From f7ad52afb4b798512d17d3c1505de3c2e4f493fa Mon Sep 17 00:00:00 2001 
From: Grant Duncklee Date: Thu, 25 Feb 2021 16:49:42 -0500 Subject: [PATCH 01/21] feat: adding iteration of nexus repo manager --- chart/templates/NOTES.txt | 51 +-- chart/templates/_helpers.tpl | 45 ++- chart/templates/adtl-configmap.yaml | 22 -- chart/templates/backup-pv.yaml | 22 -- chart/templates/backup-pvc.yaml | 28 -- chart/templates/backup-secret.yaml | 12 - chart/templates/bigbang/virtualservice.yaml | 26 ++ chart/templates/cloudiam-pv.yaml | 22 -- chart/templates/cloudiam-pvc.yaml | 28 -- chart/templates/clusterrolebinding.yaml | 24 -- chart/templates/configmap-properties.yaml | 17 + chart/templates/configmap.yaml | 9 +- chart/templates/deployment-statefulset.yaml | 408 -------------------- chart/templates/deployment.yaml | 169 ++++++++ chart/templates/image-pull-secret.yaml | 10 + chart/templates/ingress-docker.yaml | 48 --- chart/templates/ingress.yaml | 93 +++-- chart/templates/initpwd-job.yaml | 63 --- chart/templates/proxy-ks-secret.yaml | 13 - chart/templates/proxy-route.yaml | 14 +- chart/templates/proxy-svc.yaml | 55 --- chart/templates/psp-clusterrole.yaml | 19 + chart/templates/psp-rolebinding.yaml | 17 + chart/templates/psp.yaml | 36 ++ chart/templates/pv.yaml | 6 +- chart/templates/pvc.yaml | 8 +- chart/templates/rclone-config-secret.yaml | 19 - chart/templates/route.yaml | 8 +- chart/templates/secret.yaml | 13 +- chart/templates/service.yaml | 84 ++-- chart/templates/serviceaccount.yaml | 17 +- 31 files changed, 481 insertions(+), 925 deletions(-) delete mode 100644 chart/templates/adtl-configmap.yaml delete mode 100644 chart/templates/backup-pv.yaml delete mode 100644 chart/templates/backup-pvc.yaml delete mode 100644 chart/templates/backup-secret.yaml create mode 100644 chart/templates/bigbang/virtualservice.yaml delete mode 100644 chart/templates/cloudiam-pv.yaml delete mode 100644 chart/templates/cloudiam-pvc.yaml delete mode 100644 chart/templates/clusterrolebinding.yaml create mode 100644 chart/templates/configmap-properties.yaml delete 
mode 100644 chart/templates/deployment-statefulset.yaml create mode 100644 chart/templates/deployment.yaml create mode 100644 chart/templates/image-pull-secret.yaml delete mode 100644 chart/templates/ingress-docker.yaml delete mode 100644 chart/templates/initpwd-job.yaml delete mode 100644 chart/templates/proxy-ks-secret.yaml delete mode 100644 chart/templates/proxy-svc.yaml create mode 100644 chart/templates/psp-clusterrole.yaml create mode 100644 chart/templates/psp-rolebinding.yaml create mode 100644 chart/templates/psp.yaml delete mode 100644 chart/templates/rclone-config-secret.yaml diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index 30a5af8..026bdc7 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt 
@@ -1,35 +1,20 @@ -- To access Nexus: - - NOTE: It may take a few minutes for the ingress load balancer to become available or the backends to become HEALTHY. - You can watch the status of the backends by running: - `kubectl get ingress -o jsonpath='{.items[*].metadata.annotations.ingress\.kubernetes\.io/backends}'` - - To access Nexus you can check: - {{- if .Values.nexusProxy.env.enforceHttps }} - https://{{ .Values.nexusProxy.env.nexusHttpHost }} - {{- else }} - http://{{ .Values.nexusProxy.env.nexusHttpHost }} - {{- end }} - -- Login with the following credentials - - username: admin - {{- if .Values.initAdminPassword.enabled }} - password: {{ .Values.initAdminPassword.password }} - {{- else }} - password: {{ .Values.nexusBackup.nexusAdminPassword }} - {{- end }} - -{{- if .Values.initAdminPassword.enabled }} -- Change Your password after the first login - - {{- if .Values.nexusBackup.enabled }} - Once you login you should change your admin password to match the value of `nexusBackup.env.nexusAdminPassword` - This is important for security reasons and also because backup container needs this password set for admin user - to access Nexus API to run backups. +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $.Values.ingress.hostRepo }}{{ . }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $.Values.ingress.hostDocker }}{{ . }} +{{- else if contains "NodePort" .Values.service.serviceType }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "nexus.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.serviceType }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. 
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "nexus.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "nexus.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + {{- range $index, $port := .Values.service.ports }} + echo http://$SERVICE_IP:{{ $port }} {{- end }} +{{- else if contains "ClusterIP" .Values.service.serviceType }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "nexus.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8081:80 {{- end }} -- Next steps in configuration - - Please follow the link below to the README for nexus configuration, usage, backups and DR info: - https://github.com/Oteemo/charts/tree/master/charts/sonatype-nexus#after-installing-the-chart diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index a05d2b8..e726f1f 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl 
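Review bot: The trailing `{{ . }}` on both ingress URL lines is the root template context, not a path: outside a `range` it renders the whole values/release object into the printed URL (presumably a leftover from a per-path loop). Either drop `{{ . }}` or wrap the two lines in the same range the chart's ingress template iterates. The same root-context slip appears in deployment.yaml's `imagePullSecrets:` block, where `{{- toYaml . | nindent 8 }}` under `{{- if .Values.nexus.imagePullSecret }}` dumps the entire context; the old template's `- name: {{ .Values.nexus.imagePullSecret }}` is the intended shape. Also, the LoadBalancer text reads `You can watch the status of by running` — a word is missing after `of`.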
@@ -25,36 +25,39 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{/* -Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +Create chart name and version as used by the chart label. */}} -{{- define "nexus.namespace" -}} - {{- if .Values.namespaceOverride -}} - {{- .Values.namespaceOverride -}} - {{- else -}} - {{- .Release.Namespace -}} - {{- end -}} +{{- define "nexus.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* -Create a default fully qualified name for proxy keystore secret. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +Common labels */}} -{{- define "nexus.proxy-ks.name" -}} -{{- printf "%s-%s" (include "nexus.fullname" .) "proxy-ks" | trunc 63 | trimSuffix "-" -}} +{{- define "nexus.labels" -}} +helm.sh/chart: {{ include "nexus.chart" . }} +{{ include "nexus.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} -{{/* Manage the labels for each entity */}} -{{- define "nexus.labels" -}} -app: {{ template "nexus.name" . }} -fullname: {{ template "nexus.fullname" . }} -chart: {{ .Chart.Name }} -release: {{ .Release.Name }} -heritage: {{ .Release.Service }} +{{/* +Selector labels +*/}} +{{- define "nexus.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nexus.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{/* -Create a fully qualified name for docker ingress. +Create the name of the service account to use */}} -{{- define "nexus.ingres.docker" -}} -{{- printf "%s-%s" (include "nexus.fullname" .) "docker" | trunc 63 | trimSuffix "-" -}} +{{- define "nexus.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "nexus.fullname" .) 
.Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} {{- end -}} diff --git a/chart/templates/adtl-configmap.yaml b/chart/templates/adtl-configmap.yaml deleted file mode 100644 index 5023b8e..0000000 --- a/chart/templates/adtl-configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{ $root := . }} -{{- if .Values.additionalConfigMaps }} -{{- range $cm := .Values.additionalConfigMaps }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $cm.name }} - namespace: {{ template "nexus.namespace" $root }} - labels: -{{ include "nexus.labels" $root | indent 4 }} -{{- if $.Values.nexus.labels }} -{{ toYaml $.Values.nexus.labels | indent 4 }} -{{- end }} -{{- if $cm.labels }} -{{ toYaml $cm.labels | indent 4 }} -{{- end }} -data: -{{ toYaml $cm.data | indent 2 }} -{{- end }} -{{- end }} - diff --git a/chart/templates/backup-pv.yaml b/chart/templates/backup-pv.yaml deleted file mode 100644 index fd3187f..0000000 --- a/chart/templates/backup-pv.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and .Values.nexusBackup.enabled (not .Values.statefulset.enabled) }} -{{- if .Values.nexusBackup.persistence.pdName -}} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: {{ .Values.nexusBackup.persistence.pdName }} - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -spec: - capacity: - storage: {{ .Values.nexusBackup.persistence.storageSize }} - accessModes: - - ReadWriteOnce - claimRef: - name: {{ template "nexus.fullname" . }}-backup - namespace: {{ .Release.Namespace }} - gcePersistentDisk: - pdName: {{ .Values.nexusBackup.persistence.pdName }} - fsType: {{ .Values.nexusBackup.persistence.fsType }} -{{- end }} -{{- end }} diff --git a/chart/templates/backup-pvc.yaml b/chart/templates/backup-pvc.yaml deleted file mode 100644 index da99ec2..0000000 --- a/chart/templates/backup-pvc.yaml +++ /dev/null 
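Review bot: `nexus.serviceAccountName` returns `default` when `serviceAccount.create` is false and no name is given, so the workload then runs under the namespace's default ServiceAccount and receives its token; that is the usual scaffold behaviour, but the helper comment should say so, e.g. `Create the name of the service account to use; falls back to the namespace "default" account when creation is disabled and no name is set`. Whether the Deployment disables token automount in that case cannot be checked from this hunk.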
@@ -1,28 +0,0 @@ -{{- if and .Values.nexusBackup.enabled (not .Values.statefulset.enabled) }} -{{- if and .Values.nexusBackup.persistence.enabled (not .Values.nexusBackup.persistence.existingClaim) }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "nexus.fullname" . }}-backup - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -{{- if .Values.nexusBackup.persistence.annotations }} - annotations: -{{ toYaml .Values.nexusBackup.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.nexusBackup.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.nexusBackup.persistence.storageSize | quote }} -{{- if .Values.nexusBackup.persistence.storageClass }} -{{- if (eq "-" .Values.nexusBackup.persistence.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.nexusBackup.persistence.storageClass }}" -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/chart/templates/backup-secret.yaml b/chart/templates/backup-secret.yaml deleted file mode 100644 index 5ac4b13..0000000 --- a/chart/templates/backup-secret.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if and .Values.nexusBackup.enabled (not .Values.nexusBackup.env.nexusAuthorization) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "nexus.fullname" . }} - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -type: Opaque -data: - nexus.nexusAdminPassword: {{ printf "%s%s" "Basic " (printf "%s%s" "admin:" .Values.nexusBackup.nexusAdminPassword | b64enc) | cat | b64enc | quote }} -{{- end }} diff --git a/chart/templates/bigbang/virtualservice.yaml b/chart/templates/bigbang/virtualservice.yaml new file mode 100644 index 0000000..5601574 --- /dev/null +++ b/chart/templates/bigbang/virtualservice.yaml 
@@ -0,0 +1,26 @@ +{{- if .Values.istio.enabled -}} +{{- $serviceName := include "nexus.fullname" . -}} +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: {{ template "nexus.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "nexus.name" . }} + helm.sh/chart: {{ include "nexus.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/part-of: nexus-repository-manager + app.kubernetes.io/component: {{ include "nexus.name" . }} +spec: + gateways: + - main.istio-system.svc.cluster.local + hosts: + - "nexus-repository-manager.{{ .Values.hostname }}" + http: + - route: + - destination: + port: + number: {{ .Values.nexus.nexusPort }} + host: {{ $serviceName }} +{{- end }} diff --git a/chart/templates/cloudiam-pv.yaml b/chart/templates/cloudiam-pv.yaml deleted file mode 100644 index 045690a..0000000 --- a/chart/templates/cloudiam-pv.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and .Values.nexusCloudiam.enabled (not .Values.statefulset.enabled) }} -{{- if .Values.nexusCloudiam.persistence.pdName -}} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: {{ .Values.nexusCloudiam.persistence.pdName }} - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -spec: - capacity: - storage: {{ .Values.nexusCloudiam.persistence.storageSize }} - accessModes: - - ReadWriteOnce - claimRef: - name: {{ template "nexus.fullname" . }}-cloudiam - namespace: {{ .Release.Namespace }} - gcePersistentDisk: - pdName: {{ .Values.nexusCloudiam.persistence.pdName }} - fsType: {{ .Values.nexusCloudiam.persistence.fsType }} -{{- end }} -{{- end }} diff --git a/chart/templates/cloudiam-pvc.yaml b/chart/templates/cloudiam-pvc.yaml deleted file mode 100644 index aab8dd9..0000000 --- a/chart/templates/cloudiam-pvc.yaml +++ /dev/null 
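Review bot: The gateway `main.istio-system.svc.cluster.local` and the host prefix `nexus-repository-manager.` are hard-coded in the new VirtualService, so the chart cannot target another gateway or hostname layout without editing the template; both belong in values (constructed names such as `istio.gateways` and `istio.hosts`, to be chosen) with the current strings as defaults. The `labels:` block also spells out the chart labels by hand instead of `{{- include "nexus.labels" . | nindent 4 }}`, so it will drift from the helper defined in this same commit. `$serviceName` is computed for the destination host while `metadata.name` still calls `template "nexus.fullname"` directly; using one form for both would read more consistently.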
@@ -1,28 +0,0 @@ -{{- if and .Values.nexusCloudiam.enabled (not .Values.statefulset.enabled) }} -{{- if and .Values.nexusCloudiam.persistence.enabled (not .Values.nexusCloudiam.persistence.existingClaim) }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "nexus.fullname" . }}-cloudiam - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -{{- if .Values.nexusCloudiam.persistence.annotations }} - annotations: -{{ toYaml .Values.nexusCloudiam.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.nexusCloudiam.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.nexusCloudiam.persistence.storageSize | quote }} -{{- if .Values.nexusCloudiam.persistence.storageClass }} -{{- if (eq "-" .Values.nexusCloudiam.persistence.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.nexusCloudiam.persistence.storageClass }}" -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/chart/templates/clusterrolebinding.yaml b/chart/templates/clusterrolebinding.yaml deleted file mode 100644 index bad0a80..0000000 --- a/chart/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: {{ template "nexus.fullname" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -{{- with .Values.rbac.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -roleRef: -{{- with .Values.rbac.roleRef }} -{{ toYaml . | indent 2 }} -{{- end }} -subjects: -- kind: ServiceAccount - {{- if .Values.serviceAccount.name }} - name: {{ .Values.serviceAccount.name }} - {{- else }} - name: {{ template "nexus.fullname" . }} - {{- end }} - namespace: {{ template "nexus.namespace" . }} -{{- end -}} \ No newline at end of file 
diff --git a/chart/templates/configmap-properties.yaml b/chart/templates/configmap-properties.yaml new file mode 100644 index 0000000..c1a5808 --- /dev/null +++ b/chart/templates/configmap-properties.yaml @@ -0,0 +1,17 @@ +{{- if .Values.nexus.properties.override -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "nexus.name" . }}-properties + labels: {{- include "nexus.labels" . | nindent 4 }} + {{- if .Values.nexus.extraLabels }} + {{- with .Values.nexus.extraLabels }} + {{ toYaml . | indent 4 }} + {{- end }} + {{- end }} +data: + nexus.properties: | + {{- range $k, $v := .Values.nexus.properties.data }} + {{ $k }}={{ $v }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/configmap.yaml b/chart/templates/configmap.yaml index 05abc30..55418b1 100644 --- a/chart/templates/configmap.yaml +++ b/chart/templates/configmap.yaml @@ -3,12 +3,13 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "nexus.name" . }}-conf - namespace: {{ template "nexus.namespace" . }} labels: {{ include "nexus.labels" . | indent 4 }} -{{- if .Values.nexus.labels }} -{{ toYaml .Values.nexus.labels | indent 4 }} -{{- end }} + {{- if .Values.nexus.extraLabels }} + {{- with .Values.nexus.extraLabels }} + {{ toYaml . | indent 4 }} + {{- end }} + {{- end }} data: {{ toYaml .Values.config.data | indent 2 }} {{- end }} \ No newline at end of file diff --git a/chart/templates/deployment-statefulset.yaml b/chart/templates/deployment-statefulset.yaml deleted file mode 100644 index 28e7c71..0000000 --- a/chart/templates/deployment-statefulset.yaml +++ /dev/null 
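Review bot: The `extraLabels` block under `labels:` renders mis-indented: `  {{ toYaml . | indent 4 }}` keeps the template line's two leading spaces and `indent 4` adds four more, so the first extra label lands at column 6 while the following ones land at column 4, which the YAML parser rejects as a mapping value in an illegal context. Replace that line with `{{- toYaml . | nindent 4 }}`; the same fix applies to the `extraLabels` block in configmap.yaml in this commit and to the `extraLabels`/`extraSelectorLabels` blocks in deployment.yaml, which use `indent 4` and `indent 6` the same way. Separately, `name: {{ template "nexus.name" . }}-properties` is the chart name rather than the release fullname, so two releases in one namespace would contend for the same ConfigMap; `{{ template "nexus.fullname" . }}-properties` is the usual choice, although configmap.yaml already follows the chart-name pattern.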
@@ -1,408 +0,0 @@ -{{- if .Values.statefulset.enabled }} -apiVersion: apps/v1 -kind: StatefulSet -{{- else }} -apiVersion: apps/v1 -kind: Deployment -{{- end }} -metadata: - name: {{ template "nexus.fullname" . }} - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -{{- if .Values.nexus.labels }} -{{ toYaml .Values.nexus.labels | indent 4 }} -{{- end }} -{{- if .Values.deployment.annotations }} - annotations: -{{ toYaml .Values.deployment.annotations | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.replicaCount }} - {{- if .Values.statefulset.enabled }} - {{- if .Values.nexusProxy.svcName }} - serviceName: {{ .Values.nexusProxy.svcName }} - {{- else }} - serviceName: {{ template "nexus.fullname" . }} - {{- end }} - {{- end }} - {{- if .Values.deploymentStrategy }} - strategy: -{{ toYaml .Values.deploymentStrategy | indent 4 }} - {{- end }} - selector: - matchLabels: - app: {{ template "nexus.name" . }} - release: {{ .Release.Name }} - template: - metadata: - {{- if .Values.nexus.podAnnotations }} - annotations: -{{ toYaml .Values.nexus.podAnnotations | indent 8}} - {{- end }} - labels: - app: {{ template "nexus.name" . }} - release: {{ .Release.Name }} - spec: - {{- if .Values.deployment.initContainers }} - initContainers: -{{ toYaml .Values.deployment.initContainers | indent 6 }} - {{- end }} - {{- if .Values.nexus.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nexus.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.nexus.hostAliases }} - hostAliases: -{{ toYaml .Values.nexus.hostAliases | indent 8 }} - {{- end }} - {{- if .Values.nexus.imagePullSecret }} - imagePullSecrets: - - name: {{ .Values.nexus.imagePullSecret }} - {{- end }} - {{- if .Values.serviceAccount.name }} - serviceAccountName: {{ .Values.serviceAccount.name | quote }} - {{- else if .Values.serviceAccount.create }} - serviceAccountName: {{ template "nexus.fullname" . 
}} - {{- end }} - {{- if .Values.nexus.priorityClassName }} - priorityClassName: {{ .Values.nexus.priorityClassName }} - {{- end }} - containers: - - name: nexus - image: {{ .Values.nexus.imageName }}:{{ .Values.nexus.imageTag }} - imagePullPolicy: {{ .Values.nexus.imagePullPolicy }} - {{- if .Values.deployment.postStart.command }} - lifecycle: - postStart: - exec: - command: {{ .Values.deployment.postStart.command }} - {{- end }} - env: -{{ toYaml .Values.nexus.env | indent 12 }} - - name: NEXUS_DATA_CHOWN - value: {{ .Values.nexus.chownNexusData | quote }} -{{- if .Values.nexus.context }} - - name: NEXUS_CONTEXT - value: {{ .Values.nexus.context }} -{{- end }} - - resources: -{{ toYaml .Values.nexus.resources | indent 12 }} - ports: - - containerPort: {{ .Values.nexus.dockerPort }} - name: nexus-docker-g - - containerPort: {{ .Values.nexus.nexusPort }} - name: nexus-http - {{- with .Values.nexus.additionalPorts }} -{{ toYaml . | indent 12 }} - {{- end }} - livenessProbe: - httpGet: - path: {{ .Values.nexus.livenessProbe.path }} - port: {{ .Values.nexus.nexusPort }} - initialDelaySeconds: {{ .Values.nexus.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.nexus.livenessProbe.periodSeconds }} - failureThreshold: {{ .Values.nexus.livenessProbe.failureThreshold }} - {{- if .Values.nexus.livenessProbe.timeoutSeconds }} - timeoutSeconds: {{ .Values.nexus.livenessProbe.timeoutSeconds }} - {{- end }} - readinessProbe: - httpGet: - path: {{ .Values.nexus.readinessProbe.path }} - port: {{ .Values.nexus.nexusPort }} - initialDelaySeconds: {{ .Values.nexus.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.nexus.readinessProbe.periodSeconds }} - failureThreshold: {{ .Values.nexus.readinessProbe.failureThreshold }} - {{- if .Values.nexus.readinessProbe.timeoutSeconds }} - timeoutSeconds: {{ .Values.nexus.readinessProbe.timeoutSeconds }} - {{- end }} - volumeMounts: - - mountPath: /nexus-data - name: {{ template "nexus.fullname" . 
}}-data - {{- if .Values.nexusBackup.enabled }} - - mountPath: /nexus-data/backup - name: {{ template "nexus.fullname" . }}-backup - {{- end }} - {{- if .Values.nexusCloudiam.enabled }} - - mountPath: /nexus-data/cloudiam - name: {{ template "nexus.fullname" . }}-cloudiam - {{- end }} - {{- if .Values.config.enabled }} - - mountPath: {{ .Values.config.mountPath }} - name: {{ template "nexus.name" . }}-conf - {{- end }} - {{- if .Values.secret.enabled }} - - mountPath: {{ .Values.secret.mountPath }} - name: {{ template "nexus.name" . }}-secret - readOnly: {{ .Values.secret.readOnly }} - {{- end }} - {{- if .Values.deployment.additionalVolumeMounts}} -{{ toYaml .Values.deployment.additionalVolumeMounts | indent 12 }} - {{- end }} - {{- if .Values.nexusProxy.enabled }} - - name: nexus-proxy - image: {{ .Values.nexusProxy.imageName }}:{{ .Values.nexusProxy.imageTag }} - resources: -{{ toYaml .Values.nexusProxy.resources | indent 12 }} - imagePullPolicy: {{ .Values.nexusProxy.imagePullPolicy }} - env: - - name: ALLOWED_USER_AGENTS_ON_ROOT_REGEX - value: {{ default "GoogleHC" .Values.nexusProxy.env.allowedUserAgentsOnRootRegex | quote }} - - name: CLOUD_IAM_AUTH_ENABLED - value: {{ .Values.nexusProxy.env.cloudIamAuthEnabled | quote }} - - name: BIND_PORT - value: {{ .Values.nexusProxy.targetPort | quote }} - - name: ENFORCE_HTTPS - value: {{ .Values.nexusProxy.env.enforceHttps | quote }} - - name: NEXUS_DOCKER_HOST - value: {{ .Values.nexusProxy.env.nexusDockerHost | quote }} - - name: NEXUS_HTTP_HOST - value: {{ .Values.nexusProxy.env.nexusHttpHost | quote }} - - name: UPSTREAM_DOCKER_PORT - value: {{ .Values.nexus.dockerPort | quote }} - - name: UPSTREAM_HTTP_PORT - value: {{ .Values.nexus.nexusPort | quote }} - - name: UPSTREAM_HOST - value: "localhost" - {{- if .Values.nexusProxy.env.cloudIamAuthEnabled }} - - name: NEXUS_RUT_HEADER - value: "X-Forwarded-User" - - name: CLIENT_ID - value: {{ .Values.nexusProxy.env.clientId | quote }} - - name: CLIENT_SECRET - value: 
{{ .Values.nexusProxy.env.clientSecret | quote }} - - name: ORGANIZATION_ID - value: {{ .Values.nexusProxy.env.organizationId | quote }} - - name: REDIRECT_URL - value: {{ .Values.nexusProxy.env.redirectUrl | quote }} - - name: KEYSTORE_PASS - valueFrom: - secretKeyRef: - name: {{ template "nexus.proxy-ks.name" . }} - key: password - - name: KEYSTORE_PATH - value: "/nexus-proxy-ks/keystore" - - name: AUTH_CACHE_TTL - value: "60000" - - name: SESSION_TTL - value: "86400000" - - name: JWT_REQUIRES_MEMBERSHIP_VERIFICATION - value: {{ .Values.nexusProxy.env.requiredMembershipVerification | quote }} - {{- end }} - ports: - - containerPort: {{ .Values.nexusProxy.targetPort }} - name: nexus-proxy - {{- if .Values.nexusProxy.env.cloudIamAuthEnabled }} - volumeMounts: - - mountPath: /nexus-proxy-ks - name: {{ template "nexus.proxy-ks.name" . }} - readOnly: true - {{- end }} - {{- end }} - {{- if .Values.nexusBackup.enabled }} - - name: nexus-backup - image: {{ .Values.nexusBackup.imageName }}:{{ .Values.nexusBackup.imageTag }} - imagePullPolicy: {{ .Values.nexusBackup.imagePullPolicy }} - resources: -{{ toYaml .Values.nexusBackup.resources | indent 12 }} - env: - - name: NEXUS_AUTHORIZATION - {{- if not .Values.nexusBackup.env.nexusAuthorization }} - valueFrom: - secretKeyRef: - key: nexus.nexusAdminPassword - name: {{ template "nexus.fullname" . 
}} - {{- else }} - value: {{ .Values.nexusBackup.env.nexusAuthorization | quote }} - {{- end }} - - name: NEXUS_BACKUP_DIRECTORY - value: /nexus-data/backup - - name: NEXUS_DATA_DIRECTORY - value: /nexus-data - - name: NEXUS_LOCAL_HOST_PORT - value: "localhost:{{ .Values.nexus.nexusPort }}" - - name: OFFLINE_REPOS - value: {{ .Values.nexusBackup.env.offlineRepos | quote }} - - name: TARGET_BUCKET - value: {{ .Values.nexusBackup.env.targetBucket | quote }} - - name: GRACE_PERIOD - value: {{ .Values.nexusBackup.env.gracePeriod | quote }} - - name: TRIGGER_FILE - value: .backup - - name: RCLONE_REMOTE - value: {{ .Values.nexusBackup.env.rcloneRemote | quote }} - - name: STREAMING_UPLOAD_CUTOFF - value: {{ .Values.nexusBackup.env.streamingUploadCutoff | default "5000000" | quote }} - {{- if .Values.nexusCloudiam.enabled }} - - name: CLOUD_IAM_SERVICE_ACCOUNT_KEY_PATH - value: /nexus-data/cloudiam/service-account-key.json - {{- end }} - volumeMounts: - - mountPath: /nexus-data - name: {{ template "nexus.fullname" . }}-data - - mountPath: /nexus-data/backup - name: {{ template "nexus.fullname" . }}-backup - {{- if .Values.nexusCloudiam.enabled }} - - mountPath: /nexus-data/cloudiam - name: {{ template "nexus.fullname" . }}-cloudiam - {{- end }} - - mountPath: /root/.config/rclone - name: {{ template "nexus.fullname" . }}-rclone-config - {{- end }} - {{- if .Values.deployment.additionalContainers }} -{{ toYaml .Values.deployment.additionalContainers | indent 8 }} - {{- end }} - {{- if .Values.nexus.securityContextEnabled }} - securityContext: -{{ toYaml .Values.nexus.securityContext | indent 8 }} - {{- end }} - volumes: - {{- if .Values.nexusBackup.enabled }} - - name: {{ template "nexus.fullname" . }}-rclone-config - secret: - secretName: {{ template "nexus.name" . }}-rclone-config-secret - {{- end }} - {{- if .Values.nexusProxy.env.cloudIamAuthEnabled }} - - name: {{ template "nexus.proxy-ks.name" . }} - secret: - secretName: {{ template "nexus.proxy-ks.name" . 
}} - {{- end }} - - {{- if .Values.statefulset.enabled }} - {{- if not .Values.persistence.enabled }} - - name: {{ template "nexus.fullname" . }}-data - emptyDir: {} - {{- end }} - {{- if and .Values.nexusBackup.enabled (not .Values.nexusBackup.persistence.enabled) }} - - name: {{ template "nexus.fullname" . }}-backup - emptyDir: {} - {{- end }} - {{- if and .Values.nexusCloudiam.enabled (not .Values.nexusCloudiam.persistence.enabled) }} - - name: {{ template "nexus.fullname" . }}-cloudiam - emptyDir: {} - {{- end }} - {{- else }} - - name: {{ template "nexus.fullname" . }}-data - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-%s" (include "nexus.fullname" .) "data") }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.nexusBackup.enabled }} - - name: {{ template "nexus.fullname" . }}-backup - {{- if and .Values.nexusBackup.persistence.enabled .Values.nexusBackup.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.nexusBackup.persistence.existingClaim | default (printf "%s-%s" (include "nexus.fullname" .) "backup") }} - {{- else }} - emptyDir: {} - {{- end }} - {{- end }} - {{- if .Values.nexusCloudiam.enabled }} - - name: {{ template "nexus.fullname" . }}-cloudiam - {{- if and .Values.nexusCloudiam.persistence.enabled .Values.nexusCloudiam.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.nexusCloudiam.persistence.existingClaim | default (printf "%s-%s" (include "nexus.fullname" .) "cloudiam") }} - {{- else }} - emptyDir: {} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.config.enabled }} - - name: {{ template "nexus.name" . }}-conf - configMap: - name: {{ template "nexus.name" . }}-conf - {{- end }} - {{- if .Values.secret.enabled }} - - name: {{ template "nexus.name" . }}-secret - secret: - secretName: {{ template "nexus.name" . 
}}-secret - {{- end }} - {{- if .Values.deployment.additionalVolumes }} -{{ toYaml .Values.deployment.additionalVolumes | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - - -## create pvc in case of statefulsets - {{- if .Values.statefulset.enabled }} - volumeClaimTemplates: - {{- if .Values.persistence.enabled }} - - metadata: - name: {{ template "nexus.fullname" . }}-data - labels: -{{ include "nexus.labels" . | indent 10 }} - {{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 10 }} - {{- end }} - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.persistence.storageSize | quote }} - {{- if .Values.persistence.storageClass }} - {{- if (eq "-" .Values.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.persistence.storageClass }}" - {{- end }} - {{- end }} - {{- end }} - - {{- if .Values.nexusBackup.persistence.enabled }} - - metadata: - name: {{ template "nexus.fullname" . }}-backup - labels: -{{ include "nexus.labels" . | indent 10 }} - {{- if .Values.nexusBackup.persistence.annotations }} - annotations: -{{ toYaml .Values.nexusBackup.persistence.annotations | indent 10 }} - {{- end }} - spec: - accessModes: - - {{ .Values.nexusBackup.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.nexusBackup.persistence.storageSize | quote }} - {{- if .Values.nexusBackup.persistence.storageClass }} - {{- if (eq "-" .Values.nexusBackup.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.nexusBackup.persistence.storageClass }}" - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.nexusCloudiam.persistence.enabled }} - - metadata: - name: {{ template "nexus.fullname" . 
}}-cloudiam - labels: -{{ include "nexus.labels" . | indent 10 }} - {{- if .Values.nexusCloudiam.persistence.annotations }} - annotations: -{{ toYaml .Values.nexusCloudiam.persistence.annotations | indent 10 }} - {{- end }} - spec: - accessModes: - - {{ .Values.nexusCloudiam.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.nexusCloudiam.persistence.storageSize | quote }} - {{- if .Values.nexusCloudiam.persistence.storageClass }} - {{- if (eq "-" .Values.nexusCloudiam.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.nexusCloudiam.persistence.storageClass }}" - {{- end }} - {{- end }} - {{- end }} - {{- end }} diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml new file mode 100644 index 0000000..c391a57 --- /dev/null +++ b/chart/templates/deployment.yaml 
@@ -0,0 +1,169 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "nexus.fullname" . }} + labels: +{{ include "nexus.labels" . | indent 4 }} + {{- if .Values.nexus.extraLabels }} + {{- with .Values.nexus.extraLabels }} + {{ toYaml . | indent 4 }} + {{- end }} + {{- end }} +{{- if .Values.deployment.annotations }} + annotations: +{{ toYaml .Values.deployment.annotations | indent 4 }} +{{- end }} +spec: + replicas: 1 + strategy: + type: {{ .Values.deploymentStrategy }} + selector: + matchLabels: + {{- include "nexus.selectorLabels" . | nindent 6 }} + {{- if .Values.nexus.extraSelectorLabels }} + {{- with .Values.nexus.extraSelectorLabels }} + {{ toYaml . | indent 6 }} + {{- end }} + {{- end }} + template: + metadata: + annotations: + checksum/configmap-properties: {{ include (print .Template.BasePath "/configmap-properties.yaml") $ | sha256sum }} + {{- if .Values.nexus.podAnnotations }} +{{ toYaml .Values.nexus.podAnnotations | indent 8}} + {{- end }} + labels: + {{- include "nexus.selectorLabels" . | nindent 8 }} + spec: + serviceAccountName: {{ include "nexus.serviceAccountName" . }} + {{- if .Values.deployment.initContainers }} + initContainers: +{{ toYaml .Values.deployment.initContainers | indent 6 }} + {{- end }} + {{- if .Values.nexus.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nexus.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.nexus.hostAliases }} + hostAliases: +{{ toYaml .Values.nexus.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.nexus.imagePullSecret }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.deployment.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + + lifecycle: + {{- if .Values.deployment.postStart.command }} + postStart: + exec: + command: {{ .Values.deployment.postStart.command }} + {{- end }} + env: +{{ toYaml .Values.nexus.env | indent 12 }} + envFrom: +{{ toYaml .Values.nexus.envFrom | indent 12 }} + resources: +{{ toYaml .Values.nexus.resources | indent 12 }} + ports: + - name: nexus-ui + containerPort: {{ .Values.nexus.nexusPort }} + {{- if .Values.nexus.docker.enabled }} + {{- range .Values.nexus.docker.registries }} + - name: docker-{{ .port }} + containerPort: {{ .port }} + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: {{ .Values.nexus.livenessProbe.path }} + port: {{ .Values.nexus.nexusPort }} + initialDelaySeconds: {{ .Values.nexus.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.nexus.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.nexus.livenessProbe.failureThreshold }} + {{- if .Values.nexus.livenessProbe.timeoutSeconds }} + timeoutSeconds: {{ .Values.nexus.livenessProbe.timeoutSeconds }} + {{- end }} + readinessProbe: + httpGet: + path: {{ .Values.nexus.readinessProbe.path }} + port: {{ .Values.nexus.nexusPort }} + initialDelaySeconds: {{ .Values.nexus.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.nexus.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.nexus.readinessProbe.failureThreshold }} + {{- if .Values.nexus.readinessProbe.timeoutSeconds }} + timeoutSeconds: {{ .Values.nexus.readinessProbe.timeoutSeconds }} + {{- end }} + volumeMounts: + - mountPath: /nexus-data + name: {{ template "nexus.name" . 
}}-data + {{- if .Values.config.enabled }} + - mountPath: {{ .Values.config.mountPath }} + name: {{ template "nexus.name" . }}-conf + {{- end }} + {{- if .Values.nexus.properties.override }} + - mountPath: /nexus-data/etc/nexus.properties + name: {{ template "nexus.name" . }}-properties + subPath: nexus.properties + {{- end }} + {{- if .Values.secret.enabled }} + - mountPath: {{ .Values.secret.mountPath }} + name: {{ template "nexus.name" . }}-secret + subPath: {{ .Values.secret.subPath }} + readOnly: {{ .Values.secret.readOnly }} + {{- end }} + {{- if .Values.deployment.additionalVolumeMounts}} +{{ toYaml .Values.deployment.additionalVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.deployment.additionalContainers }} +{{ toYaml .Values.deployment.additionalContainers | indent 8 }} + {{- end }} + {{- if .Values.nexus.securityContext }} + securityContext: +{{ toYaml .Values.nexus.securityContext | indent 8 }} + {{- end }} + volumes: + - name: {{ template "nexus.name" . }}-data + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (printf "%s-%s" (include "nexus.fullname" .) "data") }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.config.enabled }} + - name: {{ template "nexus.name" . }}-conf + configMap: + name: {{ template "nexus.name" . }}-conf + {{- end }} + {{- if .Values.nexus.properties.override }} + - name: {{ template "nexus.name" . }}-properties + configMap: + name: {{ template "nexus.name" . }}-properties + items: + - key: nexus.properties + path: nexus.properties + {{- end }} + {{- if .Values.secret.enabled }} + - name: {{ template "nexus.name" . }}-secret + secret: + secretName: {{ template "nexus.name" . 
}}-secret + items: + - key: admin.password + path: admin.password + {{- end }} + {{- if .Values.deployment.additionalVolumes }} +{{ toYaml .Values.deployment.additionalVolumes | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/chart/templates/image-pull-secret.yaml b/chart/templates/image-pull-secret.yaml new file mode 100644 index 0000000..d70c3db --- /dev/null +++ b/chart/templates/image-pull-secret.yaml @@ -0,0 +1,10 @@ +{{- if .Values.nexus.imagePullSecret -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "nexus.name" . }} +data: + .dockerconfigjson: {{ .Values.nexus.imagePullSecret }} + +type: kubernetes.io/dockerconfigjson +{{- end }} \ No newline at end of file diff --git a/chart/templates/ingress-docker.yaml b/chart/templates/ingress-docker.yaml deleted file mode 100644 index 5dd7971..0000000 --- a/chart/templates/ingress-docker.yaml +++ /dev/null 
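Review bot: `imagePullSecrets: {{- toYaml . | nindent 8 }}` inside the `if .Values.nexus.imagePullSecret` block serialises the whole root context, because `if` does not rebind `.` the way `with` does, so enabling a pull secret renders an unusable pod spec instead of a reference to the Secret that image-pull-secret.yaml creates; it should be `imagePullSecrets:` followed by `- name: {{ template "nexus.name" . }}`. Separately, each `{{ toYaml . | indent 4 }}` (and `indent 6`) that sits on an indented template line — the `extraLabels`/`extraSelectorLabels` blocks here and in the ingress.yaml, psp-clusterrole.yaml, psp-rolebinding.yaml, psp.yaml, pv.yaml, pvc.yaml, secret.yaml, service.yaml and serviceaccount.yaml hunks — emits the first key with the line's own leading whitespace plus the indent, so the first extra label lands deeper than the keys that follow and the YAML parser rejects the manifest. `{{- toYaml . | nindent 4 }}`, the form already used for `selectorLabels` in this file, avoids that in every one of those places.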
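Review bot: `.dockerconfigjson: {{ .Values.nexus.imagePullSecret }}` is placed under `data:`, so the value must already be base64, and because it is unquoted a raw `{...}` dockerconfig JSON pasted into values would be parsed as a YAML flow mapping rather than a string; either render it as `{{ .Values.nexus.imagePullSecret | quote }}` with a comment stating the base64 expectation, or accept the raw JSON under `stringData:` instead. The Secret also carries none of the chart labels the other templates apply, which makes it invisible to label-based tooling; `labels: {{- include "nexus.labels" . | nindent 4 }}` keeps it consistent with the rest of the chart.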
@@ -1,48 +0,0 @@ -{{- if .Values.ingressDocker.enabled }} -apiVersion: {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} networking.k8s.io/v1beta1 {{- else }} extensions/v1beta1 {{- end }} -kind: Ingress -metadata: - name: {{ template "nexus.ingres.docker" . }} - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} - {{- range $key, $value := .Values.ingressDocker.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - annotations: - {{- range $key, $value := .Values.ingressDocker.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - rules: - {{- if .Values.nexusProxy.env.nexusDockerHost }} - - host: {{ .Values.nexusProxy.env.nexusDockerHost }} - http: - paths: - - backend: - {{- if .Values.nexusProxy.svcName }} - serviceName: {{ .Values.nexusProxy.svcName }} - {{- else }} - serviceName: {{ template "nexus.fullname" . }} - {{- end }} - {{- if .Values.nexusProxy.enabled }} - servicePort: {{ .Values.nexusProxy.port }} - {{- else }} - servicePort: {{ .Values.nexus.dockerPort }} - {{- end }} - path: {{ .Values.ingress.path }} - {{- end }} - {{- with .Values.ingressDocker.rules }} - {{- toYaml . | nindent 4 }} - {{- end -}} -{{- if .Values.ingress.tls.enabled }} - tls: - - hosts: - {{- if .Values.nexusProxy.env.nexusDockerHost }} - - {{ .Values.nexusProxy.env.nexusDockerHost }} - {{- end }} - {{- if .Values.ingressDocker.tls.secretName }} - secretName: {{ .Values.ingressDocker.tls.secretName | quote }} - {{- end }} -{{- end -}} -{{- end }} diff --git a/chart/templates/ingress.yaml b/chart/templates/ingress.yaml index 9f50803..170be13 100644 --- a/chart/templates/ingress.yaml +++ b/chart/templates/ingress.yaml 
@@ -1,48 +1,73 @@ {{- if .Values.ingress.enabled -}} -apiVersion: {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} networking.k8s.io/v1beta1 {{- else }} extensions/v1beta1 {{- end }} +{{- $fullName := include "nexus.fullname" . -}} +{{- $svcPort := .Values.nexus.nexusPort -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: - name: {{ template "nexus.fullname" . }} - namespace: {{ template "nexus.namespace" . }} + name: {{ $fullName }} labels: -{{ include "nexus.labels" . | indent 4 }} - {{- range $key, $value := .Values.ingress.labels }} - {{ $key }}: {{ $value | quote }} + {{- include "nexus.labels" . | nindent 4 }} + {{- if .Values.nexus.extraLabels }} + {{- with .Values.nexus.extraLabels }} + {{ toYaml . | indent 4 }} + {{- end }} {{- end }} + {{- with .Values.ingress.annotations }} annotations: - {{- range $key, $value := .Values.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} rules: -{{- if .Values.nexusProxy.env.nexusHttpHost }} - - host: {{ .Values.nexusProxy.env.nexusHttpHost }} + - host: {{ .Values.ingress.hostRepo }} http: paths: - - backend: - {{- if .Values.nexusProxy.svcName }} - serviceName: {{ .Values.nexusProxy.svcName }} - {{- else }} - serviceName: {{ template "nexus.fullname" . 
}} - {{- end }} -{{- if .Values.nexusProxy.enabled }} - servicePort: {{ .Values.nexusProxy.port }} -{{- else }} - servicePort: {{ .Values.nexus.nexusPort }} -{{- end }} - path: {{ .Values.ingress.path }} -{{- end }} - {{- with .Values.ingress.rules }} + - path: {{ .Values.ingress.hostPath }} + backend: + serviceName: {{ $fullName }} + servicePort: 8081 + +{{ if .Values.nexus.docker.enabled }} +{{ range $registry := .Values.nexus.docker.registries }} +--- +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }} + labels: + {{- include "nexus.labels" $ | nindent 4 }} + {{- if $.Values.nexus.extraLabels }} + {{- with $.Values.nexus.extraLabels }} + {{ toYaml . | indent 4 }} + {{- end }} + {{- end }} + {{- with $.Values.ingress.annotations }} + annotations: {{- toYaml . | nindent 4 }} - {{- end -}} -{{- if .Values.ingress.tls.enabled }} + {{- end }} +spec: tls: - hosts: - {{- if .Values.nexusProxy.env.nexusHttpHost }} - - {{ .Values.nexusProxy.env.nexusHttpHost }} - {{- end }} - {{- if .Values.ingress.tls.secretName }} - secretName: {{ .Values.ingress.tls.secretName | quote }} - {{- end }} -{{- end -}} + - {{ $registry.host | quote }} + secretName: {{ $registry.secretName }} + rules: + - host: {{ $registry.host }} + http: + paths: + - path: / + backend: + serviceName: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }} + servicePort: {{ $registry.port }} + {{- end }} +{{- end }} {{- end }} diff --git a/chart/templates/initpwd-job.yaml b/chart/templates/initpwd-job.yaml deleted file mode 100644 index 15d9cf0..0000000 --- a/chart/templates/initpwd-job.yaml +++ /dev/null 
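Review bot: `servicePort: 8081` in the main Ingress rule is hard-coded even though `$svcPort := .Values.nexus.nexusPort` is declared at the top of the file and never used (`$ingressPath` is likewise declared while `.Values.ingress.hostPath` is what the rule reads), so changing `nexus.nexusPort` silently breaks routing; write `servicePort: {{ $svcPort }}` and either use or drop `$ingressPath`. The per-registry Docker Ingress also emits `tls:` unconditionally with `secretName: {{ $registry.secretName }}`, whereas the main Ingress guards its `tls:` behind `if .Values.ingress.tls`; a registry entry without `secretName` renders an empty value, so guard the block with `{{- if $registry.secretName }}` or document the field as required for every registry.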
@@ -1,63 +0,0 @@ -{{- if .Values.initAdminPassword.enabled }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "nexus.fullname" . }}-initpwd-job - annotations: - helm.sh/hook: "post-install" - helm.sh/hook-weight: "10" - helm.sh/hook-delete-policy: "before-hook-creation" - labels: -{{ include "nexus.labels" . | indent 4 }} -spec: - backoffLimit: 5 - template: - metadata: - name: {{ template "nexus.fullname" . }}-initpwd - labels: - app: {{ template "nexus.name" . }} - release: {{ .Release.Name }} - spec: - restartPolicy: Never - containers: - - name: nexus-initpwd - image: curlimages/curl:7.73.0 - command: - - /bin/sh - - -ec - - | - curl --fail -X PUT \ - http://$(NEXUS_HOST)/service/rest/beta/security/users/admin/change-password \ - -H "Content-Type: text/plain" \ - -H "Authorization: Basic $(NEXUS_AUTHORIZATION)" \ - -d "$(ADMIN_PASSWORD)" - env: - - name: NEXUS_AUTHORIZATION - valueFrom: - secretKeyRef: - key: nexusAuthorization - name: {{ template "nexus.fullname" . }}-initpwd-secret - - name: NEXUS_HOST - value: {{ template "nexus.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.nexus.nexusPort }} - - name: ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: adminPassword - name: {{ template "nexus.fullname" . }}-initpwd-secret ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "nexus.fullname" . }}-initpwd-secret - annotations: - helm.sh/hook: "post-install" - helm.sh/hook-weight: "-10" - helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" - labels: -{{ include "nexus.labels" . | indent 4 }} -type: Opaque -data: - nexusAuthorization: {{ printf "%s%s" "admin:" (default "admin123" .Values.initAdminPassword.defaultPasswordOverride) | b64enc | b64enc }} - adminPassword: {{ .Values.initAdminPassword.password | b64enc }} -{{- end }} diff --git a/chart/templates/proxy-ks-secret.yaml b/chart/templates/proxy-ks-secret.yaml deleted file mode 100644 index d97bc5a..0000000 
--- a/chart/templates/proxy-ks-secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.nexusProxy.env.cloudIamAuthEnabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "nexus.proxy-ks.name" . }} - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -type: Opaque -data: - keystore: {{ .Values.nexusProxy.secrets.keystore }} - password: {{ .Values.nexusProxy.secrets.password | b64enc }} -{{- end}} diff --git a/chart/templates/proxy-route.yaml b/chart/templates/proxy-route.yaml index 1fc4fa3..f66e135 100644 --- a/chart/templates/proxy-route.yaml +++ b/chart/templates/proxy-route.yaml @@ -3,11 +3,7 @@ apiVersion: route.openshift.io/v1 kind: Route metadata: name: {{ template "nexus.fullname" . }} - namespace: {{ template "nexus.namespace" . }} - labels: - {{- range $key, $value := .Values.nexusProxyRoute.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} + labels: {{ .Values.nexusProxyRoute.labels }} annotations: {{- range $key, $value := .Values.nexusProxyRoute.annotations }} {{ $key }}: {{ $value | quote }} @@ -15,21 +11,13 @@ metadata: spec: host: {{ .Values.nexusProxyRoute.path }} port: - {{- if .Values.nexusProxy.svcName }} - targetPort: {{ .Values.nexusProxy.svcName }} - {{- else }} targetPort: {{ template "nexus.fullname" . }} - {{- end }} tls: insecureEdgeTerminationPolicy: Redirect termination: edge to: kind: Service -{{- if .Values.nexusProxy.svcName }} - name: {{ .Values.nexusProxy.svcName }} -{{- else }} name: {{ template "nexus.fullname" . }} -{{- end }} weight: 100 wildcardPolicy: None {{- end }} diff --git a/chart/templates/proxy-svc.yaml b/chart/templates/proxy-svc.yaml deleted file mode 100644 index 0ab13fa..0000000 --- a/chart/templates/proxy-svc.yaml +++ /dev/null 
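Review bot: `labels: {{ .Values.nexusProxyRoute.labels }}` renders the Go map with its default `map[k:v]` formatting rather than as YAML, so any configured labels produce a string where the API expects a mapping and the Route is rejected; the `range` loop this replaces did emit YAML. Use `labels: {{- toYaml .Values.nexusProxyRoute.labels | nindent 4 }}`, wrapped in `with` if the value may be empty. The route.yaml hunk makes the identical change with `labels: {{ .Values.route.labels }}` and needs the same fix.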
@@ -1,55 +0,0 @@ -{{- if or .Values.nexusProxy.enabled .Values.ingress.enabled }} -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.nexusProxy.svcName }} - name: {{ .Values.nexusProxy.svcName }} -{{- else }} - name: {{ template "nexus.fullname" . }} -{{- end }} - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -{{- if .Values.nexus.labels }} -{{ toYaml .Values.nexus.labels | indent 4 }} -{{- end }} -{{- if .Values.nexusProxy.labels }} -{{ toYaml .Values.nexusProxy.labels | indent 4 }} -{{- end }} -{{- if .Values.nexus.annotations }} - annotations: -{{ toYaml .Values.nexus.annotations | indent 4 }} -{{- end }} -spec: - ports: -{{- if .Values.nexusProxy.enabled }} - - port: {{ .Values.nexusProxy.port }} -{{- else }} - - port: {{ .Values.nexus.nexusPort }} -{{- end }} -{{- if .Values.nexusProxy.svcName }} - name: {{ .Values.nexusProxy.svcName }} -{{- else }} - name: {{ template "nexus.fullname" . }} -{{- end }} - protocol: TCP -{{- if .Values.nexusProxy.enabled }} - targetPort: {{ .Values.nexusProxy.targetPort }} -{{- else }} - targetPort: {{ .Values.nexus.nexusPort }} - - port: {{ .Values.nexus.dockerPort }} - name: docker - protocol: TCP - targetPort: {{ .Values.nexus.dockerPort }} -{{- end }} - selector: - app: {{ template "nexus.name" . }} - release: {{ .Release.Name }} - type: {{ .Values.nexus.service.type }} - {{- if and (eq .Values.nexus.service.type "ClusterIP") .Values.nexus.service.clusterIP }} - clusterIP: {{ .Values.nexus.service.clusterIP }} - {{- end }} - {{- if and (eq .Values.nexus.service.type "LoadBalancer") .Values.nexus.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.nexus.service.loadBalancerIP }} - {{- end }} -{{- end }} diff --git a/chart/templates/psp-clusterrole.yaml b/chart/templates/psp-clusterrole.yaml new file mode 100644 index 0000000..a810a4f --- /dev/null +++ b/chart/templates/psp-clusterrole.yaml 
@@ -0,0 +1,19 @@
+{{- if .Values.psp.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ name: {{ template "nexus.name" . }}-psp-use
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - {{ template "nexus.name" . }}
+ verbs:
+ - use
+{{- end -}}
\ No newline at end of file
diff --git a/chart/templates/psp-rolebinding.yaml b/chart/templates/psp-rolebinding.yaml
new file mode 100644
index 0000000..042a2ff
--- /dev/null
+++ b/chart/templates/psp-rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.psp.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ name: {{ template "nexus.name" . }}-psp-use
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "nexus.name" . }}-psp-use
+subjects:
+- kind: ServiceAccount
+ name: {{ include "nexus.serviceAccountName" . }}
+{{- end -}}
\ No newline at end of file
diff --git a/chart/templates/psp.yaml b/chart/templates/psp.yaml
new file mode 100644
index 0000000..0d7978e
--- /dev/null
+++ b/chart/templates/psp.yaml
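Review bot: psp-clusterrole.yaml declares `apiVersion: rbac.authorization.k8s.io/v1beta1` while psp-rolebinding.yaml on the same line declares `rbac.authorization.k8s.io/v1`; RBAC v1 has been GA for years and v1beta1 is deprecated, so the ClusterRole should read `apiVersion: rbac.authorization.k8s.io/v1` to match. Both objects are named `{{ template "nexus.name" . }}-psp-use`, i.e. the chart name rather than the release-qualified `nexus.fullname` used elsewhere; the ClusterRole is cluster-scoped, so two releases of this chart in one cluster would contend for the same object.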
@@ -0,0 +1,36 @@
+{{- if .Values.psp.create -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ name: {{ template "nexus.name" . }}
+spec:
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - secret
+ - projected
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+{{- end }}
diff --git a/chart/templates/pv.yaml b/chart/templates/pv.yaml
index 50bed46..1f17872 100644
--- a/chart/templates/pv.yaml
+++ b/chart/templates/pv.yaml
@@ -4,9 +4,13 @@ apiVersion: v1
 kind: PersistentVolume
 metadata:
 name: {{ .Values.persistence.pdName }}
- namespace: {{ template "nexus.namespace" . }}
 labels:
 {{ include "nexus.labels" . | indent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
 spec:
 capacity:
 storage: {{ .Values.persistence.storageSize }}
diff --git a/chart/templates/pvc.yaml b/chart/templates/pvc.yaml
index 9b78436..32e9b78 100644
--- a/chart/templates/pvc.yaml
+++ b/chart/templates/pvc.yaml
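Review bot: The PodSecurityPolicy leaves `allowPrivilegeEscalation` unset (it defaults to true) and sets `runAsUser: rule: 'RunAsAny'`, so despite `requiredDropCapabilities: ALL` a pod admitted under it may still run as root and regain privileges through setuid binaries; if the Iron Bank image runs unprivileged, `allowPrivilegeEscalation: false` and `runAsUser: rule: 'MustRunAsNonRoot'` bring the policy in line with the container `securityContext` the deployment already applies. Quoting is inconsistent within the same spec (`'RunAsAny'` two lines above an unquoted `RunAsAny`); pick one style. Since `policy/v1beta1` is the only PodSecurityPolicy version and the resource is removed in newer Kubernetes releases, the `psp.create` toggle deserves a comment in values.yaml saying so.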
@@ -1,12 +1,15 @@ -{{- if not .Values.statefulset.enabled }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ template "nexus.fullname" . }}-data - namespace: {{ template "nexus.namespace" . }} labels: {{ include "nexus.labels" . | indent 4 }} + {{- if .Values.nexus.extraLabels }} + {{- with .Values.nexus.extraLabels }} + {{ toYaml . | indent 4 }} + {{- end }} + {{- end }} {{- if .Values.persistence.annotations }} annotations: {{ toYaml .Values.persistence.annotations | indent 4 }} @@ -25,4 +28,3 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} diff --git a/chart/templates/rclone-config-secret.yaml b/chart/templates/rclone-config-secret.yaml deleted file mode 100644 index 3606b40..0000000 --- a/chart/templates/rclone-config-secret.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if and .Values.nexusBackup.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "nexus.name" . }}-rclone-config-secret - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -{{- if .Values.nexus.labels }} -{{ toYaml .Values.nexus.labels | indent 4 }} -{{- end }} -data: -{{- if .Values.nexusBackup.rcloneConfig }} -{{- range $key, $val := .Values.nexusBackup.rcloneConfig }} - {{ $key }}: |- -{{ $val | b64enc| indent 4}} -{{- end }} -{{- end -}} -{{- end}} diff --git a/chart/templates/route.yaml b/chart/templates/route.yaml index e00819f..cf76e5b 100644 --- a/chart/templates/route.yaml +++ b/chart/templates/route.yaml @@ -3,11 +3,7 @@ apiVersion: route.openshift.io/v1 kind: Route metadata: name: {{ .Values.route.name }} - namespace: {{ template "nexus.namespace" . }} - labels: - {{- range $key, $value := .Values.route.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} + labels: {{ .Values.route.labels }} annotations: {{- range $key, $value := .Values.route.annotations }} {{ $key }}: {{ $value | quote }} 
@@ -28,6 +24,4 @@ spec:
 {{- end }}
 weight: 100
 wildcardPolicy: None
-status:
- ingress: []
 {{- end }}
diff --git a/chart/templates/secret.yaml b/chart/templates/secret.yaml
index 3f272cc..37f4377 100644
--- a/chart/templates/secret.yaml
+++ b/chart/templates/secret.yaml
@@ -1,14 +1,15 @@
-{{- if and .Values.secret.enabled .Values.secret.data -}}
+{{- if .Values.secret.enabled -}}
 apiVersion: v1
 kind: Secret
 metadata:
 name: {{ template "nexus.name" . }}-secret
- namespace: {{ template "nexus.namespace" . }}
 labels:
 {{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.nexus.labels }}
-{{ toYaml .Values.nexus.labels | indent 4 }}
-{{- end }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
 data:
-{{ toYaml .Values.secret.data | indent 2 }}
+ admin.password: {{ randAlphaNum 12 | b64enc | quote }}
 {{- end}}
diff --git a/chart/templates/service.yaml b/chart/templates/service.yaml
index c547835..ba7acb7 100644
--- a/chart/templates/service.yaml
+++ b/chart/templates/service.yaml
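Review bot: `admin.password: {{ randAlphaNum 12 | b64enc | quote }}` is re-evaluated on every render, so each `helm upgrade` rewrites the Secret with a fresh value while Nexus, which presumably reads the seeded file only when it first initialises, keeps the password it stored at install time; the mounted `admin.password` file and the real credential then silently diverge. Reusing the value already in the cluster avoids that, e.g. `{{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-secret" (include "nexus.name" .)) }}` and `admin.password: {{ if $existing }}{{ index $existing.data "admin.password" | quote }}{{ else }}{{ randAlphaNum 12 | b64enc | quote }}{{ end }}`. `lookup` returns an empty map under `helm template` and dry-runs, so a comment on the line should note that the value is only stable against a live cluster. Twelve alphanumerics is also short for an administrator credential; a longer `randAlphaNum` argument costs nothing.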
@@ -1,44 +1,66 @@ {{- if .Values.service.enabled -}} +--- apiVersion: v1 kind: Service metadata: -{{- if .Values.service.name }} - name: {{ .Values.service.name }} -{{- else }} - name: {{ template "nexus.name" . }}-service -{{- end }} - namespace: {{ template "nexus.namespace" . }} - labels: -{{ include "nexus.labels" . | indent 4 }} -{{- if .Values.service.labels }} -{{ toYaml .Values.service.labels | indent 4 }} -{{- end }} + name: {{ include "nexus.fullname" . }} {{- if .Values.service.annotations }} annotations: {{ toYaml .Values.service.annotations | indent 4 }} {{- end }} + labels: + {{- include "nexus.labels" . | nindent 4 }} + {{- if .Values.nexus.extraLabels }} + {{- with .Values.nexus.extraLabels }} + {{ toYaml . | indent 4 }} + {{- end }} + {{- end }} spec: + type: {{ .Values.service.type }} ports: - {{- if .Values.service.portName }} - - name: {{ .Values.service.portName }} - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetPort }} - {{- end }} - {{- with .Values.service.ports }} -{{ toYaml . | indent 2 }} - {{- end }} + - port: {{ .Values.nexus.nexusPort }} + protocol: TCP + name: nexus-ui selector: - app: {{ template "nexus.name" . }} - release: {{ .Release.Name }} - type: {{ .Values.service.type }} - {{ if .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- range .Values.service.loadBalancerSourceRanges }} - - {{ . }} + {{- include "nexus.selectorLabels" . | nindent 4 }} + {{- if .Values.nexus.extraSelectorLabels }} + {{- with .Values.nexus.extraSelectorLabels }} + {{ toYaml . 
| indent 4 }} + {{- end }} + {{- end }} + +{{- if .Values.nexus.docker.enabled }} +{{- range $registry := .Values.nexus.docker.registries }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nexus.fullname" $ | trunc 49 }}-docker-{{ $registry.port }} +{{- if $.Values.service.annotations }} + annotations: +{{ toYaml $.Values.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "nexus.labels" $ | nindent 4 }} + {{- if $.Values.nexus.extraLabels }} + {{- with $.Values.nexus.extraLabels }} + {{ toYaml . | indent 4 }} + {{- end }} {{- end }} - {{ end }} - {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} - {{- end }} -{{- end}} +spec: + type: {{ $.Values.service.type }} + ports: + - port: {{ $registry.port }} + protocol: TCP + name: docker-{{ $registry.port }} + selector: + {{- include "nexus.selectorLabels" $ | nindent 4 }} + {{- if $.Values.nexus.extraSelectorLabels }} + {{- with $.Values.nexus.extraSelectorLabels }} + {{ toYaml . | indent 4 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml index ab1cc22..5bb8fa5 100644 --- a/chart/templates/serviceaccount.yaml +++ b/chart/templates/serviceaccount.yaml 
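Review bot: The per-registry Service name `{{ include "nexus.fullname" $ | trunc 49 }}-docker-{{ $registry.port }}` is duplicated verbatim in ingress.yaml, where the Ingress backend must reference exactly this Service; the two expressions only agree by discipline, so one edit to the truncation or suffix breaks Docker routing with no template error. A named helper in _helpers.tpl, e.g. `{{- define "nexus.dockerServiceName" -}}` taking the registry port, called from both files, removes the coupling. The same duplication applies to the Docker container port name `docker-{{ .port }}` in deployment.yaml, which the Service does not reference but which a reader has to cross-check by hand.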
@@ -1,14 +1,15 @@
-{{- if .Values.serviceAccount.create }}
+{{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- {{- if .Values.serviceAccount.name }}
- name: {{ .Values.serviceAccount.name }}
- {{- else }}
- name: {{ template "nexus.fullname" . }}
+ name: {{ include "nexus.serviceAccountName" . }}
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
 {{- end }}
- namespace: {{ template "nexus.namespace" . }}
- {{- if .Values.serviceAccount.annotations }}
- annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations: {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- end }}
-- GitLab
From 50813aeca8582eb8b2e3a88d5a68f9e75f09ac3f Mon Sep 17 00:00:00 2001
From: Grant Duncklee
Date: Thu, 25 Feb 2021 16:51:53 -0500
Subject: [PATCH 02/21] chore: update README with vendor info info reflects future repo location
---
 README.md | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index ed90302..26f6adc 100644
--- a/README.md
+++ b/README.md
@@ -1,18 +1,27 @@ -# Nexus -This is a fork of the upstream Helm charts for installing Nexus Artifactor Repository Pro (i.e. Licenced Paid Version) +# Sonatype Nexus -## Originally sourced from upstream, and minimially modified. -Steps performed: -``` -kpt pkg get https://github.com/Oteemo/charts.git/charts/sonatype-nexus@sonatype-nexus-4.2.0 chart/ -``` +Source of truth for components, artifacts, binaries, etc. -## Upstream Changes +This chart was sourced from +[Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with +minimal changes. -* TODO: no diff from upstream yet +## Prerequisites + +- Kubernetes Cluster deployed +- Kubernetes config installed in ~/.kube/config +- Helm installed ## Iron Bank -You can `pull` the registry1 images for: -* Nexus [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus) -* Nexus IQ Server [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus-iq-server%2Fnexus-iq-server) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus-iq-server) +You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus). + +## Helm + +Please reference complete list of providable variables +[here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration) + +```bash +git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git +helm install nexus-repository-manager chart +``` -- GitLab From 393aeaaec28391422eea0743486434d3e45dfcb0 Mon Sep 17 00:00:00 2001 
From: Grant Duncklee Date: Tue, 6 Apr 2021 17:37:36 -0400 Subject: [PATCH 03/21] feat: support for encrypted license baseline documentation, saml.yaml --- CODEOWNERS | 3 +- README.md | 54 ++- chart/Chart.yaml | 31 +- chart/OWNERS | 4 - chart/README.md | 350 ------------------- chart/templates/_helpers.tpl | 4 + chart/templates/bigbang/configmap-sso.yaml | 18 + chart/templates/bigbang/license.yaml | 13 + chart/templates/bigbang/saml.yaml | 76 ++++ chart/templates/{ => bigbang}/secret.yaml | 0 chart/templates/deployment.yaml | 13 +- chart/templates/ingress.yaml | 2 +- chart/values.yaml | 387 ++++++++------------- 13 files changed, 326 insertions(+), 629 deletions(-) delete mode 100644 chart/README.md create mode 100644 chart/templates/bigbang/configmap-sso.yaml create mode 100644 chart/templates/bigbang/license.yaml create mode 100644 chart/templates/bigbang/saml.yaml rename chart/templates/{ => bigbang}/secret.yaml (100%) diff --git a/CODEOWNERS b/CODEOWNERS index e59ada3..afe62c4 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1,2 @@ -* @kevin.wilder @ariel.shnitzer @grant.duncklee \ No newline at end of file +#followup and see who else belongs here +* @grant.duncklee diff --git a/README.md b/README.md index 26f6adc..7336c7b 100644 --- a/README.md +++ b/README.md 
@@ -1,27 +1,63 @@ -# Sonatype Nexus +# Sonatype Nexus Repository Manager (NXRM) Source of truth for components, artifacts, binaries, etc. -This chart was sourced from -[Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with -minimal changes. +This chart was sourced from [Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with minimal changes. ## Prerequisites - - Kubernetes Cluster deployed - Kubernetes config installed in ~/.kube/config - Helm installed +- Keycloak (Optional - SSO) +- Sonatype NXRM License. Required for SAML integration ## Iron Bank - You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus). ## Helm - -Please reference complete list of providable variables -[here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration) +Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration) ```bash git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git helm install nexus-repository-manager chart ``` + +## BigBang Additions, Comments, and Important Information +### SAML/SSO Integration +BigBang requires/prefers SAML/SSO integration out of the box; unfortunately, the upstream Helm chart did not have a +solution at the drafting of this integration. To achieve our goal, we added a Kubernetes job that handles the SAML/SSO +integration. To enable this functionality, ensure `sso.enabled` is set to `true`; you will additionally require a +Keycloak instance, the IDP metadata file, along with other parameters you may defined in `sso.idp_data`. 
Our +implementation closely follows the [Sonatype SAML Integration](https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak) documentation. + +Retrieve a list of all available privileges: +`curl -X GET "https://{{ base_url }}/service/rest/v1/security/privileges" -H "accept: application/json"` + +### Random Admin Password +NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The +problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are +leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password +on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This +method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes +secret to enable programmatic ingestion. + +Ensure the following is present to enable the randomized Kubernetes password: +```bash +# values.yaml +nexus: + env: + - name: NEXUS_SECURITY_RANDOMPASSWORD + key: "true" +... +secret: + enabled: true + mountPath: /nexus-data/admin.password + subPath: admin.password + readOnly: true +``` + +### License +We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 +encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl` +will create a named template and generate the appropriate secret within the namespace. The chart will reference the +license via a secret volumeMount to ensure the application starts licensed. diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 6609dea..5843156 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml 
@@ -1,8 +1,13 @@ -apiVersion: v1 -name: sonatype-nexus -version: 4.2.0 -appVersion: 3.27.0 -description: Sonatype Nexus is an open source repository manager +apiVersion: v2 +name: nexus-repository-manager + +version: 29.1.0-bb.0 +appVersion: 3.29.0 + +description: Sonatype Nexus Repository Manager - Universal Binary repository + +type: application + keywords: - artifacts - dependency @@ -10,16 +15,14 @@ keywords: - sonatype - nexus - repository + - quickstart + - ci + - repository-manager + - nexus3 home: https://www.sonatype.com/nexus-repository-oss -icon: http://www.sonatype.org/nexus/content/uploads/2015/06/Nexus-Logo.jpg +icon: https://sonatype.github.io/helm3-charts/NexusRepo_Vertical.svg sources: - https://github.com/sonatype/nexus-public - - https://github.com/travelaudience/docker-nexus - - https://github.com/travelaudience/kubernetes-nexus - - https://github.com/travelaudience/docker-nexus-backup - - https://github.com/dbccompany/docker-nexus-backup maintainers: - - name: rjkernick - email: rjkernick@gmail.com - - name: tsiddique - email: tsiddique@live.com + - email: support@sonatype.com + name: Sonatype diff --git a/chart/OWNERS b/chart/OWNERS index 30775e3..274fdf3 100644 --- a/chart/OWNERS +++ b/chart/OWNERS @@ -1,6 +1,2 @@ approvers: -- rjkernick -- tsiddique reviewers: -- rjkernick -- tsiddique diff --git a/chart/README.md b/chart/README.md deleted file mode 100644 index c1acb03..0000000 --- a/chart/README.md +++ /dev/null 
@@ -1,350 +0,0 @@ -# Nexus - -[Nexus OSS](https://www.sonatype.com/nexus-repository-oss) is a free open source repository manager. It supports a wide range of package formats and it's used by hundreds of tech companies. - -## Introduction - -This chart bootstraps a Nexus OSS deployment on a cluster using Helm. -This setup is best configured in [GCP](https://cloud.google.com/) since: - -- [google cloud storage](https://cloud.google.com/storage/) is used for backups -- [NEW: Rclone](https://rclone.org/) it uses Rclone to create backups, basically compatible with all the major clouds. -- [GCE Ingress controller](https://github.com/kubernetes/ingress/blob/master/docs/faq/gce.md) is used for using a pre-allocated static IP in GCE. - -There is also the option of using a [proxy for Nexus](https://github.com/travelaudience/nexus-proxy) that authenticates Nexus against an external identity provider (only GCP IAM at the moment) which is **disabled** by default. - -## Prerequisites - -- Kubernetes 1.15+ with Beta APIs enabled -- PV provisioner support in the underlying infrastructure -- [Fulfill Nexus kubernetes requirements](https://github.com/travelaudience/kubernetes-nexus#pre-requisites) - -### With GCP IAM enabled - -All the [Prerequisites](#Prerequisites) should be in place, plus: - -- [Fulfill GCP IAM requirements](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus-proxy.md#pre-requisites) - -## Testing the Chart - -To test the chart: - -```bash -helm install --dry-run --debug ./ -``` - -To test the chart with your own values: - -```bash -helm install --dry-run --debug -f my_values.yaml ./ -``` - -## Installing the Chart - -To install the chart: - -```bash -helm repo add oteemocharts https://oteemo.github.io/charts -helm install sonatype-nexus oteemocharts/sonatype-nexus -``` - -The above command deploys Nexus on the Kubernetes cluster in the default configuration. 
The [configuration](#configuration) section lists the parameters that can be configured during installation. - -The default login is admin/admin123 - -## Uninstalling the Chart - -To uninstall/delete the deployment: - -```bash -$ helm list -NAME REVISION UPDATED STATUS CHART NAMESPACE -plinking-gopher 1 Fri Sep 1 13:19:50 2017 DEPLOYED sonatype-nexus-0.1.0 default -$ helm delete plinking-gopher -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Official Nexus image vs TravelAudience - -There are known issues with backups on the official image. If you want to swap in the official image, just override the values when installing the chart. Please note that backups will not work as expected with the official image. - -- [https://issues.sonatype.org/browse/NEXUS-23442](https://issues.sonatype.org/browse/NEXUS-23442) -- [https://github.com/travelaudience/docker-nexus](https://github.com/travelaudience/docker-nexus) - -## Configuration - -The following table lists the configurable parameters of the Nexus chart and their default values. 
- -| Parameter | Description | Default | -| ------------------------------------------------------------ | ---------------------------------- | ----------------------------------------| -| `namespaceOverride` | Override for namespace | `nil` | -| `statefulset.enabled` | Use statefulset instead of deployment | `false` | -| `replicaCount` | Number of Nexus service replicas | `1` | -| `deploymentStrategy` | Deployment Strategy | `rollingUpdate` | -| `initAdminPassword.enabled` | Enable initialization of admin password on Helm install | `false` | -| `initAdminPassword.defaultPasswordOverride` | Override the default admin password | `nil` | -| `initAdminPassword.password` | Admin password to be set | `admin321` | -| `nexus.imageName` | Nexus image | `quay.io/travelaudience/docker-nexus` | -| `nexus.imageTag` | Version of Nexus | `3.25.1` | -| `nexus.imagePullPolicy` | Nexus image pull policy | `IfNotPresent` | -| `nexus.imagePullSecret` | Secret to download Nexus image from private registry | `nil` | -| `nexus.env` | Nexus environment variables | `[{install4jAddVmParams: -Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap}]` | -| `nexus.resources` | Nexus resource requests and limits | `{}` | -| `nexus.dockerPort` | Port to access docker | `5003` | -| `nexus.nexusPort` | Internal port for Nexus service | `8081` | -| `nexus.additionalPorts` | expose additional ports | `[]` | -| `nexus.service.type` | Service for Nexus | `NodePort` | -| `nexus.service.clusterIp` | Specific cluster IP when service type is cluster IP. 
Use None for headless service |`nil` | -| `nexus.service.loadBalancerIP` | Custom loadBalancerIP |`nil` | -| `nexus.securityContextEnabled` | Security Context (for enabling official image use `fsGroup: 200`) | `{}` | -| `nexus.labels` | Service labels | `{}` | -| `nexus.podAnnotations` | Pod Annotations | `{}` -| `nexus.livenessProbe.initialDelaySeconds` | LivenessProbe initial delay | 30 | -| `nexus.livenessProbe.periodSeconds` | Seconds between polls | 30 | -| `nexus.livenessProbe.failureThreshold` | Number of attempts before failure | 6 | -| `nexus.livenessProbe.timeoutSeconds` | Time in seconds after liveness probe times out | `nil` | -| `nexus.livenessProbe.path` | Path for LivenessProbe | / | -| `nexus.readinessProbe.initialDelaySeconds` | ReadinessProbe initial delay | 30 | -| `nexus.readinessProbe.periodSeconds` | Seconds between polls | 30 | -| `nexus.readinessProbe.failureThreshold` | Number of attempts before failure | 6 | -| `nexus.readinessProbe.timeoutSeconds` | Time in seconds after readiness probe times out | `nil` | -| `nexus.readinessProbe.path` | Path for ReadinessProbe | / | -| `nexus.hostAliases` | Aliases for IPs in /etc/hosts | [] | -| `nexus.context` | Non-root path to run Nexus at | `nil` | -| `nexus.chownNexusData` | Set false to not execute chown to the mounted nexus-data directory at startup | `true` | -| `nexusProxy.enabled` | Enable nexus proxy | `true` | -| `nexusProxy.svcName` | Nexus proxy service name | `nil` | -| `nexusProxy.targetPort` | Container Port for Nexus proxy | `8080` | -| `nexusProxy.port` | Port for exposing Nexus | `8080` | -| `nexusProxy.imageName` | Proxy image | `quay.io/travelaudience/docker-nexus-proxy` | -| `nexusProxy.imageTag` | Proxy image version | `2.6.0` | -| `nexusProxy.imagePullPolicy` | Proxy image pull policy | `IfNotPresent` | -| `nexusProxy.resources` | Proxy resource requests and limits | `{}` | -| `nexusProxy.env.nexusHttpHost` | Nexus url to access Nexus | `nil` | -| 
`nexusProxy.env.nexusDockerHost` | Containers url to be used with docker | `nil` | -| `nexusProxy.env.enforceHttps` | Allow only https access or not | `false` | -| `nexusProxy.env.cloudIamAuthEnabled` | Enable GCP IAM authentication in Nexus proxy | `false` | -| `nexusProxyRoute.enabled` | Set to true to create route for additional service | `false` | -| `nexusProxyRoute.labels` | Labels to be added to proxy route | `{}` | -| `nexusProxyRoute.annotations` | Annotations to be added to proxy route | `{}` | -| `nexusProxyRoute.path` | Host name of Route e.g jenkins.example.com | nil | -| `persistence.enabled` | Create a volume for storage | `true` | -| `persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` | -| `persistence.storageClass` | Storage class of Nexus PVC | `nil` | -| `persistence.storageSize` | Size of Nexus data volume | `8Gi` | -| `persistence.annotations` | Persistent Volume annotations | `{}` | -| `persistence.existingClaim` | Existing PVC name | `nil` | -| `nexusBackup.enabled` | Nexus backup process | `false` | -| `nexusBackup.imageName` | Nexus backup image | `dbcc/docker-nexus-backup` | -| `nexusBackup.imageTag` | Nexus backup image version | `0.0.1` | -| `nexusBackup.imagePullPolicy` | Backup image pull policy | `IfNotPresent` | -| `nexusBackup.env.rcloneRemote` | Required if `nexusBackup` is enabled. Name of the Rclone remote as defined in the `rcloneConfig` entry. Example: `AWS` | `nil` | -| `nexusBackup.env.targetBucket` | Required if `nexusBackup` is enabled. Name of the target bucket or bucket/path. Example: `my_bucket` or `my_bucket/my_folder` | `nil` | -| `nexusBackup.env.streamingUploadCutoff` | Size of the data chunks to send to the Rclone remote, this value affects the maximum size of the backup file to upload. | `"5000000"` | -| `nexusBackup.env.nexusAuthorization` | If set, `nexusBackup.nexusAdminPassword` will be disregarded. 
| `nil` | -| `nexusBackup.env.offlineRepos` | Space separated list of repositories must be taken down to achieve a consistent backup. | `"maven-central maven-public maven-releases maven-snapshots"` | -| `nexusBackup.env.gracePeriod` | The amount of time in seconds to wait between stopping repositories and starting the upload. | `60` | -| `nexusBackup.nexusAdminPassword` | Nexus admin password used by the backup container to access Nexus API. This password should match the one that gets chosen by the user to replace the default admin password after the first login | `admin123` | -| `nexusBackup.persistence.enabled` | Create a volume for backing Nexus configuration | `true` | -| `nexusBackup.persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` | -| `nexusBackup.persistence.storageClass` | Storage class of Nexus backup PVC | `nil` | -| `nexusBackup.persistence.storageSize` | Size of Nexus backup data volume | `8Gi` | -| `nexusBackup.persistence.annotations` | PV annotations for backup | `{}` | -| `nexusBackup.persistence.existingClaim` | Existing PVC name for backup | `nil` | -| `nexusBackup.resources` | Backup resource requests and limits | `{}` | -| `nexusBackup.rcloneConfig.rclone.conf` | Rclone remote configuration, can be generated using the `rclone config` command, or using docker: `docker run -it --rm rclone/rclone config` | `[AWS]`
`type = s3`
`provider = AWS`
`env_auth = true`
`region = us-east-1`
`acl = authenticated-read` | -| `nexusCloudiam.enabled` | Nexus Cloud IAM service account key path | `false` | -| `nexusCloudiam.persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` | -| `nexusCloudiam.persistence.annotations` | PV annotations for Cloud IAM service account key path | `{}` | -| `nexusCloudiam.persistence.enabled` | Create a volume for Cloud IAM service account key path | `true` | -| `nexusCloudiam.persistence.existingClaim` | Existing PVC name for Cloud IAM service account key path | `nil` | -| `nexusCloudiam.persistence.storageClass` | Storage class of Cloud IAM service account path PVC | `nil` | -| `nexusCloudiam.persistence.storageSize` | Size of Cloud IAM service account path volume | `8Gi` | -| `ingress.enabled` | Create an ingress for Nexus | `false` | -| `ingress.annotations` | Annotations to enhance ingress configuration | `{}` | -| `ingress.tls.enabled` | Enable TLS | `true` | -| `ingress.tls.secretName` | Name of the secret storing TLS cert, `false` to use the Ingress' default certificate | `nexus-tls` | -| `ingress.path` | Path for ingress rules. GCP users should set to `/*` | `/` | -| `ingressDocker.enabled` | Create an ingress for Docker registry | `false` | -| `ingressDocker.annotations` | Annotations to enhance docker ingress configuration | `{}` | -| `ingressDocker.tls.enabled` | Enable TLS | `true` | -| `ingressDocker.tls.secretName` | Name of the secret storing TLS cert, `false` to use the Ingress' default certificate | `nexus-tls` | -| `ingressDocker.path` | Path for docker ingress rules. 
GCP users should set to `/*` | `/` | -| `tolerations` | tolerations list | `[]` | -| `config.enabled` | Enable configmap | `false` | -| `config.mountPath` | Path to mount the config | `/sonatype-nexus-conf` | -| `config.data` | Configmap data | `nil` | -| `deployment.annotations` | Annotations to enhance deployment configuration | `{}` | -| `deployment.initContainers` | Init containers to run before main containers | `nil` | -| `deployment.postStart.command` | Command to run after starting the nexus container | `nil` | -| `deployment.additionalContainers` | Add additional Container | `nil` | -| `deployment.additionalVolumes` | Add additional Volumes | `nil` | -| `deployment.additionalVolumeMounts` | Add additional Volume mounts | `nil` | -| `secret.enabled` | Enable secret | `false` | -| `secret.mountPath` | Path to mount the secret | `/etc/secret-volume` | -| `secret.readOnly` | Secret readonly state | `true` | -| `secret.data` | Secret data to add to secret. If nil then expects that a secret by name of `${.Values.nameOverride}-secret` or `${.Chart.Name}-secret` exists | `nil` | -| `service.enabled` | Enable additional service | `nil` | -| `service.name` | Service name | `nil` | -| `service.portName` | Service port name | `nil` | -| `service.labels` | Service labels | `nil` | -| `service.annotations` | Service annotations | `nil` | -| `service.loadBalancerSourceRanges` | Service LoadBalancer source IP whitelist | `nil` | -| `service.loadBalancerIP` | Custom loadBalancerIP |`nil` | -| `service.targetPort` | Service port | `nil` | -| `service.port` | Port for exposing service | `nil` | -| `serviceAccount.create` | Automatically create a service account | `true` | -| `serviceAccount.name` | Service account to use | `nil` | -| `serviceAccount.annotations` | Service account annotations | `nil` | -| `rbac.create` | Creates a ClusterRoleBinding attached to the Service account. | `false` | -| `rbac.roleRef` | ClusterRoleBinding field `roleRef` content. 
See examples [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example). | `nil` | -| `rbac.annotations` | ClusterRoleBinding annotations. | `nil` | -| `route.enabled` | Set to true to create route for additional service | `false` | -| `route.name` | Name of route | `docker` | -| `route.portName` | Target port name of service | `docker` | -| `route.labels` | Labels to be added to route | `{}` | -| `route.annotations` | Annotations to be added to route | `{}` | -| `route.path` | Host name of Route e.g jenkins.example.com | nil | -| `additionalConfigMaps` | List of ConfigMap data containing Name, Data and Labels | nil | - -If `nexusProxy.env.cloudIamAuthEnabled` is set to `true` the following variables need to be configured - -| Parameter | Description | Default | -| ----------------------------- | ---------------------------------- | ---------------------------------------------------- | -| `nexusProxy.env.clientId` | GCP OAuth client ID | `nil` | -| `nexusProxy.env.clientSecret` | GCP OAuth client Secret | `nil` | -| `nexusProxy.env.organizationId` | GCP organization ID | `nil` | -| `nexusProxy.env.redirectUrl` | OAuth callback url. example `https://nexus.example.com/oauth/callback` | `nil` | -| `nexusProxy.env.requiredMembershipVerification` | Whether users presenting valid JWT tokens must still be verified for membership within the GCP organization. | `true` | -| `nexusProxy.secrets.keystore` | base-64 encoded value of the keystore file needed for the proxy to sign user tokens. Example: cat keystore.jceks | base64 | `nil` | -| `nexusProxy.secrets.password` | Password to the Java Keystore file | `nil` | - -```bash -helm install --set persistence.enabled=false my-release stable/sonatype-nexus -``` - -The above example turns off the persistence. Data will not be kept between restarts or deployments - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. 
For example, - -```bash -helm install -f my-values.yaml sonatype-nexus stable/sonatype-nexus -``` - -### Persistence - -By default a PersistentVolumeClaim is created and mounted into the `/nexus-data` directory. In order to disable this functionality -you can change the `values.yaml` to disable persistence which will use an `emptyDir` instead. - -> *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."* - -You must enable StatefulSet (`statefulset.enabled=true`) for true data persistence. If using Deployment approach, you can not recover data after restart or delete of helm chart. Statefulset will make sure that it picks up the same old volume which was used by the previous life of the nexus pod, helping you recover your data. When enabling statefulset, its required to enable the persistence. - -### Recommended settings - -As a minimum for running in production, the following settings are advised: - -```yaml -nexusProxy: - env: - nexusDockerHost: container.example.com - nexusHttpHost: nexus.example.com - -nexusBackup: - env: - targetBucket: "gs://my-nexus-backup" - persistence: - storageClass: standard - -ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: gce - kubernetes.io/tls-acme: true - -persistence: - storageClass: standard - storageSize: 1024Gi - -resources: - requests: - cpu: 250m - # Based on https://support.sonatype.com/hc/en-us/articles/115006448847#mem - # and https://twitter.com/analytically/status/894592422382063616: - # Xms == Xmx - # Xmx <= 4G - # MaxDirectMemory >= 2G - # Xmx + MaxDirectMemory <= RAM * 2/3 (hence the request for 4800Mi) - # MaxRAMFraction=1 is not being set as it would allow the heap - # to use all the available memory. 
- memory: 4800Mi -``` - -### Using GCP Storage for Backup - -Irrespective of whether Nexus is deployed to Google's GKE, or to some other k8s installation, it is possible to configure the [nexus-backup](https://github.com/travelaudience/docker-nexus-backup) container to backup to GCP Cloud Storage. -This makes for a cost effective solution for backups. - -To enable, add the following key to the values file: - -```yaml -nexusCloudiam: - enabled: true -``` - -You should also deploy Nexus as a stateful app, rather than a deployment. -That means also adding: - -```yaml -statefulset: - enabled: true -``` - -Deploying the chart now will result in a new PV and PVC within the pod that runs the containers. - -Create a service account with privileges to upload to your GCP bucket, and creaet a key for this service account. -Download that service account key as a file, call it `service-account-key.json`. - -This file now needs to be made available to the pod running in k8s, and should be called `/nexus-data/cloudiam/service-account-key.json`. -How this is done will depend upon the storage class used for the PV. - -Confirm that the service account file is available to the pod, using: - - kubectl exec --stdin --tty \ - --container nexus-backup \ - sonatype-nexus-0 \ - -- find /nexus-data/cloudiam -type f - -You might need to scale the deployment to zero and back up to pick up the changes: - - kubectl scale --replicas=0 statefulset.apps/sonatype-nexus - kubectl scale --replicas=1 statefulset.apps/sonatype-nexus - - -## After Installing the Chart - -After installing the chart a couple of actions need still to be done in order to use nexus. Please follow the instructions below. 
- -### Nexus Configuration - -The following steps need to be executed in order to use Nexus: - -- [Configure Nexus](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus.md) -- [Configure Backups](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus.md#configure-backup) - -and if GCP IAM authentication is enabled, please also check: - -- [Enable GCP IAM authentication in Nexus](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus-proxy.md#enable-gcp-iam-auth) - -### Nexus Usage - -To see how to use Nexus with different tools like Docker, Maven, Python, and so on please check: - -- [Nexus Usage](https://github.com/travelaudience/kubernetes-nexus#usage) - -### Disaster Recovery - -In a disaster recovery scenario, the latest backup made by the nexus-backup container should be restored. In order to achieve this please follow the procedure described below: - -- [Restore Backups](https://github.com/travelaudience/kubernetes-nexus#restore) diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index e726f1f..0a209ed 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl @@ -51,6 +51,10 @@ app.kubernetes.io/name: {{ include "nexus.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{- define "nexus.licenseKey" -}} +sonatype-license.lic: {{ .Values.license_key }} +{{- end -}} + {{/* Create the name of the service account to use */}} diff --git a/chart/templates/bigbang/configmap-sso.yaml b/chart/templates/bigbang/configmap-sso.yaml new file mode 100644 index 0000000..8879e41 --- /dev/null +++ b/chart/templates/bigbang/configmap-sso.yaml 
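Review bot: `sonatype-license.lic: {{ .Values.license_key }}` in the new `nexus.licenseKey` template emits the value unquoted, so an empty `license_key` renders as a null entry and a value that starts with a YAML indicator or contains `: ` breaks the Secret's `data:` mapping wherever this template is included; `sonatype-license.lic: {{ .Values.license_key | quote }}` keeps it a string in every case. Since the include is not followed by `b64enc`, the caller must already supply base64; a one-line `{{/* license_key must be the base64-encoded Sonatype .lic file; the key name is what the deployment mounts */}}` comment above the define would record that contract next to the code instead of only in the README.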
@@ -0,0 +1,18 @@
+{{- if .Values.sso.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "nexus.name" . }}-sso
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+data:
+ idp-metadata: {{ .Values.sso.idp_data | toJson | quote }}
+ #realm: {{ .Values.sso.realm | quote }}
+ realm: '[{{ join "\",\"" .Values.sso.realm | printf "\"%s\""}}]'
+ role: {{ .Values.sso.role | toJson | quote }}
+{{- end }}
+
diff --git a/chart/templates/bigbang/license.yaml b/chart/templates/bigbang/license.yaml
new file mode 100644
index 0000000..e6a37ca
--- /dev/null
+++ b/chart/templates/bigbang/license.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "nexus.name" . }}-license
+ labels:
+{{ include "nexus.labels" . | indent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+data:
+{{ include "nexus.licenseKey" . | indent 2 }}
diff --git a/chart/templates/bigbang/saml.yaml b/chart/templates/bigbang/saml.yaml
new file mode 100644
index 0000000..5f017dd
--- /dev/null
+++ b/chart/templates/bigbang/saml.yaml
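Review bot: The `realm` entry in configmap-sso.yaml is assembled by hand with `join`/`printf` inside single quotes while the neighbouring `idp-metadata` and `role` keys use `toJson | quote`; `realm: {{ .Values.sso.realm | toJson | quote }}` yields the same JSON array, escapes any quote inside a realm name, and removes the unbalanced-quote risk of the printf form. The `#realm:` line above it is still a template action, so Helm evaluates `{{ .Values.sso.realm | quote }}` before the YAML comment is discarded; a `{{/* ... */}}` comment, or simply deleting the line, is how dead template text should be left behind.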
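Review bot: license.yaml renders its Secret unconditionally — there is no `{{- if .Values.license_key }}` guard or `license.enabled` switch — so every install creates a `-license` Secret from whatever `license_key` holds, which in this commit's values.yaml is the placeholder `"test"`, and the deployment mounts that placeholder as `sonatype-license.lic`. If the mount must stay unconditional, the values file should at least document that `license_key` has to be the base64-encoded `.lic` file, because `data:` here is not passed through `b64enc` and a non-base64 value is rejected by the API server. `labels:` is also rendered with `{{ include "nexus.labels" . | indent 4 }}` at column 0 while configmap-sso.yaml in the same commit uses `nindent`; either works, but one style per chart reads better.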
@@ -0,0 +1,76 @@
+{{- if and .Values.sso.enabled .Values.secret.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ labels:
+{{ include "nexus.labels" . | indent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": post-install
+ creationTimestamp: null
+ name: saml
+spec:
+ template:
+ metadata:
+ creationTimestamp: null
+ spec:
+ containers:
+ - image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest
+ name: saml
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available" &&
+ BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}"
+ # saml metadata
+ curl -X PUT \
+ -u admin:"$API_CREDENTIALS" \
+ "$BASE_URL/service/rest/v1/security/saml" \
+ -H "accept: application/json" \
+ -H "Content-Type: application/json" \
+ -d "$IDP_DATA" &&
+ # realm configuration
+ curl -X PUT \
+ -u admin:"$API_CREDENTIALS" \
+ "$BASE_URL/service/rest/v1/security/realms/active" \
+ -H "accept: application/json" \
+ -H "Content-Type: application/json" \
+ -d "$REALM" &&
+ # role creation
+ curl -X POST \
+ -u admin:"$API_CREDENTIALS" \
+ "$BASE_URL/service/rest/v1/security/roles" \
+ -H "accept: application/json" \
+ -H "Content-Type: application/json" \
+ -d "$ROLE"
+ env:
+ - name: API_CREDENTIALS
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "nexus.name" . }}-secret
+ key: admin.password
+ - name: IDP_DATA
+ valueFrom:
+ configMapKeyRef:
+ name: {{ template "nexus.name" . }}-sso
+ key: idp-metadata
+ - name: REALM
+ valueFrom:
+ configMapKeyRef:
+ name: {{ template "nexus.name" . }}-sso
+ key: realm
+ - name: ROLE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ template "nexus.name" . }}-sso
+ key: role
+ resources: {}
+ restartPolicy: Never
+status: {}
+{{- end }}
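Review bot: The three curl calls in the Job script run without `--fail`, so an HTTP 4xx/5xx from the Nexus API (rejected credentials, malformed SAML payload) still exits 0 and the `&&` chain reports a successful post-install hook with SSO left unconfigured; `curl --fail -sS -X PUT \` (and the same on the other two calls) makes the Job fail visibly. `BASE_URL` also builds the service host as `{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local`, using the chart name as the namespace, which only resolves when the release namespace happens to equal that name — `{{ .Release.Namespace }}` is the namespace component. The `until curl --head localhost:15000` loop waits for an Envoy admin port even though `istio.enabled` defaults to false in this commit's values.yaml, so without a sidecar the Job spins forever (no `activeDeadlineSeconds` is set); gate the loop on `.Values.istio.enabled`. Finally, `ubi8-minimal:latest` is a mutable tag, and `-u admin:"$API_CREDENTIALS"` puts the admin password on the container's command line where it is readable from the process list; a pinned tag and feeding `user = "admin:$API_CREDENTIALS"` to `curl -K -` on stdin avoid both.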
diff --git a/chart/templates/secret.yaml b/chart/templates/bigbang/secret.yaml similarity index 100% rename from chart/templates/secret.yaml rename to chart/templates/bigbang/secret.yaml diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index c391a57..09e2657 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -24,7 +24,7 @@ spec: {{- with .Values.nexus.extraSelectorLabels }} {{ toYaml . | indent 6 }} {{- end }} - {{- end }} + {{- end }} template: metadata: annotations: @@ -106,6 +106,11 @@ spec: volumeMounts: - mountPath: /nexus-data name: {{ template "nexus.name" . }}-data + - mountPath: /nexus-data/etc + name: {{ template "nexus.name" . }}-data + - mountPath: {{ .Values.license.mountPath }} + name: {{ template "nexus.name" . }}-license + subPath: {{ .Values.license.subPath }} {{- if .Values.config.enabled }} - mountPath: {{ .Values.config.mountPath }} name: {{ template "nexus.name" . }}-conf @@ -139,6 +144,12 @@ spec: {{- else }} emptyDir: {} {{- end }} + - name: nexus-repository-manager-license + secret: + secretName: {{ template "nexus.name" . }}-license + items: + - key: sonatype-license.lic + path: sonatype-license.lic {{- if .Values.config.enabled }} - name: {{ template "nexus.name" . }}-conf configMap: diff --git a/chart/templates/ingress.yaml b/chart/templates/ingress.yaml index 170be13..2711a21 100644 --- a/chart/templates/ingress.yaml +++ b/chart/templates/ingress.yaml @@ -1,4 +1,4 @@ -{{- if .Values.ingress.enabled -}} +{{- if and .Values.ingress.enabled (not .Values.istio.enabled) -}} {{- $fullName := include "nexus.fullname" . -}} {{- $svcPort := .Values.nexus.nexusPort -}} {{- $ingressPath := .Values.ingress.path -}} diff --git a/chart/values.yaml b/chart/values.yaml index c6da164..a99fb2b 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
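Review bot: The new `/nexus-data/etc` mount in the volumeMounts hunk reuses the `{{ template "nexus.name" . }}-data` volume with no `subPath`, so the root of the data volume is mounted a second time on top of its own `etc` directory; if only the `etc` subtree is meant to be exposed, `subPath: etc` is what does that, otherwise the mount looks redundant — the volumeMounts list continues outside the hunk, so the intent may be visible there. `mountPath: {{ .Values.license.mountPath }}` and `subPath: {{ .Values.license.subPath }}` are also emitted unquoted; `| quote` keeps a user-supplied path a string whatever it looks like.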
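Review bot: The license volume in the volumes hunk is named with the literal `nexus-repository-manager-license`, but the volumeMount added earlier in this file refers to `{{ template "nexus.name" . }}-license`; the two only agree while `nexus.name` renders to `nexus-repository-manager`, and any `nameOverride` produces a pod the API server rejects because the mount references a volume that does not exist. Use the template on both sides: `- name: {{ template "nexus.name" . }}-license`.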
@@ -1,34 +1,87 @@ -## Overrides for generated resource names -# namespaceOverride: +# -- Big Bang Additions +hostname: bigbang.dev +istio: + enabled: false +license_key: "test" +license: + mountPath: /nexus-data/sonatype-license.lic + subPath: sonatype-license.lic +sso: + enabled: false + idp_data: + entityId: "" + usernameAttribute: "" + firstNameAttribute: "" + lastNameAttribute: "" + emailAttribute: "" + groupsAttribute: "" + validateResponseSignature: true + validateAssertionSignature: true + idpMetadata: '' + realm: + - "NexusAuthenticatingRealm" + - "NexusAuthorizingRealm" + - "SamlRealm" + role: + id: "nexus" + name: "nexus" + description: "nexus group" + privileges: + - "nx-all" + roles: + - "nx-admin" +# -- End of BigBang Additions + +global: + hosts: + name: nexus-repository-manager + service: + name: nexus-repository-manager + +ingress: + enabled: true + annotations: {kubernetes.io/ingress.class: nginx} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hostPath: / + hostRepo: repo.demo + tls: [] + # - secretName: nexus-local-tls + # hosts: + # - nexus.local + # - nexus-docker.local + # - nexus-docker-hosted.local statefulset: + # This is not supported enabled: false -replicaCount: 1 # By default deploymentStrategy is set to rollingUpdate with maxSurge of 25% and maxUnavailable of 25% . you can change type to `Recreate` or can uncomment `rollingUpdate` specification and adjust them to your usage. 
-deploymentStrategy: {} - # rollingUpdate: - # maxSurge: 25% - # maxUnavailable: 25% - # type: RollingUpdate - -# If enabled, a Job will be launched after the chart is installed to initialize the admin password of your choice -initAdminPassword: - enabled: false - # Set this in the instance where default admin password is different - defaultPasswordOverride: - password: "admin321" +deploymentStrategy: Recreate +image: + # IB Nexus Image + repository: registry1.dso.mil/ironbank/sonatype/nexus/nexus + tag: latest + pullPolicy: IfNotPresent nexus: - imageName: quay.io/travelaudience/docker-nexus - imageTag: 3.27.0 - imagePullPolicy: IfNotPresent - # Uncomment this to scheduler pods on priority - # priorityClassName: "high-priority" + docker: + enabled: false + registries: [] + # - host: chart.local + # port: 5000 + # secretName: registrySecret env: - - name: INSTALL4J_ADD_VM_PARAMS - value: "-Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:ActiveProcessorCount=4" + - name: install4jAddVmParams + value: "-Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap" - name: NEXUS_SECURITY_RANDOMPASSWORD - value: "false" + value: "true" + properties: + override: true + data: + nexus.licenseFile: /nexus-data/sonatype-license.lic + # nexus.scripts.allowCreation: true + # See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager + #nexus.ldap.env.java.naming.security.authentication: simple # nodeSelector: # cloud.google.com/gke-nodepool: default-pool resources: {} 
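Review bot: `image.tag: latest` leaves the Iron Bank image unpinned, so two installs of the same chart version can run different Nexus builds and a pulled image cannot be matched to the approved artifact; pin it to the release the chart targets (Chart.yaml in this commit sets `appVersion: 3.29.0`), e.g. `tag: "<pinned-nexus-tag>"`, or better a digest. The JVM options are also moved from `INSTALL4J_ADD_VM_PARAMS` to `install4jAddVmParams`; the Sonatype images I know read the uppercase name, so the `-Xms`/`-Xmx`/`MaxDirectMemorySize` settings may silently stop applying — confirm against the Iron Bank image before keeping the rename, and `-XX:+UseCGroupMemoryLimitForHeap` was removed in later JDK releases. `license_key: "test"` as a shipped default means a bogus license Secret is created on every install; an empty default with the Secret guarded on it would be safer.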
@@ -44,40 +97,22 @@ nexus: # cpu: 250m # memory: 4800Mi # The ports should only be changed if the nexus image uses a different port - dockerPort: 5003 nexusPort: 8081 - additionalPorts: [] - service: - type: NodePort - # clusterIP: None - # annotations: {} - ## When using LoadBalancer service type, use the following AWS certificate from ACM - ## https://aws.amazon.com/documentation/acm/ - # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:123456789:certificate/abc123-abc123-abc123-abc123" - # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https" - # service.beta.kubernetes.io/aws-load-balancer-backend-port: "https" - ## When using LoadBalancer service type, whitelist these source IP ranges - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - # loadBalancerSourceRanges: - # - 192.168.1.10/32 - # labels: {} - ## Configures the requested IP on the loadBalancer when using LoadBalancer service type - # loadBalancerIP: "192.168.1.10" - securityContextEnabled: true + securityContext: - fsGroup: 200 + fsGroup: 2000 podAnnotations: {} livenessProbe: - initialDelaySeconds: 300 + initialDelaySeconds: 30 periodSeconds: 30 failureThreshold: 6 - # timeoutSeconds: 10 + timeoutSeconds: 10 path: / readinessProbe: initialDelaySeconds: 30 periodSeconds: 30 failureThreshold: 6 - # timeoutSeconds: 10 + timeoutSeconds: 10 path: / # hostAliases allows the modification of the hosts file inside a container hostAliases: [] 
@@ -85,10 +120,49 @@ nexus: # hostnames: # - "example.com" # - "www.example.com" - context: - # When using nexus it is important that all the files in the data directory have the proper owner configured. Therefore this - # value defaults to true to apply chown -R nexus:nexus to the mounted directory at every startup of the container. - chownNexusData: true + + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + +deployment: + # # Add annotations in deployment to enhance deployment configurations + annotations: {} + # # Add init containers. e.g. to be used to give specific permissions for nexus-data. + # # Add your own init container or uncomment and modify the given example. + initContainers: + # - name: fmp-volume-permission + # image: busybox + # imagePullPolicy: IfNotPresent + # command: ['chown','-R', '200', '/nexus-data'] + # volumeMounts: + # - name: nexus-data + # mountPath: /nexus-data + # # Uncomment and modify this to run a command after starting the nexus container. + postStart: + command: # '["/bin/sh", "-c", "ls"]' + preStart: + command: # '["/bin/rm", "-f", "/path/to/lockfile"]' + terminationGracePeriodSeconds: 120 + additionalContainers: + additionalVolumes: + additionalVolumeMounts: + +service: + name: nexus3 + enabled: true + labels: {} + annotations: {} + serviceType: ClusterIP + route: enabled: false 
@@ -98,37 +172,6 @@ route: annotations: # path: /docker -nexusProxy: - enabled: true - # svcName: proxy-svc - imageName: quay.io/travelaudience/docker-nexus-proxy - imageTag: 2.6.0 - imagePullPolicy: IfNotPresent - port: 8080 - targetPort: 8080 - # labels: {} - env: - nexusDockerHost: - nexusHttpHost: - enforceHttps: false - cloudIamAuthEnabled: false -## If cloudIamAuthEnabled is set to true uncomment the variables below and remove this line - # clientId: "" - # clientSecret: "" - # organizationId: "" - # redirectUrl: "" - # requiredMembershipVerification: "true" - # secrets: - # keystore: "" - # password: "" - resources: {} - # requests: - # cpu: 100m - # memory: 256Mi - # limits: - # cpu: 200m - # memory: 512Mi - nexusProxyRoute: enabled: false labels: 
@@ -153,183 +196,29 @@ persistence: # pdName: nexus-data-disk # fsType: ext4 -nexusBackup: - enabled: false - imageName: dbcc/docker-nexus-backup - imageTag: 0.0.1 - imagePullPolicy: IfNotPresent - env: - rcloneRemote: - targetBucket: - nexusAuthorization: - # Size of the data chunk to stream to the remote - streamingUploadCutoff: "5000000" - offlineRepos: "maven-central maven-public maven-releases maven-snapshots" - gracePeriod: 60 - # This should match the value of `initAdminPassword.password` if `initAdminPassword.enabled` is true - nexusAdminPassword: "admin123" - persistence: - enabled: true - # existingClaim: - # annotations: - # "helm.sh/resource-policy": keep - accessMode: ReadWriteOnce - # See comment above for information on setting the backup storageClass - # storageClass: "-" - storageSize: 8Gi - # If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs. - # pdName: nexus-backup-disk - # fsType: ext4 - resources: {} - # requests: - # cpu: 100m - # memory: 256Mi - # limits: - # cpu: 200m - # memory: 512Mi - rcloneConfig: - rclone.conf: | - [AWS] - type = s3 - provider = AWS - env_auth = true - region = us-east-1 - acl = authenticated-read - -nexusCloudiam: - enabled: false - persistence: - enabled: true - # existingClaim: - # annotations: - # "helm.sh/resource-policy": keep - accessMode: ReadWriteOnce - # See comment above for information on setting the backup storageClass - # storageClass: "-" - storageSize: 1Mi - # If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs. - # pdName: nexus-cloudiam-path - # fsType: ext4 - -serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template - name: - annotations: {} - -rbac: - create: false - roleRef: {} - annotations: {} - -ingress: - enabled: false - path: / - labels: {} - annotations: {} - # # NOTE: Can't use 'false' due to https://github.com/jetstack/kube-lego/issues/173. - # kubernetes.io/ingress.allow-http: true - # kubernetes.io/ingress.class: gce - # kubernetes.io/ingress.global-static-ip-name: "" - # kubernetes.io/tls-acme: true - tls: - enabled: true - secretName: nexus-tls - # Specify custom rules in addition to or instead of the nexus-proxy rules - rules: - # - host: http://nexus.127.0.0.1.nip.io - # http: - # paths: - # - backend: - # serviceName: additional-svc - # servicePort: 80 - -ingressDocker: - enabled: false - path: / - labels: {} - annotations: {} - # # NOTE: Can't use 'false' due to https://github.com/jetstack/kube-lego/issues/173. - # kubernetes.io/ingress.allow-http: true - # kubernetes.io/ingress.class: gce - # kubernetes.io/ingress.global-static-ip-name: "" - # kubernetes.io/tls-acme: true - tls: - enabled: true - secretName: nexus-tls - # Specify custom rules in addition to or instead of the nexus-proxy rules - rules: - # - host: http://nexus.127.0.0.1.nip.io - # http: - # paths: - # - backend: - # serviceName: additional-svc - # servicePort: 80 - -affinity: {} - tolerations: [] -# # Enable configmap and add data in configmap +# # Enable configmap and add data in configmap config: enabled: false mountPath: /sonatype-nexus-conf - data: - -deployment: - # # Add annotations in deployment to enhance deployment configurations - annotations: {} - # # Add init containers. e.g. to be used to give specific permissions for nexus-data. - # # Add your own init container or uncomment and modify the given example. 
- initContainers: - # - name: fmp-volume-permission - # image: busybox - # imagePullPolicy: IfNotPresent - # command: ['chown','-R', '200', '/nexus-data'] - # volumeMounts: - # - name: nexus-data - # mountPath: /nexus-data - # # Uncomment and modify this to run a command after starting the nexus container. - postStart: - command: # '["/bin/sh", "-c", "ls"]' - # # Enable nexus scripts settings, disabled by default for versions >= 3.21.2 - # command: '["/bin/sh", "-c", "if [[ -z $(grep ^nexus.scripts.allowCreation=true /nexus-data/etc/nexus.properties) ]];then echo nexus.scripts.allowCreation=true >> /nexus-data/etc/nexus.properties;fi"]' - - additionalContainers: - additionalVolumes: - additionalVolumeMounts: + data: [] # # To use an additional secret, set enable to true and add data secret: - enabled: false - mountPath: /etc/secret-volume + enabled: true + mountPath: /nexus-data/admin.password + subPath: admin.password readOnly: true - data: -# # To use an additional service, set enable to true -service: - type: ClusterIP - # name: additional-svc - enabled: false - labels: {} +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account annotations: {} - ports: - - name: nexus-service - targetPort: 80 - port: 80 - ## Configures the requested IP on the loadBalancer when using LoadBalancer service type - # loadBalancerIP: "192.168.1.10" + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" -additionalConfigMaps: [] -# - name: maven-central -# labels: -# nexus-type: repository -# data: -# recipe: 'MavenProxy' -# remoteUrl: 'https://repo.maven.apache.org/maven2/' -# blobStoreName: 'default' -# strictContentTypeValidation: 'true' -# versionPolicy: 'RELEASE' -# layoutPolicy: 'STRICT' +psp: + create: false -- GitLab From 3418123e247a15f97ed6494d7c0fd46ba434e790 Mon Sep 17 00:00:00 2001 
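Review bot: `config.data: []` declares an empty sequence, but the block it belongs to describes a ConfigMap (`config.enabled` / `config.mountPath`) whose data is a key/value mapping; if the ConfigMap template ranges over `.Values.config.data` as a map, `{}` is the matching empty value and `[]` would either render nothing useful or fail at render time (that template is not in this patch). The `secret` block is now enabled by default and mounts `/nexus-data/admin.password` with `subPath`, while its `data:` key is removed, so the Secret content must come from a template; a comment such as `# contents are generated by the chart, not taken from values` would tell operators where the admin password comes from. The enclosing values document continues above the hunk.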
From: Grant Duncklee Date: Wed, 14 Apr 2021 12:10:39 -0400 Subject: [PATCH 04/21] quit istio sidecar on completion --- chart/templates/bigbang/saml.yaml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/chart/templates/bigbang/saml.yaml b/chart/templates/bigbang/saml.yaml index 5f017dd..e8d6e77 100644 --- a/chart/templates/bigbang/saml.yaml +++ b/chart/templates/bigbang/saml.yaml @@ -2,13 +2,6 @@ apiVersion: batch/v1 kind: Job metadata: - labels: -{{ include "nexus.labels" . | indent 4 }} - {{- if .Values.nexus.extraLabels }} - {{- with .Values.nexus.extraLabels }} - {{ toYaml . | indent 4 }} - {{- end }} - {{- end }} annotations: "helm.sh/hook": post-install creationTimestamp: null @@ -48,7 +41,9 @@ spec: "$BASE_URL/service/rest/v1/security/roles" \ -H "accept: application/json" \ -H "Content-Type: application/json" \ - -d "$ROLE" + -d "$ROLE" && + curl -fsI -X POST http://localhost:15020/quitquitquit && + exit env: - name: API_CREDENTIALS valueFrom: -- GitLab From e3a42f15863bae474e24278a4c4f26cbb2a3cfd7 Mon Sep 17 00:00:00 2001 From: Grant Duncklee Date: Thu, 15 Apr 2021 12:15:40 -0400 Subject: [PATCH 05/21] adding documentation for saml, update readme --- CODEOWNERS | 2 +- README.md | 32 +++++++-------------- docs/README.md | 63 ++++++++++++++++++++++++++++++++++++---- docs/general.md | 9 ++++++ docs/keycloak.md | 75 ++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 153 insertions(+), 28 deletions(-) create mode 100644 docs/general.md create mode 100644 docs/keycloak.md diff --git a/CODEOWNERS b/CODEOWNERS index afe62c4..3cd0a7e 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,2 +1,2 @@ -#followup and see who else belongs here * @grant.duncklee +#* @anyone? diff --git a/README.md b/README.md index 7336c7b..f734a30 100644 --- a/README.md +++ b/README.md 
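Review bot: In the `@@ -48,7 +41,9 @@` hunk of saml.yaml the `quitquitquit` call is chained with `&&`, so it only runs when the role POST succeeds; on a failed POST the sidecar keeps running, the Job pod never reaches Completed, and the failure shows up as a hung job rather than a failed one. The trailing bare `exit` also returns the status of the quitquitquit curl, not of the API calls before it. Capture the status first and always stop the sidecar: `-d "$ROLE"; rc=$?`, `curl -fsI -X POST http://localhost:15020/quitquitquit`, `exit $rc`. Port 15020 is the Istio pilot-agent endpoint and only exists when the sidecar is injected, which the Job presumably relies on; the enclosing script starts outside the hunk.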
@@ -1,15 +1,12 @@ -# Sonatype Nexus Repository Manager (NXRM) +# Sonatype Nexus Repository Manager (NXRM) Documentation -Source of truth for components, artifacts, binaries, etc. - -This chart was sourced from [Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with minimal changes. - -## Prerequisites -- Kubernetes Cluster deployed -- Kubernetes config installed in ~/.kube/config -- Helm installed -- Keycloak (Optional - SSO) -- Sonatype NXRM License. Required for SAML integration +## Table of Contents +- [NXRM SSO Integration](docs/keycloak.md) +- [NXRM High Availability](docs/general.md#high-availability) +- [NXRM Storage](docs/general.md#storage) +- [NXRM Database](docs/general.md#database) +- [NXRM Dependent Packages](#nxrm-dependent-packages) +- [NXRM BigBang Caveats, Notes, etc.](#bigbang-additions-comments-and-important-information) ## Iron Bank You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus). 
@@ -21,17 +18,7 @@ Please reference complete list of providable variables [here](https://github.com git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git helm install nexus-repository-manager chart ``` - ## BigBang Additions, Comments, and Important Information -### SAML/SSO Integration -BigBang requires/prefers SAML/SSO integration out of the box; unfortunately, the upstream Helm chart did not have a -solution at the drafting of this integration. To achieve our goal, we added a Kubernetes job that handles the SAML/SSO -integration. To enable this functionality, ensure `sso.enabled` is set to `true`; you will additionally require a -Keycloak instance, the IDP metadata file, along with other parameters you may defined in `sso.idp_data`. Our -implementation closely follows the [Sonatype SAML Integration](https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak) documentation. - -Retrieve a list of all available privileges: -`curl -X GET "https://{{ base_url }}/service/rest/v1/security/privileges" -H "accept: application/json"` ### Random Admin Password NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The @@ -61,3 +48,6 @@ We expect you to secure your license; the license will be provided as a binary. encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl` will create a named template and generate the appropriate secret within the namespace. The chart will reference the license via a secret volumeMount to ensure the application starts licensed. + +### NXRM Dependent Packages +Nexus IQ Server requires Nexus Repository Manager. diff --git a/docs/README.md b/docs/README.md index d145864..7336c7b 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -1,12 +1,63 @@ -# Nexus Artifact Repository Pro Docs +# Sonatype Nexus Repository Manager (NXRM) -## Usage +Source of truth for components, artifacts, binaries, etc. -### Prerequisites +This chart was sourced from [Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with minimal changes. -### Deployment +## Prerequisites +- Kubernetes Cluster deployed +- Kubernetes config installed in ~/.kube/config +- Helm installed +- Keycloak (Optional - SSO) +- Sonatype NXRM License. Required for SAML integration -### Nexus Post Install Configuration Notes +## Iron Bank +You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus). -#### Allow SSO login +## Helm +Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration) +```bash +git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git +helm install nexus-repository-manager chart +``` + +## BigBang Additions, Comments, and Important Information +### SAML/SSO Integration +BigBang requires/prefers SAML/SSO integration out of the box; unfortunately, the upstream Helm chart did not have a +solution at the drafting of this integration. To achieve our goal, we added a Kubernetes job that handles the SAML/SSO +integration. To enable this functionality, ensure `sso.enabled` is set to `true`; you will additionally require a +Keycloak instance, the IDP metadata file, along with other parameters you may defined in `sso.idp_data`. Our +implementation closely follows the [Sonatype SAML Integration](https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak) documentation. 
+ +Retrieve a list of all available privileges: +`curl -X GET "https://{{ base_url }}/service/rest/v1/security/privileges" -H "accept: application/json"` + +### Random Admin Password +NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The +problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are +leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password +on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This +method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes +secret to enable programmatic ingestion. + +Ensure the following is present to enable the randomized Kubernetes password: +```bash +# values.yaml +nexus: + env: + - name: NEXUS_SECURITY_RANDOMPASSWORD + key: "true" +... +secret: + enabled: true + mountPath: /nexus-data/admin.password + subPath: admin.password + readOnly: true +``` + +### License +We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 +encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl` +will create a named template and generate the appropriate secret within the namespace. The chart will reference the +license via a secret volumeMount to ensure the application starts licensed. diff --git a/docs/general.md b/docs/general.md new file mode 100644 index 0000000..c57c3bc --- /dev/null +++ b/docs/general.md @@ -0,0 +1,9 @@ +# NXRM Storage, Database, and High Availability + +## Storage + +### Blob Store + +## Database + +## High Availability diff --git a/docs/keycloak.md b/docs/keycloak.md new file mode 100644 index 0000000..16ea731 --- /dev/null +++ b/docs/keycloak.md 
@@ -0,0 +1,75 @@ +# NXRM Keycloak Configuration + +**SAML/SSO integration is a *Pro* license feature.** + +BigBang requires/prefers SAML/SSO integration out of the box; unfortunately, the upstream Helm chart did not have a solution at the drafting of this integration. To achieve our goal, we added a Kubernetes job that handles the SAML/SSO integration as part of the NXRM Helm installation. To enable this functionality, ensure `sso.enabled` is set to `true`; you will additionally require a Keycloak instance, the IDP metadata file, along with other parameters you may define in `sso.idp_data`. + +Our implementation closely follows the [Sonatype SAML Integration](https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak) documentation. + +## Download Keycloak IdP Metadata +1. Login to the Keycloak Admin Console i.e. /auth/admin/master/console/ +2. From the left-side menu, click on *Realm Settings*. +3. From the General tab, right-click on SAML 2.0 Identity Provider Metadata under the Endpoints field and save the link/file locally. This is the Keycloak IdP metadata that will be needed when configuring NXRM/IQ. + +## Configure Users and Groups in Keycloak +4. To add groups, via the left-side menu, under *Manage*, select *Groups* and then *New*. +5. In the next screen enter a group name and select *Save*. This will create a group that will be used for role mapping on the NXRM/IQ side. +6. To add users, via the left-side menu, under *Manage*, select *Users* and then *Add user*. +7. In the next screen, enter a *username*, First Name, Last Name* and *Email*, then click *Save*. +8. Once saved, the user will be created but will not have a default password set or be assigned to any groups. To set the password, click on the *Credentials* tab, set a password and click *Reset Password*. +9. 
To add the user to a group, click on the Groups tab and from the *Available Groups* field enter the name of the group created in Step 5 and click *Join*. + + +## NXRM Configuration +``` +# values.yaml +sso: + enabled: false + idp_data: + entityId: "{{ base_url }}/service/rest/v1/security/saml/metadata" + usernameAttribute: "username" + firstNameAttribute: "firstName" + lastNameAttribute: "lastName" + emailAttribute: "email" + groupsAttribute: "groups" + validateResponseSignature: true + validateAssertionSignature: true + idpMetadata: 'string' + realm: + - "NexusAuthenticatingRealm" + - "NexusAuthorizingRealm" + - "SamlRealm" + role: + id: "nexus" + name: "nexus" + description: "nexus group" + privileges: + - "nx-all" + roles: + - "nx-admin" + +# Retrieve a list of all available privileges: +# curl -X GET "https://{{ base_url }}/service/rest/v1/security/privileges" -H "accept: application/json" +``` + +10. Obtain a copy of the NXRM 3 SAML Metadata by opening the Entity ID URI i.e. /service/rest/v1/security/saml/metadata and saving the XML to file + +## Configure Keycloak - Client Config and Attribute Mapping +11. Further to configuring the NXRM/IQ side, to import the NXRM or IQ SAML metadata into Keycloak, via the Keycloak Admin Console select Clients from the left-side menu, then click *Create*. +12. In the Add Client screen, click *Select file* from the Import field, upload the NXRM or IQ SAML metadata that was obtained when configuring the NXRM/IQ side and click *Save*. +13. After saving, in the next screen, for the Client SAML Endpoint field, enter the Nexus instance*s Assertion Consumer Service (ACS) URL i.e. /saml for NXRM 3 or /saml for Nexus IQ Server and click *Save*. +14. If in the Configure Nexus Applications section, the *Validate Response Signature* and *Validate Assertion Signature* fields are set to "Default" or "True", then in the Clients → Settings tab ensure that the *Sign Documents* and *Sign Assertions* fields are enabled. 
+ +Once the client has been created and the Client SAML Endpoint has been set, an attribute for each of the mappable fields that were configured in the Configure Nexus Applications section i.e. username, firstName, lastName, email and groups, will need to be created. + +15. To map an attribute, select the Mappers tab and then click on 'Create'. +16. Create a mapper for each of the mappable attributes with the values shown here: + + | Name | Mapper Type | Property | Friendly Name | SAML Attribute Name | SAML Attribute NameFormat | + |-------------|---------------|-----------|---------------|---------------------|---------------------------| + | username | User Property | username | username | username | Basic | + | First Name | User Property | firstName | firstName | firstName | Basic | + | Last Name | User Property | lastName | lastName | lastName | Basic | + | Email | User Property | email | email | email | Basic | + | Groups | Group list | groups | groups | *N/A* | Basic | + -- GitLab From afd016fe643a5ab19d9005c971586e83b3c82691 Mon Sep 17 00:00:00 2001 From: Grant Duncklee Date: Thu, 15 Apr 2021 14:50:27 -0400 Subject: [PATCH 06/21] comments on HA, storage, health, etc. --- docs/README.md | 63 ------------------------------------------------- docs/general.md | 24 ++++++++++++++++++- 2 files changed, 23 insertions(+), 64 deletions(-) delete mode 100644 docs/README.md diff --git a/docs/README.md b/docs/README.md deleted file mode 100644 index 7336c7b..0000000 --- a/docs/README.md +++ /dev/null 
@@ -1,63 +0,0 @@ -# Sonatype Nexus Repository Manager (NXRM) - -Source of truth for components, artifacts, binaries, etc. - -This chart was sourced from [Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with minimal changes. - -## Prerequisites -- Kubernetes Cluster deployed -- Kubernetes config installed in ~/.kube/config -- Helm installed -- Keycloak (Optional - SSO) -- Sonatype NXRM License. Required for SAML integration - -## Iron Bank -You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus). - -## Helm -Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration) - -```bash -git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git -helm install nexus-repository-manager chart -``` - -## BigBang Additions, Comments, and Important Information -### SAML/SSO Integration -BigBang requires/prefers SAML/SSO integration out of the box; unfortunately, the upstream Helm chart did not have a -solution at the drafting of this integration. To achieve our goal, we added a Kubernetes job that handles the SAML/SSO -integration. To enable this functionality, ensure `sso.enabled` is set to `true`; you will additionally require a -Keycloak instance, the IDP metadata file, along with other parameters you may defined in `sso.idp_data`. Our -implementation closely follows the [Sonatype SAML Integration](https://support.sonatype.com/hc/en-us/articles/1500000976522-SAML-integration-for-Nexus-Repository-Manager-Pro-3-and-Nexus-IQ-Server-with-Keycloak) documentation. 
- -Retrieve a list of all available privileges: -`curl -X GET "https://{{ base_url }}/service/rest/v1/security/privileges" -H "accept: application/json"` - -### Random Admin Password -NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The -problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are -leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password -on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This -method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes -secret to enable programmatic ingestion. - -Ensure the following is present to enable the randomized Kubernetes password: -```bash -# values.yaml -nexus: - env: - - name: NEXUS_SECURITY_RANDOMPASSWORD - key: "true" -... -secret: - enabled: true - mountPath: /nexus-data/admin.password - subPath: admin.password - readOnly: true -``` - -### License -We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 -encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl` -will create a named template and generate the appropriate secret within the namespace. The chart will reference the -license via a secret volumeMount to ensure the application starts licensed. diff --git a/docs/general.md b/docs/general.md index c57c3bc..ae79981 100644 --- a/docs/general.md +++ b/docs/general.md 
@@ -1,9 +1,31 @@ # NXRM Storage, Database, and High Availability ## Storage +## Blob Store +Can be a shared file system or a cloud object store. -### Blob Store +[Blob Stores](https://help.sonatype.com/repomanager3/high-availability/configuring-blob-stores) + +### Recommended Shared File Systems +- NFS v4 +- AWS EFS +- AWS S3 ## Database +Nexus 3 uses builtin DB OrientDB for holding metadata and pointers for blob objects. ## High Availability +Discussing with Sonatype to ensure their HA-C solution is compatible with our deployment. + +The upstream charts have the replica count hard-coded to `1`, possibly due to a limitation. + +## Monitoring Node Health +NXRM provides two endpoints to monitor health status. Success is represented as `HTTP 200 OK`, failure is represented +as `HTTP 503 SERVICE UNAVAILABLE`. + +- `http://:/service/rest/v1/status` +Verifies that a node can handle read requests. + +- `http://:/service/rest/v1/status/writable` +Verifies that a node can handle read and write requests. + -- GitLab From 9092336aa792cb9b2308ec88f1d11ae77335ea1d Mon Sep 17 00:00:00 2001 From: Sam Date: Fri, 16 Apr 2021 08:18:13 -0400 Subject: [PATCH 07/21] fix: add logic to handle null or empty license_key value --- chart/templates/bigbang/configmap-sso.yaml | 2 +- chart/templates/bigbang/license.yaml | 2 ++ chart/templates/bigbang/saml.yaml | 2 +- chart/templates/configmap-properties.yaml | 8 +++++++- chart/templates/deployment.yaml | 4 ++++ chart/values.yaml | 13 +++++++------ 6 files changed, 22 insertions(+), 9 deletions(-) diff --git a/chart/templates/bigbang/configmap-sso.yaml b/chart/templates/bigbang/configmap-sso.yaml index 8879e41..6230c5c 100644 --- a/chart/templates/bigbang/configmap-sso.yaml +++ b/chart/templates/bigbang/configmap-sso.yaml @@ -1,4 +1,4 @@ -{{- if .Values.sso.enabled -}} +{{- if and .Values.sso.enabled .Values.license_key -}} apiVersion: v1 kind: ConfigMap metadata: 
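Review bot: Gating the ConfigMap on `and .Values.sso.enabled .Values.license_key` makes an `sso.enabled: true` release with an empty `license_key` render no SSO objects at all, with nothing telling the operator why; the same silent skip is added to saml.yaml in the following hunk. Since SAML is documented in this repo as a Pro-license feature, a render-time failure states the constraint where it is hit: `{{- if and .Values.sso.enabled (not .Values.license_key) }}{{ fail "sso.enabled requires license_key" }}{{- end }}` placed before the existing condition. If silent disabling is the intended behaviour, a values comment on `sso.enabled` saying it is ignored without a license would be the minimum.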
diff --git a/chart/templates/bigbang/license.yaml b/chart/templates/bigbang/license.yaml
index e6a37ca..ffab010 100644
--- a/chart/templates/bigbang/license.yaml
+++ b/chart/templates/bigbang/license.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.license_key }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,3 +12,4 @@ metadata:
 {{- end }}
 data:
 {{ include "nexus.licenseKey" . | indent 2 }}
+{{- end -}}
\ No newline at end of file
diff --git a/chart/templates/bigbang/saml.yaml b/chart/templates/bigbang/saml.yaml
index e8d6e77..185716d 100644
--- a/chart/templates/bigbang/saml.yaml
+++ b/chart/templates/bigbang/saml.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.sso.enabled .Values.secret.enabled }}
+{{- if and .Values.sso.enabled .Values.secret.enabled .Values.license_key }}
 apiVersion: batch/v1
 kind: Job
 metadata:
diff --git a/chart/templates/configmap-properties.yaml b/chart/templates/configmap-properties.yaml
index c1a5808..78cf7fb 100644
--- a/chart/templates/configmap-properties.yaml
+++ b/chart/templates/configmap-properties.yaml
@@ -11,7 +11,13 @@ metadata:
 {{- end }}
 data:
 nexus.properties: |
- {{- range $k, $v := .Values.nexus.properties.data }}
+ {{- $data := dict -}}
+ {{- $licenseDict := dict -}}
+ {{- if .Values.license_key -}}
+ {{- $_ := set $licenseDict "nexus.licenseFile" .Values.license.mountPath -}}
+ {{- end -}}
+ {{- $data := mergeOverwrite $licenseDict .Values.nexus.properties.data -}}
+ {{- range $k, $v := $data }}
 {{ $k }}={{ $v }}
 {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 09e2657..f873876 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
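Review bot: In the configmap-properties.yaml hunk the first `{{- $data := dict -}}` is dead: `$data` is declared again by the `mergeOverwrite` line before it is ever read, so the first line can be dropped. `mergeOverwrite $licenseDict .Values.nexus.properties.data` also passes the user value straight through; the new default is `{}`, but an override of a bare `data:` is null, and sprig's merge functions reject a nil source at render time (worth confirming against the Helm version in use), so `mergeOverwrite $licenseDict (default dict .Values.nexus.properties.data)` would keep the chart rendering for that input. Because `mergeOverwrite` lets the user map win, a user-supplied `nexus.licenseFile` silently replaces the chart-generated path; a comment stating that precedence next to the merge would make the behaviour discoverable.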
@@ -108,9 +108,11 @@ spec: name: {{ template "nexus.name" . }}-data - mountPath: /nexus-data/etc name: {{ template "nexus.name" . }}-data + {{- if .Values.license_key }} - mountPath: {{ .Values.license.mountPath }} name: {{ template "nexus.name" . }}-license subPath: {{ .Values.license.subPath }} + {{- end }} {{- if .Values.config.enabled }} - mountPath: {{ .Values.config.mountPath }} name: {{ template "nexus.name" . }}-conf @@ -144,12 +146,14 @@ spec: {{- else }} emptyDir: {} {{- end }} + {{- if .Values.license_key }} - name: nexus-repository-manager-license secret: secretName: {{ template "nexus.name" . }}-license items: - key: sonatype-license.lic path: sonatype-license.lic + {{- end }} {{- if .Values.config.enabled }} - name: {{ template "nexus.name" . }}-conf configMap: diff --git a/chart/values.yaml b/chart/values.yaml index a99fb2b..b9926bd 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -2,7 +2,7 @@ hostname: bigbang.dev istio: enabled: false -license_key: "test" +license_key: "" license: mountPath: /nexus-data/sonatype-license.lic subPath: sonatype-license.lic @@ -77,11 +77,12 @@ nexus: value: "true" properties: override: true - data: - nexus.licenseFile: /nexus-data/sonatype-license.lic - # nexus.scripts.allowCreation: true - # See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager - #nexus.ldap.env.java.naming.security.authentication: simple + data: {} + # data: + # nexus.licenseFile: /nexus-data/sonatype-license.override.lic + # nexus.scripts.allowCreation: true + # See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager + # nexus.ldap.env.java.naming.security.authentication: simple # nodeSelector: # cloud.google.com/gke-nodepool: default-pool resources: {} -- GitLab 
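Review bot: The new `{{- if .Values.license_key }}` guards in both deployment.yaml hunks agree with each other, but the volume they wrap is named with the literal `nexus-repository-manager-license` while the volumeMount on the new side refers to `{{ template "nexus.name" . }}-license`; if `nexus.name` can differ from the default (the chart exposes `nameOverride`), the Pod is rejected for a mount that points at a non-existent volume. Using the template for the volume as well, `- name: {{ template "nexus.name" . }}-license`, keeps the two in step. The enclosing `volumeMounts` and `volumes` lists start and end outside the hunks.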
From 0a2e061539c9ea62bfa68dfac4fe52e45324032a Mon Sep 17 00:00:00 2001 From: Sam Date: Fri, 16 Apr 2021 12:36:49 -0400 Subject: [PATCH 08/21] fix: made imagePullSecrets funtional --- chart/templates/deployment.yaml | 4 ++-- chart/templates/image-pull-secret.yaml | 10 ---------- chart/values.yaml | 3 +-- 3 files changed, 3 insertions(+), 14 deletions(-) delete mode 100644 chart/templates/image-pull-secret.yaml diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index f873876..2f04be1 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -48,9 +48,9 @@ spec: hostAliases: {{ toYaml .Values.nexus.hostAliases | indent 8 }} {{- end }} - {{- if .Values.nexus.imagePullSecret }} + {{- with .Values.nexus.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} + {{- toYaml . | nindent 8}} {{- end }} {{- if .Values.deployment.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }} diff --git a/chart/templates/image-pull-secret.yaml b/chart/templates/image-pull-secret.yaml deleted file mode 100644 index d70c3db..0000000 --- a/chart/templates/image-pull-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if .Values.nexus.imagePullSecret -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "nexus.name" . }} -data: - .dockerconfigjson: {{ .Values.nexus.imagePullSecret }} - -type: kubernetes.io/dockerconfigjson -{{- end }} \ No newline at end of file diff --git a/chart/values.yaml b/chart/values.yaml index b9926bd..54aac65 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -121,9 +121,8 @@ nexus: # hostnames: # - "example.com" # - "www.example.com" + imagePullSecrets: [] - -imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -- GitLab From 4d0184c6686648902d1aae988eae844f936b3067 Mon Sep 17 00:00:00 2001 
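Review bot: `{{- toYaml . | nindent 8}}` in the deployment.yaml hunk drops the space before `}}` that the rest of the template uses (`indent 8 }}` two lines above); `{{- toYaml . | nindent 8 }}` keeps the file uniform. Switching from `if` to `with` is the right fix here, since an empty `imagePullSecrets: []` is falsy and the key is then omitted instead of rendering an empty list.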
From: Sam Date: Fri, 16 Apr 2021 16:54:35 -0400 Subject: [PATCH 09/21] feat: allow virtualservice hostname to be overriden --- chart/templates/bigbang/virtualservice.yaml | 2 +- chart/values.yaml | 9 ++------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/chart/templates/bigbang/virtualservice.yaml b/chart/templates/bigbang/virtualservice.yaml index 5601574..b5e29fc 100644 --- a/chart/templates/bigbang/virtualservice.yaml +++ b/chart/templates/bigbang/virtualservice.yaml @@ -16,7 +16,7 @@ spec: gateways: - main.istio-system.svc.cluster.local hosts: - - "nexus-repository-manager.{{ .Values.hostname }}" + - "{{ .Values.hostname }}.{{ .Values.domain }}" http: - route: - destination: diff --git a/chart/values.yaml b/chart/values.yaml index 54aac65..79478e0 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -1,5 +1,6 @@ # -- Big Bang Additions -hostname: bigbang.dev +hostname: nexus +domain: bigbang.dev istio: enabled: false license_key: "" @@ -32,12 +33,6 @@ sso: - "nx-admin" # -- End of BigBang Additions -global: - hosts: - name: nexus-repository-manager - service: - name: nexus-repository-manager - ingress: enabled: true annotations: {kubernetes.io/ingress.class: nginx} -- GitLab From f2a6fd40b41522c33f52ac0f4f55db735055c5bd Mon Sep 17 00:00:00 2001 
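Review bot: `hostname` changes meaning in this commit — it used to hold the domain (`bigbang.dev`) and the VirtualService now renders `"{{ .Values.hostname }}.{{ .Values.domain }}"` — but the key keeps its old name, so an existing override such as `hostname: bigbang.dev` silently produces the host `bigbang.dev.bigbang.dev`. A values comment makes the contract visible: `# hostname: first DNS label only; the VirtualService host is "<hostname>.<domain>"`. Renaming the key (for example to `subdomain`) would additionally stop stale overrides from being picked up at all.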
From: Kavitha Thulasiraman Date: Fri, 23 Apr 2021 11:27:03 -0400 Subject: [PATCH 10/21] bigbang compliant --- .gitlab-ci.yml | 4 +++ CHANGELOG.md | 2 ++ CONTRIBUTING.md | 22 ++++++++++++++++ chart/templates/bigbang/virtualservice.yaml | 2 +- tests/README.md | 1 + tests/cypress.json | 10 +++++++ tests/cypress/integration/nexus-healthspec.js | 5 ++++ tests/cypress/look_other_packages_for_example | 0 tests/main-test-gateway.yaml | 26 +++++++++++++++++++ tests/test-values.yml | 7 +++++ 10 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 .gitlab-ci.yml create mode 100644 CHANGELOG.md create mode 100644 CONTRIBUTING.md create mode 100644 tests/README.md create mode 100644 tests/cypress.json create mode 100644 tests/cypress/integration/nexus-healthspec.js delete mode 100644 tests/cypress/look_other_packages_for_example create mode 100644 tests/main-test-gateway.yaml create mode 100644 tests/test-values.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..6e9f482 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,4 @@ +include: + - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates' + ref: master + file: '/templates/package-tests.yml' diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..4dc68c6 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,2 @@ +# Changelog + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..dd0eeba --- /dev/null +++ b/CONTRIBUTING.md 
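Review bot: `.gitlab-ci.yml` includes the shared `package-tests.yml` template at `ref: master`, so the jobs this repo runs can change or break with every push to that branch and a given commit here is not reproducible against a fixed pipeline; pin the include to a tag or commit SHA if the template project publishes them, `ref: <template-tag-or-sha>`. If a moving ref is deliberate, a comment on the `ref:` line recording that choice would at least document the trade-off.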
@@ -0,0 +1,22 @@ +# Contributing + +Thanks for contributing to this repository! + +This repository follows the following conventions: + +* [Semantic Versioning](https://semver.org/) +* [Keep a Changelog](https://keepachangelog.com/) +* [Conventional Commits](https://www.conventionalcommits.org/) + +Development requires the Kubernetes CLI tool as well as a local Kubernetes cluster. [k3d](https://k3d.io) is recommended as a lightweight local option for standing up Kubernetes clusters. + +To contribute a change: + +1. Create a branch on the cloned repository +2. Make the changes in code. +3. Write tests using [cypress](https://www.cypress.io) and [Conftest](https://conftest.dev) +4. Make commits using the [Conventional Commits](https://www.conventionalcommits.org/) format. This helps with automation for changelog. Update `CHANGELOG.md` in the same commit using the [Keep a Changelog](https://keepachangelog.com). Depending on tooling maturity, this step may be automated. +5. Open a merge request using one of the provided templates. If this merge request is solving a preexisting issue, add the issue reference into the description of the MR. +6. During this time, ensure that all new commits are rebased into your branch so that it remains up to date with the `main` branch. +7. Wait for a maintainer of the repository (see CODEOWNERS) to approve. +8. If you have permissions to merge, you are responsible for merging. Otherwise, a CODEOWNER will merge the commit. diff --git a/chart/templates/bigbang/virtualservice.yaml b/chart/templates/bigbang/virtualservice.yaml index b5e29fc..952e2a2 100644 --- a/chart/templates/bigbang/virtualservice.yaml +++ b/chart/templates/bigbang/virtualservice.yaml @@ -14,7 +14,7 @@ metadata: app.kubernetes.io/component: {{ include "nexus.name" . }} spec: gateways: - - main.istio-system.svc.cluster.local + - istio-system/main hosts: - "{{ .Values.hostname }}.{{ .Values.domain }}" http: 
diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 0000000..d735775 --- /dev/null +++ b/tests/README.md @@ -0,0 +1 @@ +Cypress tests run headless calling the script cy-run.sh \ No newline at end of file diff --git a/tests/cypress.json b/tests/cypress.json new file mode 100644 index 0000000..43b18da --- /dev/null +++ b/tests/cypress.json @@ -0,0 +1,10 @@ +{ + + "pluginsFile": false, + "supportFile": false, + "fixturesFolder": false, + "env": { + "nexus_url": "nexus.bigbang.dev" + + } +} diff --git a/tests/cypress/integration/nexus-healthspec.js b/tests/cypress/integration/nexus-healthspec.js new file mode 100644 index 0000000..dbaa644 --- /dev/null +++ b/tests/cypress/integration/nexus-healthspec.js @@ -0,0 +1,5 @@ +describe('Basic prometheus', function() { + it('Visits the prometheus sign in page', function() { + cy.visit(Cypress.env('nexus_url')) + }) +}) diff --git a/tests/cypress/look_other_packages_for_example b/tests/cypress/look_other_packages_for_example deleted file mode 100644 index e69de29..0000000 diff --git a/tests/main-test-gateway.yaml b/tests/main-test-gateway.yaml new file mode 100644 index 0000000..1c7d7d1 --- /dev/null +++ b/tests/main-test-gateway.yaml @@ -0,0 +1,26 @@ +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: main + namespace: istio-system +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - '*' + port: + name: http + number: 80 + protocol: HTTP + tls: + httpsRedirect: true + - hosts: + - '*.bigbang.dev' + port: + name: https + number: 443 + protocol: HTTPS + tls: + credentialName: wildcard-cert + mode: SIMPLE diff --git a/tests/test-values.yml b/tests/test-values.yml new file mode 100644 index 0000000..51a51c8 --- /dev/null +++ b/tests/test-values.yml @@ -0,0 +1,7 @@ + +istio: + enabled: true +nexus: + imagePullSecrets: [name: private-registry] + + -- GitLab From 351ba7b54d46066f72b45f6b062a90f9c44070f5 Mon Sep 17 00:00:00 2001 
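Review bot: `nexus-healthspec.js` contains no assertion, so it passes whenever `cy.visit` gets a 2xx, and its `describe`/`it` strings say "prometheus" although the spec targets Nexus; rename them (e.g. `describe('Basic nexus', ...)`, `it('Visits the nexus sign in page', ...)`) and assert on a known element of the Nexus UI so the test actually fails when the app is unhealthy. The `nexus_url` in `cypress.json` is `nexus.bigbang.dev` with no scheme; `cy.visit` with a bare host and no `baseUrl` is unlikely to resolve to the intended `https://` endpoint, so either prefix the scheme or confirm that `cy-run.sh` supplies a `baseUrl`.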
From: Kavitha Thulasiraman Date: Fri, 23 Apr 2021 11:31:37 -0400 Subject: [PATCH 11/21] bigbang compliant --- chart/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index 79478e0..efb1ce8 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -55,7 +55,7 @@ deploymentStrategy: Recreate image: # IB Nexus Image repository: registry1.dso.mil/ironbank/sonatype/nexus/nexus - tag: latest + tag: 3.29.0-02 pullPolicy: IfNotPresent nexus: -- GitLab From a9cab9a0851fc4be3bd67801d11b4a4599a388af Mon Sep 17 00:00:00 2001 From: Kavitha Thulasiraman Date: Fri, 23 Apr 2021 11:44:12 -0400 Subject: [PATCH 12/21] bigbang compliant --- CODEOWNERS | 4 ++-- chart/values.yaml | 2 ++ tests/test-values.yml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 3cd0a7e..07514d0 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,2 +1,2 @@ -* @grant.duncklee -#* @anyone? +* @grant.duncklee @kavitha + diff --git a/chart/values.yaml b/chart/values.yaml index efb1ce8..4bce23f 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -3,6 +3,8 @@ hostname: nexus domain: bigbang.dev istio: enabled: false +monioring: + enabled: false license_key: "" license: mountPath: /nexus-data/sonatype-license.lic diff --git a/tests/test-values.yml b/tests/test-values.yml index 51a51c8..2d1cc86 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -2,6 +2,7 @@ istio: enabled: true nexus: - imagePullSecrets: [name: private-registry] + imagePullSecrets: [name: + - name: private-registry-mil -- GitLab From c0504164313e26a0414027c1a15c4e1307ad54c0 Mon Sep 17 00:00:00 2001 From: Kavitha Thulasiraman Date: Fri, 23 Apr 2021 11:45:28 -0400 Subject: [PATCH 13/21] bigbang compliant --- tests/test-values.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test-values.yml b/tests/test-values.yml index 2d1cc86..b09ad18 100644 --- a/tests/test-values.yml 
+++ b/tests/test-values.yml @@ -2,7 +2,7 @@ istio: enabled: true nexus: - imagePullSecrets: [name: + imagePullSecrets: - name: private-registry-mil -- GitLab From 6e9d2d710a6f40664f1d24a768084de6852be1fc Mon Sep 17 00:00:00 2001 From: Kavitha Thulasiraman Date: Fri, 23 Apr 2021 12:45:01 -0400 Subject: [PATCH 14/21] add affinity to nexus deployment --- chart/templates/deployment.yaml | 4 +++ chart/values.yaml | 3 +- docs/README.md | 53 +++++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 docs/README.md diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 2f04be1..c678ca3 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -43,6 +43,10 @@ spec: {{- if .Values.nexus.nodeSelector }} nodeSelector: {{ toYaml .Values.nexus.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.nexus.affinity }} + affinity: +{{ toYaml .Values.nexus.affinity | indent 8 }} {{- end }} {{- if .Values.nexus.hostAliases }} hostAliases: diff --git a/chart/values.yaml b/chart/values.yaml index 4bce23f..831ed14 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -80,8 +80,9 @@ nexus: # nexus.scripts.allowCreation: true # See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager # nexus.ldap.env.java.naming.security.authentication: simple - # nodeSelector: + nodeSelector: {} # cloud.google.com/gke-nodepool: default-pool + affinity: {} resources: {} # requests: ## Based on https://support.sonatype.com/hc/en-us/articles/115006448847#mem diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..f734a30 --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,53 @@ +# Sonatype Nexus Repository Manager (NXRM) Documentation + +## Table of Contents +- [NXRM SSO Integration](docs/keycloak.md) +- [NXRM High Availability](docs/general.md#high-availability) +- [NXRM Storage](docs/general.md#storage) +- [NXRM Database](docs/general.md#database) +- [NXRM Dependent Packages](#nxrm-dependent-packages) +- [NXRM BigBang Caveats, Notes, etc.](#bigbang-additions-comments-and-important-information) + +## Iron Bank +You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus). + +## Helm +Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration) + +```bash +git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git +helm install nexus-repository-manager chart +``` +## BigBang Additions, Comments, and Important Information + +### Random Admin Password +NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The +problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are +leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password +on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This +method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes +secret to enable programmatic ingestion. + +Ensure the following is present to enable the randomized Kubernetes password: +```bash +# values.yaml +nexus: + env: + - name: NEXUS_SECURITY_RANDOMPASSWORD + key: "true" +... 
+secret: + enabled: true + mountPath: /nexus-data/admin.password + subPath: admin.password + readOnly: true +``` + +### License +We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 +encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl` +will create a named template and generate the appropriate secret within the namespace. The chart will reference the +license via a secret volumeMount to ensure the application starts licensed. + +### NXRM Dependent Packages +Nexus IQ Server requires Nexus Repository Manager. -- GitLab From 8255ea7492cb49dcc0fcaee498d1a5f7c188b247 Mon Sep 17 00:00:00 2001 From: Kavitha Thulasiraman Date: Fri, 23 Apr 2021 12:46:51 -0400 Subject: [PATCH 15/21] add affinity to nexus deployment --- docs/affinity.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 docs/affinity.md diff --git a/docs/affinity.md b/docs/affinity.md new file mode 100644 index 0000000..130ea04 --- /dev/null +++ b/docs/affinity.md 
@@ -0,0 +1,44 @@ +# Node Affinity & Anti-Affinity for Nexus + +Affinity is exposed through values options for this package. If you want to schedule your pods to deploy on specific nodes you can do that through the `nodeSelector` value and as needed the `affinity` value. Additional info is provided below as well to help in configuring this. + +It is good to have a basic knowledge of node affinity and available options to you before customizing in this way - the upstream kubernetes documentation [has a good walkthrough of this](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). + +## Values for NodeSelector + +The `nodeSelector` value at the top level can be set to do basic node selection for deployments. See the below example for an example to schedule pods to only nodes with the label `node-type` equal to `operator`: + +```yaml +nodeSelector: + node-type: operator +``` + +## Values for Affinity + +The `affinity` value at the top level should be used to specify affinity. The format to include follows what you'd specify at a pod/deployment level. See the example below for scheduling the operator pods only to nodes with the label `node-type` equal to `operator`: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-type + operator: In + values: + - operator +``` + +## Values for Anti-Affinity + +The `affinity` value at the top level can be set in the same way to schedule pods based on anti-affinity. See the below example to schedule pods to not be present on the nodes that already have pods with the `dont-schedule-with: operator` label: + +```yaml +affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: "kubernetes.io/hostname" + labelSelector: + matchLabels: + dont-schedule-with: operator +``` -- GitLab From b8ebc3db0fabb44925f26765cacbb43f3519bef1 Mon Sep 17 00:00:00 2001 
From: Thomas Runyon Date: Mon, 26 Apr 2021 12:09:14 -0400 Subject: [PATCH 16/21] added more vs for docker registires --- chart/templates/bigbang/virtualservice.yaml | 29 ++++++++++++++++++++- chart/values.yaml | 3 +++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/chart/templates/bigbang/virtualservice.yaml b/chart/templates/bigbang/virtualservice.yaml index 952e2a2..46c31b1 100644 --- a/chart/templates/bigbang/virtualservice.yaml +++ b/chart/templates/bigbang/virtualservice.yaml @@ -14,7 +14,9 @@ metadata: app.kubernetes.io/component: {{ include "nexus.name" . }} spec: gateways: - - istio-system/main + {{- range .Values.istio.nexus.gateways }} + - {{ . }} + {{- end }} hosts: - "{{ .Values.hostname }}.{{ .Values.domain }}" http: @@ -24,3 +26,28 @@ spec: number: {{ .Values.nexus.nexusPort }} host: {{ $serviceName }} {{- end }} +{{- $fullName := include "nexus.fullname" . -}} +{{ if .Values.nexus.docker.enabled }} +{{ range $registry := .Values.nexus.docker.registries }} +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }} + namespace: {{ $.Release.Namespace }} +spec: + gateways: + {{- range $.Values.istio.nexus.gateways }} + - {{ . }} + {{- end }} + hosts: + - {{ $registry.host | quote }} + http: + - route: + - destination: + port: + number: {{ $registry.port }} + host: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }} +{{- end }} +{{- end }} + diff --git a/chart/values.yaml b/chart/values.yaml index 831ed14..a69817a 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -3,6 +3,9 @@ hostname: nexus domain: bigbang.dev istio: enabled: false + nexus: + gateways: + - "istio-system/main" monioring: enabled: false license_key: "" -- GitLab From d466d51cbaf296d8cd35d1a8896802797e4771e5 Mon Sep 17 00:00:00 2001 
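Review bot: The per-registry VirtualService name and its destination `host` are both `{{ $fullName | trunc 49 }}-docker-{{ $registry.port }}`; when the fullname exceeds 49 characters `trunc` can leave a trailing `-`, producing a name that may not match the Service that presumably exposes that port (the Service template is outside this patch). The usual idiom is `trunc 49 | trimSuffix "-"`, and putting the name in a named helper used by both the Service and this VirtualService would stop the two from drifting. Separately, the docker loop is placed after the `{{- end }}` at new line 28; if that `end` closes an `istio.enabled` guard, these VirtualServices are rendered even when Istio is disabled, so wrap the loop in the same guard (`{{- if and .Values.istio.enabled .Values.nexus.docker.enabled }}`). The new objects also carry none of the `app.kubernetes.io/*` labels the first VirtualService has.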
From: runyontr Date: Wed, 28 Apr 2021 11:33:08 +0000 Subject: [PATCH 17/21] Update chart/Chart.yaml --- chart/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 5843156..b32c1b5 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: nexus-repository-manager version: 29.1.0-bb.0 -appVersion: 3.29.0 +appVersion: 3.29.0-bb.1 description: Sonatype Nexus Repository Manager - Universal Binary repository -- GitLab From 0fd429582c4a02684c6c170b8e1bb775be870efc Mon Sep 17 00:00:00 2001 From: Grant Duncklee Date: Thu, 29 Apr 2021 16:56:12 -0400 Subject: [PATCH 18/21] add imagePullSecrets to saml. add monitoring --- chart/templates/bigbang/saml.yaml | 5 ++++ chart/templates/bigbang/secret.yaml | 1 + chart/templates/bigbang/servicemonitor.yaml | 28 +++++++++++++++++++++ chart/values.yaml | 2 +- 4 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 chart/templates/bigbang/servicemonitor.yaml diff --git a/chart/templates/bigbang/saml.yaml b/chart/templates/bigbang/saml.yaml index 185716d..a03b1ab 100644 --- a/chart/templates/bigbang/saml.yaml +++ b/chart/templates/bigbang/saml.yaml @@ -11,6 +11,11 @@ spec: metadata: creationTimestamp: null spec: + activeDeadlineSeconds: 90 + {{- with .Values.nexus.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8}} + {{- end }} containers: - image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest name: saml diff --git a/chart/templates/bigbang/secret.yaml b/chart/templates/bigbang/secret.yaml index 37f4377..ec1e8be 100644 --- a/chart/templates/bigbang/secret.yaml +++ b/chart/templates/bigbang/secret.yaml @@ -12,4 +12,5 @@ metadata: {{- end }} data: admin.password: {{ randAlphaNum 12 | b64enc | quote }} + admin.username: YWRtaW4K {{- end}} diff --git a/chart/templates/bigbang/servicemonitor.yaml b/chart/templates/bigbang/servicemonitor.yaml new file mode 100644 index 0000000..a451ff1 --- /dev/null 
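Review bot: The SAML job now gets `imagePullSecrets`, but the image it pulls (context line `registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest`, pre-existing in this file) is still an unpinned `latest` tag, so what runs with the admin credentials this job presumably uses changes whenever the registry tag moves. Pin it to a specific Iron Bank tag, or a digest, and expose it via values (e.g. `image: {{ .Values.samlJob.image }}`) alongside the pull secrets added here. `activeDeadlineSeconds: 90` is a good bound; consider also `backoffLimit` if the Job spec outside this hunk does not set one.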
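Review bot: `admin.username: YWRtaW4K` is the base64 of `admin\n` — the trailing `K` encodes the newline that `echo admin | base64` appends — so any consumer of this key (the ServiceMonitor's basicAuth in this series, or a script mounting the secret) gets a username with a trailing newline and authentication to Nexus fails. Use `admin.username: {{ "admin" | b64enc | quote }}` (equivalently the literal `YWRtaW4=`). While here, `randAlphaNum 12` is roughly 71 bits of entropy; for the sole admin credential of an artifact repository a longer value such as `randAlphaNum 32` costs nothing, and the length could be a value. The metadata/annotations of this Secret are outside the hunk.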
+++ b/chart/templates/bigbang/servicemonitor.yaml @@ -0,0 +1,28 @@ +{{- if .Values.monitoring.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "nexus.fullname" . }} + labels: + release: monitoring +spec: + selector: + matchLabels: + name: {{ include "nexus.fullname" . }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - interval: 30s + path: /service/metrics/data + port: nexus-ui + scheme: http + basicAuth: + password: + name: {{ template "nexus.name" . }}-secret + key: admin.password + username: + name: {{ template "nexus.name" . }}-secret + key: admin.user + jobLabel: {{ template "nexus.fullname" . }}-metrics +{{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index a69817a..aadeaa3 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -6,7 +6,7 @@ istio: nexus: gateways: - "istio-system/main" -monioring: +monitoring: enabled: false license_key: "" license: -- GitLab From 102c702c5498405135c12512d29bcf4882f1e70f Mon Sep 17 00:00:00 2001 From: Grant Duncklee Date: Fri, 30 Apr 2021 09:47:22 -0400 Subject: [PATCH 19/21] fixup, update to prometheus metrics path --- chart/templates/bigbang/servicemonitor.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/bigbang/servicemonitor.yaml b/chart/templates/bigbang/servicemonitor.yaml index a451ff1..d955f26 100644 --- a/chart/templates/bigbang/servicemonitor.yaml +++ b/chart/templates/bigbang/servicemonitor.yaml @@ -14,7 +14,7 @@ spec: - {{ .Release.Namespace }} endpoints: - interval: 30s - path: /service/metrics/data + path: /service/metrics/prometheus port: nexus-ui scheme: http basicAuth: -- GitLab From d29d30a3e6229bc0137456e578372652aed118ef Mon Sep 17 00:00:00 2001 From: Grant Duncklee Date: Fri, 30 Apr 2021 11:54:50 -0400 Subject: [PATCH 20/21] only generate secret once, secret must survive upgrades --- chart/templates/bigbang/secret.yaml | 2 ++ 1 file changed, 2 insertions(+) 
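Review bot: The basicAuth `username` reference uses `key: admin.user`, but the secret template in this same series writes `admin.username` (and `admin.password`), so Prometheus cannot resolve the credential and the scrape will be rejected; change it to `key: admin.username`. The scrape also sends the Nexus admin password with `scheme: http`; if the Nexus pod is in the Istio mesh with mTLS that is tolerable, otherwise it is cleartext on the cluster network — confirm which applies. From a least-privilege standpoint a dedicated read-only metrics account would be preferable to the admin credential, since any compromise of the Prometheus secret store would yield full Nexus admin. `labels.release: monitoring` hard-codes the operator's selector; consider exposing it through values.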
diff --git a/chart/templates/bigbang/secret.yaml b/chart/templates/bigbang/secret.yaml index ec1e8be..6195fea 100644 --- a/chart/templates/bigbang/secret.yaml +++ b/chart/templates/bigbang/secret.yaml @@ -1,4 +1,5 @@ {{- if .Values.secret.enabled -}} +{{- if not (lookup "v1" "Secret" "" "{{ template 'nexus.name' . }}-secret") }} apiVersion: v1 kind: Secret metadata: @@ -14,3 +15,4 @@ data: admin.password: {{ randAlphaNum 12 | b64enc | quote }} admin.username: YWRtaW4K {{- end}} +{{- end}} -- GitLab From bcc14499ab06a9b63c57416c4a9e757ef3f2b149 Mon Sep 17 00:00:00 2001 From: Grant Duncklee Date: Mon, 3 May 2021 12:09:43 -0400 Subject: [PATCH 21/21] add release namespace to servicemonitor --- chart/templates/bigbang/servicemonitor.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/chart/templates/bigbang/servicemonitor.yaml b/chart/templates/bigbang/servicemonitor.yaml index d955f26..6fae080 100644 --- a/chart/templates/bigbang/servicemonitor.yaml +++ b/chart/templates/bigbang/servicemonitor.yaml @@ -3,6 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ template "nexus.fullname" . }} + namespace: {{ .Release.Namespace }} labels: release: monitoring spec: -- GitLab
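Review bot: The `lookup` name argument is the literal string `{{ template 'nexus.name' . }}-secret` — template actions are not re-evaluated inside a Go-template string literal — so the lookup never matches and the password is still regenerated on every upgrade, which is exactly what this commit means to prevent; build the name with `printf "%s-secret" (include "nexus.name" .)` and pass `.Release.Namespace` instead of `""`. Separately, omitting the whole resource when it already exists makes Helm treat it as removed from the release and delete it on that upgrade (unless the annotations outside this hunk set `helm.sh/resource-policy: keep`), after which the following upgrade regenerates it anyway. The robust pattern is to always render the Secret and reuse the existing value when one is found; `lookup` returns empty under `helm template`/dry-run, so the random fallback still covers that case.

```yaml
{{- if .Values.secret.enabled -}}
{{- $secretName := printf "%s-secret" (include "nexus.name" .) -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
{{- $password := randAlphaNum 12 | b64enc -}}
{{- if $existing -}}
{{- with index $existing.data "admin.password" -}}
{{- $password = . -}}
{{- end -}}
{{- end -}}
apiVersion: v1
kind: Secret
# … unchanged: metadata, labels and annotations …
data:
  admin.password: {{ $password | quote }}
# … unchanged: admin.username …
{{- end }}
```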