diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6e9f482a7f7c3e86dc8e81d263dacbbd608c2f81
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,4 @@
+include:
+ - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
+ ref: master
+ file: '/templates/package-tests.yml'
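Review bot: `ref: master` pins the shared pipeline template to a moving branch, so any push to `platform-one/big-bang/pipeline-templates/pipeline-templates` changes this project's CI without a review here; pin `ref` to a tag or commit SHA of the templates project and bump it deliberately. Also confirm that `ref:` and `file:` are indented under the `- project:` list item (the diff shows them at the same column as the dash), otherwise the `include` entry is not the mapping GitLab expects.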
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000000000000000000000000000000000000..4dc68c6ff8e4ba0e0e4e14d5025b38d958d9c3b0
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,2 @@
+# Changelog
+
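Review bot: the new `CHANGELOG.md` is empty even though this same change rebases the chart onto upstream 29.1.0 and renames it (see `chart/Chart.yaml`), and the `CONTRIBUTING.md` added alongside requires the changelog to be updated in the same commit under Keep a Changelog; add an `## [Unreleased]` or `## [29.1.0-bb.1]` entry listing the rename, the random admin password secret and the license secret.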
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000000000000000000000000000000000000..dd0eebafda65aad7b2609040a77ebf9212e2f3fc
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,22 @@
+# Contributing
+
+Thanks for contributing to this repository!
+
+This repository follows the following conventions:
+
+* [Semantic Versioning](https://semver.org/)
+* [Keep a Changelog](https://keepachangelog.com/)
+* [Conventional Commits](https://www.conventionalcommits.org/)
+
+Development requires the Kubernetes CLI tool as well as a local Kubernetes cluster. [k3d](https://k3d.io) is recommended as a lightweight local option for standing up Kubernetes clusters.
+
+To contribute a change:
+
+1. Create a branch on the cloned repository
+2. Make the changes in code.
+3. Write tests using [cypress](https://www.cypress.io) and [Conftest](https://conftest.dev)
+4. Make commits using the [Conventional Commits](https://www.conventionalcommits.org/) format. This helps with automation for changelog. Update `CHANGELOG.md` in the same commit using the [Keep a Changelog](https://keepachangelog.com). Depending on tooling maturity, this step may be automated.
+5. Open a merge request using one of the provided templates. If this merge request is solving a preexisting issue, add the issue reference into the description of the MR.
+6. During this time, ensure that all new commits are rebased into your branch so that it remains up to date with the `main` branch.
+7. Wait for a maintainer of the repository (see CODEOWNERS) to approve.
+8. If you have permissions to merge, you are responsible for merging. Otherwise, a CODEOWNER will merge the commit.
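Review bot: step 7 sends contributors to CODEOWNERS for the list of approvers, but this same change empties `chart/OWNERS` and adds no CODEOWNERS file; either name the file that actually holds the owners or add one. Minor style: steps 1 and 3 lack the terminating period the other steps have.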
diff --git a/README.md b/README.md
index ed90302a1a65617e108cf3316331e034aeaaa2a8..f734a30d48793b489a7eaf8f8389fc34525bed3d 100644
--- a/README.md
+++ b/README.md
@@ -1,18 +1,53 @@
-# Nexus
-This is a fork of the upstream Helm charts for installing Nexus Artifactor Repository Pro (i.e. Licenced Paid Version)
+# Sonatype Nexus Repository Manager (NXRM) Documentation
-## Originally sourced from upstream, and minimially modified.
-Steps performed:
-```
-kpt pkg get https://github.com/Oteemo/charts.git/charts/sonatype-nexus@sonatype-nexus-4.2.0 chart/
+## Table of Contents
+- [NXRM SSO Integration](docs/keycloak.md)
+- [NXRM High Availability](docs/general.md#high-availability)
+- [NXRM Storage](docs/general.md#storage)
+- [NXRM Database](docs/general.md#database)
+- [NXRM Dependent Packages](#nxrm-dependent-packages)
+- [NXRM BigBang Caveats, Notes, etc.](#bigbang-additions-comments-and-important-information)
+
+## Iron Bank
+You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus).
+
+## Helm
+Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration)
+
+```bash
+git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git
+helm install nexus-repository-manager chart
```
+## BigBang Additions, Comments, and Important Information
-## Upstream Changes
+### Random Admin Password
+NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The
+problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are
+leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password
+on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This
+method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes
+secret to enable programmatic ingestion.
-* TODO: no diff from upstream yet
+Ensure the following is present to enable the randomized Kubernetes password:
+```bash
+# values.yaml
+nexus:
+ env:
+ - name: NEXUS_SECURITY_RANDOMPASSWORD
+ key: "true"
+...
+secret:
+ enabled: true
+ mountPath: /nexus-data/admin.password
+ subPath: admin.password
+ readOnly: true
+```
-## Iron Bank
+### License
+We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64
+encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl`
+will create a named template and generate the appropriate secret within the namespace. The chart will reference the
+license via a secret volumeMount to ensure the application starts licensed.
-You can `pull` the registry1 images for:
-* Nexus [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus)
-* Nexus IQ Server [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus-iq-server%2Fnexus-iq-server) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus-iq-server)
+### NXRM Dependent Packages
+Nexus IQ Server requires Nexus Repository Manager.
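Review bot: in the values snippet under `### Random Admin Password`, the env entry reads `key: "true"`; a container env var needs `value: "true"` (or a `valueFrom`), so as written `NEXUS_SECURITY_RANDOMPASSWORD` never reaches the pod and the behaviour the prose describes will not happen. The fence is also tagged `bash` for YAML content; tag it `yaml`. One caveat the section should state: `randAlphaNum` is re-evaluated on every `helm upgrade`, so unless the template looks up the existing secret the value rotates on each upgrade; say whether Nexus re-reads the mounted `admin.password` after first start or whether the secret only reflects the initial password. Minor: "Please reference complete list of providable variables" reads better as "Please reference the complete list of available values".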
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index e622d06181b625115f3b0f6009f6769b4adf11de..735e91a7e3f27270e56b3bce3ad396ec1d4085d5 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,8 +1,9 @@
-apiVersion: v1
-name: sonatype-nexus
-version: 4.2.0-bb.0
-appVersion: 3.27.0
-description: Sonatype Nexus is an open source repository manager
+apiVersion: v2
+name: nexus-repository-manager
+version: 29.1.0-bb.1
+appVersion: 3.29.0
+description: Sonatype Nexus Repository Manager - Universal Binary repository
+type: application
keywords:
- artifacts
- dependency
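Review bot: renaming the chart from `sonatype-nexus` to `nexus-repository-manager` and moving to `apiVersion: v2` is a breaking change for anyone with an existing release: `helm upgrade` refuses a chart with a different name, and v2 charts require Helm 3. Record this in `CHANGELOG.md` and document the migration path (fresh install with the existing `/nexus-data` volume). Also check the `version` suffix: the first Big Bang build of upstream 29.1.0 would conventionally be `29.1.0-bb.0`, not `-bb.1`, unless a bb.0 was already published.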
@@ -10,16 +11,14 @@ keywords:
- sonatype
- nexus
- repository
+ - quickstart
+ - ci
+ - repository-manager
+ - nexus3
home: https://www.sonatype.com/nexus-repository-oss
-icon: http://www.sonatype.org/nexus/content/uploads/2015/06/Nexus-Logo.jpg
+icon: https://sonatype.github.io/helm3-charts/NexusRepo_Vertical.svg
sources:
- https://github.com/sonatype/nexus-public
- - https://github.com/travelaudience/docker-nexus
- - https://github.com/travelaudience/kubernetes-nexus
- - https://github.com/travelaudience/docker-nexus-backup
- - https://github.com/dbccompany/docker-nexus-backup
maintainers:
- - name: rjkernick
- email: rjkernick@gmail.com
- - name: tsiddique
- email: tsiddique@live.com
+ - email: support@sonatype.com
+ name: Sonatype
diff --git a/chart/OWNERS b/chart/OWNERS
index 30775e3acefd267b7058bf27da73d47e4bc976a0..274fdf33be8d05e861e3bcb633e0d12461c8835e 100644
--- a/chart/OWNERS
+++ b/chart/OWNERS
@@ -1,6 +1,2 @@
approvers:
-- rjkernick
-- tsiddique
reviewers:
-- rjkernick
-- tsiddique
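Review bot: this leaves `approvers:` and `reviewers:` as empty keys, so `chart/OWNERS` no longer names anyone; either list the Big Bang maintainers or delete the file, particularly since `CONTRIBUTING.md` in this change tells contributors to look up the owners before requesting approval.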
diff --git a/chart/README.md b/chart/README.md
deleted file mode 100644
index c1acb03ad95f6b2cc8d0e1f69d396ff5cbd56f46..0000000000000000000000000000000000000000
--- a/chart/README.md
+++ /dev/null
@@ -1,350 +0,0 @@
-# Nexus
-
-[Nexus OSS](https://www.sonatype.com/nexus-repository-oss) is a free open source repository manager. It supports a wide range of package formats and it's used by hundreds of tech companies.
-
-## Introduction
-
-This chart bootstraps a Nexus OSS deployment on a cluster using Helm.
-This setup is best configured in [GCP](https://cloud.google.com/) since:
-
-- [google cloud storage](https://cloud.google.com/storage/) is used for backups
-- [NEW: Rclone](https://rclone.org/) it uses Rclone to create backups, basically compatible with all the major clouds.
-- [GCE Ingress controller](https://github.com/kubernetes/ingress/blob/master/docs/faq/gce.md) is used for using a pre-allocated static IP in GCE.
-
-There is also the option of using a [proxy for Nexus](https://github.com/travelaudience/nexus-proxy) that authenticates Nexus against an external identity provider (only GCP IAM at the moment) which is **disabled** by default.
-
-## Prerequisites
-
-- Kubernetes 1.15+ with Beta APIs enabled
-- PV provisioner support in the underlying infrastructure
-- [Fulfill Nexus kubernetes requirements](https://github.com/travelaudience/kubernetes-nexus#pre-requisites)
-
-### With GCP IAM enabled
-
-All the [Prerequisites](#Prerequisites) should be in place, plus:
-
-- [Fulfill GCP IAM requirements](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus-proxy.md#pre-requisites)
-
-## Testing the Chart
-
-To test the chart:
-
-```bash
-helm install --dry-run --debug ./
-```
-
-To test the chart with your own values:
-
-```bash
-helm install --dry-run --debug -f my_values.yaml ./
-```
-
-## Installing the Chart
-
-To install the chart:
-
-```bash
-helm repo add oteemocharts https://oteemo.github.io/charts
-helm install sonatype-nexus oteemocharts/sonatype-nexus
-```
-
-The above command deploys Nexus on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
-
-The default login is admin/admin123
-
-## Uninstalling the Chart
-
-To uninstall/delete the deployment:
-
-```bash
-$ helm list
-NAME REVISION UPDATED STATUS CHART NAMESPACE
-plinking-gopher 1 Fri Sep 1 13:19:50 2017 DEPLOYED sonatype-nexus-0.1.0 default
-$ helm delete plinking-gopher
-```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Official Nexus image vs TravelAudience
-
-There are known issues with backups on the official image. If you want to swap in the official image, just override the values when installing the chart. Please note that backups will not work as expected with the official image.
-
-- [https://issues.sonatype.org/browse/NEXUS-23442](https://issues.sonatype.org/browse/NEXUS-23442)
-- [https://github.com/travelaudience/docker-nexus](https://github.com/travelaudience/docker-nexus)
-
-## Configuration
-
-The following table lists the configurable parameters of the Nexus chart and their default values.
-
-| Parameter | Description | Default |
-| ------------------------------------------------------------ | ---------------------------------- | ----------------------------------------|
-| `namespaceOverride` | Override for namespace | `nil` |
-| `statefulset.enabled` | Use statefulset instead of deployment | `false` |
-| `replicaCount` | Number of Nexus service replicas | `1` |
-| `deploymentStrategy` | Deployment Strategy | `rollingUpdate` |
-| `initAdminPassword.enabled` | Enable initialization of admin password on Helm install | `false` |
-| `initAdminPassword.defaultPasswordOverride` | Override the default admin password | `nil` |
-| `initAdminPassword.password` | Admin password to be set | `admin321` |
-| `nexus.imageName` | Nexus image | `quay.io/travelaudience/docker-nexus` |
-| `nexus.imageTag` | Version of Nexus | `3.25.1` |
-| `nexus.imagePullPolicy` | Nexus image pull policy | `IfNotPresent` |
-| `nexus.imagePullSecret` | Secret to download Nexus image from private registry | `nil` |
-| `nexus.env` | Nexus environment variables | `[{install4jAddVmParams: -Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap}]` |
-| `nexus.resources` | Nexus resource requests and limits | `{}` |
-| `nexus.dockerPort` | Port to access docker | `5003` |
-| `nexus.nexusPort` | Internal port for Nexus service | `8081` |
-| `nexus.additionalPorts` | expose additional ports | `[]` |
-| `nexus.service.type` | Service for Nexus | `NodePort` |
-| `nexus.service.clusterIp` | Specific cluster IP when service type is cluster IP. Use None for headless service |`nil` |
-| `nexus.service.loadBalancerIP` | Custom loadBalancerIP |`nil` |
-| `nexus.securityContextEnabled` | Security Context (for enabling official image use `fsGroup: 200`) | `{}` |
-| `nexus.labels` | Service labels | `{}` |
-| `nexus.podAnnotations` | Pod Annotations | `{}`
-| `nexus.livenessProbe.initialDelaySeconds` | LivenessProbe initial delay | 30 |
-| `nexus.livenessProbe.periodSeconds` | Seconds between polls | 30 |
-| `nexus.livenessProbe.failureThreshold` | Number of attempts before failure | 6 |
-| `nexus.livenessProbe.timeoutSeconds` | Time in seconds after liveness probe times out | `nil` |
-| `nexus.livenessProbe.path` | Path for LivenessProbe | / |
-| `nexus.readinessProbe.initialDelaySeconds` | ReadinessProbe initial delay | 30 |
-| `nexus.readinessProbe.periodSeconds` | Seconds between polls | 30 |
-| `nexus.readinessProbe.failureThreshold` | Number of attempts before failure | 6 |
-| `nexus.readinessProbe.timeoutSeconds` | Time in seconds after readiness probe times out | `nil` |
-| `nexus.readinessProbe.path` | Path for ReadinessProbe | / |
-| `nexus.hostAliases` | Aliases for IPs in /etc/hosts | [] |
-| `nexus.context` | Non-root path to run Nexus at | `nil` |
-| `nexus.chownNexusData` | Set false to not execute chown to the mounted nexus-data directory at startup | `true` |
-| `nexusProxy.enabled` | Enable nexus proxy | `true` |
-| `nexusProxy.svcName` | Nexus proxy service name | `nil` |
-| `nexusProxy.targetPort` | Container Port for Nexus proxy | `8080` |
-| `nexusProxy.port` | Port for exposing Nexus | `8080` |
-| `nexusProxy.imageName` | Proxy image | `quay.io/travelaudience/docker-nexus-proxy` |
-| `nexusProxy.imageTag` | Proxy image version | `2.6.0` |
-| `nexusProxy.imagePullPolicy` | Proxy image pull policy | `IfNotPresent` |
-| `nexusProxy.resources` | Proxy resource requests and limits | `{}` |
-| `nexusProxy.env.nexusHttpHost` | Nexus url to access Nexus | `nil` |
-| `nexusProxy.env.nexusDockerHost` | Containers url to be used with docker | `nil` |
-| `nexusProxy.env.enforceHttps` | Allow only https access or not | `false` |
-| `nexusProxy.env.cloudIamAuthEnabled` | Enable GCP IAM authentication in Nexus proxy | `false` |
-| `nexusProxyRoute.enabled` | Set to true to create route for additional service | `false` |
-| `nexusProxyRoute.labels` | Labels to be added to proxy route | `{}` |
-| `nexusProxyRoute.annotations` | Annotations to be added to proxy route | `{}` |
-| `nexusProxyRoute.path` | Host name of Route e.g jenkins.example.com | nil |
-| `persistence.enabled` | Create a volume for storage | `true` |
-| `persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
-| `persistence.storageClass` | Storage class of Nexus PVC | `nil` |
-| `persistence.storageSize` | Size of Nexus data volume | `8Gi` |
-| `persistence.annotations` | Persistent Volume annotations | `{}` |
-| `persistence.existingClaim` | Existing PVC name | `nil` |
-| `nexusBackup.enabled` | Nexus backup process | `false` |
-| `nexusBackup.imageName` | Nexus backup image | `dbcc/docker-nexus-backup` |
-| `nexusBackup.imageTag` | Nexus backup image version | `0.0.1` |
-| `nexusBackup.imagePullPolicy` | Backup image pull policy | `IfNotPresent` |
-| `nexusBackup.env.rcloneRemote` | Required if `nexusBackup` is enabled. Name of the Rclone remote as defined in the `rcloneConfig` entry. Example: `AWS` | `nil` |
-| `nexusBackup.env.targetBucket` | Required if `nexusBackup` is enabled. Name of the target bucket or bucket/path. Example: `my_bucket` or `my_bucket/my_folder` | `nil` |
-| `nexusBackup.env.streamingUploadCutoff` | Size of the data chunks to send to the Rclone remote, this value affects the maximum size of the backup file to upload. | `"5000000"` |
-| `nexusBackup.env.nexusAuthorization` | If set, `nexusBackup.nexusAdminPassword` will be disregarded. | `nil` |
-| `nexusBackup.env.offlineRepos` | Space separated list of repositories must be taken down to achieve a consistent backup. | `"maven-central maven-public maven-releases maven-snapshots"` |
-| `nexusBackup.env.gracePeriod` | The amount of time in seconds to wait between stopping repositories and starting the upload. | `60` |
-| `nexusBackup.nexusAdminPassword` | Nexus admin password used by the backup container to access Nexus API. This password should match the one that gets chosen by the user to replace the default admin password after the first login | `admin123` |
-| `nexusBackup.persistence.enabled` | Create a volume for backing Nexus configuration | `true` |
-| `nexusBackup.persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
-| `nexusBackup.persistence.storageClass` | Storage class of Nexus backup PVC | `nil` |
-| `nexusBackup.persistence.storageSize` | Size of Nexus backup data volume | `8Gi` |
-| `nexusBackup.persistence.annotations` | PV annotations for backup | `{}` |
-| `nexusBackup.persistence.existingClaim` | Existing PVC name for backup | `nil` |
-| `nexusBackup.resources` | Backup resource requests and limits | `{}` |
-| `nexusBackup.rcloneConfig.rclone.conf` | Rclone remote configuration, can be generated using the `rclone config` command, or using docker: `docker run -it --rm rclone/rclone config` | `[AWS]`
`type = s3`
`provider = AWS`
`env_auth = true`
`region = us-east-1`
`acl = authenticated-read` |
-| `nexusCloudiam.enabled` | Nexus Cloud IAM service account key path | `false` |
-| `nexusCloudiam.persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
-| `nexusCloudiam.persistence.annotations` | PV annotations for Cloud IAM service account key path | `{}` |
-| `nexusCloudiam.persistence.enabled` | Create a volume for Cloud IAM service account key path | `true` |
-| `nexusCloudiam.persistence.existingClaim` | Existing PVC name for Cloud IAM service account key path | `nil` |
-| `nexusCloudiam.persistence.storageClass` | Storage class of Cloud IAM service account path PVC | `nil` |
-| `nexusCloudiam.persistence.storageSize` | Size of Cloud IAM service account path volume | `8Gi` |
-| `ingress.enabled` | Create an ingress for Nexus | `false` |
-| `ingress.annotations` | Annotations to enhance ingress configuration | `{}` |
-| `ingress.tls.enabled` | Enable TLS | `true` |
-| `ingress.tls.secretName` | Name of the secret storing TLS cert, `false` to use the Ingress' default certificate | `nexus-tls` |
-| `ingress.path` | Path for ingress rules. GCP users should set to `/*` | `/` |
-| `ingressDocker.enabled` | Create an ingress for Docker registry | `false` |
-| `ingressDocker.annotations` | Annotations to enhance docker ingress configuration | `{}` |
-| `ingressDocker.tls.enabled` | Enable TLS | `true` |
-| `ingressDocker.tls.secretName` | Name of the secret storing TLS cert, `false` to use the Ingress' default certificate | `nexus-tls` |
-| `ingressDocker.path` | Path for docker ingress rules. GCP users should set to `/*` | `/` |
-| `tolerations` | tolerations list | `[]` |
-| `config.enabled` | Enable configmap | `false` |
-| `config.mountPath` | Path to mount the config | `/sonatype-nexus-conf` |
-| `config.data` | Configmap data | `nil` |
-| `deployment.annotations` | Annotations to enhance deployment configuration | `{}` |
-| `deployment.initContainers` | Init containers to run before main containers | `nil` |
-| `deployment.postStart.command` | Command to run after starting the nexus container | `nil` |
-| `deployment.additionalContainers` | Add additional Container | `nil` |
-| `deployment.additionalVolumes` | Add additional Volumes | `nil` |
-| `deployment.additionalVolumeMounts` | Add additional Volume mounts | `nil` |
-| `secret.enabled` | Enable secret | `false` |
-| `secret.mountPath` | Path to mount the secret | `/etc/secret-volume` |
-| `secret.readOnly` | Secret readonly state | `true` |
-| `secret.data` | Secret data to add to secret. If nil then expects that a secret by name of `${.Values.nameOverride}-secret` or `${.Chart.Name}-secret` exists | `nil` |
-| `service.enabled` | Enable additional service | `nil` |
-| `service.name` | Service name | `nil` |
-| `service.portName` | Service port name | `nil` |
-| `service.labels` | Service labels | `nil` |
-| `service.annotations` | Service annotations | `nil` |
-| `service.loadBalancerSourceRanges` | Service LoadBalancer source IP whitelist | `nil` |
-| `service.loadBalancerIP` | Custom loadBalancerIP |`nil` |
-| `service.targetPort` | Service port | `nil` |
-| `service.port` | Port for exposing service | `nil` |
-| `serviceAccount.create` | Automatically create a service account | `true` |
-| `serviceAccount.name` | Service account to use | `nil` |
-| `serviceAccount.annotations` | Service account annotations | `nil` |
-| `rbac.create` | Creates a ClusterRoleBinding attached to the Service account. | `false` |
-| `rbac.roleRef` | ClusterRoleBinding field `roleRef` content. See examples [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example). | `nil` |
-| `rbac.annotations` | ClusterRoleBinding annotations. | `nil` |
-| `route.enabled` | Set to true to create route for additional service | `false` |
-| `route.name` | Name of route | `docker` |
-| `route.portName` | Target port name of service | `docker` |
-| `route.labels` | Labels to be added to route | `{}` |
-| `route.annotations` | Annotations to be added to route | `{}` |
-| `route.path` | Host name of Route e.g jenkins.example.com | nil |
-| `additionalConfigMaps` | List of ConfigMap data containing Name, Data and Labels | nil |
-
-If `nexusProxy.env.cloudIamAuthEnabled` is set to `true` the following variables need to be configured
-
-| Parameter | Description | Default |
-| ----------------------------- | ---------------------------------- | ---------------------------------------------------- |
-| `nexusProxy.env.clientId` | GCP OAuth client ID | `nil` |
-| `nexusProxy.env.clientSecret` | GCP OAuth client Secret | `nil` |
-| `nexusProxy.env.organizationId` | GCP organization ID | `nil` |
-| `nexusProxy.env.redirectUrl` | OAuth callback url. example `https://nexus.example.com/oauth/callback` | `nil` |
-| `nexusProxy.env.requiredMembershipVerification` | Whether users presenting valid JWT tokens must still be verified for membership within the GCP organization. | `true` |
-| `nexusProxy.secrets.keystore` | base-64 encoded value of the keystore file needed for the proxy to sign user tokens. Example: cat keystore.jceks | base64 | `nil` |
-| `nexusProxy.secrets.password` | Password to the Java Keystore file | `nil` |
-
-```bash
-helm install --set persistence.enabled=false my-release stable/sonatype-nexus
-```
-
-The above example turns off the persistence. Data will not be kept between restarts or deployments
-
-Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
-
-```bash
-helm install -f my-values.yaml sonatype-nexus stable/sonatype-nexus
-```
-
-### Persistence
-
-By default a PersistentVolumeClaim is created and mounted into the `/nexus-data` directory. In order to disable this functionality
-you can change the `values.yaml` to disable persistence which will use an `emptyDir` instead.
-
-> *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."*
-
-You must enable StatefulSet (`statefulset.enabled=true`) for true data persistence. If using Deployment approach, you can not recover data after restart or delete of helm chart. Statefulset will make sure that it picks up the same old volume which was used by the previous life of the nexus pod, helping you recover your data. When enabling statefulset, its required to enable the persistence.
-
-### Recommended settings
-
-As a minimum for running in production, the following settings are advised:
-
-```yaml
-nexusProxy:
- env:
- nexusDockerHost: container.example.com
- nexusHttpHost: nexus.example.com
-
-nexusBackup:
- env:
- targetBucket: "gs://my-nexus-backup"
- persistence:
- storageClass: standard
-
-ingress:
- enabled: true
- annotations:
- kubernetes.io/ingress.class: gce
- kubernetes.io/tls-acme: true
-
-persistence:
- storageClass: standard
- storageSize: 1024Gi
-
-resources:
- requests:
- cpu: 250m
- # Based on https://support.sonatype.com/hc/en-us/articles/115006448847#mem
- # and https://twitter.com/analytically/status/894592422382063616:
- # Xms == Xmx
- # Xmx <= 4G
- # MaxDirectMemory >= 2G
- # Xmx + MaxDirectMemory <= RAM * 2/3 (hence the request for 4800Mi)
- # MaxRAMFraction=1 is not being set as it would allow the heap
- # to use all the available memory.
- memory: 4800Mi
-```
-
-### Using GCP Storage for Backup
-
-Irrespective of whether Nexus is deployed to Google's GKE, or to some other k8s installation, it is possible to configure the [nexus-backup](https://github.com/travelaudience/docker-nexus-backup) container to backup to GCP Cloud Storage.
-This makes for a cost effective solution for backups.
-
-To enable, add the following key to the values file:
-
-```yaml
-nexusCloudiam:
- enabled: true
-```
-
-You should also deploy Nexus as a stateful app, rather than a deployment.
-That means also adding:
-
-```yaml
-statefulset:
- enabled: true
-```
-
-Deploying the chart now will result in a new PV and PVC within the pod that runs the containers.
-
-Create a service account with privileges to upload to your GCP bucket, and creaet a key for this service account.
-Download that service account key as a file, call it `service-account-key.json`.
-
-This file now needs to be made available to the pod running in k8s, and should be called `/nexus-data/cloudiam/service-account-key.json`.
-How this is done will depend upon the storage class used for the PV.
-
-Confirm that the service account file is available to the pod, using:
-
- kubectl exec --stdin --tty \
- --container nexus-backup \
- sonatype-nexus-0 \
- -- find /nexus-data/cloudiam -type f
-
-You might need to scale the deployment to zero and back up to pick up the changes:
-
- kubectl scale --replicas=0 statefulset.apps/sonatype-nexus
- kubectl scale --replicas=1 statefulset.apps/sonatype-nexus
-
-
-## After Installing the Chart
-
-After installing the chart a couple of actions need still to be done in order to use nexus. Please follow the instructions below.
-
-### Nexus Configuration
-
-The following steps need to be executed in order to use Nexus:
-
-- [Configure Nexus](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus.md)
-- [Configure Backups](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus.md#configure-backup)
-
-and if GCP IAM authentication is enabled, please also check:
-
-- [Enable GCP IAM authentication in Nexus](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus-proxy.md#enable-gcp-iam-auth)
-
-### Nexus Usage
-
-To see how to use Nexus with different tools like Docker, Maven, Python, and so on please check:
-
-- [Nexus Usage](https://github.com/travelaudience/kubernetes-nexus#usage)
-
-### Disaster Recovery
-
-In a disaster recovery scenario, the latest backup made by the nexus-backup container should be restored. In order to achieve this please follow the procedure described below:
-
-- [Restore Backups](https://github.com/travelaudience/kubernetes-nexus#restore)
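Review bot: deleting `chart/README.md` removes the only locally maintained parameter table; the top-level README now links to the upstream Sonatype table, which covers upstream values but not this fork's additions such as the `secret.subPath` mount used in the random password example or `license_key`. Add a short table of the values this fork adds or changes so the `secret.enabled`/`secret.mountPath`/`secret.readOnly` semantics deleted here stay documented.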
diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
index 30a5af82ed9d1a22f7e150ebdd8c95704756b7f1..026bdc74c549d51101f7fb6ebb0c1276fad7110d 100644
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -1,35 +1,20 @@
-- To access Nexus:
-
- NOTE: It may take a few minutes for the ingress load balancer to become available or the backends to become HEALTHY.
- You can watch the status of the backends by running:
- `kubectl get ingress -o jsonpath='{.items[*].metadata.annotations.ingress\.kubernetes\.io/backends}'`
-
- To access Nexus you can check:
- {{- if .Values.nexusProxy.env.enforceHttps }}
- https://{{ .Values.nexusProxy.env.nexusHttpHost }}
- {{- else }}
- http://{{ .Values.nexusProxy.env.nexusHttpHost }}
- {{- end }}
-
-- Login with the following credentials
-
- username: admin
- {{- if .Values.initAdminPassword.enabled }}
- password: {{ .Values.initAdminPassword.password }}
- {{- else }}
- password: {{ .Values.nexusBackup.nexusAdminPassword }}
- {{- end }}
-
-{{- if .Values.initAdminPassword.enabled }}
-- Change Your password after the first login
-
- {{- if .Values.nexusBackup.enabled }}
- Once you login you should change your admin password to match the value of `nexusBackup.env.nexusAdminPassword`
- This is important for security reasons and also because backup container needs this password set for admin user
- to access Nexus API to run backups.
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $.Values.ingress.hostRepo }}{{ . }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $.Values.ingress.hostDocker }}{{ . }}
+{{- else if contains "NodePort" .Values.service.serviceType }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "nexus.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.serviceType }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "nexus.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "nexus.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ {{- range $index, $port := .Values.service.ports }}
+ echo http://$SERVICE_IP:{{ $port }}
{{- end }}
+{{- else if contains "ClusterIP" .Values.service.serviceType }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "nexus.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8081:80
{{- end }}
-- Next steps in configuration
-
- Please follow the link below to the README for nexus configuration, usage, backups and DR info:
- https://github.com/Oteemo/charts/tree/master/charts/sonatype-nexus#after-installing-the-chart
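Review bot: in the `ingress.enabled` branch, the `{{ . }}` appended to both URLs is evaluated with `.` as the root context (there is no enclosing `range`), so it renders the whole context object rather than a path; drop it or iterate over the ingress path value. In the `ClusterIP` branch, `kubectl port-forward $POD_NAME 8081:80` targets container port 80 while Nexus listens on 8081 (the deleted README documents `nexus.nexusPort` as 8081), and the preceding `echo` omits the port; `8081:8081` and `http://127.0.0.1:8081` look intended. Minor: "You can watch the status of by running" is missing its object.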
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index a05d2b8b1e4f1fce453a6bdf75e3888be75b895e..0a209ed85520338aab7cea1d06d3e66527c4ec3d 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -25,36 +25,43 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{/*
-Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+Create chart name and version as used by the chart label.
*/}}
-{{- define "nexus.namespace" -}}
- {{- if .Values.namespaceOverride -}}
- {{- .Values.namespaceOverride -}}
- {{- else -}}
- {{- .Release.Namespace -}}
- {{- end -}}
+{{- define "nexus.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
-Create a default fully qualified name for proxy keystore secret.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+Common labels
*/}}
-{{- define "nexus.proxy-ks.name" -}}
-{{- printf "%s-%s" (include "nexus.fullname" .) "proxy-ks" | trunc 63 | trimSuffix "-" -}}
+{{- define "nexus.labels" -}}
+helm.sh/chart: {{ include "nexus.chart" . }}
+{{ include "nexus.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
-{{/* Manage the labels for each entity */}}
-{{- define "nexus.labels" -}}
-app: {{ template "nexus.name" . }}
-fullname: {{ template "nexus.fullname" . }}
-chart: {{ .Chart.Name }}
-release: {{ .Release.Name }}
-heritage: {{ .Release.Service }}
+{{/*
+Selector labels
+*/}}
+{{- define "nexus.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "nexus.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "nexus.licenseKey" -}}
+sonatype-license.lic: {{ .Values.license_key }}
{{- end -}}
{{/*
-Create a fully qualified name for docker ingress.
+Create the name of the service account to use
*/}}
-{{- define "nexus.ingres.docker" -}}
-{{- printf "%s-%s" (include "nexus.fullname" .) "docker" | trunc 63 | trimSuffix "-" -}}
+{{- define "nexus.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "nexus.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
{{- end -}}
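Review bot: `nexus.licenseKey` renders `sonatype-license.lic: {{ .Values.license_key }}` and license.yaml places that under a Secret's `data:` key, where the API server requires base64; nothing encodes the value or documents that `license_key` must already be base64, so either pipe it through `b64enc` here or have license.yaml use `stringData:`. The new define is also the only one in this file without a `{{/* ... */}}` doc comment. Separately, dropping `nexus.namespace` removes the `namespaceOverride` behaviour; any template outside this diff that still calls `template "nexus.namespace"` will fail to render, so grep for it before merging.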
diff --git a/chart/templates/adtl-configmap.yaml b/chart/templates/adtl-configmap.yaml
deleted file mode 100644
index 5023b8ebcf7e2c172b7b43aa9d4746014fdac6ad..0000000000000000000000000000000000000000
--- a/chart/templates/adtl-configmap.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{ $root := . }}
-{{- if .Values.additionalConfigMaps }}
-{{- range $cm := .Values.additionalConfigMaps }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ $cm.name }}
- namespace: {{ template "nexus.namespace" $root }}
- labels:
-{{ include "nexus.labels" $root | indent 4 }}
-{{- if $.Values.nexus.labels }}
-{{ toYaml $.Values.nexus.labels | indent 4 }}
-{{- end }}
-{{- if $cm.labels }}
-{{ toYaml $cm.labels | indent 4 }}
-{{- end }}
-data:
-{{ toYaml $cm.data | indent 2 }}
-{{- end }}
-{{- end }}
-
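Review bot: deleting this template silently drops the `additionalConfigMaps` value; `CHANGELOG.md` is created empty in this same MR, so record the removed values (`additionalConfigMaps`, plus the `nexusBackup`, `nexusCloudiam` and `rbac` keys whose templates are deleted further down) under a Removed heading so upgraders know why their values are now ignored.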
diff --git a/chart/templates/backup-pv.yaml b/chart/templates/backup-pv.yaml
deleted file mode 100644
index fd3187f9d93273f376449aca0890ea714a5664ed..0000000000000000000000000000000000000000
--- a/chart/templates/backup-pv.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if and .Values.nexusBackup.enabled (not .Values.statefulset.enabled) }}
-{{- if .Values.nexusBackup.persistence.pdName -}}
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: {{ .Values.nexusBackup.persistence.pdName }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-spec:
- capacity:
- storage: {{ .Values.nexusBackup.persistence.storageSize }}
- accessModes:
- - ReadWriteOnce
- claimRef:
- name: {{ template "nexus.fullname" . }}-backup
- namespace: {{ .Release.Namespace }}
- gcePersistentDisk:
- pdName: {{ .Values.nexusBackup.persistence.pdName }}
- fsType: {{ .Values.nexusBackup.persistence.fsType }}
-{{- end }}
-{{- end }}
diff --git a/chart/templates/backup-pvc.yaml b/chart/templates/backup-pvc.yaml
deleted file mode 100644
index da99ec207043232000a055a20915b7ba7da5caac..0000000000000000000000000000000000000000
--- a/chart/templates/backup-pvc.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if and .Values.nexusBackup.enabled (not .Values.statefulset.enabled) }}
-{{- if and .Values.nexusBackup.persistence.enabled (not .Values.nexusBackup.persistence.existingClaim) }}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ template "nexus.fullname" . }}-backup
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.nexusBackup.persistence.annotations }}
- annotations:
-{{ toYaml .Values.nexusBackup.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
- accessModes:
- - {{ .Values.nexusBackup.persistence.accessMode }}
- resources:
- requests:
- storage: {{ .Values.nexusBackup.persistence.storageSize | quote }}
-{{- if .Values.nexusBackup.persistence.storageClass }}
-{{- if (eq "-" .Values.nexusBackup.persistence.storageClass) }}
- storageClassName: ""
-{{- else }}
- storageClassName: "{{ .Values.nexusBackup.persistence.storageClass }}"
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/chart/templates/backup-secret.yaml b/chart/templates/backup-secret.yaml
deleted file mode 100644
index 5ac4b130d5a944e57be5559a13a456ae0e3590a1..0000000000000000000000000000000000000000
--- a/chart/templates/backup-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if and .Values.nexusBackup.enabled (not .Values.nexusBackup.env.nexusAuthorization) }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "nexus.fullname" . }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-type: Opaque
-data:
- nexus.nexusAdminPassword: {{ printf "%s%s" "Basic " (printf "%s%s" "admin:" .Values.nexusBackup.nexusAdminPassword | b64enc) | cat | b64enc | quote }}
-{{- end }}
diff --git a/chart/templates/bigbang/configmap-sso.yaml b/chart/templates/bigbang/configmap-sso.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6230c5c4ed5e71e97b23ec6ce14bdd8da2eeb397
--- /dev/null
+++ b/chart/templates/bigbang/configmap-sso.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.sso.enabled .Values.license_key -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "nexus.name" . }}-sso
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+data:
+ idp-metadata: {{ .Values.sso.idp_data | toJson | quote }}
+ #realm: {{ .Values.sso.realm | quote }}
+ realm: '[{{ join "\",\"" .Values.sso.realm | printf "\"%s\""}}]'
+ role: {{ .Values.sso.role | toJson | quote }}
+{{- end }}
+
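Review bot: the `realm` entry hand-assembles a JSON array with `join "\",\"" ... | printf "\"%s\""`, which breaks on any realm name containing a quote or backslash and renders an empty list as `[""]` instead of `[]`; the `idp-metadata` and `role` entries already use `toJson | quote`, so render realm the same way: `realm: {{ .Values.sso.realm | toJson | quote }}`. Drop the commented-out `#realm: {{ .Values.sso.realm | quote }}` line as well; the template engine still evaluates the action inside it, and a dead alternative in a ConfigMap misleads the next reader.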
diff --git a/chart/templates/bigbang/license.yaml b/chart/templates/bigbang/license.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ffab010074af14591a804beb050bae6177987e63
--- /dev/null
+++ b/chart/templates/bigbang/license.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.license_key }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "nexus.name" . }}-license
+ labels:
+{{ include "nexus.labels" . | indent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+data:
+{{ include "nexus.licenseKey" . | indent 2 }}
+{{- end -}}
\ No newline at end of file
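Review bot: the Secret is named `{{ template "nexus.name" . }}-license`, that is by chart name, while deployment.yaml, servicemonitor.yaml and virtualservice.yaml name their resources with `nexus.fullname`; two releases of this chart in one namespace would collide on this Secret, and the mix makes it hard to tell which objects belong to which release. The same `nexus.name` naming is used by secret.yaml, configmap-sso.yaml and configmap-properties.yaml in this MR, so pick `nexus.fullname` throughout. Minor: `{{- end -}}` at the end plus the missing trailing newline means the last `---` document separator gets trimmed if this file is ever concatenated, so end the file with a newline.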
diff --git a/chart/templates/bigbang/saml.yaml b/chart/templates/bigbang/saml.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a03b1aba200742dfa71fec1a2df4cda1b3c91855
--- /dev/null
+++ b/chart/templates/bigbang/saml.yaml
@@ -0,0 +1,76 @@
+{{- if and .Values.sso.enabled .Values.secret.enabled .Values.license_key }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ "helm.sh/hook": post-install
+ creationTimestamp: null
+ name: saml
+spec:
+ template:
+ metadata:
+ creationTimestamp: null
+ spec:
+ activeDeadlineSeconds: 90
+ {{- with .Values.nexus.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8}}
+ {{- end }}
+ containers:
+ - image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest
+ name: saml
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available" &&
+ BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}"
+ # saml metadata
+ curl -X PUT \
+ -u admin:"$API_CREDENTIALS" \
+ "$BASE_URL/service/rest/v1/security/saml" \
+ -H "accept: application/json" \
+ -H "Content-Type: application/json" \
+ -d "$IDP_DATA" &&
+ # realm configuration
+ curl -X PUT \
+ -u admin:"$API_CREDENTIALS" \
+ "$BASE_URL/service/rest/v1/security/realms/active" \
+ -H "accept: application/json" \
+ -H "Content-Type: application/json" \
+ -d "$REALM" &&
+ # role creation
+ curl -X POST \
+ -u admin:"$API_CREDENTIALS" \
+ "$BASE_URL/service/rest/v1/security/roles" \
+ -H "accept: application/json" \
+ -H "Content-Type: application/json" \
+ -d "$ROLE" &&
+ curl -fsI -X POST http://localhost:15020/quitquitquit &&
+ exit
+ env:
+ - name: API_CREDENTIALS
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "nexus.name" . }}-secret
+ key: admin.password
+ - name: IDP_DATA
+ valueFrom:
+ configMapKeyRef:
+ name: {{ template "nexus.name" . }}-sso
+ key: idp-metadata
+ - name: REALM
+ valueFrom:
+ configMapKeyRef:
+ name: {{ template "nexus.name" . }}-sso
+ key: realm
+ - name: ROLE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ template "nexus.name" . }}-sso
+ key: role
+ resources: {}
+ restartPolicy: Never
+status: {}
+{{- end }}
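Review bot: none of the three `curl -X PUT` / `curl -X POST` calls pass `--fail`, so a 401 from a wrong admin password or a 400 from malformed IDP metadata still exits 0, the `&&` chain continues, and the post-install hook reports success with SAML never configured; add `-f` (and `-sS`) to each call so the Job fails loudly, as the final `curl -fsI` already does. Also `-u admin:"$API_CREDENTIALS"` puts the admin password into the process argv, readable from `/proc/<pid>/cmdline` by anything sharing the pod's PID namespace for the duration of each request; feed it via `--netrc-file` or a `-K` config file written from the env var instead. Minor: `ubi8-minimal:latest` is a mutable tag and should be pinned, `Waiting for Sidercar` is a typo, and `creationTimestamp: null` / `status: {}` are `kubectl` scaffold residue that can go.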
diff --git a/chart/templates/bigbang/secret.yaml b/chart/templates/bigbang/secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6195feafe4afd32bad8e19f3ea673f5deb6b8734
--- /dev/null
+++ b/chart/templates/bigbang/secret.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.secret.enabled -}}
+{{- if not (lookup "v1" "Secret" "" "{{ template 'nexus.name' . }}-secret") }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "nexus.name" . }}-secret
+ labels:
+{{ include "nexus.labels" . | indent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+data:
+ admin.password: {{ randAlphaNum 12 | b64enc | quote }}
+ admin.username: YWRtaW4K
+{{- end}}
+{{- end}}
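Review bot: the `lookup` guard on the second line of the hunk can never match: its name argument is a quoted string literal, and Helm does not re-render `{{ template 'nexus.name' . }}` inside a string, so it searches for a Secret literally named `{{ template 'nexus.name' . }}-secret`, with `""` as the namespace rather than `.Release.Namespace`, and always gets nothing. The branch therefore renders on every `helm upgrade` and `randAlphaNum 12` rotates `admin.password` each time, which is the opposite of what the guard intends; pass `(printf "%s-secret" (include "nexus.name" .))` and `.Release.Namespace` instead. Also `admin.username: YWRtaW4K` decodes to `admin` followed by a newline (`YWRtaW4=` is `admin`), so any consumer that compares the string or puts it in a header will carry the trailing newline.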
diff --git a/chart/templates/bigbang/servicemonitor.yaml b/chart/templates/bigbang/servicemonitor.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6fae080d504eac3fe98d2cc3b5db3ac14068df8b
--- /dev/null
+++ b/chart/templates/bigbang/servicemonitor.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.monitoring.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "nexus.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: monitoring
+spec:
+ selector:
+ matchLabels:
+ name: {{ include "nexus.fullname" . }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ endpoints:
+ - interval: 30s
+ path: /service/metrics/prometheus
+ port: nexus-ui
+ scheme: http
+ basicAuth:
+ password:
+ name: {{ template "nexus.name" . }}-secret
+ key: admin.password
+ username:
+ name: {{ template "nexus.name" . }}-secret
+ key: admin.user
+ jobLabel: {{ template "nexus.fullname" . }}-metrics
+{{- end }}
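Review bot: `basicAuth.username` references key `admin.user`, but the Secret created in secret.yaml only has `admin.username` and `admin.password`, so Prometheus cannot resolve the credential and the scrape target stays down; rename one side. That Secret is also only created when `secret.enabled` is true while this ServiceMonitor is gated on `monitoring.enabled` alone, so the condition should include `.Values.secret.enabled` or the reference dangles. Two more things to confirm: `matchLabels: name: {{ include "nexus.fullname" . }}` selects on a `name` label that neither `nexus.labels` nor `nexus.selectorLabels` emit, so the Service (not in this diff) must set it explicitly or no endpoints are matched; and `release: monitoring` hardcodes the Prometheus operator's release label, which belongs in values.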
diff --git a/chart/templates/bigbang/virtualservice.yaml b/chart/templates/bigbang/virtualservice.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..46c31b16f3d8d9110e04e497c87f6780d94a285f
--- /dev/null
+++ b/chart/templates/bigbang/virtualservice.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.istio.enabled -}}
+{{- $serviceName := include "nexus.fullname" . -}}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: {{ template "nexus.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "nexus.name" . }}
+ helm.sh/chart: {{ include "nexus.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: nexus-repository-manager
+ app.kubernetes.io/component: {{ include "nexus.name" . }}
+spec:
+ gateways:
+ {{- range .Values.istio.nexus.gateways }}
+ - {{ . }}
+ {{- end }}
+ hosts:
+ - "{{ .Values.hostname }}.{{ .Values.domain }}"
+ http:
+ - route:
+ - destination:
+ port:
+ number: {{ .Values.nexus.nexusPort }}
+ host: {{ $serviceName }}
+{{- end }}
+{{- $fullName := include "nexus.fullname" . -}}
+{{ if .Values.nexus.docker.enabled }}
+{{ range $registry := .Values.nexus.docker.registries }}
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ gateways:
+ {{- range $.Values.istio.nexus.gateways }}
+ - {{ . }}
+ {{- end }}
+ hosts:
+ - {{ $registry.host | quote }}
+ http:
+ - route:
+ - destination:
+ port:
+ number: {{ $registry.port }}
+ host: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }}
+{{- end }}
+{{- end }}
+
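Review bot: the `{{- end }}` after the first VirtualService closes `{{- if .Values.istio.enabled -}}`, so the docker-registry VirtualServices that follow are rendered whenever `nexus.docker.enabled` is true even with Istio disabled, and the install then fails on a cluster without the `networking.istio.io` CRDs; move that `{{- end }}` to after the docker block, or guard the block with `{{ if and .Values.istio.enabled .Values.nexus.docker.enabled }}`. The docker VirtualServices also carry no `labels:` block, unlike the first one, and the first one spells out a label list that `nexus.labels` already produces, so `{{- include "nexus.labels" . | nindent 4 }}` would cover both.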
diff --git a/chart/templates/cloudiam-pv.yaml b/chart/templates/cloudiam-pv.yaml
deleted file mode 100644
index 045690a356259ee0b825cd706883fe857ab6243a..0000000000000000000000000000000000000000
--- a/chart/templates/cloudiam-pv.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if and .Values.nexusCloudiam.enabled (not .Values.statefulset.enabled) }}
-{{- if .Values.nexusCloudiam.persistence.pdName -}}
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: {{ .Values.nexusCloudiam.persistence.pdName }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-spec:
- capacity:
- storage: {{ .Values.nexusCloudiam.persistence.storageSize }}
- accessModes:
- - ReadWriteOnce
- claimRef:
- name: {{ template "nexus.fullname" . }}-cloudiam
- namespace: {{ .Release.Namespace }}
- gcePersistentDisk:
- pdName: {{ .Values.nexusCloudiam.persistence.pdName }}
- fsType: {{ .Values.nexusCloudiam.persistence.fsType }}
-{{- end }}
-{{- end }}
diff --git a/chart/templates/cloudiam-pvc.yaml b/chart/templates/cloudiam-pvc.yaml
deleted file mode 100644
index aab8dd936aac2cfccc6c1b36c01ab533c817a38a..0000000000000000000000000000000000000000
--- a/chart/templates/cloudiam-pvc.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if and .Values.nexusCloudiam.enabled (not .Values.statefulset.enabled) }}
-{{- if and .Values.nexusCloudiam.persistence.enabled (not .Values.nexusCloudiam.persistence.existingClaim) }}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ template "nexus.fullname" . }}-cloudiam
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.nexusCloudiam.persistence.annotations }}
- annotations:
-{{ toYaml .Values.nexusCloudiam.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
- accessModes:
- - {{ .Values.nexusCloudiam.persistence.accessMode }}
- resources:
- requests:
- storage: {{ .Values.nexusCloudiam.persistence.storageSize | quote }}
-{{- if .Values.nexusCloudiam.persistence.storageClass }}
-{{- if (eq "-" .Values.nexusCloudiam.persistence.storageClass) }}
- storageClassName: ""
-{{- else }}
- storageClassName: "{{ .Values.nexusCloudiam.persistence.storageClass }}"
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/chart/templates/clusterrolebinding.yaml b/chart/templates/clusterrolebinding.yaml
deleted file mode 100644
index bad0a804fc113cb762477e254771e90c759fb7c1..0000000000000000000000000000000000000000
--- a/chart/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "nexus.fullname" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-{{- with .Values.rbac.annotations }}
- annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-roleRef:
-{{- with .Values.rbac.roleRef }}
-{{ toYaml . | indent 2 }}
-{{- end }}
-subjects:
-- kind: ServiceAccount
- {{- if .Values.serviceAccount.name }}
- name: {{ .Values.serviceAccount.name }}
- {{- else }}
- name: {{ template "nexus.fullname" . }}
- {{- end }}
- namespace: {{ template "nexus.namespace" . }}
-{{- end -}}
\ No newline at end of file
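Review bot: removing the ClusterRoleBinding that bound the chart's ServiceAccount to an arbitrary, values-supplied `rbac.roleRef` is a least-privilege improvement, and none of the new templates in this diff call the Kubernetes API from inside the pod; the `nexus.serviceAccountName` helper still resolves a ServiceAccount, so make sure values.yaml and the README no longer advertise `rbac.create` / `rbac.roleRef` / `rbac.annotations`.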
diff --git a/chart/templates/configmap-properties.yaml b/chart/templates/configmap-properties.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..78cf7fbfa1b6e23efd540df52118d9d512f95df9
--- /dev/null
+++ b/chart/templates/configmap-properties.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.nexus.properties.override -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "nexus.name" . }}-properties
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+data:
+ nexus.properties: |
+ {{- $data := dict -}}
+ {{- $licenseDict := dict -}}
+ {{- if .Values.license_key -}}
+ {{- $_ := set $licenseDict "nexus.licenseFile" .Values.license.mountPath -}}
+ {{- end -}}
+ {{- $data := mergeOverwrite $licenseDict .Values.nexus.properties.data -}}
+ {{- range $k, $v := $data }}
+ {{ $k }}={{ $v }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
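Review bot: the license branch reads `.Values.license.mountPath` while every other template in this MR keys on `.Values.license_key`; if values.yaml has no `license:` map, rendering fails with a nil pointer evaluating `.mountPath` precisely when a license is supplied, so move the path under a consistent key or default it with `default` to the path at which the Deployment mounts the license Secret. The first `{{- $data := dict -}}` is dead, since `$data` is reassigned by the `mergeOverwrite` line, and `mergeOverwrite $licenseDict .Values.nexus.properties.data` should guard a nil `data` with `default dict`. Note also that `mergeOverwrite` mutates `$licenseDict` in place, which is fine here but worth a comment.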
diff --git a/chart/templates/configmap.yaml b/chart/templates/configmap.yaml
index 05abc30c86d16d848ca71443ae4a74242bc4c373..55418b146d9792589eddd0e6a1c193971b347383 100644
--- a/chart/templates/configmap.yaml
+++ b/chart/templates/configmap.yaml
@@ -3,12 +3,13 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "nexus.name" . }}-conf
- namespace: {{ template "nexus.namespace" . }}
labels:
{{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.nexus.labels }}
-{{ toYaml .Values.nexus.labels | indent 4 }}
-{{- end }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
data:
{{ toYaml .Values.config.data | indent 2 }}
{{- end }}
\ No newline at end of file
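Review bot: unless the line carrying `{{ toYaml . | indent 4 }}` starts in column 1, its own leading whitespace is emitted before the first label because the preceding `{{- with ... }}` only trims on its left, so the first key of `extraLabels` lands at a deeper indentation than the remaining keys and the YAML is invalid as soon as two or more labels are set; `{{- toYaml . | nindent 4 }}` makes the indentation independent of the template's layout. The `{{- if .Values.nexus.extraLabels }}` wrapper around `{{- with .Values.nexus.extraLabels }}` is redundant, since `with` already skips empty values. The same pattern is repeated in configmap-sso.yaml, license.yaml, secret.yaml, configmap-properties.yaml and deployment.yaml in this MR.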
diff --git a/chart/templates/deployment-statefulset.yaml b/chart/templates/deployment-statefulset.yaml
deleted file mode 100644
index 28e7c71227d2e3854824b59b22dbcdcc62baef15..0000000000000000000000000000000000000000
--- a/chart/templates/deployment-statefulset.yaml
+++ /dev/null
@@ -1,408 +0,0 @@
-{{- if .Values.statefulset.enabled }}
-apiVersion: apps/v1
-kind: StatefulSet
-{{- else }}
-apiVersion: apps/v1
-kind: Deployment
-{{- end }}
-metadata:
- name: {{ template "nexus.fullname" . }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.nexus.labels }}
-{{ toYaml .Values.nexus.labels | indent 4 }}
-{{- end }}
-{{- if .Values.deployment.annotations }}
- annotations:
-{{ toYaml .Values.deployment.annotations | indent 4 }}
-{{- end }}
-spec:
- replicas: {{ .Values.replicaCount }}
- {{- if .Values.statefulset.enabled }}
- {{- if .Values.nexusProxy.svcName }}
- serviceName: {{ .Values.nexusProxy.svcName }}
- {{- else }}
- serviceName: {{ template "nexus.fullname" . }}
- {{- end }}
- {{- end }}
- {{- if .Values.deploymentStrategy }}
- strategy:
-{{ toYaml .Values.deploymentStrategy | indent 4 }}
- {{- end }}
- selector:
- matchLabels:
- app: {{ template "nexus.name" . }}
- release: {{ .Release.Name }}
- template:
- metadata:
- {{- if .Values.nexus.podAnnotations }}
- annotations:
-{{ toYaml .Values.nexus.podAnnotations | indent 8}}
- {{- end }}
- labels:
- app: {{ template "nexus.name" . }}
- release: {{ .Release.Name }}
- spec:
- {{- if .Values.deployment.initContainers }}
- initContainers:
-{{ toYaml .Values.deployment.initContainers | indent 6 }}
- {{- end }}
- {{- if .Values.nexus.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nexus.nodeSelector | indent 8 }}
- {{- end }}
- {{- if .Values.nexus.hostAliases }}
- hostAliases:
-{{ toYaml .Values.nexus.hostAliases | indent 8 }}
- {{- end }}
- {{- if .Values.nexus.imagePullSecret }}
- imagePullSecrets:
- - name: {{ .Values.nexus.imagePullSecret }}
- {{- end }}
- {{- if .Values.serviceAccount.name }}
- serviceAccountName: {{ .Values.serviceAccount.name | quote }}
- {{- else if .Values.serviceAccount.create }}
- serviceAccountName: {{ template "nexus.fullname" . }}
- {{- end }}
- {{- if .Values.nexus.priorityClassName }}
- priorityClassName: {{ .Values.nexus.priorityClassName }}
- {{- end }}
- containers:
- - name: nexus
- image: {{ .Values.nexus.imageName }}:{{ .Values.nexus.imageTag }}
- imagePullPolicy: {{ .Values.nexus.imagePullPolicy }}
- {{- if .Values.deployment.postStart.command }}
- lifecycle:
- postStart:
- exec:
- command: {{ .Values.deployment.postStart.command }}
- {{- end }}
- env:
-{{ toYaml .Values.nexus.env | indent 12 }}
- - name: NEXUS_DATA_CHOWN
- value: {{ .Values.nexus.chownNexusData | quote }}
-{{- if .Values.nexus.context }}
- - name: NEXUS_CONTEXT
- value: {{ .Values.nexus.context }}
-{{- end }}
-
- resources:
-{{ toYaml .Values.nexus.resources | indent 12 }}
- ports:
- - containerPort: {{ .Values.nexus.dockerPort }}
- name: nexus-docker-g
- - containerPort: {{ .Values.nexus.nexusPort }}
- name: nexus-http
- {{- with .Values.nexus.additionalPorts }}
-{{ toYaml . | indent 12 }}
- {{- end }}
- livenessProbe:
- httpGet:
- path: {{ .Values.nexus.livenessProbe.path }}
- port: {{ .Values.nexus.nexusPort }}
- initialDelaySeconds: {{ .Values.nexus.livenessProbe.initialDelaySeconds }}
- periodSeconds: {{ .Values.nexus.livenessProbe.periodSeconds }}
- failureThreshold: {{ .Values.nexus.livenessProbe.failureThreshold }}
- {{- if .Values.nexus.livenessProbe.timeoutSeconds }}
- timeoutSeconds: {{ .Values.nexus.livenessProbe.timeoutSeconds }}
- {{- end }}
- readinessProbe:
- httpGet:
- path: {{ .Values.nexus.readinessProbe.path }}
- port: {{ .Values.nexus.nexusPort }}
- initialDelaySeconds: {{ .Values.nexus.readinessProbe.initialDelaySeconds }}
- periodSeconds: {{ .Values.nexus.readinessProbe.periodSeconds }}
- failureThreshold: {{ .Values.nexus.readinessProbe.failureThreshold }}
- {{- if .Values.nexus.readinessProbe.timeoutSeconds }}
- timeoutSeconds: {{ .Values.nexus.readinessProbe.timeoutSeconds }}
- {{- end }}
- volumeMounts:
- - mountPath: /nexus-data
- name: {{ template "nexus.fullname" . }}-data
- {{- if .Values.nexusBackup.enabled }}
- - mountPath: /nexus-data/backup
- name: {{ template "nexus.fullname" . }}-backup
- {{- end }}
- {{- if .Values.nexusCloudiam.enabled }}
- - mountPath: /nexus-data/cloudiam
- name: {{ template "nexus.fullname" . }}-cloudiam
- {{- end }}
- {{- if .Values.config.enabled }}
- - mountPath: {{ .Values.config.mountPath }}
- name: {{ template "nexus.name" . }}-conf
- {{- end }}
- {{- if .Values.secret.enabled }}
- - mountPath: {{ .Values.secret.mountPath }}
- name: {{ template "nexus.name" . }}-secret
- readOnly: {{ .Values.secret.readOnly }}
- {{- end }}
- {{- if .Values.deployment.additionalVolumeMounts}}
-{{ toYaml .Values.deployment.additionalVolumeMounts | indent 12 }}
- {{- end }}
- {{- if .Values.nexusProxy.enabled }}
- - name: nexus-proxy
- image: {{ .Values.nexusProxy.imageName }}:{{ .Values.nexusProxy.imageTag }}
- resources:
-{{ toYaml .Values.nexusProxy.resources | indent 12 }}
- imagePullPolicy: {{ .Values.nexusProxy.imagePullPolicy }}
- env:
- - name: ALLOWED_USER_AGENTS_ON_ROOT_REGEX
- value: {{ default "GoogleHC" .Values.nexusProxy.env.allowedUserAgentsOnRootRegex | quote }}
- - name: CLOUD_IAM_AUTH_ENABLED
- value: {{ .Values.nexusProxy.env.cloudIamAuthEnabled | quote }}
- - name: BIND_PORT
- value: {{ .Values.nexusProxy.targetPort | quote }}
- - name: ENFORCE_HTTPS
- value: {{ .Values.nexusProxy.env.enforceHttps | quote }}
- - name: NEXUS_DOCKER_HOST
- value: {{ .Values.nexusProxy.env.nexusDockerHost | quote }}
- - name: NEXUS_HTTP_HOST
- value: {{ .Values.nexusProxy.env.nexusHttpHost | quote }}
- - name: UPSTREAM_DOCKER_PORT
- value: {{ .Values.nexus.dockerPort | quote }}
- - name: UPSTREAM_HTTP_PORT
- value: {{ .Values.nexus.nexusPort | quote }}
- - name: UPSTREAM_HOST
- value: "localhost"
- {{- if .Values.nexusProxy.env.cloudIamAuthEnabled }}
- - name: NEXUS_RUT_HEADER
- value: "X-Forwarded-User"
- - name: CLIENT_ID
- value: {{ .Values.nexusProxy.env.clientId | quote }}
- - name: CLIENT_SECRET
- value: {{ .Values.nexusProxy.env.clientSecret | quote }}
- - name: ORGANIZATION_ID
- value: {{ .Values.nexusProxy.env.organizationId | quote }}
- - name: REDIRECT_URL
- value: {{ .Values.nexusProxy.env.redirectUrl | quote }}
- - name: KEYSTORE_PASS
- valueFrom:
- secretKeyRef:
- name: {{ template "nexus.proxy-ks.name" . }}
- key: password
- - name: KEYSTORE_PATH
- value: "/nexus-proxy-ks/keystore"
- - name: AUTH_CACHE_TTL
- value: "60000"
- - name: SESSION_TTL
- value: "86400000"
- - name: JWT_REQUIRES_MEMBERSHIP_VERIFICATION
- value: {{ .Values.nexusProxy.env.requiredMembershipVerification | quote }}
- {{- end }}
- ports:
- - containerPort: {{ .Values.nexusProxy.targetPort }}
- name: nexus-proxy
- {{- if .Values.nexusProxy.env.cloudIamAuthEnabled }}
- volumeMounts:
- - mountPath: /nexus-proxy-ks
- name: {{ template "nexus.proxy-ks.name" . }}
- readOnly: true
- {{- end }}
- {{- end }}
- {{- if .Values.nexusBackup.enabled }}
- - name: nexus-backup
- image: {{ .Values.nexusBackup.imageName }}:{{ .Values.nexusBackup.imageTag }}
- imagePullPolicy: {{ .Values.nexusBackup.imagePullPolicy }}
- resources:
-{{ toYaml .Values.nexusBackup.resources | indent 12 }}
- env:
- - name: NEXUS_AUTHORIZATION
- {{- if not .Values.nexusBackup.env.nexusAuthorization }}
- valueFrom:
- secretKeyRef:
- key: nexus.nexusAdminPassword
- name: {{ template "nexus.fullname" . }}
- {{- else }}
- value: {{ .Values.nexusBackup.env.nexusAuthorization | quote }}
- {{- end }}
- - name: NEXUS_BACKUP_DIRECTORY
- value: /nexus-data/backup
- - name: NEXUS_DATA_DIRECTORY
- value: /nexus-data
- - name: NEXUS_LOCAL_HOST_PORT
- value: "localhost:{{ .Values.nexus.nexusPort }}"
- - name: OFFLINE_REPOS
- value: {{ .Values.nexusBackup.env.offlineRepos | quote }}
- - name: TARGET_BUCKET
- value: {{ .Values.nexusBackup.env.targetBucket | quote }}
- - name: GRACE_PERIOD
- value: {{ .Values.nexusBackup.env.gracePeriod | quote }}
- - name: TRIGGER_FILE
- value: .backup
- - name: RCLONE_REMOTE
- value: {{ .Values.nexusBackup.env.rcloneRemote | quote }}
- - name: STREAMING_UPLOAD_CUTOFF
- value: {{ .Values.nexusBackup.env.streamingUploadCutoff | default "5000000" | quote }}
- {{- if .Values.nexusCloudiam.enabled }}
- - name: CLOUD_IAM_SERVICE_ACCOUNT_KEY_PATH
- value: /nexus-data/cloudiam/service-account-key.json
- {{- end }}
- volumeMounts:
- - mountPath: /nexus-data
- name: {{ template "nexus.fullname" . }}-data
- - mountPath: /nexus-data/backup
- name: {{ template "nexus.fullname" . }}-backup
- {{- if .Values.nexusCloudiam.enabled }}
- - mountPath: /nexus-data/cloudiam
- name: {{ template "nexus.fullname" . }}-cloudiam
- {{- end }}
- - mountPath: /root/.config/rclone
- name: {{ template "nexus.fullname" . }}-rclone-config
- {{- end }}
- {{- if .Values.deployment.additionalContainers }}
-{{ toYaml .Values.deployment.additionalContainers | indent 8 }}
- {{- end }}
- {{- if .Values.nexus.securityContextEnabled }}
- securityContext:
-{{ toYaml .Values.nexus.securityContext | indent 8 }}
- {{- end }}
- volumes:
- {{- if .Values.nexusBackup.enabled }}
- - name: {{ template "nexus.fullname" . }}-rclone-config
- secret:
- secretName: {{ template "nexus.name" . }}-rclone-config-secret
- {{- end }}
- {{- if .Values.nexusProxy.env.cloudIamAuthEnabled }}
- - name: {{ template "nexus.proxy-ks.name" . }}
- secret:
- secretName: {{ template "nexus.proxy-ks.name" . }}
- {{- end }}
-
- {{- if .Values.statefulset.enabled }}
- {{- if not .Values.persistence.enabled }}
- - name: {{ template "nexus.fullname" . }}-data
- emptyDir: {}
- {{- end }}
- {{- if and .Values.nexusBackup.enabled (not .Values.nexusBackup.persistence.enabled) }}
- - name: {{ template "nexus.fullname" . }}-backup
- emptyDir: {}
- {{- end }}
- {{- if and .Values.nexusCloudiam.enabled (not .Values.nexusCloudiam.persistence.enabled) }}
- - name: {{ template "nexus.fullname" . }}-cloudiam
- emptyDir: {}
- {{- end }}
- {{- else }}
- - name: {{ template "nexus.fullname" . }}-data
- {{- if .Values.persistence.enabled }}
- persistentVolumeClaim:
- claimName: {{ .Values.persistence.existingClaim | default (printf "%s-%s" (include "nexus.fullname" .) "data") }}
- {{- else }}
- emptyDir: {}
- {{- end }}
- {{- if .Values.nexusBackup.enabled }}
- - name: {{ template "nexus.fullname" . }}-backup
- {{- if and .Values.nexusBackup.persistence.enabled .Values.nexusBackup.enabled }}
- persistentVolumeClaim:
- claimName: {{ .Values.nexusBackup.persistence.existingClaim | default (printf "%s-%s" (include "nexus.fullname" .) "backup") }}
- {{- else }}
- emptyDir: {}
- {{- end }}
- {{- end }}
- {{- if .Values.nexusCloudiam.enabled }}
- - name: {{ template "nexus.fullname" . }}-cloudiam
- {{- if and .Values.nexusCloudiam.persistence.enabled .Values.nexusCloudiam.enabled }}
- persistentVolumeClaim:
- claimName: {{ .Values.nexusCloudiam.persistence.existingClaim | default (printf "%s-%s" (include "nexus.fullname" .) "cloudiam") }}
- {{- else }}
- emptyDir: {}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- if .Values.config.enabled }}
- - name: {{ template "nexus.name" . }}-conf
- configMap:
- name: {{ template "nexus.name" . }}-conf
- {{- end }}
- {{- if .Values.secret.enabled }}
- - name: {{ template "nexus.name" . }}-secret
- secret:
- secretName: {{ template "nexus.name" . }}-secret
- {{- end }}
- {{- if .Values.deployment.additionalVolumes }}
-{{ toYaml .Values.deployment.additionalVolumes | indent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
-{{ toYaml . | indent 8 }}
- {{- end }}
-
-
-## create pvc in case of statefulsets
- {{- if .Values.statefulset.enabled }}
- volumeClaimTemplates:
- {{- if .Values.persistence.enabled }}
- - metadata:
- name: {{ template "nexus.fullname" . }}-data
- labels:
-{{ include "nexus.labels" . | indent 10 }}
- {{- if .Values.persistence.annotations }}
- annotations:
-{{ toYaml .Values.persistence.annotations | indent 10 }}
- {{- end }}
- spec:
- accessModes:
- - {{ .Values.persistence.accessMode | quote }}
- resources:
- requests:
- storage: {{ .Values.persistence.storageSize | quote }}
- {{- if .Values.persistence.storageClass }}
- {{- if (eq "-" .Values.persistence.storageClass) }}
- storageClassName: ""
- {{- else }}
- storageClassName: "{{ .Values.persistence.storageClass }}"
- {{- end }}
- {{- end }}
- {{- end }}
-
- {{- if .Values.nexusBackup.persistence.enabled }}
- - metadata:
- name: {{ template "nexus.fullname" . }}-backup
- labels:
-{{ include "nexus.labels" . | indent 10 }}
- {{- if .Values.nexusBackup.persistence.annotations }}
- annotations:
-{{ toYaml .Values.nexusBackup.persistence.annotations | indent 10 }}
- {{- end }}
- spec:
- accessModes:
- - {{ .Values.nexusBackup.persistence.accessMode }}
- resources:
- requests:
- storage: {{ .Values.nexusBackup.persistence.storageSize | quote }}
- {{- if .Values.nexusBackup.persistence.storageClass }}
- {{- if (eq "-" .Values.nexusBackup.persistence.storageClass) }}
- storageClassName: ""
- {{- else }}
- storageClassName: "{{ .Values.nexusBackup.persistence.storageClass }}"
- {{- end }}
- {{- end }}
- {{- end }}
- {{- if .Values.nexusCloudiam.persistence.enabled }}
- - metadata:
- name: {{ template "nexus.fullname" . }}-cloudiam
- labels:
-{{ include "nexus.labels" . | indent 10 }}
- {{- if .Values.nexusCloudiam.persistence.annotations }}
- annotations:
-{{ toYaml .Values.nexusCloudiam.persistence.annotations | indent 10 }}
- {{- end }}
- spec:
- accessModes:
- - {{ .Values.nexusCloudiam.persistence.accessMode }}
- resources:
- requests:
- storage: {{ .Values.nexusCloudiam.persistence.storageSize | quote }}
- {{- if .Values.nexusCloudiam.persistence.storageClass }}
- {{- if (eq "-" .Values.nexusCloudiam.persistence.storageClass) }}
- storageClassName: ""
- {{- else }}
- storageClassName: "{{ .Values.nexusCloudiam.persistence.storageClass }}"
- {{- end }}
- {{- end }}
- {{- end }}
- {{- end }}
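Review bot: this deletion drops the StatefulSet mode with its `volumeClaimTemplates`, the nexus-proxy container and the nexus-backup sidecar in one go; existing installs that set `statefulset.enabled` have their data in a PVC created from the `{{ template "nexus.fullname" . }}-data` template, which the new deployment.yaml will not adopt on its own, so the CHANGELOG and README need a migration note describing how to retain that PVC and re-attach it under the new chart. On the positive side, the proxy's `CLIENT_SECRET` was rendered straight from `.Values.nexusProxy.env.clientSecret` as a plaintext `value:`, so removing it also removes a secret that lived in values files and in the rendered manifest.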
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c678ca374b9bc7d31309c3becaadbf7db4d279c9
--- /dev/null
+++ b/chart/templates/deployment.yaml
@@ -0,0 +1,188 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "nexus.fullname" . }}
+ labels:
+{{ include "nexus.labels" . | indent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+{{- if .Values.deployment.annotations }}
+ annotations:
+{{ toYaml .Values.deployment.annotations | indent 4 }}
+{{- end }}
+spec:
+ replicas: 1
+ strategy:
+ type: {{ .Values.deploymentStrategy }}
+ selector:
+ matchLabels:
+ {{- include "nexus.selectorLabels" . | nindent 6 }}
+ {{- if .Values.nexus.extraSelectorLabels }}
+ {{- with .Values.nexus.extraSelectorLabels }}
+ {{ toYaml . | indent 6 }}
+ {{- end }}
+ {{- end }}
+ template:
+ metadata:
+ annotations:
+ checksum/configmap-properties: {{ include (print .Template.BasePath "/configmap-properties.yaml") $ | sha256sum }}
+ {{- if .Values.nexus.podAnnotations }}
+{{ toYaml .Values.nexus.podAnnotations | indent 8}}
+ {{- end }}
+ labels:
+ {{- include "nexus.selectorLabels" . | nindent 8 }}
+ spec:
+ serviceAccountName: {{ include "nexus.serviceAccountName" . }}
+ {{- if .Values.deployment.initContainers }}
+ initContainers:
+{{ toYaml .Values.deployment.initContainers | indent 6 }}
+ {{- end }}
+ {{- if .Values.nexus.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nexus.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.nexus.affinity }}
+ affinity:
+{{ toYaml .Values.nexus.affinity | indent 8 }}
+ {{- end }}
+ {{- if .Values.nexus.hostAliases }}
+ hostAliases:
+{{ toYaml .Values.nexus.hostAliases | indent 8 }}
+ {{- end }}
+ {{- with .Values.nexus.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8}}
+ {{- end }}
+ {{- if .Values.deployment.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+
+ lifecycle:
+ {{- if .Values.deployment.postStart.command }}
+ postStart:
+ exec:
+ command: {{ .Values.deployment.postStart.command }}
+ {{- end }}
+ env:
+{{ toYaml .Values.nexus.env | indent 12 }}
+ envFrom:
+{{ toYaml .Values.nexus.envFrom | indent 12 }}
+ resources:
+{{ toYaml .Values.nexus.resources | indent 12 }}
+ ports:
+ - name: nexus-ui
+ containerPort: {{ .Values.nexus.nexusPort }}
+ {{- if .Values.nexus.docker.enabled }}
+ {{- range .Values.nexus.docker.registries }}
+ - name: docker-{{ .port }}
+ containerPort: {{ .port }}
+ {{- end }}
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.nexus.livenessProbe.path }}
+ port: {{ .Values.nexus.nexusPort }}
+ initialDelaySeconds: {{ .Values.nexus.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.nexus.livenessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.nexus.livenessProbe.failureThreshold }}
+ {{- if .Values.nexus.livenessProbe.timeoutSeconds }}
+ timeoutSeconds: {{ .Values.nexus.livenessProbe.timeoutSeconds }}
+ {{- end }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.nexus.readinessProbe.path }}
+ port: {{ .Values.nexus.nexusPort }}
+ initialDelaySeconds: {{ .Values.nexus.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.nexus.readinessProbe.periodSeconds }}
+ failureThreshold: {{ .Values.nexus.readinessProbe.failureThreshold }}
+ {{- if .Values.nexus.readinessProbe.timeoutSeconds }}
+ timeoutSeconds: {{ .Values.nexus.readinessProbe.timeoutSeconds }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /nexus-data
+ name: {{ template "nexus.name" . }}-data
+ - mountPath: /nexus-data/etc
+ name: {{ template "nexus.name" . }}-data
+ {{- if .Values.license_key }}
+ - mountPath: {{ .Values.license.mountPath }}
+ name: {{ template "nexus.name" . }}-license
+ subPath: {{ .Values.license.subPath }}
+ {{- end }}
+ {{- if .Values.config.enabled }}
+ - mountPath: {{ .Values.config.mountPath }}
+ name: {{ template "nexus.name" . }}-conf
+ {{- end }}
+ {{- if .Values.nexus.properties.override }}
+ - mountPath: /nexus-data/etc/nexus.properties
+ name: {{ template "nexus.name" . }}-properties
+ subPath: nexus.properties
+ {{- end }}
+ {{- if .Values.secret.enabled }}
+ - mountPath: {{ .Values.secret.mountPath }}
+ name: {{ template "nexus.name" . }}-secret
+ subPath: {{ .Values.secret.subPath }}
+ readOnly: {{ .Values.secret.readOnly }}
+ {{- end }}
+ {{- if .Values.deployment.additionalVolumeMounts}}
+{{ toYaml .Values.deployment.additionalVolumeMounts | indent 12 }}
+ {{- end }}
+ {{- if .Values.deployment.additionalContainers }}
+{{ toYaml .Values.deployment.additionalContainers | indent 8 }}
+ {{- end }}
+ {{- if .Values.nexus.securityContext }}
+ securityContext:
+{{ toYaml .Values.nexus.securityContext | indent 8 }}
+ {{- end }}
+ volumes:
+ - name: {{ template "nexus.name" . }}-data
+ {{- if .Values.persistence.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ .Values.persistence.existingClaim | default (printf "%s-%s" (include "nexus.fullname" .) "data") }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ {{- if .Values.license_key }}
+ - name: nexus-repository-manager-license
+ secret:
+ secretName: {{ template "nexus.name" . }}-license
+ items:
+ - key: sonatype-license.lic
+ path: sonatype-license.lic
+ {{- end }}
+ {{- if .Values.config.enabled }}
+ - name: {{ template "nexus.name" . }}-conf
+ configMap:
+ name: {{ template "nexus.name" . }}-conf
+ {{- end }}
+ {{- if .Values.nexus.properties.override }}
+ - name: {{ template "nexus.name" . }}-properties
+ configMap:
+ name: {{ template "nexus.name" . }}-properties
+ items:
+ - key: nexus.properties
+ path: nexus.properties
+ {{- end }}
+ {{- if .Values.secret.enabled }}
+ - name: {{ template "nexus.name" . }}-secret
+ secret:
+ secretName: {{ template "nexus.name" . }}-secret
+ items:
+ - key: admin.password
+ path: admin.password
+ {{- end }}
+ {{- if .Values.deployment.additionalVolumes }}
+{{ toYaml .Values.deployment.additionalVolumes | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
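Review bot: the license volume wiring is inconsistent: the mount uses `name: {{ template "nexus.name" . }}-license`, but the volume is declared with the literal `- name: nexus-repository-manager-license`; the two only coincide while `nexus.name` happens to render as `nexus-repository-manager`, and with `nameOverride` set the pod spec is rejected for referencing an undeclared volume. Use the same template expression in both places. Two smaller points: the container-level `securityContext:` is filled from top-level `.Values.securityContext` while the pod-level block near the end reads `.Values.nexus.securityContext`, so values.yaml needs to define both (the container one is where `runAsNonRoot`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` belong, matching the PodSecurityPolicy added in this MR); and the `{{ template "nexus.name" . }}-data` volume is mounted at both `/nexus-data` and `/nexus-data/etc` without a `subPath`, so the second mount is redundant.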
diff --git a/chart/templates/ingress-docker.yaml b/chart/templates/ingress-docker.yaml
deleted file mode 100644
index 5dd79717c108712991c58cffa4e635e327ca6383..0000000000000000000000000000000000000000
--- a/chart/templates/ingress-docker.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-{{- if .Values.ingressDocker.enabled }}
-apiVersion: {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} networking.k8s.io/v1beta1 {{- else }} extensions/v1beta1 {{- end }}
-kind: Ingress
-metadata:
- name: {{ template "nexus.ingres.docker" . }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
- {{- range $key, $value := .Values.ingressDocker.labels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- annotations:
- {{- range $key, $value := .Values.ingressDocker.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-spec:
- rules:
- {{- if .Values.nexusProxy.env.nexusDockerHost }}
- - host: {{ .Values.nexusProxy.env.nexusDockerHost }}
- http:
- paths:
- - backend:
- {{- if .Values.nexusProxy.svcName }}
- serviceName: {{ .Values.nexusProxy.svcName }}
- {{- else }}
- serviceName: {{ template "nexus.fullname" . }}
- {{- end }}
- {{- if .Values.nexusProxy.enabled }}
- servicePort: {{ .Values.nexusProxy.port }}
- {{- else }}
- servicePort: {{ .Values.nexus.dockerPort }}
- {{- end }}
- path: {{ .Values.ingress.path }}
- {{- end }}
- {{- with .Values.ingressDocker.rules }}
- {{- toYaml . | nindent 4 }}
- {{- end -}}
-{{- if .Values.ingress.tls.enabled }}
- tls:
- - hosts:
- {{- if .Values.nexusProxy.env.nexusDockerHost }}
- - {{ .Values.nexusProxy.env.nexusDockerHost }}
- {{- end }}
- {{- if .Values.ingressDocker.tls.secretName }}
- secretName: {{ .Values.ingressDocker.tls.secretName | quote }}
- {{- end }}
-{{- end -}}
-{{- end }}
diff --git a/chart/templates/ingress.yaml b/chart/templates/ingress.yaml
index 9f508030ed03ce9c79014a92abe0069e342cd483..2711a21c88431019933f086af1757339e0c1e08c 100644
--- a/chart/templates/ingress.yaml
+++ b/chart/templates/ingress.yaml
@@ -1,48 +1,73 @@
-{{- if .Values.ingress.enabled -}}
-apiVersion: {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} networking.k8s.io/v1beta1 {{- else }} extensions/v1beta1 {{- end }}
+{{- if and .Values.ingress.enabled (not .Values.istio.enabled) -}}
+{{- $fullName := include "nexus.fullname" . -}}
+{{- $svcPort := .Values.nexus.nexusPort -}}
+{{- $ingressPath := .Values.ingress.path -}}
+apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
- name: {{ template "nexus.fullname" . }}
- namespace: {{ template "nexus.namespace" . }}
+ name: {{ $fullName }}
labels:
-{{ include "nexus.labels" . | indent 4 }}
- {{- range $key, $value := .Values.ingress.labels }}
- {{ $key }}: {{ $value | quote }}
+ {{- include "nexus.labels" . | nindent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
{{- end }}
+ {{- with .Values.ingress.annotations }}
annotations:
- {{- range $key, $value := .Values.ingress.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
spec:
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
rules:
-{{- if .Values.nexusProxy.env.nexusHttpHost }}
- - host: {{ .Values.nexusProxy.env.nexusHttpHost }}
+ - host: {{ .Values.ingress.hostRepo }}
http:
paths:
- - backend:
- {{- if .Values.nexusProxy.svcName }}
- serviceName: {{ .Values.nexusProxy.svcName }}
- {{- else }}
- serviceName: {{ template "nexus.fullname" . }}
- {{- end }}
-{{- if .Values.nexusProxy.enabled }}
- servicePort: {{ .Values.nexusProxy.port }}
-{{- else }}
- servicePort: {{ .Values.nexus.nexusPort }}
-{{- end }}
- path: {{ .Values.ingress.path }}
-{{- end }}
- {{- with .Values.ingress.rules }}
+ - path: {{ .Values.ingress.hostPath }}
+ backend:
+ serviceName: {{ $fullName }}
+ servicePort: 8081
+
+{{ if .Values.nexus.docker.enabled }}
+{{ range $registry := .Values.nexus.docker.registries }}
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }}
+ labels:
+ {{- include "nexus.labels" $ | nindent 4 }}
+ {{- if $.Values.nexus.extraLabels }}
+ {{- with $.Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- with $.Values.ingress.annotations }}
+ annotations:
{{- toYaml . | nindent 4 }}
- {{- end -}}
-{{- if .Values.ingress.tls.enabled }}
+ {{- end }}
+spec:
tls:
- hosts:
- {{- if .Values.nexusProxy.env.nexusHttpHost }}
- - {{ .Values.nexusProxy.env.nexusHttpHost }}
- {{- end }}
- {{- if .Values.ingress.tls.secretName }}
- secretName: {{ .Values.ingress.tls.secretName | quote }}
- {{- end }}
-{{- end -}}
+ - {{ $registry.host | quote }}
+ secretName: {{ $registry.secretName }}
+ rules:
+ - host: {{ $registry.host }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }}
+ servicePort: {{ $registry.port }}
+ {{- end }}
+{{- end }}
{{- end }}
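Review bot: `servicePort: 8081` in the main rule hard-codes the port while `$svcPort := .Values.nexus.nexusPort` is declared at the top of the template and never used (likewise `$ingressPath`, which the rule ignores in favour of `.Values.ingress.hostPath`); use `servicePort: {{ $svcPort }}` so the Ingress follows `nexus.nexusPort`, and either use or drop `$ingressPath`. Also, the old template chose the API version with `.Capabilities.APIVersions.Has`, whereas the rewrite hard-codes `networking.k8s.io/v1beta1` for both Ingress objects; that version is deprecated and absent from Kubernetes 1.22+, so a capability check that emits `networking.k8s.io/v1` (with its `service.name`/`service.port` backend form) where available keeps the chart installable on newer clusters.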
diff --git a/chart/templates/initpwd-job.yaml b/chart/templates/initpwd-job.yaml
deleted file mode 100644
index 15d9cf08feb7ce2a0196abe50a1ab8e2656267b0..0000000000000000000000000000000000000000
--- a/chart/templates/initpwd-job.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-{{- if .Values.initAdminPassword.enabled }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ template "nexus.fullname" . }}-initpwd-job
- annotations:
- helm.sh/hook: "post-install"
- helm.sh/hook-weight: "10"
- helm.sh/hook-delete-policy: "before-hook-creation"
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-spec:
- backoffLimit: 5
- template:
- metadata:
- name: {{ template "nexus.fullname" . }}-initpwd
- labels:
- app: {{ template "nexus.name" . }}
- release: {{ .Release.Name }}
- spec:
- restartPolicy: Never
- containers:
- - name: nexus-initpwd
- image: curlimages/curl:7.73.0
- command:
- - /bin/sh
- - -ec
- - |
- curl --fail -X PUT \
- http://$(NEXUS_HOST)/service/rest/beta/security/users/admin/change-password \
- -H "Content-Type: text/plain" \
- -H "Authorization: Basic $(NEXUS_AUTHORIZATION)" \
- -d "$(ADMIN_PASSWORD)"
- env:
- - name: NEXUS_AUTHORIZATION
- valueFrom:
- secretKeyRef:
- key: nexusAuthorization
- name: {{ template "nexus.fullname" . }}-initpwd-secret
- - name: NEXUS_HOST
- value: {{ template "nexus.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.nexus.nexusPort }}
- - name: ADMIN_PASSWORD
- valueFrom:
- secretKeyRef:
- key: adminPassword
- name: {{ template "nexus.fullname" . }}-initpwd-secret
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "nexus.fullname" . }}-initpwd-secret
- annotations:
- helm.sh/hook: "post-install"
- helm.sh/hook-weight: "-10"
- helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-type: Opaque
-data:
- nexusAuthorization: {{ printf "%s%s" "admin:" (default "admin123" .Values.initAdminPassword.defaultPasswordOverride) | b64enc | b64enc }}
- adminPassword: {{ .Values.initAdminPassword.password | b64enc }}
-{{- end }}
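Review bot: with this job gone and the `initAdminPassword` block removed from values.yaml in the same change, the chart no longer offers any way to set the initial admin credential; the values change also flips `NEXUS_SECURITY_RANDOMPASSWORD` to `"true"`, so the first-boot password is generated by Nexus itself and has to be retrieved out of band. Dropping the `admin:admin123` default that this job relied on is the right call, but the bootstrap procedure (and the expectation that the generated password is rotated) should be documented in the README or CHANGELOG, since it silently changes how operators get in.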
diff --git a/chart/templates/proxy-ks-secret.yaml b/chart/templates/proxy-ks-secret.yaml
deleted file mode 100644
index d97bc5ae051a472d7abb303909773d4bac9a80a8..0000000000000000000000000000000000000000
--- a/chart/templates/proxy-ks-secret.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.nexusProxy.env.cloudIamAuthEnabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "nexus.proxy-ks.name" . }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-type: Opaque
-data:
- keystore: {{ .Values.nexusProxy.secrets.keystore }}
- password: {{ .Values.nexusProxy.secrets.password | b64enc }}
-{{- end}}
diff --git a/chart/templates/proxy-route.yaml b/chart/templates/proxy-route.yaml
index 1fc4fa3117e8f3481406b625aec3adbb3af2a15e..f66e1357e19feab1b53e9fde19a956915b7ba17b 100644
--- a/chart/templates/proxy-route.yaml
+++ b/chart/templates/proxy-route.yaml
@@ -3,11 +3,7 @@ apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ template "nexus.fullname" . }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
- {{- range $key, $value := .Values.nexusProxyRoute.labels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ labels: {{ .Values.nexusProxyRoute.labels }}
annotations:
{{- range $key, $value := .Values.nexusProxyRoute.annotations }}
{{ $key }}: {{ $value | quote }}
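Review bot: `labels: {{ .Values.nexusProxyRoute.labels }}` renders the Go map in its `map[key:value]` string form rather than as YAML, so any non-empty `nexusProxyRoute.labels` produces an invalid manifest; keep the deleted `range` or use `labels: {{- toYaml .Values.nexusProxyRoute.labels | nindent 4 }}`. Separately, this Route exists for the nexus-proxy whose `nexusProxy` values and templates are removed elsewhere in this MR, so consider deleting the file outright instead of patching it.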
@@ -15,21 +11,13 @@ metadata:
spec:
host: {{ .Values.nexusProxyRoute.path }}
port:
- {{- if .Values.nexusProxy.svcName }}
- targetPort: {{ .Values.nexusProxy.svcName }}
- {{- else }}
targetPort: {{ template "nexus.fullname" . }}
- {{- end }}
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
-{{- if .Values.nexusProxy.svcName }}
- name: {{ .Values.nexusProxy.svcName }}
-{{- else }}
name: {{ template "nexus.fullname" . }}
-{{- end }}
weight: 100
wildcardPolicy: None
{{- end }}
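Review bot: `targetPort: {{ template "nexus.fullname" . }}` now always points the Route at a Service port named after the release fullname, but the rewritten service.yaml in this MR names its only port `nexus-ui` (and the registry ports `docker-<port>`), so the Route will reference a port name that does not exist on the `{{ template "nexus.fullname" . }}` Service; use `targetPort: nexus-ui` or the numeric `.Values.nexus.nexusPort`.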
diff --git a/chart/templates/proxy-svc.yaml b/chart/templates/proxy-svc.yaml
deleted file mode 100644
index 0ab13fad8af3d8c2ffd5ea485e133b9ccd70fe48..0000000000000000000000000000000000000000
--- a/chart/templates/proxy-svc.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-{{- if or .Values.nexusProxy.enabled .Values.ingress.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-{{- if .Values.nexusProxy.svcName }}
- name: {{ .Values.nexusProxy.svcName }}
-{{- else }}
- name: {{ template "nexus.fullname" . }}
-{{- end }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.nexus.labels }}
-{{ toYaml .Values.nexus.labels | indent 4 }}
-{{- end }}
-{{- if .Values.nexusProxy.labels }}
-{{ toYaml .Values.nexusProxy.labels | indent 4 }}
-{{- end }}
-{{- if .Values.nexus.annotations }}
- annotations:
-{{ toYaml .Values.nexus.annotations | indent 4 }}
-{{- end }}
-spec:
- ports:
-{{- if .Values.nexusProxy.enabled }}
- - port: {{ .Values.nexusProxy.port }}
-{{- else }}
- - port: {{ .Values.nexus.nexusPort }}
-{{- end }}
-{{- if .Values.nexusProxy.svcName }}
- name: {{ .Values.nexusProxy.svcName }}
-{{- else }}
- name: {{ template "nexus.fullname" . }}
-{{- end }}
- protocol: TCP
-{{- if .Values.nexusProxy.enabled }}
- targetPort: {{ .Values.nexusProxy.targetPort }}
-{{- else }}
- targetPort: {{ .Values.nexus.nexusPort }}
- - port: {{ .Values.nexus.dockerPort }}
- name: docker
- protocol: TCP
- targetPort: {{ .Values.nexus.dockerPort }}
-{{- end }}
- selector:
- app: {{ template "nexus.name" . }}
- release: {{ .Release.Name }}
- type: {{ .Values.nexus.service.type }}
- {{- if and (eq .Values.nexus.service.type "ClusterIP") .Values.nexus.service.clusterIP }}
- clusterIP: {{ .Values.nexus.service.clusterIP }}
- {{- end }}
- {{- if and (eq .Values.nexus.service.type "LoadBalancer") .Values.nexus.service.loadBalancerIP }}
- loadBalancerIP: {{ .Values.nexus.service.loadBalancerIP }}
- {{- end }}
-{{- end }}
diff --git a/chart/templates/psp-clusterrole.yaml b/chart/templates/psp-clusterrole.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a810a4fb8c2b9694471d012044a753fe0714afc1
--- /dev/null
+++ b/chart/templates/psp-clusterrole.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.psp.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ name: {{ template "nexus.name" . }}-psp-use
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - {{ template "nexus.name" . }}
+ verbs:
+ - use
+{{- end -}}
\ No newline at end of file
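Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` disagrees with the `rbac.authorization.k8s.io/v1` used by the companion psp-rolebinding.yaml; RBAC v1 has been stable since Kubernetes 1.8 and v1beta1 is removed in 1.22, so use `v1` in both files. A ClusterRole granting only `use` on the single named PodSecurityPolicy is the right shape. Also add the trailing newline the diff flags with `\ No newline at end of file`.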
diff --git a/chart/templates/psp-rolebinding.yaml b/chart/templates/psp-rolebinding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..042a2ff4530c771a83ffb726e8cf9b9a23261a76
--- /dev/null
+++ b/chart/templates/psp-rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.psp.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ name: {{ template "nexus.name" . }}-psp-use
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "nexus.name" . }}-psp-use
+subjects:
+- kind: ServiceAccount
+ name: {{ include "nexus.serviceAccountName" . }}
+{{- end -}}
\ No newline at end of file
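Review bot: the `subjects` entry has no `namespace`, which the RBAC API requires for `kind: ServiceAccount` subjects (the object is rejected with a required-field error), so the RoleBinding never gets created and the pod cannot `use` the policy; add `namespace: {{ .Release.Namespace }}` under `name: {{ include "nexus.serviceAccountName" . }}`. Also add the trailing newline the diff flags at the end of the file.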
diff --git a/chart/templates/psp.yaml b/chart/templates/psp.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0d7978efcf712898e6ed84ff07af8d6559757df8
--- /dev/null
+++ b/chart/templates/psp.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.psp.create -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ name: {{ template "nexus.name" . }}
+spec:
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - secret
+ - projected
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+{{- end }}
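Review bot: `runAsUser: rule: 'RunAsAny'` leaves the policy permitting a root container even though it drops every capability and confines `supplementalGroups` and `fsGroup` to non-root ranges; since the chart's own values show Nexus running under a dedicated uid (the `chown -R 200 /nexus-data` init-container example and the previous `fsGroup: 200`), `rule: 'MustRunAsNonRoot'` (or `MustRunAs` with that uid range) is the consistent choice. The spec also omits `privileged`, `allowPrivilegeEscalation`, `hostNetwork`, `hostPID` and `hostIPC`; PodSecurityPolicy defaults `allowPrivilegeEscalation` to true when unspecified, so set all of these explicitly to `false`. Minor: `seLinux.rule` is unquoted while the other rules are quoted.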
diff --git a/chart/templates/pv.yaml b/chart/templates/pv.yaml
index 50bed46454c2ba6620e088b97eb246d922797585..1f17872ddf8899c1ce3b3ea5b8851c959a0b8761 100644
--- a/chart/templates/pv.yaml
+++ b/chart/templates/pv.yaml
@@ -4,9 +4,13 @@ apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ .Values.persistence.pdName }}
- namespace: {{ template "nexus.namespace" . }}
labels:
{{ include "nexus.labels" . | indent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
spec:
capacity:
storage: {{ .Values.persistence.storageSize }}
diff --git a/chart/templates/pvc.yaml b/chart/templates/pvc.yaml
index 9b7843688443795e523332484df3e324febbac8d..32e9b78e110309deb2526aa7970c640768117fc0 100644
--- a/chart/templates/pvc.yaml
+++ b/chart/templates/pvc.yaml
@@ -1,12 +1,15 @@
-{{- if not .Values.statefulset.enabled }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "nexus.fullname" . }}-data
- namespace: {{ template "nexus.namespace" . }}
labels:
{{ include "nexus.labels" . | indent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
{{- if .Values.persistence.annotations }}
annotations:
{{ toYaml .Values.persistence.annotations | indent 4 }}
@@ -25,4 +28,3 @@ spec:
{{- end }}
{{- end }}
{{- end }}
-{{- end }}
diff --git a/chart/templates/rclone-config-secret.yaml b/chart/templates/rclone-config-secret.yaml
deleted file mode 100644
index 3606b40ef6d543d4b8b845c47306d5e3f234f2ac..0000000000000000000000000000000000000000
--- a/chart/templates/rclone-config-secret.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if and .Values.nexusBackup.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "nexus.name" . }}-rclone-config-secret
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.nexus.labels }}
-{{ toYaml .Values.nexus.labels | indent 4 }}
-{{- end }}
-data:
-{{- if .Values.nexusBackup.rcloneConfig }}
-{{- range $key, $val := .Values.nexusBackup.rcloneConfig }}
- {{ $key }}: |-
-{{ $val | b64enc| indent 4}}
-{{- end }}
-{{- end -}}
-{{- end}}
diff --git a/chart/templates/route.yaml b/chart/templates/route.yaml
index e00819f5a4a092dd38b09a4672b2e114db4c32c3..cf76e5bdd46a712d72265c78aa213d85557b2a2e 100644
--- a/chart/templates/route.yaml
+++ b/chart/templates/route.yaml
@@ -3,11 +3,7 @@ apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ .Values.route.name }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
- {{- range $key, $value := .Values.route.labels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ labels: {{ .Values.route.labels }}
annotations:
{{- range $key, $value := .Values.route.annotations }}
{{ $key }}: {{ $value | quote }}
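Review bot: `labels: {{ .Values.route.labels }}` emits the Go map's `map[...]` string representation instead of YAML whenever `route.labels` is non-empty, yielding a manifest that fails to parse; use `labels: {{- toYaml .Values.route.labels | nindent 4 }}` (the deleted `range` loop was correct, if verbose). Dropping `namespace:` from the metadata is fine since Helm sets the release namespace.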
@@ -28,6 +24,4 @@ spec:
{{- end }}
weight: 100
wildcardPolicy: None
-status:
- ingress: []
{{- end }}
diff --git a/chart/templates/secret.yaml b/chart/templates/secret.yaml
deleted file mode 100644
index 3f272cc4783b0e21b1eb71e52d026ae2322747b4..0000000000000000000000000000000000000000
--- a/chart/templates/secret.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if and .Values.secret.enabled .Values.secret.data -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "nexus.name" . }}-secret
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.nexus.labels }}
-{{ toYaml .Values.nexus.labels | indent 4 }}
-{{- end }}
-data:
-{{ toYaml .Values.secret.data | indent 2 }}
-{{- end}}
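Review bot: the new deployment.yaml in this MR still guards a volume and a mount on `.Values.secret.enabled` and expects a Secret named `{{ template "nexus.name" . }}-secret` carrying an `admin.password` key, and this deleted file was the only template that rendered it; after the deletion, `secret.enabled: true` produces a pod that references a Secret the chart no longer creates. Either keep this template, or remove the `secret.*` block from deployment.yaml and its values and document that an externally managed Secret is expected.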
diff --git a/chart/templates/service.yaml b/chart/templates/service.yaml
index c5478354a55d61c0e7f85e86626f5d3484b55011..ba7acb7f4747157daa5b49ed71fc13abb957c1c5 100644
--- a/chart/templates/service.yaml
+++ b/chart/templates/service.yaml
@@ -1,44 +1,66 @@
{{- if .Values.service.enabled -}}
+---
apiVersion: v1
kind: Service
metadata:
-{{- if .Values.service.name }}
- name: {{ .Values.service.name }}
-{{- else }}
- name: {{ template "nexus.name" . }}-service
-{{- end }}
- namespace: {{ template "nexus.namespace" . }}
- labels:
-{{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.service.labels }}
-{{ toYaml .Values.service.labels | indent 4 }}
-{{- end }}
+ name: {{ include "nexus.fullname" . }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
+ labels:
+ {{- include "nexus.labels" . | nindent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
spec:
+ type: {{ .Values.service.type }}
ports:
- {{- if .Values.service.portName }}
- - name: {{ .Values.service.portName }}
- port: {{ .Values.service.port }}
- targetPort: {{ .Values.service.targetPort }}
- {{- end }}
- {{- with .Values.service.ports }}
-{{ toYaml . | indent 2 }}
- {{- end }}
+ - port: {{ .Values.nexus.nexusPort }}
+ protocol: TCP
+ name: nexus-ui
selector:
- app: {{ template "nexus.name" . }}
- release: {{ .Release.Name }}
- type: {{ .Values.service.type }}
- {{ if .Values.service.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
- {{- range .Values.service.loadBalancerSourceRanges }}
- - {{ . }}
+ {{- include "nexus.selectorLabels" . | nindent 4 }}
+ {{- if .Values.nexus.extraSelectorLabels }}
+ {{- with .Values.nexus.extraSelectorLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+
+{{- if .Values.nexus.docker.enabled }}
+{{- range $registry := .Values.nexus.docker.registries }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "nexus.fullname" $ | trunc 49 }}-docker-{{ $registry.port }}
+{{- if $.Values.service.annotations }}
+ annotations:
+{{ toYaml $.Values.service.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "nexus.labels" $ | nindent 4 }}
+ {{- if $.Values.nexus.extraLabels }}
+ {{- with $.Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
{{- end }}
- {{ end }}
- {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
- loadBalancerIP: {{ .Values.service.loadBalancerIP }}
- {{- end }}
-{{- end}}
+spec:
+ type: {{ $.Values.service.type }}
+ ports:
+ - port: {{ $registry.port }}
+ protocol: TCP
+ name: docker-{{ $registry.port }}
+ selector:
+ {{- include "nexus.selectorLabels" $ | nindent 4 }}
+ {{- if $.Values.nexus.extraSelectorLabels }}
+ {{- with $.Values.nexus.extraSelectorLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
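Review bot: `type: {{ .Values.service.type }}` (used for both the main Service and each per-registry Service) reads a key that the `service:` block in this MR's values.yaml does not define; that block sets `serviceType: ClusterIP` instead, so `type:` renders empty, the API server silently defaults it, and choosing `NodePort` or `LoadBalancer` through `serviceType` has no effect. Align the key names. The rewrite also drops the `loadBalancerSourceRanges` and `loadBalancerIP` handling the old Service had, which removes the only source-IP restriction available for a `LoadBalancer` Service; if that is intended, record it as a breaking change, otherwise carry a `{{- with .Values.service.loadBalancerSourceRanges }}` block over. `service.name` and `service.labels` in values.yaml are likewise no longer read.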
diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml
index ab1cc2277ff7c3d584e635b98edba2f504911231..5bb8fa500b83e55fce8b02b180616d1d60d9550c 100644
--- a/chart/templates/serviceaccount.yaml
+++ b/chart/templates/serviceaccount.yaml
@@ -1,14 +1,15 @@
-{{- if .Values.serviceAccount.create }}
+{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
- {{- if .Values.serviceAccount.name }}
- name: {{ .Values.serviceAccount.name }}
- {{- else }}
- name: {{ template "nexus.fullname" . }}
+ name: {{ include "nexus.serviceAccountName" . }}
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
{{- end }}
- namespace: {{ template "nexus.namespace" . }}
- {{- if .Values.serviceAccount.annotations }}
- annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations: {{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
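Review bot: nothing in the new deployment.yaml gives the Nexus container a reason to call the Kubernetes API, so consider adding `automountServiceAccountToken: false` to this ServiceAccount (or to the pod spec); otherwise a token for this account is mounted into a container that exposes a web UI and docker registries to the network. The `{{- if ... -}}` / `{{- with ... }}` cleanup itself looks correct.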
diff --git a/chart/values.yaml b/chart/values.yaml
index c6da164ba1f382868cc710a790e4791d91c2d01e..aadeaa3b6f4d9a4246d1a301048fcea9e33590ce 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1,36 +1,91 @@
-## Overrides for generated resource names
-# namespaceOverride:
+# -- Big Bang Additions
+hostname: nexus
+domain: bigbang.dev
+istio:
+ enabled: false
+ nexus:
+ gateways:
+ - "istio-system/main"
+monitoring:
+ enabled: false
+license_key: ""
+license:
+ mountPath: /nexus-data/sonatype-license.lic
+ subPath: sonatype-license.lic
+sso:
+ enabled: false
+ idp_data:
+ entityId: ""
+ usernameAttribute: ""
+ firstNameAttribute: ""
+ lastNameAttribute: ""
+ emailAttribute: ""
+ groupsAttribute: ""
+ validateResponseSignature: true
+ validateAssertionSignature: true
+ idpMetadata: ''
+ realm:
+ - "NexusAuthenticatingRealm"
+ - "NexusAuthorizingRealm"
+ - "SamlRealm"
+ role:
+ id: "nexus"
+ name: "nexus"
+ description: "nexus group"
+ privileges:
+ - "nx-all"
+ roles:
+ - "nx-admin"
+# -- End of BigBang Additions
+
+ingress:
+ enabled: true
+ annotations: {kubernetes.io/ingress.class: nginx}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hostPath: /
+ hostRepo: repo.demo
+ tls: []
+ # - secretName: nexus-local-tls
+ # hosts:
+ # - nexus.local
+ # - nexus-docker.local
+ # - nexus-docker-hosted.local
statefulset:
+ # This is not supported
enabled: false
-replicaCount: 1
# By default deploymentStrategy is set to rollingUpdate with maxSurge of 25% and maxUnavailable of 25% . you can change type to `Recreate` or can uncomment `rollingUpdate` specification and adjust them to your usage.
-deploymentStrategy: {}
- # rollingUpdate:
- # maxSurge: 25%
- # maxUnavailable: 25%
- # type: RollingUpdate
-
-# If enabled, a Job will be launched after the chart is installed to initialize the admin password of your choice
-initAdminPassword:
- enabled: false
- # Set this in the instance where default admin password is different
- defaultPasswordOverride:
- password: "admin321"
+deploymentStrategy: Recreate
+image:
+ # IB Nexus Image
+ repository: registry1.dso.mil/ironbank/sonatype/nexus/nexus
+ tag: 3.29.0-02
+ pullPolicy: IfNotPresent
nexus:
- imageName: quay.io/travelaudience/docker-nexus
- imageTag: 3.27.0
- imagePullPolicy: IfNotPresent
- # Uncomment this to scheduler pods on priority
- # priorityClassName: "high-priority"
+ docker:
+ enabled: false
+ registries: []
+ # - host: chart.local
+ # port: 5000
+ # secretName: registrySecret
env:
- - name: INSTALL4J_ADD_VM_PARAMS
- value: "-Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:ActiveProcessorCount=4"
+ - name: install4jAddVmParams
+ value: "-Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
- name: NEXUS_SECURITY_RANDOMPASSWORD
- value: "false"
- # nodeSelector:
+ value: "true"
+ properties:
+ override: true
+ data: {}
+ # data:
+ # nexus.licenseFile: /nexus-data/sonatype-license.override.lic
+ # nexus.scripts.allowCreation: true
+ # See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager
+ # nexus.ldap.env.java.naming.security.authentication: simple
+ nodeSelector: {}
# cloud.google.com/gke-nodepool: default-pool
+ affinity: {}
resources: {}
# requests:
## Based on https://support.sonatype.com/hc/en-us/articles/115006448847#mem
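Review bot: the JVM env var is renamed from `INSTALL4J_ADD_VM_PARAMS` to `install4jAddVmParams`; the upper-case form is the name the install4j launcher documents, so unless the Iron Bank image's entrypoint maps the camel-case name, the `-Xms/-Xmx` sizing silently stops applying and Nexus runs on JVM defaults. Please confirm against the image or keep the original name. Smaller points in this hunk: `-XX:+UseCGroupMemoryLimitForHeap` is redundant next to an explicit `-Xmx` and no longer exists in JDK 11+; the `deploymentStrategy` comment still says the default is `rollingUpdate` although the value is now `Recreate` (the right choice for a single ReadWriteOnce data volume); `statefulset.enabled` survives as a dead key marked "This is not supported" while the StatefulSet template is deleted; `ingress.enabled: true` with the placeholder `hostRepo: repo.demo` publishes the repository on a made-up host by default; and "configuratioon" in the LDAP comment is a typo.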
@@ -44,40 +99,22 @@ nexus:
# cpu: 250m
# memory: 4800Mi
# The ports should only be changed if the nexus image uses a different port
- dockerPort: 5003
nexusPort: 8081
- additionalPorts: []
- service:
- type: NodePort
- # clusterIP: None
- # annotations: {}
- ## When using LoadBalancer service type, use the following AWS certificate from ACM
- ## https://aws.amazon.com/documentation/acm/
- # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:123456789:certificate/abc123-abc123-abc123-abc123"
- # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https"
- # service.beta.kubernetes.io/aws-load-balancer-backend-port: "https"
- ## When using LoadBalancer service type, whitelist these source IP ranges
- ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
- # loadBalancerSourceRanges:
- # - 192.168.1.10/32
- # labels: {}
- ## Configures the requested IP on the loadBalancer when using LoadBalancer service type
- # loadBalancerIP: "192.168.1.10"
- securityContextEnabled: true
+
securityContext:
- fsGroup: 200
+ fsGroup: 2000
podAnnotations: {}
livenessProbe:
- initialDelaySeconds: 300
+ initialDelaySeconds: 30
periodSeconds: 30
failureThreshold: 6
- # timeoutSeconds: 10
+ timeoutSeconds: 10
path: /
readinessProbe:
initialDelaySeconds: 30
periodSeconds: 30
failureThreshold: 6
- # timeoutSeconds: 10
+ timeoutSeconds: 10
path: /
# hostAliases allows the modification of the hosts file inside a container
hostAliases: []
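Review bot: `fsGroup: 2000` under `nexus.securityContext` no longer matches the uid/gid the rest of the chart assumes for Nexus: the init-container example in this same file still runs `chown -R 200 /nexus-data`, and the previous value was `200`. Mismatched ownership between the volume's group and the process shows up as permission errors on `/nexus-data` at first start; pick one value and use it in both places. Also, deployment.yaml fills the container `securityContext` from top-level `.Values.securityContext`, which none of the values.yaml hunks in this MR define, so the container-level hardening (`runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities) ends up empty; add that block here alongside the removal of `securityContextEnabled`. Tightening `livenessProbe.initialDelaySeconds` from 300 to 30 is reasonable with `failureThreshold: 6` and `periodSeconds: 30`, but confirm the image reliably answers on `/` within roughly 3.5 minutes on a cold data volume, otherwise the probe restart-loops the pod.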
@@ -85,10 +122,48 @@ nexus:
# hostnames:
# - "example.com"
# - "www.example.com"
- context:
- # When using nexus it is important that all the files in the data directory have the proper owner configured. Therefore this
- # value defaults to true to apply chown -R nexus:nexus to the mounted directory at every startup of the container.
- chownNexusData: true
+ imagePullSecrets: []
+
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+deployment:
+ # # Add annotations in deployment to enhance deployment configurations
+ annotations: {}
+ # # Add init containers. e.g. to be used to give specific permissions for nexus-data.
+ # # Add your own init container or uncomment and modify the given example.
+ initContainers:
+ # - name: fmp-volume-permission
+ # image: busybox
+ # imagePullPolicy: IfNotPresent
+ # command: ['chown','-R', '200', '/nexus-data']
+ # volumeMounts:
+ # - name: nexus-data
+ # mountPath: /nexus-data
+ # # Uncomment and modify this to run a command after starting the nexus container.
+ postStart:
+ command: # '["/bin/sh", "-c", "ls"]'
+ preStart:
+ command: # '["/bin/rm", "-f", "/path/to/lockfile"]'
+ terminationGracePeriodSeconds: 120
+ additionalContainers:
+ additionalVolumes:
+ additionalVolumeMounts:
+
+service:
+ name: nexus3
+ enabled: true
+ labels: {}
+ annotations: {}
+ serviceType: ClusterIP
+
route:
enabled: false
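Review bot: deleting `context.chownNexusData: true` removes the startup `chown -R nexus:nexus` of the data directory, and its only replacement is the commented-out `fmp-volume-permission` init container, so an existing PVC whose files are owned by the previous UID may no longer be writable after upgrade unless `securityContext.fsGroup` happens to cover it; document the migration path or enable the init container by default. The `service` block is also re-keyed from `type` (the removed `type: NodePort`) to `serviceType: ClusterIP`; Helm ignores unknown keys, so existing overrides of the old path are silently dropped and this deserves a CHANGELOG entry.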
@@ -98,37 +173,6 @@ route:
annotations:
# path: /docker
-nexusProxy:
- enabled: true
- # svcName: proxy-svc
- imageName: quay.io/travelaudience/docker-nexus-proxy
- imageTag: 2.6.0
- imagePullPolicy: IfNotPresent
- port: 8080
- targetPort: 8080
- # labels: {}
- env:
- nexusDockerHost:
- nexusHttpHost:
- enforceHttps: false
- cloudIamAuthEnabled: false
-## If cloudIamAuthEnabled is set to true uncomment the variables below and remove this line
- # clientId: ""
- # clientSecret: ""
- # organizationId: ""
- # redirectUrl: ""
- # requiredMembershipVerification: "true"
- # secrets:
- # keystore: ""
- # password: ""
- resources: {}
- # requests:
- # cpu: 100m
- # memory: 256Mi
- # limits:
- # cpu: 200m
- # memory: 512Mi
-
nexusProxyRoute:
enabled: false
labels:
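Review bot: `nexusProxyRoute:` survives as context after this deletion even though the entire `nexusProxy` block it fronts is removed, leaving a route value with no backing proxy; remove it or repoint it at the new `service.name: nexus3`. Dropping `nexusProxy.env.enforceHttps` also moves HTTP-to-HTTPS enforcement out of the chart and onto the ingress layer (the test gateway in `tests/main-test-gateway.yaml` relies on `httpsRedirect: true`), so the docs should state that a deployment without such a gateway has no in-chart HTTPS enforcement.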
@@ -153,183 +197,29 @@ persistence:
# pdName: nexus-data-disk
# fsType: ext4
-nexusBackup:
- enabled: false
- imageName: dbcc/docker-nexus-backup
- imageTag: 0.0.1
- imagePullPolicy: IfNotPresent
- env:
- rcloneRemote:
- targetBucket:
- nexusAuthorization:
- # Size of the data chunk to stream to the remote
- streamingUploadCutoff: "5000000"
- offlineRepos: "maven-central maven-public maven-releases maven-snapshots"
- gracePeriod: 60
- # This should match the value of `initAdminPassword.password` if `initAdminPassword.enabled` is true
- nexusAdminPassword: "admin123"
- persistence:
- enabled: true
- # existingClaim:
- # annotations:
- # "helm.sh/resource-policy": keep
- accessMode: ReadWriteOnce
- # See comment above for information on setting the backup storageClass
- # storageClass: "-"
- storageSize: 8Gi
- # If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs.
- # pdName: nexus-backup-disk
- # fsType: ext4
- resources: {}
- # requests:
- # cpu: 100m
- # memory: 256Mi
- # limits:
- # cpu: 200m
- # memory: 512Mi
- rcloneConfig:
- rclone.conf: |
- [AWS]
- type = s3
- provider = AWS
- env_auth = true
- region = us-east-1
- acl = authenticated-read
-
-nexusCloudiam:
- enabled: false
- persistence:
- enabled: true
- # existingClaim:
- # annotations:
- # "helm.sh/resource-policy": keep
- accessMode: ReadWriteOnce
- # See comment above for information on setting the backup storageClass
- # storageClass: "-"
- storageSize: 1Mi
- # If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs.
- # pdName: nexus-cloudiam-path
- # fsType: ext4
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name:
- annotations: {}
-
-rbac:
- create: false
- roleRef: {}
- annotations: {}
-
-ingress:
- enabled: false
- path: /
- labels: {}
- annotations: {}
- # # NOTE: Can't use 'false' due to https://github.com/jetstack/kube-lego/issues/173.
- # kubernetes.io/ingress.allow-http: true
- # kubernetes.io/ingress.class: gce
- # kubernetes.io/ingress.global-static-ip-name: ""
- # kubernetes.io/tls-acme: true
- tls:
- enabled: true
- secretName: nexus-tls
- # Specify custom rules in addition to or instead of the nexus-proxy rules
- rules:
- # - host: http://nexus.127.0.0.1.nip.io
- # http:
- # paths:
- # - backend:
- # serviceName: additional-svc
- # servicePort: 80
-
-ingressDocker:
- enabled: false
- path: /
- labels: {}
- annotations: {}
- # # NOTE: Can't use 'false' due to https://github.com/jetstack/kube-lego/issues/173.
- # kubernetes.io/ingress.allow-http: true
- # kubernetes.io/ingress.class: gce
- # kubernetes.io/ingress.global-static-ip-name: ""
- # kubernetes.io/tls-acme: true
- tls:
- enabled: true
- secretName: nexus-tls
- # Specify custom rules in addition to or instead of the nexus-proxy rules
- rules:
- # - host: http://nexus.127.0.0.1.nip.io
- # http:
- # paths:
- # - backend:
- # serviceName: additional-svc
- # servicePort: 80
-
-affinity: {}
-
tolerations: []
-# # Enable configmap and add data in configmap
+# # Enable configmap and add data in configmap
config:
enabled: false
mountPath: /sonatype-nexus-conf
- data:
-
-deployment:
- # # Add annotations in deployment to enhance deployment configurations
- annotations: {}
- # # Add init containers. e.g. to be used to give specific permissions for nexus-data.
- # # Add your own init container or uncomment and modify the given example.
- initContainers:
- # - name: fmp-volume-permission
- # image: busybox
- # imagePullPolicy: IfNotPresent
- # command: ['chown','-R', '200', '/nexus-data']
- # volumeMounts:
- # - name: nexus-data
- # mountPath: /nexus-data
- # # Uncomment and modify this to run a command after starting the nexus container.
- postStart:
- command: # '["/bin/sh", "-c", "ls"]'
- # # Enable nexus scripts settings, disabled by default for versions >= 3.21.2
- # command: '["/bin/sh", "-c", "if [[ -z $(grep ^nexus.scripts.allowCreation=true /nexus-data/etc/nexus.properties) ]];then echo nexus.scripts.allowCreation=true >> /nexus-data/etc/nexus.properties;fi"]'
-
- additionalContainers:
- additionalVolumes:
- additionalVolumeMounts:
+ data: []
# # To use an additional secret, set enable to true and add data
secret:
- enabled: false
- mountPath: /etc/secret-volume
+ enabled: true
+ mountPath: /nexus-data/admin.password
+ subPath: admin.password
readOnly: true
- data:
-# # To use an additional service, set enable to true
-service:
- type: ClusterIP
- # name: additional-svc
- enabled: false
- labels: {}
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
annotations: {}
- ports:
- - name: nexus-service
- targetPort: 80
- port: 80
- ## Configures the requested IP on the loadBalancer when using LoadBalancer service type
- # loadBalancerIP: "192.168.1.10"
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
-additionalConfigMaps: []
-# - name: maven-central
-# labels:
-# nexus-type: repository
-# data:
-# recipe: 'MavenProxy'
-# remoteUrl: 'https://repo.maven.apache.org/maven2/'
-# blobStoreName: 'default'
-# strictContentTypeValidation: 'true'
-# versionPolicy: 'RELEASE'
-# layoutPolicy: 'STRICT'
+psp:
+ create: false
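Review bot: `serviceAccount:` is now declared twice at the top level of values.yaml (the block added in the earlier hunk with `name:` and this one with `annotations: {}` and `name: ""`); Helm's YAML parser rejects duplicate mapping keys, and a lenient parser would let the later block silently win, so keep exactly one. Separately, `secret.enabled` becomes `true` with `mountPath: /nexus-data/admin.password` and `subPath: admin.password` while the `data:` key is removed, so the secret's content now comes entirely from the templates; a comment pointing at the random-password mechanism described in `docs/README.md` would make the default self-explanatory. Removing the `nexusAdminPassword: "admin123"` default along with `nexusBackup` is a good change.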
diff --git a/docs/README.md b/docs/README.md
index d1458642aa25001822e301530c6a3a96c6506bf2..f734a30d48793b489a7eaf8f8389fc34525bed3d 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,12 +1,53 @@
-# Nexus Artifact Repository Pro Docs
+# Sonatype Nexus Repository Manager (NXRM) Documentation
-## Usage
+## Table of Contents
+- [NXRM SSO Integration](docs/keycloak.md)
+- [NXRM High Availability](docs/general.md#high-availability)
+- [NXRM Storage](docs/general.md#storage)
+- [NXRM Database](docs/general.md#database)
+- [NXRM Dependent Packages](#nxrm-dependent-packages)
+- [NXRM BigBang Caveats, Notes, etc.](#bigbang-additions-comments-and-important-information)
-### Prerequisites
+## Iron Bank
+You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus).
-### Deployment
+## Helm
+Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration)
-### Nexus Post Install Configuration Notes
+```bash
+git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git
+helm install nexus-repository-manager chart
+```
+## BigBang Additions, Comments, and Important Information
-#### Allow SSO login
+### Random Admin Password
+NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The
+problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are
+leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password
+on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This
+method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes
+secret to enable programmatic ingestion.
+Ensure the following is present to enable the randomized Kubernetes password:
+```bash
+# values.yaml
+nexus:
+ env:
+ - name: NEXUS_SECURITY_RANDOMPASSWORD
+ key: "true"
+...
+secret:
+ enabled: true
+ mountPath: /nexus-data/admin.password
+ subPath: admin.password
+ readOnly: true
+```
+
+### License
+We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64
+encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl`
+will create a named template and generate the appropriate secret within the namespace. The chart will reference the
+license via a secret volumeMount to ensure the application starts licensed.
+
+### NXRM Dependent Packages
+Nexus IQ Server requires Nexus Repository Manager.
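Review bot: the Table of Contents links `docs/keycloak.md` and `docs/general.md#...` are relative to the repository root, but this file lives in `docs/`, so they resolve to `docs/docs/keycloak.md`; use `keycloak.md`, `general.md#high-availability`, and so on. In the random-password snippet the env entry reads `key: "true"`, whereas a container env entry takes `value:`; confirm the chart template really reads `key` for `nexus.env` items (the upstream entry uses `value: "true"`), otherwise the flag is never set. That snippet is YAML and should be fenced as `yaml` rather than `bash`, and "The problem with this approach it the user would be required" should read "is that the user would be required".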
diff --git a/docs/affinity.md b/docs/affinity.md
new file mode 100644
index 0000000000000000000000000000000000000000..130ea04672fcc1978af5757ad0c7a026617db18b
--- /dev/null
+++ b/docs/affinity.md
@@ -0,0 +1,44 @@
+# Node Affinity & Anti-Affinity for Nexus
+
+Affinity is exposed through values options for this package. If you want to schedule your pods to deploy on specific nodes you can do that through the `nodeSelector` value and as needed the `affinity` value. Additional info is provided below as well to help in configuring this.
+
+It is good to have a basic knowledge of node affinity and available options to you before customizing in this way - the upstream kubernetes documentation [has a good walkthrough of this](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
+
+## Values for NodeSelector
+
+The `nodeSelector` value at the top level can be set to do basic node selection for deployments. See the below example for an example to schedule pods to only nodes with the label `node-type` equal to `operator`:
+
+```yaml
+nodeSelector:
+ node-type: operator
+```
+
+## Values for Affinity
+
+The `affinity` value at the top level should be used to specify affinity. The format to include follows what you'd specify at a pod/deployment level. See the example below for scheduling the operator pods only to nodes with the label `node-type` equal to `operator`:
+
+```yaml
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-type
+ operator: In
+ values:
+ - operator
+```
+
+## Values for Anti-Affinity
+
+The `affinity` value at the top level can be set in the same way to schedule pods based on anti-affinity. See the below example to schedule pods to not be present on the nodes that already have pods with the `dont-schedule-with: operator` label:
+
+```yaml
+affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: "kubernetes.io/hostname"
+ labelSelector:
+ matchLabels:
+ dont-schedule-with: operator
+```
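Review bot: the text describes `nodeSelector` and `affinity` as top-level values, but the values.yaml hunks in this MR add `nodeSelector: {}` and `affinity: {}` inside the `nexus:` section and delete the old top-level `affinity: {}`, so these examples need to be nested under `nexus:` (or the values moved) or users will set keys the templates never read. The Affinity section also says "scheduling the operator pods", which looks copied from another package's doc; this chart schedules the Nexus pods. "See the below example for an example" can simply be "See the example below".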
diff --git a/docs/general.md b/docs/general.md
new file mode 100644
index 0000000000000000000000000000000000000000..ae799817758c1df81025466adb1311d3c899565a
--- /dev/null
+++ b/docs/general.md
@@ -0,0 +1,31 @@
+# NXRM Storage, Database, and High Availability
+
+## Storage
+## Blob Store
+Can be a shared file system or a cloud object store.
+
+[Blob Stores](https://help.sonatype.com/repomanager3/high-availability/configuring-blob-stores)
+
+### Recommended Shared File Systems
+- NFS v4
+- AWS EFS
+- AWS S3
+
+## Database
+Nexus 3 uses builtin DB OrientDB for holding metadata and pointers for blob objects.
+
+## High Availability
+Discussing with Sonatype to ensure their HA-C solution is compatible with our deployment.
+
+The upstream charts have the replica count hard-coded to `1`, possibly due to a limitation.
+
+## Monitoring Node Health
+NXRM provides two endpoints to monitor health status. Success is represented as `HTTP 200 OK`, failure is represented
+as `HTTP 503 SERVICE UNAVAILABLE`.
+
+- `http://:/service/rest/v1/status`
+Verifies that a node can handle read requests.
+
+- `http://:/service/rest/v1/status/writable`
+Verifies that a node can handle read and write requests.
+
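Review bot: the two endpoint URLs read `http://:/service/rest/v1/status` and `http://:/service/rest/v1/status/writable`; the host and port placeholders were swallowed as HTML, so put them in backticks, e.g. `http://<nexus-host>:<port>/service/rest/v1/status`. Under "Recommended Shared File Systems", `AWS S3` is an object store, not a shared file system; the Blob Store paragraph already distinguishes the two, so list S3 separately. `## Blob Store` directly beneath `## Storage` should be `### Blob Store` to match the `### Recommended Shared File Systems` level.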
diff --git a/docs/keycloak.md b/docs/keycloak.md
new file mode 100644
index 0000000000000000000000000000000000000000..16ea7311d485b47a656a965dc82ca5937202875f
--- /dev/null
+++ b/docs/keycloak.md
@@ -0,0 +1,75 @@
+# NXRM Keycloak Configuration
+
+**SAML/SSO integration is a *Pro* license feature.**
+
+BigBang requires/prefers SAML/SSO integration out of the box; unfortunately, the upstream Helm chart did not have a solution at the drafting of this integration. To achieve our goal, we added a Kubernetes job that handles the SAML/SSO integration as part of the NXRM Helm installation. To enable this functionality, ensure `sso.enabled` is set to `true`; you will additionally require a Keycloak instance, the IDP metadata file, along with other parameters you may define in `sso.idp_data`.
+
+Our implementation closely follows the [Sonatype SAML Integration](https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak) documentation.
+
+## Download Keycloak IdP Metadata
+1. Login to the Keycloak Admin Console i.e. /auth/admin/master/console/
+2. From the left-side menu, click on *Realm Settings*.
+3. From the General tab, right-click on SAML 2.0 Identity Provider Metadata under the Endpoints field and save the link/file locally. This is the Keycloak IdP metadata that will be needed when configuring NXRM/IQ.
+
+## Configure Users and Groups in Keycloak
+4. To add groups, via the left-side menu, under *Manage*, select *Groups* and then *New*.
+5. In the next screen enter a group name and select *Save*. This will create a group that will be used for role mapping on the NXRM/IQ side.
+6. To add users, via the left-side menu, under *Manage*, select *Users* and then *Add user*.
+7. In the next screen, enter a *username*, First Name, Last Name* and *Email*, then click *Save*.
+8. Once saved, the user will be created but will not have a default password set or be assigned to any groups. To set the password, click on the *Credentials* tab, set a password and click *Reset Password*.
+9. To add the user to a group, click on the Groups tab and from the *Available Groups* field enter the name of the group created in Step 5 and click *Join*.
+
+
+## NXRM Configuration
+```
+# values.yaml
+sso:
+ enabled: false
+ idp_data:
+ entityId: "{{ base_url }}/service/rest/v1/security/saml/metadata"
+ usernameAttribute: "username"
+ firstNameAttribute: "firstName"
+ lastNameAttribute: "lastName"
+ emailAttribute: "email"
+ groupsAttribute: "groups"
+ validateResponseSignature: true
+ validateAssertionSignature: true
+ idpMetadata: 'string'
+ realm:
+ - "NexusAuthenticatingRealm"
+ - "NexusAuthorizingRealm"
+ - "SamlRealm"
+ role:
+ id: "nexus"
+ name: "nexus"
+ description: "nexus group"
+ privileges:
+ - "nx-all"
+ roles:
+ - "nx-admin"
+
+# Retrieve a list of all available privileges:
+# curl -X GET "https://{{ base_url }}/service/rest/v1/security/privileges" -H "accept: application/json"
+```
+
+10. Obtain a copy of the NXRM 3 SAML Metadata by opening the Entity ID URI i.e. /service/rest/v1/security/saml/metadata and saving the XML to file
+
+## Configure Keycloak - Client Config and Attribute Mapping
+11. Further to configuring the NXRM/IQ side, to import the NXRM or IQ SAML metadata into Keycloak, via the Keycloak Admin Console select Clients from the left-side menu, then click *Create*.
+12. In the Add Client screen, click *Select file* from the Import field, upload the NXRM or IQ SAML metadata that was obtained when configuring the NXRM/IQ side and click *Save*.
+13. After saving, in the next screen, for the Client SAML Endpoint field, enter the Nexus instance*s Assertion Consumer Service (ACS) URL i.e. /saml for NXRM 3 or /saml for Nexus IQ Server and click *Save*.
+14. If in the Configure Nexus Applications section, the *Validate Response Signature* and *Validate Assertion Signature* fields are set to "Default" or "True", then in the Clients → Settings tab ensure that the *Sign Documents* and *Sign Assertions* fields are enabled.
+
+Once the client has been created and the Client SAML Endpoint has been set, an attribute for each of the mappable fields that were configured in the Configure Nexus Applications section i.e. username, firstName, lastName, email and groups, will need to be created.
+
+15. To map an attribute, select the Mappers tab and then click on 'Create'.
+16. Create a mapper for each of the mappable attributes with the values shown here:
+
+ | Name | Mapper Type | Property | Friendly Name | SAML Attribute Name | SAML Attribute NameFormat |
+ |-------------|---------------|-----------|---------------|---------------------|---------------------------|
+ | username | User Property | username | username | username | Basic |
+ | First Name | User Property | firstName | firstName | firstName | Basic |
+ | Last Name | User Property | lastName | lastName | lastName | Basic |
+ | Email | User Property | email | email | email | Basic |
+ | Groups | Group list | groups | groups | *N/A* | Basic |
+
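Review bot: the `sso.idp_data.role` example grants the mapped `nexus` group both the `nx-all` privilege and the `nx-admin` role, so every Keycloak user placed in that group becomes a full NXRM administrator; label it as an example and point readers at the privilege listing already in the snippet (`/service/rest/v1/security/privileges`) to build a least-privilege role. The role `id` must equal the group value Keycloak sends: with the `Group list` mapper from step 16, Keycloak's "Full group path" option (on by default) emits `/nexus` rather than `nexus`, so state which setting the example assumes. Also the snippet sets `sso.enabled: false` although the intro says to set it to `true`; steps 1, 10 and 13 lost their host placeholders (`i.e. /auth/admin/master/console/`, `/saml for NXRM 3 or /saml for Nexus IQ Server`); step 13 has `instance*s` for `instance's`, and step 7 has unbalanced asterisks around "First Name, Last Name*".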
diff --git a/tests/README.md b/tests/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..d735775da03fd68374d2b934e190091aeefbeb05
--- /dev/null
+++ b/tests/README.md
@@ -0,0 +1 @@
+Cypress tests run headless calling the script cy-run.sh
\ No newline at end of file
diff --git a/tests/cypress.json b/tests/cypress.json
new file mode 100644
index 0000000000000000000000000000000000000000..43b18da7e6191a0665ead1f129081fce0512c1ac
--- /dev/null
+++ b/tests/cypress.json
@@ -0,0 +1,10 @@
+{
+
+ "pluginsFile": false,
+ "supportFile": false,
+ "fixturesFolder": false,
+ "env": {
+ "nexus_url": "nexus.bigbang.dev"
+
+ }
+}
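Review bot: `nexus_url` is `nexus.bigbang.dev` with no scheme; since the test gateway redirects port 80 to HTTPS and only terminates TLS for `*.bigbang.dev`, set `https://nexus.bigbang.dev` explicitly so `cy.visit` reaches the intended endpoint instead of depending on protocol defaulting. The stray blank lines inside the object can go as well.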
diff --git a/tests/cypress/integration/nexus-healthspec.js b/tests/cypress/integration/nexus-healthspec.js
new file mode 100644
index 0000000000000000000000000000000000000000..dbaa6447f5b0b06ceb84210c728be93144935ed9
--- /dev/null
+++ b/tests/cypress/integration/nexus-healthspec.js
@@ -0,0 +1,5 @@
+describe('Basic prometheus', function() {
+ it('Visits the prometheus sign in page', function() {
+ cy.visit(Cypress.env('nexus_url'))
+ })
+})
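Review bot: `describe('Basic prometheus')` and `'Visits the prometheus sign in page'` are left over from the Prometheus package; rename them for Nexus. The spec only calls `cy.visit` and asserts nothing, so a pod returning an error page still passes; `docs/general.md` documents `/service/rest/v1/status` answering `HTTP 200 OK`, which is the natural check for a health spec, e.g. `cy.request(Cypress.env('nexus_url') + '/service/rest/v1/status').its('status').should('eq', 200)`.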
diff --git a/tests/cypress/look_other_packages_for_example b/tests/cypress/look_other_packages_for_example
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git a/tests/main-test-gateway.yaml b/tests/main-test-gateway.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1c7d7d1bd7598367474f3123659e7de6de5c88d3
--- /dev/null
+++ b/tests/main-test-gateway.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: main
+ namespace: istio-system
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - '*'
+ port:
+ name: http
+ number: 80
+ protocol: HTTP
+ tls:
+ httpsRedirect: true
+ - hosts:
+ - '*.bigbang.dev'
+ port:
+ name: https
+ number: 443
+ protocol: HTTPS
+ tls:
+ credentialName: wildcard-cert
+ mode: SIMPLE
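Review bot: the `http` server block accepts hosts `'*'` while the `https` block is limited to `'*.bigbang.dev'`, so the redirect listener answers for arbitrary Host headers that the TLS listener then refuses; scoping the `http` server to `'*.bigbang.dev'` as well keeps the two consistent. As a test fixture it is otherwise fine.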
diff --git a/tests/test-values.yml b/tests/test-values.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b09ad181fc47063ee0c5eb0ec27cdd72aec120e4
--- /dev/null
+++ b/tests/test-values.yml
@@ -0,0 +1,8 @@
+
+istio:
+ enabled: true
+nexus:
+ imagePullSecrets:
+ - name: private-registry-mil
+
+
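Review bot: stray blank lines at the top and bottom of the file. Placing `imagePullSecrets` under `nexus:` here matches the nesting in values.yaml, which is also the nesting the `docs/affinity.md` examples should use.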