: 256Mi
# limits:
# cpu: 200m
# memory: 512Mi
nexusProxyRoute: nexusProxyRoute:
enabled: false enabled: false
labels: labels:
...@@ -153,183 +196,29 @@ persistence: ...@@ -153,183 +196,29 @@ persistence:
# pdName: nexus-data-disk # pdName: nexus-data-disk
# fsType: ext4 # fsType: ext4
nexusBackup:
enabled: false
imageName: dbcc/docker-nexus-backup
imageTag: 0.0.1
imagePullPolicy: IfNotPresent
env:
rcloneRemote:
targetBucket:
nexusAuthorization:
# Size of the data chunk to stream to the remote
streamingUploadCutoff: "5000000"
offlineRepos: "maven-central maven-public maven-releases maven-snapshots"
gracePeriod: 60
# This should match the value of `initAdminPassword.password` if `initAdminPassword.enabled` is true
nexusAdminPassword: "admin123"
persistence:
enabled: true
# existingClaim:
# annotations:
# "helm.sh/resource-policy": keep
accessMode: ReadWriteOnce
# See comment above for information on setting the backup storageClass
# storageClass: "-"
storageSize: 8Gi
# If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs.
# pdName: nexus-backup-disk
# fsType: ext4
resources: {}
# requests:
# cpu: 100m
# memory: 256Mi
# limits:
# cpu: 200m
# memory: 512Mi
rcloneConfig:
rclone.conf: |
[AWS]
type = s3
provider = AWS
env_auth = true
region = us-east-1
acl = authenticated-read
nexusCloudiam:
enabled: false
persistence:
enabled: true
# existingClaim:
# annotations:
# "helm.sh/resource-policy": keep
accessMode: ReadWriteOnce
# See comment above for information on setting the backup storageClass
# storageClass: "-"
storageSize: 1Mi
# If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs.
# pdName: nexus-cloudiam-path
# fsType: ext4
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
annotations: {}
rbac:
create: false
roleRef: {}
annotations: {}
ingress:
enabled: false
path: /
labels: {}
annotations: {}
# # NOTE: Can't use 'false' due to https://github.com/jetstack/kube-lego/issues/173.
# kubernetes.io/ingress.allow-http: true
# kubernetes.io/ingress.class: gce
# kubernetes.io/ingress.global-static-ip-name: ""
# kubernetes.io/tls-acme: true
tls:
enabled: true
secretName: nexus-tls
# Specify custom rules in addition to or instead of the nexus-proxy rules
rules:
# - host: http://nexus.127.0.0.1.nip.io
# http:
# paths:
# - backend:
# serviceName: additional-svc
# servicePort: 80
ingressDocker:
enabled: false
path: /
labels: {}
annotations: {}
# # NOTE: Can't use 'false' due to https://github.com/jetstack/kube-lego/issues/173.
# kubernetes.io/ingress.allow-http: true
# kubernetes.io/ingress.class: gce
# kubernetes.io/ingress.global-static-ip-name: ""
# kubernetes.io/tls-acme: true
tls:
enabled: true
secretName: nexus-tls
# Specify custom rules in addition to or instead of the nexus-proxy rules
rules:
# - host: http://nexus.127.0.0.1.nip.io
# http:
# paths:
# - backend:
# serviceName: additional-svc
# servicePort: 80
affinity: {}
tolerations: [] tolerations: []
# # Enable configmap and add data in configmap # # Enable configmap and add data in configmap
config: config:
enabled: false enabled: false
mountPath: /sonatype-nexus-conf mountPath: /sonatype-nexus-conf
data: data: []
deployment:
# # Add annotations in deployment to enhance deployment configurations
annotations: {}
# # Add init containers. e.g. to be used to give specific permissions for nexus-data.
# # Add your own init container or uncomment and modify the given example.
initContainers:
# - name: fmp-volume-permission
# image: busybox
# imagePullPolicy: IfNotPresent
# command: ['chown','-R', '200', '/nexus-data']
# volumeMounts:
# - name: nexus-data
# mountPath: /nexus-data
# # Uncomment and modify this to run a command after starting the nexus container.
postStart:
command: # '["/bin/sh", "-c", "ls"]'
# # Enable nexus scripts settings, disabled by default for versions >= 3.21.2
# command: '["/bin/sh", "-c", "if [[ -z $(grep ^nexus.scripts.allowCreation=true /nexus-data/etc/nexus.properties) ]];then echo nexus.scripts.allowCreation=true >> /nexus-data/etc/nexus.properties;fi"]'
additionalContainers:
additionalVolumes:
additionalVolumeMounts:
# # To use an additional secret, set enable to true and add data # # To use an additional secret, set enable to true and add data
secret: secret:
enabled: false enabled: true
mountPath: /etc/secret-volume mountPath: /nexus-data/admin.password
subPath: admin.password
readOnly: true readOnly: true
data:
# # To use an additional service, set enable to true serviceAccount:
service: # Specifies whether a service account should be created
type: ClusterIP create: true
# name: additional-svc # Annotations to add to the service account
enabled: false
labels: {}
annotations: {} annotations: {}
ports: # The name of the service account to use.
- name: nexus-service # If not set and create is true, a name is generated using the fullname template
targetPort: 80 name: ""
port: 80
## Configures the requested IP on the loadBalancer when using LoadBalancer service type
# loadBalancerIP: "192.168.1.10"
additionalConfigMaps: [] psp:
# - name: maven-central create: false
# labels:
# nexus-type: repository
# data:
# recipe: 'MavenProxy'
# remoteUrl: 'https://repo.maven.apache.org/maven2/'
# blobStoreName: 'default'
# strictContentTypeValidation: 'true'
# versionPolicy: 'RELEASE'
# layoutPolicy: 'STRICT'
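Review bot: `serviceAccount:` is added at the end of the file (after `secret:`) although an earlier hunk already adds a top-level `serviceAccount:` block after `fullnameOverride`, which leaves the new values.yaml with a duplicate key and two slightly different bodies (`name:` empty in one, `name: ""` plus `annotations: {}` in the other); keep one. `secret.enabled` also flips to `true` with `mountPath: /nexus-data/admin.password`, and the SAML Job is gated on `secret.enabled` as well as `sso.enabled`, so the README should say that turning the secret off also turns the SSO Job off.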