diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 2f04be15da8cc085f7e1e2a9924b536af005ba0e..c678ca374b9bc7d31309c3becaadbf7db4d279c9 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -43,6 +43,10 @@ spec: {{- if .Values.nexus.nodeSelector }} nodeSelector: {{ toYaml .Values.nexus.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.nexus.affinity }} + affinity: +{{ toYaml .Values.nexus.affinity | indent 8 }} {{- end }} {{- if .Values.nexus.hostAliases }} hostAliases: diff --git a/chart/values.yaml b/chart/values.yaml index 4bce23fd0e790fc198eafc351495d11788d56ab5..831ed14596d357ee6fc81ff1ada76a100f0c4689 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -80,8 +80,9 @@ nexus: # nexus.scripts.allowCreation: true # See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager # nexus.ldap.env.java.naming.security.authentication: simple - # nodeSelector: + nodeSelector: {} # cloud.google.com/gke-nodepool: default-pool + affinity: {} resources: {} # requests: ## Based on https://support.sonatype.com/hc/en-us/articles/115006448847#mem diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000000000000000000000000000000000000..f734a30d48793b489a7eaf8f8389fc34525bed3d --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,53 @@ +# Sonatype Nexus Repository Manager (NXRM) Documentation + +## Table of Contents +- [NXRM SSO Integration](docs/keycloak.md) +- [NXRM High Availability](docs/general.md#high-availability) +- [NXRM Storage](docs/general.md#storage) +- [NXRM Database](docs/general.md#database) +- [NXRM Dependent Packages](#nxrm-dependent-packages) +- [NXRM BigBang Caveats, Notes, etc.](#bigbang-additions-comments-and-important-information) + +## Iron Bank +You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus). + +## Helm +Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration) + +```bash +git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git +helm install nexus-repository-manager chart +``` +## BigBang Additions, Comments, and Important Information + +### Random Admin Password +NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The +problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are +leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password +on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This +method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes +secret to enable programmatic ingestion. + +Ensure the following is present to enable the randomized Kubernetes password: +```bash +# values.yaml +nexus: + env: + - name: NEXUS_SECURITY_RANDOMPASSWORD + key: "true" +... 
+secret: + enabled: true + mountPath: /nexus-data/admin.password + subPath: admin.password + readOnly: true +``` + +### License +We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 +encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl` +will create a named template and generate the appropriate secret within the namespace. The chart will reference the +license via a secret volumeMount to ensure the application starts licensed. + +### NXRM Dependent Packages +Nexus IQ Server requires Nexus Repository Manager.
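Review bot: the `affinity` block in chart/templates/deployment.yaml is balanced and mirrors the existing `nodeSelector` pattern (guarded by `{{- if .Values.nexus.affinity }}`, emitted with `{{ toYaml .Values.nexus.affinity | indent 8 }}`, closed by the `{{- end }}` that previously closed `nodeSelector`); since an empty map is falsy in Go templates, the new `affinity: {}` default renders nothing and existing releases are unaffected. Suggest a one-line mention in the README's High Availability section that `nexus.affinity` is the knob for spreading replicas, since that is the only place a reader would look for it.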
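Review bot: in chart/values.yaml, `affinity: {}` is added with no commented example, while `nodeSelector: {}` keeps its `# cloud.google.com/gke-nodepool: default-pool` hint; a short commented `podAntiAffinity` sketch under `affinity` would make the new setting discoverable. Nit in the surrounding context, not in this change: `ldap configuratioon` two lines above should read `configuration`.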
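Review bot: the Table of Contents links in docs/README.md are written relative to the repository root (`docs/keycloak.md`, `docs/general.md#high-availability`) but the file itself lives in `docs/`, so they resolve to `docs/docs/...`; use `keycloak.md` and `general.md#high-availability` (the in-page `#...` anchors are fine). In the Random Admin Password snippet the env entry is `- name: NEXUS_SECURITY_RANDOMPASSWORD` / `key: "true"`, but a Kubernetes container env entry takes `value`, so unless the chart template maps `key` itself this should be `value: "true"`; the fence is also tagged `bash` while the content is YAML. Since the section's point is that the admin credential becomes readable from a Kubernetes Secret instead of via `exec`, name the Secret that backs the `/nexus-data/admin.password` mount and note that access to it should be restricted. Typo: "The problem with this approach it the user" should read "is that the user".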