chore: remediate password generation on upgrade

purge jobs on completion

chart/templates/_helpers.tpl

@@ -55,6 +55,13 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 sonatype-license.lic: {{ .Values.license_key }}
 {{- end -}}
 
+{{/*
+Return Nexus default admin password
+*/}}
+{{- define "nexus.defaultAdminPassword" -}}
+{{ randAlphaNum 12 }}
+{{- end -}}
+
 {{/*
 Create the name of the service account to use
 */}}

chart/templates/bigbang/configmap-proxy.yaml

+{{- if .Values.proxy.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "nexus.name" . }}-proxy
+  labels: {{- include "nexus.labels" . | nindent 4 }}
+    {{- if .Values.nexus.extraLabels }}
+      {{- with .Values.nexus.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+  proxy: {{ .Values.proxy.request | toJson | quote }}
+{{- end }}
+

chart/templates/bigbang/proxy.yaml

+{{- if .Values.proxy.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+  creationTimestamp: null
+  name: proxy
+spec:
+  template:
+    metadata:
+      creationTimestamp: null
+    spec:
+      activeDeadlineSeconds: 90
+      {{- with .Values.nexus.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8}}
+      {{- end }}
+      containers:
+      - image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest
+        name: proxy
+        command:
+          - sh
+        args:
+          - -c
+          - |
+            until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available"  &&
+            BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}"
+            # proxy
+            curl -X POST \
+                 -u admin:"$API_CREDENTIALS" \
+                 "$BASE_URL/service/extdirect" \
+                 -H "Content-Type: application/json" \
+                 -d "$PROXY" &&
+            curl -fsI -X POST http://localhost:15020/quitquitquit &&
+            exit
+        env:
+        - name: API_CREDENTIALS
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "nexus.name" . }}-secret
+              key: admin.password
+        - name: PROXY
+          valueFrom:
+            configMapKeyRef:
+              name: {{ template "nexus.name" . }}-proxy
+              key: proxy
+        resources: {}
+      restartPolicy: Never
+status: {}
+{{- end }}

chart/templates/bigbang/saml.yaml

@@ -3,7 +3,8 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   annotations:
-    "helm.sh/hook": post-install
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
   creationTimestamp: null
   name: saml
 spec:

chart/templates/bigbang/secret.yaml

 {{- if .Values.secret.enabled -}}
-{{- if not (lookup "v1" "Secret" "" "{{ template 'nexus.name' . }}-secret") }}
+
+{{- $nexusAdminPass := (include "nexus.defaultAdminPassword" . | b64enc ) }}
+
+{{- if .Release.IsUpgrade }}
+{{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (print (include "nexus.name" .) "-secret")) }}
+{{- $nexusAdminPass = (index $adminPassSecret.data "admin.password") }}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,7 +19,6 @@ metadata:
       {{- end }}
     {{- end }}
 data:
-  admin.password: {{ randAlphaNum 12 | b64enc | quote }}
+  admin.password: {{ $nexusAdminPass }}
   admin.username: YWRtaW4K
-{{- end}}
-{{- end}}
+{{- end }}

chart/values.yaml

@@ -43,6 +43,35 @@ sso:
       - "nx-all"
     roles:
       - "nx-admin"
+proxy:
+  enabled: false
+  request:
+    tid: 1
+    action: coreui_HttpSettings
+    method: update
+    type: rpc
+    data:
+    - userAgentSuffix: ~
+      timeout: ~
+      retries: ~
+      httpEnabled: false
+      httpHost: ~
+      httpPort: ~
+      httpAuthEnabled: ~
+      httpAuthUsername: ~
+      httpAuthPassword: ~
+      httpAuthNtlmHost: ~
+      httpAuthNtlmDomain: ~
+      httpsEnabled: false
+      httpsHost: ~
+      httpsPort: ~
+      httpsAuthEnabled: ~
+      httpsAuthUsername: ~
+      httpsAuthPassword: ~
+      httpsAuthNtlmHost: ~
+      httpsAuthNtlmDomain: ~
+      nonProxyHosts: []
+
 # -- End of BigBang Additions
 
 ingress:

docs/README.md

@@ -28,6 +28,9 @@ on the pod. However, we are generating a random password via `randAlphaNum` and
 method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes
 secret to enable programmatic ingestion.
 
+If you change the admin user's password via the UI you also must update the secret. Failure to do so will result
+in proxy/saml job failures on subsequent upgrades.
+
 Ensure the following is present to enable the randomized Kubernetes password:
 ```bash
 # values.yaml