feat: support for encrypted license

baseline documentation, saml.yaml

CODEOWNERS

-* @kevin.wilder @ariel.shnitzer @grant.duncklee
+#followup and see who else belongs here
\ No newline at end of file
+* @grant.duncklee

README.md

-# Sonatype Nexus
+# Sonatype Nexus Repository Manager (NXRM)
 
 Source of truth for components, artifacts, binaries, etc.
 
-This chart was sourced from
-[Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with
-minimal changes.
+This chart was sourced from [Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with minimal changes.
 
 ## Prerequisites
-
 - Kubernetes Cluster deployed
 - Kubernetes config installed in ~/.kube/config
 - Helm installed
+- Keycloak (Optional - SSO)
+- Sonatype NXRM License. Required for SAML integration
 
 ## Iron Bank
-
 You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus).
 
 ## Helm
-
-Please reference complete list of providable variables
-[here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration)
+Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration)
 
 ```bash
 git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git
 helm install nexus-repository-manager chart
 ```
+
+## BigBang Additions, Comments, and Important Information
+### SAML/SSO Integration
+BigBang requires/prefers SAML/SSO integration out of the box; unfortunately, the upstream Helm chart did not have a
+solution at the drafting of this integration. To achieve our goal, we added a Kubernetes job that handles the SAML/SSO
+integration. To enable this functionality, ensure `sso.enabled` is set to `true`; you will additionally require a
+Keycloak instance, the IDP metadata file, along with other parameters you may defined in `sso.idp_data`. Our
+implementation closely follows the [Sonatype SAML Integration](https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak) documentation.
+
+Retrieve a list of all available privileges:
+`curl -X GET "https://{{ base_url }}/service/rest/v1/security/privileges" -H "accept: application/json"`
+
+### Random Admin Password
+NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The
+problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are
+leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password
+on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This
+method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes
+secret to enable programmatic ingestion.
+
+Ensure the following is present to enable the randomized Kubernetes password:
+```bash
+# values.yaml
+nexus:
+  env:
+    - name: NEXUS_SECURITY_RANDOMPASSWORD
+      key: "true"
+...
+secret:
+  enabled: true
+  mountPath: /nexus-data/admin.password
+  subPath: admin.password
+  readOnly: true
+```
+
+### License
+We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 
+encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl`
+will create a named template and generate the appropriate secret within the namespace. The chart will reference the 
+license via a secret volumeMount to ensure the application starts licensed.

chart/Chart.yaml

-apiVersion: v1
-name: sonatype-nexus
-version: 4.2.0
-appVersion: 3.27.0
-description: Sonatype Nexus is an open source repository manager
+apiVersion: v2
+name: nexus-repository-manager
+
+version: 29.1.0-bb.0
+appVersion: 3.29.0
+
+description: Sonatype Nexus Repository Manager - Universal Binary repository
+
+type: application
+
 keywords:
   - artifacts
   - dependency
@@ -10,16 +15,14 @@ keywords:
   - sonatype
   - nexus
   - repository
+  - quickstart
+  - ci
+  - repository-manager
+  - nexus3
 home: https://www.sonatype.com/nexus-repository-oss
-icon: http://www.sonatype.org/nexus/content/uploads/2015/06/Nexus-Logo.jpg
+icon: https://sonatype.github.io/helm3-charts/NexusRepo_Vertical.svg
 sources:
   - https://github.com/sonatype/nexus-public
-  - https://github.com/travelaudience/docker-nexus
-  - https://github.com/travelaudience/kubernetes-nexus
-  - https://github.com/travelaudience/docker-nexus-backup
-  - https://github.com/dbccompany/docker-nexus-backup
 maintainers:
-  - name: rjkernick
-    email: rjkernick@gmail.com
-  - name: tsiddique
-    email: tsiddique@live.com
+  - email:  support@sonatype.com
+    name: Sonatype

chart/OWNERS

 approvers:
-- rjkernick
-- tsiddique
 reviewers:
-- rjkernick
-- tsiddique

chart/templates/_helpers.tpl

@@ -51,6 +51,10 @@ app.kubernetes.io/name: {{ include "nexus.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
+{{- define "nexus.licenseKey" -}}
+sonatype-license.lic: {{ .Values.license_key }}
+{{- end -}}
+
 {{/*
 Create the name of the service account to use
 */}}

chart/templates/bigbang/configmap-sso.yaml

+{{- if .Values.sso.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "nexus.name" . }}-sso
+  labels: {{- include "nexus.labels" . | nindent 4 }}
+    {{- if .Values.nexus.extraLabels }}
+      {{- with .Values.nexus.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+  idp-metadata: {{ .Values.sso.idp_data | toJson | quote }}
+  #realm: {{ .Values.sso.realm | quote }}
+  realm: '[{{ join "\",\"" .Values.sso.realm | printf "\"%s\""}}]'
+  role: {{ .Values.sso.role | toJson | quote }}
+{{- end }}
+

chart/templates/bigbang/license.yaml

+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "nexus.name" . }}-license
+  labels:
+{{ include "nexus.labels" . | indent 4 }}
+    {{- if .Values.nexus.extraLabels }}
+      {{- with .Values.nexus.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+{{ include "nexus.licenseKey" . | indent 2 }}

chart/templates/bigbang/saml.yaml

+{{- if and .Values.sso.enabled .Values.secret.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+{{ include "nexus.labels" . | indent 4 }}
+  {{- if .Values.nexus.extraLabels }}
+    {{- with .Values.nexus.extraLabels }}
+      {{ toYaml . | indent 4 }}
+    {{- end }}
+  {{- end }}
+  annotations:
+    "helm.sh/hook": post-install
+  creationTimestamp: null
+  name: saml
+spec:
+  template:
+    metadata:
+      creationTimestamp: null
+    spec:
+      containers:
+      - image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest
+        name: saml
+        command:
+          - sh
+        args:
+          - -c
+          - |
+            until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available"  &&
+            BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}"
+            # saml metadata
+            curl -X PUT \
+                 -u admin:"$API_CREDENTIALS" \
+                 "$BASE_URL/service/rest/v1/security/saml" \
+                 -H "accept: application/json" \
+                 -H "Content-Type: application/json" \
+                 -d "$IDP_DATA" &&
+            # realm configuration
+            curl -X PUT \
+                 -u admin:"$API_CREDENTIALS" \
+                 "$BASE_URL/service/rest/v1/security/realms/active" \
+                 -H "accept: application/json" \
+                 -H "Content-Type: application/json" \
+                 -d "$REALM" &&
+            # role creation
+            curl -X POST \
+                 -u admin:"$API_CREDENTIALS" \
+                 "$BASE_URL/service/rest/v1/security/roles" \
+                 -H "accept: application/json" \
+                 -H "Content-Type: application/json" \
+                 -d "$ROLE"
+        env:
+        - name: API_CREDENTIALS
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "nexus.name" . }}-secret
+              key: admin.password
+        - name: IDP_DATA
+          valueFrom:
+            configMapKeyRef:
+              name: {{ template "nexus.name" . }}-sso
+              key: idp-metadata
+        - name: REALM
+          valueFrom:
+            configMapKeyRef:
+              name: {{ template "nexus.name" . }}-sso
+              key: realm
+        - name: ROLE
+          valueFrom:
+            configMapKeyRef:
+              name: {{ template "nexus.name" . }}-sso
+              key: role
+        resources: {}
+      restartPolicy: Never
+status: {}
+{{- end }}

chart/templates/deployment.yaml

@@ -24,7 +24,7 @@ spec:
         {{- with .Values.nexus.extraSelectorLabels }}
           {{ toYaml . | indent 6 }}
         {{- end }}
-      {{- end }}      
+      {{- end }}
   template:
     metadata:
       annotations:
@@ -106,6 +106,11 @@ spec:
           volumeMounts:
             - mountPath: /nexus-data
               name: {{ template "nexus.name" . }}-data
+            - mountPath: /nexus-data/etc
+              name: {{ template "nexus.name" . }}-data
+            - mountPath: {{ .Values.license.mountPath }}
+              name: {{ template "nexus.name" . }}-license
+              subPath: {{ .Values.license.subPath }}
             {{- if .Values.config.enabled }}
             - mountPath: {{ .Values.config.mountPath }}
               name: {{ template "nexus.name" . }}-conf
@@ -139,6 +144,12 @@ spec:
           {{- else }}
           emptyDir: {}
           {{- end }}
+        - name: nexus-repository-manager-license
+          secret:
+            secretName: {{ template "nexus.name" . }}-license
+            items:
+            - key: sonatype-license.lic
+              path: sonatype-license.lic
         {{- if .Values.config.enabled }}
         - name: {{ template "nexus.name" . }}-conf
           configMap:

chart/templates/ingress.yaml

-{{- if .Values.ingress.enabled -}}
+{{- if and .Values.ingress.enabled (not .Values.istio.enabled) -}}
 {{- $fullName := include "nexus.fullname" . -}}
 {{- $svcPort := .Values.nexus.nexusPort -}}
 {{- $ingressPath := .Values.ingress.path -}}

chart/values.yaml

-## Overrides for generated resource names
-# namespaceOverride:
+# -- Big Bang Additions
+hostname: bigbang.dev
+istio:
+  enabled: false
+license_key: "test"
+license:
+  mountPath: /nexus-data/sonatype-license.lic
+  subPath: sonatype-license.lic
+sso:
+  enabled: false
+  idp_data:
+    entityId: ""
+    usernameAttribute: ""
+    firstNameAttribute: ""
+    lastNameAttribute: ""
+    emailAttribute: ""
+    groupsAttribute: ""
+    validateResponseSignature: true
+    validateAssertionSignature: true
+    idpMetadata: ''
+  realm:
+    - "NexusAuthenticatingRealm"
+    - "NexusAuthorizingRealm"
+    - "SamlRealm"
+  role:
+    id: "nexus"
+    name: "nexus"
+    description: "nexus group"
+    privileges:
+      - "nx-all"
+    roles:
+      - "nx-admin"
+# -- End of BigBang Additions
+
+global:
+  hosts:
+    name: nexus-repository-manager
+  service:
+    name: nexus-repository-manager
+
+ingress:
+  enabled: true
+  annotations: {kubernetes.io/ingress.class: nginx}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hostPath: /
+  hostRepo: repo.demo
+  tls: []
+    # - secretName: nexus-local-tls
+    #   hosts:
+    #     - nexus.local
+    #     - nexus-docker.local
+    #     - nexus-docker-hosted.local
 
 statefulset:
+  # This is not supported
   enabled: false
-replicaCount: 1
 # By default deploymentStrategy is set to rollingUpdate with maxSurge of 25% and maxUnavailable of 25% . you can change type to `Recreate` or can uncomment `rollingUpdate` specification and adjust them to your usage.
-deploymentStrategy: {}
-  # rollingUpdate:
-  #   maxSurge: 25%
-  #   maxUnavailable: 25%
-  # type: RollingUpdate
-
-# If enabled, a Job will be launched after the chart is installed to initialize the admin password of your choice
-initAdminPassword:
-  enabled: false
-  # Set this in the instance where default admin password is different
-  defaultPasswordOverride:
-  password: "admin321"
+deploymentStrategy: Recreate
+image:
+  # IB Nexus Image
+  repository: registry1.dso.mil/ironbank/sonatype/nexus/nexus
+  tag: latest
+  pullPolicy: IfNotPresent
 
 nexus:
-  imageName: quay.io/travelaudience/docker-nexus
-  imageTag: 3.27.0
-  imagePullPolicy: IfNotPresent
-  # Uncomment this to scheduler pods on priority
-  # priorityClassName: "high-priority"
+  docker:
+    enabled: false
+    registries: []
+    #  - host: chart.local
+    #    port: 5000
+    #    secretName: registrySecret
   env:
-    - name: INSTALL4J_ADD_VM_PARAMS
-      value: "-Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:ActiveProcessorCount=4"
+    - name: install4jAddVmParams
+      value: "-Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
     - name: NEXUS_SECURITY_RANDOMPASSWORD
-      value: "false"
+      value: "true"
+  properties:
+    override: true
+    data:
+      nexus.licenseFile: /nexus-data/sonatype-license.lic
+      # nexus.scripts.allowCreation: true
+      # See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager
+      #nexus.ldap.env.java.naming.security.authentication: simple
   # nodeSelector:
   #   cloud.google.com/gke-nodepool: default-pool
   resources: {}
@@ -44,40 +97,22 @@ nexus:
       # cpu: 250m
       # memory: 4800Mi
   # The ports should only be changed if the nexus image uses a different port
-  dockerPort: 5003
   nexusPort: 8081
-  additionalPorts: []
-  service:
-    type: NodePort
-    # clusterIP: None
-  # annotations: {}
-    ## When using LoadBalancer service type, use the following AWS certificate from ACM
-    ## https://aws.amazon.com/documentation/acm/
-    # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:123456789:certificate/abc123-abc123-abc123-abc123"
-    # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https"
-    # service.beta.kubernetes.io/aws-load-balancer-backend-port: "https"
-  ## When using LoadBalancer service type, whitelist these source IP ranges
-  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
-  # loadBalancerSourceRanges:
-  #   - 192.168.1.10/32
-  # labels: {}
-  ## Configures the requested IP on the loadBalancer when using LoadBalancer service type
-  # loadBalancerIP: "192.168.1.10"
-  securityContextEnabled: true
+
   securityContext:
-    fsGroup: 200
+    fsGroup: 2000
   podAnnotations: {}
   livenessProbe:
-    initialDelaySeconds: 300
+    initialDelaySeconds: 30
     periodSeconds: 30
     failureThreshold: 6
-    # timeoutSeconds: 10
+    timeoutSeconds: 10
     path: /
   readinessProbe:
     initialDelaySeconds: 30
     periodSeconds: 30
     failureThreshold: 6
-    # timeoutSeconds: 10
+    timeoutSeconds: 10
     path: /
   # hostAliases allows the modification of the hosts file inside a container
   hostAliases: []
@@ -85,10 +120,49 @@ nexus:
   #   hostnames:
   #   - "example.com"
   #   - "www.example.com"
-  context:
-  # When using nexus it is important that all the files in the data directory have the proper owner configured. Therefore this
-  # value defaults to true to apply chown -R nexus:nexus to the mounted directory at every startup of the container.
-  chownNexusData: true
+
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+deployment:
+  # # Add annotations in deployment to enhance deployment configurations
+  annotations: {}
+  # # Add init containers. e.g. to be used to give specific permissions for nexus-data.
+  # # Add your own init container or uncomment and modify the given example.
+  initContainers:
+  # - name: fmp-volume-permission
+    # image: busybox
+    # imagePullPolicy: IfNotPresent
+    # command: ['chown','-R', '200', '/nexus-data']
+    # volumeMounts:
+      # - name: nexus-data
+        # mountPath: /nexus-data
+  # # Uncomment and modify this to run a command after starting the nexus container.
+  postStart:
+    command:    # '["/bin/sh", "-c", "ls"]'
+  preStart:
+    command:    # '["/bin/rm", "-f", "/path/to/lockfile"]'
+  terminationGracePeriodSeconds: 120
+  additionalContainers:
+  additionalVolumes:
+  additionalVolumeMounts:
+
+service:
+  name: nexus3
+  enabled: true
+  labels: {}
+  annotations: {}
+  serviceType: ClusterIP
+
 
 route:
   enabled: false
@@ -98,37 +172,6 @@ route:
   annotations:
   # path: /docker
 
-nexusProxy:
-  enabled: true
-  # svcName: proxy-svc
-  imageName: quay.io/travelaudience/docker-nexus-proxy
-  imageTag: 2.6.0
-  imagePullPolicy: IfNotPresent
-  port: 8080
-  targetPort: 8080
-  # labels: {}
-  env:
-    nexusDockerHost:
-    nexusHttpHost:
-    enforceHttps: false
-    cloudIamAuthEnabled: false
-## If cloudIamAuthEnabled is set to true uncomment the variables below and remove this line
-  #   clientId: ""
-  #   clientSecret: ""
-  #   organizationId: ""
-  #   redirectUrl: ""
-  #   requiredMembershipVerification: "true"
-  # secrets:
-  #   keystore: ""
-  #   password: ""
-  resources: {}
-    # requests:
-      # cpu: 100m
-      # memory: 256Mi
-    # limits:
-      # cpu: 200m
-      # memory: 512Mi
-
 nexusProxyRoute:
   enabled: false
   labels:
@@ -153,183 +196,29 @@ persistence:
   # pdName: nexus-data-disk
   # fsType: ext4
 
-nexusBackup:
-  enabled: false
-  imageName: dbcc/docker-nexus-backup
-  imageTag: 0.0.1
-  imagePullPolicy: IfNotPresent
-  env:
-    rcloneRemote:
-    targetBucket:
-    nexusAuthorization:
-    # Size of the data chunk to stream to the remote
-    streamingUploadCutoff: "5000000"
-    offlineRepos: "maven-central maven-public maven-releases maven-snapshots"
-    gracePeriod: 60
-  # This should match the value of `initAdminPassword.password` if `initAdminPassword.enabled` is true
-  nexusAdminPassword: "admin123"
-  persistence:
-    enabled: true
-    # existingClaim:
-    # annotations:
-    #  "helm.sh/resource-policy": keep
-    accessMode: ReadWriteOnce
-    # See comment above for information on setting the backup storageClass
-    # storageClass: "-"
-    storageSize: 8Gi
-    # If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs.
-    # pdName: nexus-backup-disk
-    # fsType: ext4
-  resources: {}
-    # requests:
-      # cpu: 100m
-      # memory: 256Mi
-    # limits:
-      # cpu: 200m
-      # memory: 512Mi
-  rcloneConfig:
-    rclone.conf: |
-      [AWS]
-      type = s3
-      provider = AWS
-      env_auth = true
-      region = us-east-1
-      acl = authenticated-read
-
-nexusCloudiam:
-  enabled: false
-  persistence:
-    enabled: true
-    # existingClaim:
-    # annotations:
-    #  "helm.sh/resource-policy": keep
-    accessMode: ReadWriteOnce
-    # See comment above for information on setting the backup storageClass
-    # storageClass: "-"
-    storageSize: 1Mi
-    # If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs.
-    # pdName: nexus-cloudiam-path
-    # fsType: ext4
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name:
-  annotations: {}
-
-rbac:
-  create: false
-  roleRef: {}
-  annotations: {}
-
-ingress:
-  enabled: false
-  path: /
-  labels: {}
-  annotations: {}
-  # # NOTE: Can't use 'false' due to https://github.com/jetstack/kube-lego/issues/173.
-  # kubernetes.io/ingress.allow-http: true
-  # kubernetes.io/ingress.class: gce
-  # kubernetes.io/ingress.global-static-ip-name: ""
-  # kubernetes.io/tls-acme: true
-  tls:
-    enabled: true
-    secretName: nexus-tls
-  # Specify custom rules in addition to or instead of the nexus-proxy rules
-  rules:
-  # - host: http://nexus.127.0.0.1.nip.io
-  #   http:
-  #     paths:
-  #     - backend:
-  #         serviceName: additional-svc
-  #         servicePort: 80
-
-ingressDocker:
-  enabled: false
-  path: /
-  labels: {}
-  annotations: {}
-  # # NOTE: Can't use 'false' due to https://github.com/jetstack/kube-lego/issues/173.
-  # kubernetes.io/ingress.allow-http: true
-  # kubernetes.io/ingress.class: gce
-  # kubernetes.io/ingress.global-static-ip-name: ""
-  # kubernetes.io/tls-acme: true
-  tls:
-    enabled: true
-    secretName: nexus-tls
-  # Specify custom rules in addition to or instead of the nexus-proxy rules
-  rules:
-  # - host: http://nexus.127.0.0.1.nip.io
-  #   http:
-  #     paths:
-  #     - backend:
-  #         serviceName: additional-svc
-  #         servicePort: 80
-
-affinity: {}
-
 tolerations: []
 
-# # Enable configmap and add data in configmap
+# # Enable configmap and add data in configmap	
 config:
   enabled: false
   mountPath: /sonatype-nexus-conf
-  data:
-
-deployment:
-  # # Add annotations in deployment to enhance deployment configurations
-  annotations: {}
-  # # Add init containers. e.g. to be used to give specific permissions for nexus-data.
-  # # Add your own init container or uncomment and modify the given example.
-  initContainers:
-  # - name: fmp-volume-permission
-    # image: busybox
-    # imagePullPolicy: IfNotPresent
-    # command: ['chown','-R', '200', '/nexus-data']
-    # volumeMounts:
-      # - name: nexus-data
-        # mountPath: /nexus-data
-  # # Uncomment and modify this to run a command after starting the nexus container.
-  postStart:
-    command:    # '["/bin/sh", "-c", "ls"]'
-    # # Enable nexus scripts settings, disabled by default for versions >= 3.21.2
-    # command:    '["/bin/sh", "-c", "if [[ -z $(grep ^nexus.scripts.allowCreation=true /nexus-data/etc/nexus.properties) ]];then echo nexus.scripts.allowCreation=true >> /nexus-data/etc/nexus.properties;fi"]'
-
-  additionalContainers:
-  additionalVolumes:
-  additionalVolumeMounts:
+  data: []
 
 # # To use an additional secret, set enable to true and add data
 secret:
-  enabled: false
-  mountPath: /etc/secret-volume
+  enabled: true
+  mountPath: /nexus-data/admin.password
+  subPath: admin.password
   readOnly: true
-  data:
 
-# # To use an additional service, set enable to true
-service:
-  type: ClusterIP
-  # name: additional-svc
-  enabled: false
-  labels: {}
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
   annotations: {}
-  ports:
-  - name: nexus-service
-    targetPort: 80
-    port: 80
-  ## Configures the requested IP on the loadBalancer when using LoadBalancer service type
-  # loadBalancerIP: "192.168.1.10"
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
 
-additionalConfigMaps: []
-#  - name: maven-central
-#    labels:
-#      nexus-type: repository
-#    data:
-#      recipe: 'MavenProxy'
-#      remoteUrl: 'https://repo.maven.apache.org/maven2/'
-#      blobStoreName: 'default'
-#      strictContentTypeValidation: 'true'
-#      versionPolicy: 'RELEASE'
-#      layoutPolicy: 'STRICT'
+psp:
+  create: false