UNCLASSIFIED

Skip to content

GitLab

Commit fdeea492 authored by Grant Duncklee's avatar Grant Duncklee
Browse files

Merge branch 'bb-29/bigbang-addon' into 'main' 

29.1.0-bb.0

See merge request !1
parents 41dfdebe bcc14499
Pipeline #351576 passed with stages
in 3 minutes and 31 seconds
Hide whitespace changes
Inline Side-by-side
Showing with 343 additions and 540 deletions
.gitlab-ci.yml 0 → 100644
View file @ fdeea492
include:
- project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
ref: master
file: '/templates/package-tests.yml'
CHANGELOG.md 0 → 100644
View file @ fdeea492
# Changelog
CONTRIBUTING.md 0 → 100644
View file @ fdeea492
# Contributing
Thanks for contributing to this repository!
This repository follows the following conventions:
* [Semantic Versioning](https://semver.org/)
* [Keep a Changelog](https://keepachangelog.com/)
* [Conventional Commits](https://www.conventionalcommits.org/)
Development requires the Kubernetes CLI tool as well as a local Kubernetes cluster. [k3d](https://k3d.io) is recommended as a lightweight local option for standing up Kubernetes clusters.
To contribute a change:
1. Create a branch on the cloned repository
2. Make the changes in code.
3. Write tests using [cypress](https://www.cypress.io) and [Conftest](https://conftest.dev)
4. Make commits using the [Conventional Commits](https://www.conventionalcommits.org/) format. This helps with automation for changelog. Update `CHANGELOG.md` in the same commit using the [Keep a Changelog](https://keepachangelog.com). Depending on tooling maturity, this step may be automated.
5. Open a merge request using one of the provided templates. If this merge request is solving a preexisting issue, add the issue reference into the description of the MR.
6. During this time, ensure that all new commits are rebased into your branch so that it remains up to date with the `main` branch.
7. Wait for a maintainer of the repository (see CODEOWNERS) to approve.
8. If you have permissions to merge, you are responsible for merging. Otherwise, a CODEOWNER will merge the commit.
README.md
View file @ fdeea492
# Nexus # Sonatype Nexus Repository Manager (NXRM) Documentation
This is a fork of the upstream Helm charts for installing Nexus Artifactor Repository Pro (i.e. Licenced Paid Version)
## Originally sourced from upstream, and minimially modified. ## Table of Contents
Steps performed: - [NXRM SSO Integration](docs/keycloak.md)
``` - [NXRM High Availability](docs/general.md#high-availability)
kpt pkg get https://github.com/Oteemo/charts.git/charts/sonatype-nexus@sonatype-nexus-4.2.0 chart/ - [NXRM Storage](docs/general.md#storage)
- [NXRM Database](docs/general.md#database)
- [NXRM Dependent Packages](#nxrm-dependent-packages)
- [NXRM BigBang Caveats, Notes, etc.](#bigbang-additions-comments-and-important-information)
## Iron Bank
You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus).
## Helm
Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration)
```bash
git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git
helm install nexus-repository-manager chart
``` ```
## BigBang Additions, Comments, and Important Information
## Upstream Changes ### Random Admin Password
NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The
problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are
leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password
on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This
method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes
secret to enable programmatic ingestion.
* TODO: no diff from upstream yet Ensure the following is present to enable the randomized Kubernetes password:
```bash
# values.yaml
nexus:
env:
- name: NEXUS_SECURITY_RANDOMPASSWORD
key: "true"
...
secret:
enabled: true
mountPath: /nexus-data/admin.password
subPath: admin.password
readOnly: true
```
## Iron Bank ### License
We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64
encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl`
will create a named template and generate the appropriate secret within the namespace. The chart will reference the
license via a secret volumeMount to ensure the application starts licensed.
You can `pull` the registry1 images for: ### NXRM Dependent Packages
* Nexus [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus) Nexus IQ Server requires Nexus Repository Manager.
* Nexus IQ Server [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus-iq-server%2Fnexus-iq-server) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus-iq-server)
chart/Chart.yaml
View file @ fdeea492
apiVersion: v1 apiVersion: v2
name: sonatype-nexus name: nexus-repository-manager
version: 4.2.0-bb.0 version: 29.1.0-bb.1
appVersion: 3.27.0 appVersion: 3.29.0
description: Sonatype Nexus is an open source repository manager description: Sonatype Nexus Repository Manager - Universal Binary repository
type: application
keywords: keywords:
- artifacts - artifacts
- dependency - dependency
...@@ -10,16 +11,14 @@ keywords: ...@@ -10,16 +11,14 @@ keywords:
- sonatype - sonatype
- nexus - nexus
- repository - repository
- quickstart
- ci
- repository-manager
- nexus3
home: https://www.sonatype.com/nexus-repository-oss home: https://www.sonatype.com/nexus-repository-oss
icon: http://www.sonatype.org/nexus/content/uploads/2015/06/Nexus-Logo.jpg icon: https://sonatype.github.io/helm3-charts/NexusRepo_Vertical.svg
sources: sources:
- https://github.com/sonatype/nexus-public - https://github.com/sonatype/nexus-public
- https://github.com/travelaudience/docker-nexus
- https://github.com/travelaudience/kubernetes-nexus
- https://github.com/travelaudience/docker-nexus-backup
- https://github.com/dbccompany/docker-nexus-backup
maintainers: maintainers:
- name: rjkernick - email: support@sonatype.com
email: rjkernick@gmail.com name: Sonatype
- name: tsiddique
email: tsiddique@live.com
chart/OWNERS
View file @ fdeea492
approvers: approvers:
- rjkernick
- tsiddique
reviewers: reviewers:
- rjkernick
- tsiddique
chart/README.md deleted 100644 → 0
View file @ 41dfdebe
# Nexus
[Nexus OSS](https://www.sonatype.com/nexus-repository-oss) is a free open source repository manager. It supports a wide range of package formats and it's used by hundreds of tech companies.
## Introduction
This chart bootstraps a Nexus OSS deployment on a cluster using Helm.
This setup is best configured in [GCP](https://cloud.google.com/) since:
- [google cloud storage](https://cloud.google.com/storage/) is used for backups
- [NEW: Rclone](https://rclone.org/) it uses Rclone to create backups, basically compatible with all the major clouds.
- [GCE Ingress controller](https://github.com/kubernetes/ingress/blob/master/docs/faq/gce.md) is used for using a pre-allocated static IP in GCE.
There is also the option of using a [proxy for Nexus](https://github.com/travelaudience/nexus-proxy) that authenticates Nexus against an external identity provider (only GCP IAM at the moment) which is **disabled** by default.
## Prerequisites
- Kubernetes 1.15+ with Beta APIs enabled
- PV provisioner support in the underlying infrastructure
- [Fulfill Nexus kubernetes requirements](https://github.com/travelaudience/kubernetes-nexus#pre-requisites)
### With GCP IAM enabled
All the [Prerequisites](#Prerequisites) should be in place, plus:
- [Fulfill GCP IAM requirements](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus-proxy.md#pre-requisites)
## Testing the Chart
To test the chart:
```bash
helm install --dry-run --debug ./
```
To test the chart with your own values:
```bash
helm install --dry-run --debug -f my_values.yaml ./
```
## Installing the Chart
To install the chart:
```bash
helm repo add oteemocharts https://oteemo.github.io/charts
helm install sonatype-nexus oteemocharts/sonatype-nexus
```
The above command deploys Nexus on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
The default login is admin/admin123
## Uninstalling the Chart
To uninstall/delete the deployment:
```bash
$ helm list
NAME REVISION UPDATED STATUS CHART NAMESPACE
plinking-gopher 1 Fri Sep 1 13:19:50 2017 DEPLOYED sonatype-nexus-0.1.0 default
$ helm delete plinking-gopher
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Official Nexus image vs TravelAudience
There are known issues with backups on the official image. If you want to swap in the official image, just override the values when installing the chart. Please note that backups will not work as expected with the official image.
- [https://issues.sonatype.org/browse/NEXUS-23442](https://issues.sonatype.org/browse/NEXUS-23442)
- [https://github.com/travelaudience/docker-nexus](https://github.com/travelaudience/docker-nexus)
## Configuration
The following table lists the configurable parameters of the Nexus chart and their default values.
| Parameter | Description | Default |
| ------------------------------------------------------------ | ---------------------------------- | ----------------------------------------|
| `namespaceOverride` | Override for namespace | `nil` |
| `statefulset.enabled` | Use statefulset instead of deployment | `false` |
| `replicaCount` | Number of Nexus service replicas | `1` |
| `deploymentStrategy` | Deployment Strategy | `rollingUpdate` |
| `initAdminPassword.enabled` | Enable initialization of admin password on Helm install | `false` |
| `initAdminPassword.defaultPasswordOverride` | Override the default admin password | `nil` |
| `initAdminPassword.password` | Admin password to be set | `admin321` |
| `nexus.imageName` | Nexus image | `quay.io/travelaudience/docker-nexus` |
| `nexus.imageTag` | Version of Nexus | `3.25.1` |
| `nexus.imagePullPolicy` | Nexus image pull policy | `IfNotPresent` |
| `nexus.imagePullSecret` | Secret to download Nexus image from private registry | `nil` |
| `nexus.env` | Nexus environment variables | `[{install4jAddVmParams: -Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap}]` |
| `nexus.resources` | Nexus resource requests and limits | `{}` |
| `nexus.dockerPort` | Port to access docker | `5003` |
| `nexus.nexusPort` | Internal port for Nexus service | `8081` |
| `nexus.additionalPorts` | expose additional ports | `[]` |
| `nexus.service.type` | Service for Nexus | `NodePort` |
| `nexus.service.clusterIp` | Specific cluster IP when service type is cluster IP. Use None for headless service |`nil` |
| `nexus.service.loadBalancerIP` | Custom loadBalancerIP |`nil` |
| `nexus.securityContextEnabled` | Security Context (for enabling official image use `fsGroup: 200`) | `{}` |
| `nexus.labels` | Service labels | `{}` |
| `nexus.podAnnotations` | Pod Annotations | `{}`
| `nexus.livenessProbe.initialDelaySeconds` | LivenessProbe initial delay | 30 |
| `nexus.livenessProbe.periodSeconds` | Seconds between polls | 30 |
| `nexus.livenessProbe.failureThreshold` | Number of attempts before failure | 6 |
| `nexus.livenessProbe.timeoutSeconds` | Time in seconds after liveness probe times out | `nil` |
| `nexus.livenessProbe.path` | Path for LivenessProbe | / |
| `nexus.readinessProbe.initialDelaySeconds` | ReadinessProbe initial delay | 30 |
| `nexus.readinessProbe.periodSeconds` | Seconds between polls | 30 |
| `nexus.readinessProbe.failureThreshold` | Number of attempts before failure | 6 |
| `nexus.readinessProbe.timeoutSeconds` | Time in seconds after readiness probe times out | `nil` |
| `nexus.readinessProbe.path` | Path for ReadinessProbe | / |
| `nexus.hostAliases` | Aliases for IPs in /etc/hosts | [] |
| `nexus.context` | Non-root path to run Nexus at | `nil` |
| `nexus.chownNexusData` | Set false to not execute chown to the mounted nexus-data directory at startup | `true` |
| `nexusProxy.enabled` | Enable nexus proxy | `true` |
| `nexusProxy.svcName` | Nexus proxy service name | `nil` |
| `nexusProxy.targetPort` | Container Port for Nexus proxy | `8080` |
| `nexusProxy.port` | Port for exposing Nexus | `8080` |
| `nexusProxy.imageName` | Proxy image | `quay.io/travelaudience/docker-nexus-proxy` |
| `nexusProxy.imageTag` | Proxy image version | `2.6.0` |
| `nexusProxy.imagePullPolicy` | Proxy image pull policy | `IfNotPresent` |
| `nexusProxy.resources` | Proxy resource requests and limits | `{}` |
| `nexusProxy.env.nexusHttpHost` | Nexus url to access Nexus | `nil` |
| `nexusProxy.env.nexusDockerHost` | Containers url to be used with docker | `nil` |
| `nexusProxy.env.enforceHttps` | Allow only https access or not | `false` |
| `nexusProxy.env.cloudIamAuthEnabled` | Enable GCP IAM authentication in Nexus proxy | `false` |
| `nexusProxyRoute.enabled` | Set to true to create route for additional service | `false` |
| `nexusProxyRoute.labels` | Labels to be added to proxy route | `{}` |
| `nexusProxyRoute.annotations` | Annotations to be added to proxy route | `{}` |
| `nexusProxyRoute.path` | Host name of Route e.g jenkins.example.com | nil |
| `persistence.enabled` | Create a volume for storage | `true` |
| `persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
| `persistence.storageClass` | Storage class of Nexus PVC | `nil` |
| `persistence.storageSize` | Size of Nexus data volume | `8Gi` |
| `persistence.annotations` | Persistent Volume annotations | `{}` |
| `persistence.existingClaim` | Existing PVC name | `nil` |
| `nexusBackup.enabled` | Nexus backup process | `false` |
| `nexusBackup.imageName` | Nexus backup image | `dbcc/docker-nexus-backup` |
| `nexusBackup.imageTag` | Nexus backup image version | `0.0.1` |
| `nexusBackup.imagePullPolicy` | Backup image pull policy | `IfNotPresent` |
| `nexusBackup.env.rcloneRemote` | Required if `nexusBackup` is enabled. Name of the Rclone remote as defined in the `rcloneConfig` entry. Example: `AWS` | `nil` |
| `nexusBackup.env.targetBucket` | Required if `nexusBackup` is enabled. Name of the target bucket or bucket/path. Example: `my_bucket` or `my_bucket/my_folder` | `nil` |
| `nexusBackup.env.streamingUploadCutoff` | Size of the data chunks to send to the Rclone remote, this value affects the maximum size of the backup file to upload. | `"5000000"` |
| `nexusBackup.env.nexusAuthorization` | If set, `nexusBackup.nexusAdminPassword` will be disregarded. | `nil` |
| `nexusBackup.env.offlineRepos` | Space separated list of repositories must be taken down to achieve a consistent backup. | `"maven-central maven-public maven-releases maven-snapshots"` |
| `nexusBackup.env.gracePeriod` | The amount of time in seconds to wait between stopping repositories and starting the upload. | `60` |
| `nexusBackup.nexusAdminPassword` | Nexus admin password used by the backup container to access Nexus API. This password should match the one that gets chosen by the user to replace the default admin password after the first login | `admin123` |
| `nexusBackup.persistence.enabled` | Create a volume for backing Nexus configuration | `true` |
| `nexusBackup.persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
| `nexusBackup.persistence.storageClass` | Storage class of Nexus backup PVC | `nil` |
| `nexusBackup.persistence.storageSize` | Size of Nexus backup data volume | `8Gi` |
| `nexusBackup.persistence.annotations` | PV annotations for backup | `{}` |
| `nexusBackup.persistence.existingClaim` | Existing PVC name for backup | `nil` |
| `nexusBackup.resources` | Backup resource requests and limits | `{}` |
| `nexusBackup.rcloneConfig.rclone.conf` | Rclone remote configuration, can be generated using the `rclone config` command, or using docker: `docker run -it --rm rclone/rclone config` | `[AWS]` <br> `type = s3` <br> `provider = AWS` <br> `env_auth = true` <br> `region = us-east-1` <br> `acl = authenticated-read` |
| `nexusCloudiam.enabled` | Nexus Cloud IAM service account key path | `false` |
| `nexusCloudiam.persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
| `nexusCloudiam.persistence.annotations` | PV annotations for Cloud IAM service account key path | `{}` |
| `nexusCloudiam.persistence.enabled` | Create a volume for Cloud IAM service account key path | `true` |
| `nexusCloudiam.persistence.existingClaim` | Existing PVC name for Cloud IAM service account key path | `nil` |
| `nexusCloudiam.persistence.storageClass` | Storage class of Cloud IAM service account path PVC | `nil` |
| `nexusCloudiam.persistence.storageSize` | Size of Cloud IAM service account path volume | `8Gi` |
| `ingress.enabled` | Create an ingress for Nexus | `false` |
| `ingress.annotations` | Annotations to enhance ingress configuration | `{}` |
| `ingress.tls.enabled` | Enable TLS | `true` |
| `ingress.tls.secretName` | Name of the secret storing TLS cert, `false` to use the Ingress' default certificate | `nexus-tls` |
| `ingress.path` | Path for ingress rules. GCP users should set to `/*` | `/` |
| `ingressDocker.enabled` | Create an ingress for Docker registry | `false` |
| `ingressDocker.annotations` | Annotations to enhance docker ingress configuration | `{}` |
| `ingressDocker.tls.enabled` | Enable TLS | `true` |
| `ingressDocker.tls.secretName` | Name of the secret storing TLS cert, `false` to use the Ingress' default certificate | `nexus-tls` |
| `ingressDocker.path` | Path for docker ingress rules. GCP users should set to `/*` | `/` |
| `tolerations` | tolerations list | `[]` |
| `config.enabled` | Enable configmap | `false` |
| `config.mountPath` | Path to mount the config | `/sonatype-nexus-conf` |
| `config.data` | Configmap data | `nil` |
| `deployment.annotations` | Annotations to enhance deployment configuration | `{}` |
| `deployment.initContainers` | Init containers to run before main containers | `nil` |
| `deployment.postStart.command` | Command to run after starting the nexus container | `nil` |
| `deployment.additionalContainers` | Add additional Container | `nil` |
| `deployment.additionalVolumes` | Add additional Volumes | `nil` |
| `deployment.additionalVolumeMounts` | Add additional Volume mounts | `nil` |
| `secret.enabled` | Enable secret | `false` |
| `secret.mountPath` | Path to mount the secret | `/etc/secret-volume` |
| `secret.readOnly` | Secret readonly state | `true` |
| `secret.data` | Secret data to add to secret. If nil then expects that a secret by name of `${.Values.nameOverride}-secret` or `${.Chart.Name}-secret` exists | `nil` |
| `service.enabled` | Enable additional service | `nil` |
| `service.name` | Service name | `nil` |
| `service.portName` | Service port name | `nil` |
| `service.labels` | Service labels | `nil` |
| `service.annotations` | Service annotations | `nil` |
| `service.loadBalancerSourceRanges` | Service LoadBalancer source IP whitelist | `nil` |
| `service.loadBalancerIP` | Custom loadBalancerIP |`nil` |
| `service.targetPort` | Service port | `nil` |
| `service.port` | Port for exposing service | `nil` |
| `serviceAccount.create` | Automatically create a service account | `true` |
| `serviceAccount.name` | Service account to use | `nil` |
| `serviceAccount.annotations` | Service account annotations | `nil` |
| `rbac.create` | Creates a ClusterRoleBinding attached to the Service account. | `false` |
| `rbac.roleRef` | ClusterRoleBinding field `roleRef` content. See examples [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example). | `nil` |
| `rbac.annotations` | ClusterRoleBinding annotations. | `nil` |
| `route.enabled` | Set to true to create route for additional service | `false` |
| `route.name` | Name of route | `docker` |
| `route.portName` | Target port name of service | `docker` |
| `route.labels` | Labels to be added to route | `{}` |
| `route.annotations` | Annotations to be added to route | `{}` |
| `route.path` | Host name of Route e.g jenkins.example.com | nil |
| `additionalConfigMaps` | List of ConfigMap data containing Name, Data and Labels | nil |
If `nexusProxy.env.cloudIamAuthEnabled` is set to `true` the following variables need to be configured
| Parameter | Description | Default |
| ----------------------------- | ---------------------------------- | ---------------------------------------------------- |
| `nexusProxy.env.clientId` | GCP OAuth client ID | `nil` |
| `nexusProxy.env.clientSecret` | GCP OAuth client Secret | `nil` |
| `nexusProxy.env.organizationId` | GCP organization ID | `nil` |
| `nexusProxy.env.redirectUrl` | OAuth callback url. example `https://nexus.example.com/oauth/callback` | `nil` |
| `nexusProxy.env.requiredMembershipVerification` | Whether users presenting valid JWT tokens must still be verified for membership within the GCP organization. | `true` |
| `nexusProxy.secrets.keystore` | base-64 encoded value of the keystore file needed for the proxy to sign user tokens. Example: cat keystore.jceks &#124; base64 | `nil` |
| `nexusProxy.secrets.password` | Password to the Java Keystore file | `nil` |
```bash
helm install --set persistence.enabled=false my-release stable/sonatype-nexus
```
The above example turns off the persistence. Data will not be kept between restarts or deployments
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
helm install -f my-values.yaml sonatype-nexus stable/sonatype-nexus
```
### Persistence
By default a PersistentVolumeClaim is created and mounted into the `/nexus-data` directory. In order to disable this functionality
you can change the `values.yaml` to disable persistence which will use an `emptyDir` instead.
> *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."*
You must enable StatefulSet (`statefulset.enabled=true`) for true data persistence. If using Deployment approach, you can not recover data after restart or delete of helm chart. Statefulset will make sure that it picks up the same old volume which was used by the previous life of the nexus pod, helping you recover your data. When enabling statefulset, its required to enable the persistence.
### Recommended settings
As a minimum for running in production, the following settings are advised:
```yaml
nexusProxy:
env:
nexusDockerHost: container.example.com
nexusHttpHost: nexus.example.com
nexusBackup:
env:
targetBucket: "gs://my-nexus-backup"
persistence:
storageClass: standard
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: gce
kubernetes.io/tls-acme: true
persistence:
storageClass: standard
storageSize: 1024Gi
resources:
requests:
cpu: 250m
# Based on https://support.sonatype.com/hc/en-us/articles/115006448847#mem
# and https://twitter.com/analytically/status/894592422382063616:
# Xms == Xmx
# Xmx <= 4G
# MaxDirectMemory >= 2G
# Xmx + MaxDirectMemory <= RAM * 2/3 (hence the request for 4800Mi)
# MaxRAMFraction=1 is not being set as it would allow the heap
# to use all the available memory.
memory: 4800Mi
```
### Using GCP Storage for Backup
Irrespective of whether Nexus is deployed to Google's GKE, or to some other k8s installation, it is possible to configure the [nexus-backup](https://github.com/travelaudience/docker-nexus-backup) container to backup to GCP Cloud Storage.
This makes for a cost effective solution for backups.
To enable, add the following key to the values file:
```yaml
nexusCloudiam:
enabled: true
```
You should also deploy Nexus as a stateful app, rather than a deployment.
That means also adding:
```yaml
statefulset:
enabled: true
```
Deploying the chart now will result in a new PV and PVC within the pod that runs the containers.
Create a service account with privileges to upload to your GCP bucket, and creaet a key for this service account.
Download that service account key as a file, call it `service-account-key.json`.
This file now needs to be made available to the pod running in k8s, and should be called `/nexus-data/cloudiam/service-account-key.json`.
How this is done will depend upon the storage class used for the PV.
Confirm that the service account file is available to the pod, using:
kubectl exec --stdin --tty \
--container nexus-backup \
sonatype-nexus-0 \
-- find /nexus-data/cloudiam -type f
You might need to scale the deployment to zero and back up to pick up the changes:
kubectl scale --replicas=0 statefulset.apps/sonatype-nexus
kubectl scale --replicas=1 statefulset.apps/sonatype-nexus
## After Installing the Chart
After installing the chart a couple of actions need still to be done in order to use nexus. Please follow the instructions below.
### Nexus Configuration
The following steps need to be executed in order to use Nexus:
- [Configure Nexus](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus.md)
- [Configure Backups](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus.md#configure-backup)
and if GCP IAM authentication is enabled, please also check:
- [Enable GCP IAM authentication in Nexus](https://github.com/travelaudience/kubernetes-nexus/blob/master/docs/admin/configuring-nexus-proxy.md#enable-gcp-iam-auth)
### Nexus Usage
To see how to use Nexus with different tools like Docker, Maven, Python, and so on please check:
- [Nexus Usage](https://github.com/travelaudience/kubernetes-nexus#usage)
### Disaster Recovery
In a disaster recovery scenario, the latest backup made by the nexus-backup container should be restored. In order to achieve this please follow the procedure described below:
- [Restore Backups](https://github.com/travelaudience/kubernetes-nexus#restore)
chart/templates/NOTES.txt
View file @ fdeea492
- To access Nexus: 1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
NOTE: It may take a few minutes for the ingress load balancer to become available or the backends to become HEALTHY. http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $.Values.ingress.hostRepo }}{{ . }}
You can watch the status of the backends by running: http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $.Values.ingress.hostDocker }}{{ . }}
`kubectl get ingress -o jsonpath='{.items[*].metadata.annotations.ingress\.kubernetes\.io/backends}'` {{- else if contains "NodePort" .Values.service.serviceType }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "nexus.fullname" . }})
To access Nexus you can check: export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
{{- if .Values.nexusProxy.env.enforceHttps }} echo http://$NODE_IP:$NODE_PORT
https://{{ .Values.nexusProxy.env.nexusHttpHost }} {{- else if contains "LoadBalancer" .Values.service.serviceType }}
{{- else }} NOTE: It may take a few minutes for the LoadBalancer IP to be available.
http://{{ .Values.nexusProxy.env.nexusHttpHost }} You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "nexus.fullname" . }}'
{{- end }} export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "nexus.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
{{- range $index, $port := .Values.service.ports }}
- Login with the following credentials echo http://$SERVICE_IP:{{ $port }}
username: admin
{{- if .Values.initAdminPassword.enabled }}
password: {{ .Values.initAdminPassword.password }}
{{- else }}
password: {{ .Values.nexusBackup.nexusAdminPassword }}
{{- end }}
{{- if .Values.initAdminPassword.enabled }}
- Change Your password after the first login
{{- if .Values.nexusBackup.enabled }}
Once you login you should change your admin password to match the value of `nexusBackup.env.nexusAdminPassword`
This is important for security reasons and also because backup container needs this password set for admin user
to access Nexus API to run backups.
{{- end }} {{- end }}
{{- else if contains "ClusterIP" .Values.service.serviceType }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "nexus.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8081:80
{{- end }} {{- end }}
- Next steps in configuration
Please follow the link below to the README for nexus configuration, usage, backups and DR info:
https://github.com/Oteemo/charts/tree/master/charts/sonatype-nexus#after-installing-the-chart
chart/templates/_helpers.tpl
View file @ fdeea492
...@@ -25,36 +25,43 @@ If release name contains chart name it will be used as a full name. ...@@ -25,36 +25,43 @@ If release name contains chart name it will be used as a full name.
{{- end -}} {{- end -}}
{{/* {{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts. Create chart name and version as used by the chart label.
*/}} */}}
{{- define "nexus.namespace" -}} {{- define "nexus.chart" -}}
{{- if .Values.namespaceOverride -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}} {{- end -}}
{{/* {{/*
Create a default fully qualified name for proxy keystore secret. Common labels
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}} */}}
{{- define "nexus.proxy-ks.name" -}} {{- define "nexus.labels" -}}
{{- printf "%s-%s" (include "nexus.fullname" .) "proxy-ks" | trunc 63 | trimSuffix "-" -}} helm.sh/chart: {{ include "nexus.chart" . }}
{{ include "nexus.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}} {{- end -}}
{{/* Manage the labels for each entity */}} {{/*
{{- define "nexus.labels" -}} Selector labels
app: {{ template "nexus.name" . }} */}}
fullname: {{ template "nexus.fullname" . }} {{- define "nexus.selectorLabels" -}}
chart: {{ .Chart.Name }} app.kubernetes.io/name: {{ include "nexus.name" . }}
release: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
heritage: {{ .Release.Service }} {{- end -}}
{{- define "nexus.licenseKey" -}}
sonatype-license.lic: {{ .Values.license_key }}
{{- end -}} {{- end -}}
{{/* {{/*
Create a fully qualified name for docker ingress. Create the name of the service account to use
*/}} */}}
{{- define "nexus.ingres.docker" -}} {{- define "nexus.serviceAccountName" -}}
{{- printf "%s-%s" (include "nexus.fullname" .) "docker" | trunc 63 | trimSuffix "-" -}} {{- if .Values.serviceAccount.create -}}
{{ default (include "nexus.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}} {{- end -}}
chart/templates/adtl-configmap.yaml deleted 100644 → 0
View file @ 41dfdebe
{{ $root := . }}
{{- if .Values.additionalConfigMaps }}
{{- range $cm := .Values.additionalConfigMaps }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $cm.name }}
namespace: {{ template "nexus.namespace" $root }}
labels:
{{ include "nexus.labels" $root | indent 4 }}
{{- if $.Values.nexus.labels }}
{{ toYaml $.Values.nexus.labels | indent 4 }}
{{- end }}
{{- if $cm.labels }}
{{ toYaml $cm.labels | indent 4 }}
{{- end }}
data:
{{ toYaml $cm.data | indent 2 }}
{{- end }}
{{- end }}
chart/templates/backup-pv.yaml deleted 100644 → 0
View file @ 41dfdebe
{{- if and .Values.nexusBackup.enabled (not .Values.statefulset.enabled) }}
{{- if .Values.nexusBackup.persistence.pdName -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ .Values.nexusBackup.persistence.pdName }}
namespace: {{ template "nexus.namespace" . }}
labels:
{{ include "nexus.labels" . | indent 4 }}
spec:
capacity:
storage: {{ .Values.nexusBackup.persistence.storageSize }}
accessModes:
- ReadWriteOnce
claimRef:
name: {{ template "nexus.fullname" . }}-backup
namespace: {{ .Release.Namespace }}
gcePersistentDisk:
pdName: {{ .Values.nexusBackup.persistence.pdName }}
fsType: {{ .Values.nexusBackup.persistence.fsType }}
{{- end }}
{{- end }}
chart/templates/backup-pvc.yaml deleted 100644 → 0
View file @ 41dfdebe
{{- if and .Values.nexusBackup.enabled (not .Values.statefulset.enabled) }}
{{- if and .Values.nexusBackup.persistence.enabled (not .Values.nexusBackup.persistence.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "nexus.fullname" . }}-backup
namespace: {{ template "nexus.namespace" . }}
labels:
{{ include "nexus.labels" . | indent 4 }}
{{- if .Values.nexusBackup.persistence.annotations }}
annotations:
{{ toYaml .Values.nexusBackup.persistence.annotations | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.nexusBackup.persistence.accessMode }}
resources:
requests:
storage: {{ .Values.nexusBackup.persistence.storageSize | quote }}
{{- if .Values.nexusBackup.persistence.storageClass }}
{{- if (eq "-" .Values.nexusBackup.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.nexusBackup.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
chart/templates/backup-secret.yaml deleted 100644 → 0
View file @ 41dfdebe
{{- if and .Values.nexusBackup.enabled (not .Values.nexusBackup.env.nexusAuthorization) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "nexus.fullname" . }}
namespace: {{ template "nexus.namespace" . }}
labels:
{{ include "nexus.labels" . | indent 4 }}
type: Opaque
data:
nexus.nexusAdminPassword: {{ printf "%s%s" "Basic " (printf "%s%s" "admin:" .Values.nexusBackup.nexusAdminPassword | b64enc) | cat | b64enc | quote }}
{{- end }}
chart/templates/bigbang/configmap-sso.yaml 0 → 100644
View file @ fdeea492
{{- if and .Values.sso.enabled .Values.license_key -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "nexus.name" . }}-sso
labels: {{- include "nexus.labels" . | nindent 4 }}
{{- if .Values.nexus.extraLabels }}
{{- with .Values.nexus.extraLabels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
data:
idp-metadata: {{ .Values.sso.idp_data | toJson | quote }}
#realm: {{ .Values.sso.realm | quote }}
realm: '[{{ join "\",\"" .Values.sso.realm | printf "\"%s\""}}]'
role: {{ .Values.sso.role | toJson | quote }}
{{- end }}
chart/templates/bigbang/license.yaml 0 → 100644
View file @ fdeea492
{{- if .Values.license_key }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "nexus.name" . }}-license
labels:
{{ include "nexus.labels" . | indent 4 }}
{{- if .Values.nexus.extraLabels }}
{{- with .Values.nexus.extraLabels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
data:
{{ include "nexus.licenseKey" . | indent 2 }}
{{- end -}}
\ No newline at end of file
chart/templates/bigbang/saml.yaml 0 → 100644
View file @ fdeea492
{{- if and .Values.sso.enabled .Values.secret.enabled .Values.license_key }}
apiVersion: batch/v1
kind: Job
metadata:
annotations:
"helm.sh/hook": post-install
creationTimestamp: null
name: saml
spec:
template:
metadata:
creationTimestamp: null
spec:
activeDeadlineSeconds: 90
{{- with .Values.nexus.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8}}
{{- end }}
containers:
- image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest
name: saml
command:
- sh
args:
- -c
- |
until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available" &&
BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}"
# saml metadata
curl -X PUT \
-u admin:"$API_CREDENTIALS" \
"$BASE_URL/service/rest/v1/security/saml" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "$IDP_DATA" &&
# realm configuration
curl -X PUT \
-u admin:"$API_CREDENTIALS" \
"$BASE_URL/service/rest/v1/security/realms/active" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "$REALM" &&
# role creation
curl -X POST \
-u admin:"$API_CREDENTIALS" \
"$BASE_URL/service/rest/v1/security/roles" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "$ROLE" &&
curl -fsI -X POST http://localhost:15020/quitquitquit &&
exit
env:
- name: API_CREDENTIALS
valueFrom:
secretKeyRef:
name: {{ template "nexus.name" . }}-secret
key: admin.password
- name: IDP_DATA
valueFrom:
configMapKeyRef:
name: {{ template "nexus.name" . }}-sso
key: idp-metadata
- name: REALM
valueFrom:
configMapKeyRef:
name: {{ template "nexus.name" . }}-sso
key: realm
- name: ROLE
valueFrom:
configMapKeyRef:
name: {{ template "nexus.name" . }}-sso
key: role
resources: {}
restartPolicy: Never
status: {}
{{- end }}
chart/templates/bigbang/secret.yaml 0 → 100644
View file @ fdeea492
{{- if .Values.secret.enabled -}}
{{- if not (lookup "v1" "Secret" "" "{{ template 'nexus.name' . }}-secret") }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "nexus.name" . }}-secret
labels:
{{ include "nexus.labels" . | indent 4 }}
{{- if .Values.nexus.extraLabels }}
{{- with .Values.nexus.extraLabels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
data:
admin.password: {{ randAlphaNum 12 | b64enc | quote }}
admin.username: YWRtaW4K
{{- end}}
{{- end}}
chart/templates/bigbang/servicemonitor.yaml 0 → 100644
View file @ fdeea492
{{- if .Values.monitoring.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "nexus.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
release: monitoring
spec:
selector:
matchLabels:
name: {{ include "nexus.fullname" . }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
endpoints:
- interval: 30s
path: /service/metrics/prometheus
port: nexus-ui
scheme: http
basicAuth:
password:
name: {{ template "nexus.name" . }}-secret
key: admin.password
username:
name: {{ template "nexus.name" . }}-secret
key: admin.user
jobLabel: {{ template "nexus.fullname" . }}-metrics
{{- end }}
chart/templates/bigbang/virtualservice.yaml 0 → 100644
View file @ fdeea492
{{- if .Values.istio.enabled -}}
{{- $serviceName := include "nexus.fullname" . -}}
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: {{ template "nexus.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "nexus.name" . }}
helm.sh/chart: {{ include "nexus.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: nexus-repository-manager
app.kubernetes.io/component: {{ include "nexus.name" . }}
spec:
gateways:
{{- range .Values.istio.nexus.gateways }}
- {{ . }}
{{- end }}
hosts:
- "{{ .Values.hostname }}.{{ .Values.domain }}"
http:
- route:
- destination:
port:
number: {{ .Values.nexus.nexusPort }}
host: {{ $serviceName }}
{{- end }}
{{- $fullName := include "nexus.fullname" . -}}
{{ if .Values.nexus.docker.enabled }}
{{ range $registry := .Values.nexus.docker.registries }}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }}
namespace: {{ $.Release.Namespace }}
spec:
gateways:
{{- range $.Values.istio.nexus.gateways }}
- {{ . }}
{{- end }}
hosts:
- {{ $registry.host | quote }}
http:
- route:
- destination:
port:
number: {{ $registry.port }}
host: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }}
{{- end }}
{{- end }}
chart/templates/cloudiam-pv.yaml deleted 100644 → 0
View file @ 41dfdebe
{{- if and .Values.nexusCloudiam.enabled (not .Values.statefulset.enabled) }}
{{- if .Values.nexusCloudiam.persistence.pdName -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ .Values.nexusCloudiam.persistence.pdName }}
namespace: {{ template "nexus.namespace" . }}
labels:
{{ include "nexus.labels" . | indent 4 }}
spec:
capacity:
storage: {{ .Values.nexusCloudiam.persistence.storageSize }}
accessModes:
- ReadWriteOnce
claimRef:
name: {{ template "nexus.fullname" . }}-cloudiam
namespace: {{ .Release.Namespace }}
gcePersistentDisk:
pdName: {{ .Values.nexusCloudiam.persistence.pdName }}
fsType: {{ .Values.nexusCloudiam.persistence.fsType }}
{{- end }}
{{- end }}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

UNCLASSIFIED