From 5ce0f3328317a5e553bbdfd6f0475330b39d3b2f Mon Sep 17 00:00:00 2001 From: Grant Duncklee Date: Mon, 28 Jun 2021 14:21:05 +0000 Subject: [PATCH] chore: remediate password generation on upgrade purge jobs on completion --- chart/templates/_helpers.tpl | 7 +++ chart/templates/bigbang/configmap-proxy.yaml | 15 ++++++ chart/templates/bigbang/proxy.yaml | 52 ++++++++++++++++++++ chart/templates/bigbang/saml.yaml | 3 +- chart/templates/bigbang/secret.yaml | 14 ++++-- chart/values.yaml | 33 ++++++++++++- docs/README.md | 7 ++- 7 files changed, 122 insertions(+), 9 deletions(-) create mode 100644 chart/templates/bigbang/configmap-proxy.yaml create mode 100644 chart/templates/bigbang/proxy.yaml diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index 0a209ed..8bd9104 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl @@ -55,6 +55,13 @@ app.kubernetes.io/instance: {{ .Release.Name }} sonatype-license.lic: {{ .Values.license_key }} {{- end -}} +{{/* +Return Nexus default admin password +*/}} +{{- define "nexus.defaultAdminPassword" -}} +{{ randAlphaNum 12 }} +{{- end -}} + {{/* Create the name of the service account to use */}} diff --git a/chart/templates/bigbang/configmap-proxy.yaml b/chart/templates/bigbang/configmap-proxy.yaml new file mode 100644 index 0000000..e3bdc66 --- /dev/null +++ b/chart/templates/bigbang/configmap-proxy.yaml @@ -0,0 +1,15 @@ +{{- if .Values.proxy.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "nexus.name" . }}-proxy + labels: {{- include "nexus.labels" . | nindent 4 }} + {{- if .Values.nexus.extraLabels }} + {{- with .Values.nexus.extraLabels }} + {{ toYaml . | indent 4 }} + {{- end }} + {{- end }} +data: + proxy: {{ .Values.proxy.request | toJson | quote }} +{{- end }} + diff --git a/chart/templates/bigbang/proxy.yaml b/chart/templates/bigbang/proxy.yaml new file mode 100644 index 0000000..3729a12 --- /dev/null +++ b/chart/templates/bigbang/proxy.yaml 
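Review bot: The header comment on the new `nexus.defaultAdminPassword` helper says it returns "the default admin password", but `randAlphaNum 12` produces a different value on every render, so nothing about it is stable or default; the comment should state that, e.g. `Generate a random admin password. Evaluated afresh on every render (install, upgrade, template, dry-run); callers must persist the result, see bigbang/secret.yaml which reuses the stored value on upgrade.` Twelve alphanumerics give roughly 71 bits of entropy, which is acceptable for a bootstrap credential that the README already tells operators to rotate, but since no human ever types this value a longer string (`randAlphaNum 32`) costs nothing. The helper is consumed through `include ... | b64enc` in secret.yaml, so the trailing-whitespace trimming here (`-}}` on the define, `{{- end -}}`) matters; a comment noting that the output must stay free of surrounding newlines would stop a later edit from breaking the encoded secret.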
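Review bot: `proxy: {{ .Values.proxy.request | toJson | quote }}` serialises the whole request object, including the `httpAuthPassword` and `httpsAuthPassword` fields defined in values.yaml, into a ConfigMap, so the upstream proxy credentials are readable by anyone with configmap read access in the namespace and sit outside secret-specific RBAC, etcd encryption and the sops handling the README describes for other credentials. Rendering the object as a Secret is a three-line change: `kind: Secret`, `stringData:` in place of `data:` (the quoted JSON string is accepted as-is under `stringData`), and `secretKeyRef:` instead of `configMapKeyRef:` for the `PROXY` variable in the new proxy.yaml. The `labels:` block mixes `nindent 4` for the common labels with `{{ toYaml . | indent 4 }}` for `extraLabels`; whether the first extra label ends up over-indented depends on the column of that action, which the collapsed diff does not show, so it is worth a check with `helm template` and a non-empty `nexus.extraLabels`.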
@@ -0,0 +1,52 @@ +{{- if .Values.proxy.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + creationTimestamp: null + name: proxy +spec: + template: + metadata: + creationTimestamp: null + spec: + activeDeadlineSeconds: 90 + {{- with .Values.nexus.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8}} + {{- end }} + containers: + - image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest + name: proxy + command: + - sh + args: + - -c + - | + until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available" && + BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}" + # proxy + curl -X POST \ + -u admin:"$API_CREDENTIALS" \ + "$BASE_URL/service/extdirect" \ + -H "Content-Type: application/json" \ + -d "$PROXY" && + curl -fsI -X POST http://localhost:15020/quitquitquit && + exit + env: + - name: API_CREDENTIALS + valueFrom: + secretKeyRef: + name: {{ template "nexus.name" . }}-secret + key: admin.password + - name: PROXY + valueFrom: + configMapKeyRef: + name: {{ template "nexus.name" . }}-proxy + key: proxy + resources: {} + restartPolicy: Never +status: {} +{{- end }} diff --git a/chart/templates/bigbang/saml.yaml b/chart/templates/bigbang/saml.yaml index a03b1ab..3224f3a 100644 --- a/chart/templates/bigbang/saml.yaml +++ b/chart/templates/bigbang/saml.yaml @@ -3,7 +3,8 @@ apiVersion: batch/v1 kind: Job metadata: annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed creationTimestamp: null name: saml spec: diff --git a/chart/templates/bigbang/secret.yaml b/chart/templates/bigbang/secret.yaml index 6195fea..78c07b3 100644 --- a/chart/templates/bigbang/secret.yaml 
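Review bot: The settings POST (`curl -X POST -u admin:"$API_CREDENTIALS" "$BASE_URL/service/extdirect" ...`) runs without `--fail`, so a 401 from the password mismatch the README warns about, or any 5xx, still exits 0; the sidecar is then told to quit and the Job reports success although the proxy settings were never applied — `curl -fsS -X POST \` makes the hook fail visibly. The readiness loop only waits for the Istio sidecar on localhost:15000, not for Nexus itself, so on an upgrade that restarts the Nexus pod the POST can be attempted before the service is up and the whole Job burns its 90 s `activeDeadlineSeconds` for nothing; a second loop such as `until curl -fs "$BASE_URL/service/rest/v1/status"; do sleep 10; done` before the POST would close that window. If sidecar injection is disabled for the namespace the first loop can never terminate, so the wait should be gated on whatever value the chart uses to enable Istio (not visible here). `registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest` is a mutable tag; pinning a versioned tag or digest keeps the hook image from changing underneath an existing release. The container also declares no `securityContext` (runAsNonRoot, dropped capabilities, read-only root) and `resources: {}`, which admission policy in a hardened cluster is likely to reject.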
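Review bot: `hook-failed` in the new `"helm.sh/hook-delete-policy"` removes the Job and its pod the moment it fails, so the failure mode the README documents for upgrades — an admin password rotated in the UI that no longer matches the secret — leaves no pod logs behind to diagnose, while the failed hook still marks the release as failed; `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` keeps the failed pod around until the next run replaces it. The identical annotation pair is added in the new proxy.yaml above, where the same choice applies. Adding `post-upgrade` also means this Job now runs against a Nexus that may be mid-restart; the pod spec that consumes the admin secret continues outside the hunk, so whether it waits for Nexus before calling the API cannot be judged here.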
+++ b/chart/templates/bigbang/secret.yaml @@ -1,5 +1,12 @@ {{- if .Values.secret.enabled -}} -{{- if not (lookup "v1" "Secret" "" "{{ template 'nexus.name' . }}-secret") }} + +{{- $nexusAdminPass := (include "nexus.defaultAdminPassword" . | b64enc ) }} + +{{- if .Release.IsUpgrade }} +{{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (print (include "nexus.name" .) "-secret")) }} +{{- $nexusAdminPass = (index $adminPassSecret.data "admin.password") }} +{{- end }} + apiVersion: v1 kind: Secret metadata: @@ -12,7 +19,6 @@ metadata: {{- end }} {{- end }} data: - admin.password: {{ randAlphaNum 12 | b64enc | quote }} + admin.password: {{ $nexusAdminPass }} admin.username: YWRtaW4K -{{- end}} -{{- end}} +{{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 0519dec..c1b5038 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -43,6 +43,35 @@ sso: - "nx-all" roles: - "nx-admin" +proxy: + enabled: false + request: + tid: 1 + action: coreui_HttpSettings + method: update + type: rpc + data: + - userAgentSuffix: ~ + timeout: ~ + retries: ~ + httpEnabled: false + httpHost: ~ + httpPort: ~ + httpAuthEnabled: ~ + httpAuthUsername: ~ + httpAuthPassword: ~ + httpAuthNtlmHost: ~ + httpAuthNtlmDomain: ~ + httpsEnabled: false + httpsHost: ~ + httpsPort: ~ + httpsAuthEnabled: ~ + httpsAuthUsername: ~ + httpsAuthPassword: ~ + httpsAuthNtlmHost: ~ + httpsAuthNtlmDomain: ~ + nonProxyHosts: [] + # -- End of BigBang Additions ingress: @@ -85,7 +114,7 @@ nexus: properties: override: true data: {} - # data: + # data: # nexus.licenseFile: /nexus-data/sonatype-license.override.lic # nexus.scripts.allowCreation: true # See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager 
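Review bot: On an upgrade where the `lookup` finds nothing — `helm upgrade --dry-run`, `helm template`, or a namespace where the secret was deleted — `$adminPassSecret` is an empty map, `$adminPassSecret.data` evaluates to nil, and `index` on it aborts rendering with an "index of untyped nil" error, so the release can no longer be previewed or repaired by an upgrade. Wrapping the reuse in `with` blocks keeps the fallback to the freshly generated value whenever no stored password can be found. Note that in the deleted-secret case that fallback stores a new password while the running Nexus still has the old one, which is exactly the mismatch the README warns about; a comment at the lookup saying so would help the next operator.
```yaml
{{- $nexusAdminPass := (include "nexus.defaultAdminPassword" . | b64enc ) }}

{{- if .Release.IsUpgrade }}
{{- /* reuse the stored password; an empty lookup (dry-run, template, deleted secret) falls back to the generated value above */}}
{{- with (lookup "v1" "Secret" .Release.Namespace (print (include "nexus.name" .) "-secret")) }}
{{- with (get (default dict .data) "admin.password") }}
{{- $nexusAdminPass = . }}
{{- end }}
{{- end }}
{{- end }}
# … unchanged: Secret manifest …
```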
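Review bot: `admin.password: {{ $nexusAdminPass }}` drops the `| quote` the removed line had; the value is base64 and almost always safe as a plain scalar, but quoting costs nothing and rules out an all-digit or otherwise number-looking encoding being retyped, so `admin.password: {{ $nexusAdminPass | quote }}` is the more robust form. The unchanged `admin.username: YWRtaW4K` decodes to `admin` followed by a newline (it is the output of `echo admin | base64`); the jobs on this page hard-code `admin` and do not read the key, but any consumer that does will receive the trailing newline — `YWRtaW4=` is the encoding of `admin` alone.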
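Review bot: The new `proxy.request` block is the raw Nexus RPC payload, including `httpAuthPassword` and `httpsAuthPassword`, yet it carries none of the `# --` helm-docs comments this file otherwise uses (`# -- End of BigBang Additions`); each field should get a one-line description, and the two password fields a note that they are rendered verbatim into a cluster object and belong in an encrypted values override rather than this file. `tid`, `action`, `method` and `type` appear to identify the RPC call (`coreui_HttpSettings.update`) rather than configure the proxy; a comment saying they are not user settings would stop an operator from "tidying" them. As a style point the nulls are spelled `~`; `null` is the clearer form and matches yamllint's defaults, and `userAgentSuffix`, `timeout` and `retries` would read better with their units and defaults stated.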
@@ -207,7 +236,7 @@ persistence: tolerations: [] -# # Enable configmap and add data in configmap +# # Enable configmap and add data in configmap config: enabled: false mountPath: /sonatype-nexus-conf diff --git a/docs/README.md b/docs/README.md index f734a30..5940712 100644 --- a/docs/README.md +++ b/docs/README.md @@ -28,6 +28,9 @@ on the pod. However, we are generating a random password via `randAlphaNum` and method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes secret to enable programmatic ingestion. +If you change the admin user's password via the UI you also must update the secret. Failure to do so will result +in proxy/saml job failures on subsequent upgrades. + Ensure the following is present to enable the randomized Kubernetes password: ```bash # values.yaml @@ -44,9 +47,9 @@ secret: ``` ### License -We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 +We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl` -will create a named template and generate the appropriate secret within the namespace. The chart will reference the +will create a named template and generate the appropriate secret within the namespace. The chart will reference the license via a secret volumeMount to ensure the application starts licensed. ### NXRM Dependent Packages -- GitLab