chore: remediate password generation on upgrade

purge jobs on completion

chore: remediate password generation on upgrade
purge jobs on completion
5ce0f332 · Grant Duncklee · Kavitha Thulasiraman · 0e1d65e6 · 5ce0f332 · 5ce0f332
Commit 5ce0f332 authored Jun 28, 2021 by Grant Duncklee Committed by Kavitha Thulasiraman Jun 28, 2021
7 changed files
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -55,6 +55,13 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 sonatype-license.lic: {{ .Values.license_key }}
 {{- end -}}

+{{/*
+Return Nexus default admin password
+*/}}
+{{- define "nexus.defaultAdminPassword" -}}
+{{ randAlphaNum 12 }}
+{{- end -}}
+
 {{/*
 Create the name of the service account to use
 */}}

--- a/chart/templates/bigbang/configmap-proxy.yaml
+++ b/chart/templates/bigbang/configmap-proxy.yaml
+{{- if .Values.proxy.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "nexus.name" . }}-proxy
+  labels: {{- include "nexus.labels" . | nindent 4 }}
+    {{- if .Values.nexus.extraLabels }}
+      {{- with .Values.nexus.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+  proxy: {{ .Values.proxy.request | toJson | quote }}
+{{- end }}
+
--- a/chart/templates/bigbang/proxy.yaml
+++ b/chart/templates/bigbang/proxy.yaml
+{{- if .Values.proxy.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+  creationTimestamp: null
+  name: proxy
+spec:
+  template:
+    metadata:
+      creationTimestamp: null
+    spec:
+      activeDeadlineSeconds: 90
+      {{- with .Values.nexus.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8}}
+      {{- end }}
+      containers:
+      - image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest
+        name: proxy
+        command:
+          - sh
+        args:
+          - -c
+          - |
+            until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available"  &&
+            BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}"
+            # proxy
+            curl -X POST \
+                 -u admin:"$API_CREDENTIALS" \
+                 "$BASE_URL/service/extdirect" \
+                 -H "Content-Type: application/json" \
+                 -d "$PROXY" &&
+            curl -fsI -X POST http://localhost:15020/quitquitquit &&
+            exit
+        env:
+        - name: API_CREDENTIALS
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "nexus.name" . }}-secret
+              key: admin.password
+        - name: PROXY
+          valueFrom:
+            configMapKeyRef:
+              name: {{ template "nexus.name" . }}-proxy
+              key: proxy
+        resources: {}
+      restartPolicy: Never
+status: {}
+{{- end }}
--- a/chart/templates/bigbang/saml.yaml
+++ b/chart/templates/bigbang/saml.yaml
@@ -3,7 +3,8 @@ apiVersion: batch/v1
 kind: Job
 metadata:
  annotations:
-    "helm.sh/hook": post-install
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
  creationTimestamp: null
  name: saml
 spec:

--- a/chart/templates/bigbang/secret.yaml
+++ b/chart/templates/bigbang/secret.yaml
 {{- if .Values.secret.enabled -}}
-{{- if not (lookup "v1" "Secret" "" "{{ template 'nexus.name' . }}-secret") }}
+
+{{- $nexusAdminPass := (include "nexus.defaultAdminPassword" . | b64enc ) }}
+
+{{- if .Release.IsUpgrade }}
+{{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (print (include "nexus.name" .) "-secret")) }}
+{{- $nexusAdminPass = (index $adminPassSecret.data "admin.password") }}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,7 +19,6 @@ metadata:
      {{- end }}
    {{- end }}
 data:
-  admin.password: {{ randAlphaNum 12 | b64enc | quote }}
+  admin.password: {{ $nexusAdminPass }}
  admin.username: YWRtaW4K
-{{- end}}
-{{- end}}
+{{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -43,6 +43,35 @@ sso:
      - "nx-all"
    roles:
      - "nx-admin"
+proxy:
+  enabled: false
+  request:
+    tid: 1
+    action: coreui_HttpSettings
+    method: update
+    type: rpc
+    data:
+    - userAgentSuffix: ~
+      timeout: ~
+      retries: ~
+      httpEnabled: false
+      httpHost: ~
+      httpPort: ~
+      httpAuthEnabled: ~
+      httpAuthUsername: ~
+      httpAuthPassword: ~
+      httpAuthNtlmHost: ~
+      httpAuthNtlmDomain: ~
+      httpsEnabled: false
+      httpsHost: ~
+      httpsPort: ~
+      httpsAuthEnabled: ~
+      httpsAuthUsername: ~
+      httpsAuthPassword: ~
+      httpsAuthNtlmHost: ~
+      httpsAuthNtlmDomain: ~
+      nonProxyHosts: []
+
 # -- End of BigBang Additions

 ingress:
@@ -85,7 +114,7 @@ nexus:
  properties:
    override: true
    data: {}
-    # data: 
+    # data:
    #   nexus.licenseFile: /nexus-data/sonatype-license.override.lic
    #   nexus.scripts.allowCreation: true
    #   See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager
@@ -207,7 +236,7 @@ persistence:

 tolerations: []

-# # Enable configmap and add data in configmap	
+# # Enable configmap and add data in configmap
 config:
  enabled: false
  mountPath: /sonatype-nexus-conf

--- a/docs/README.md
+++ b/docs/README.md
@@ -28,6 +28,9 @@ on the pod. However, we are generating a random password via `randAlphaNum` and
 method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes
 secret to enable programmatic ingestion.

+If you change the admin user's password via the UI you also must update the secret. Failure to do so will result
+in proxy/saml job failures on subsequent upgrades.
+
 Ensure the following is present to enable the randomized Kubernetes password:
 ```bash
 # values.yaml
@@ -44,9 +47,9 @@ secret:
 ```

 ### License
-We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 
+We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64
 encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl`
-will create a named template and generate the appropriate secret within the namespace. The chart will reference the 
+will create a named template and generate the appropriate secret within the namespace. The chart will reference the
 license via a secret volumeMount to ensure the application starts licensed.

 ### NXRM Dependent Packages