Merge branch 'bb-29/bigbang-addon' into 'main'

29.1.0-bb.0

See merge request !1

.gitlab-ci.yml

+include:
+  - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
+    ref: master
+    file: '/templates/package-tests.yml'

CHANGELOG.md

+# Changelog
+

CONTRIBUTING.md

+# Contributing
+
+Thanks for contributing to this repository!
+
+This repository follows the following conventions:
+
+* [Semantic Versioning](https://semver.org/)
+* [Keep a Changelog](https://keepachangelog.com/)
+* [Conventional Commits](https://www.conventionalcommits.org/)
+
+Development requires the Kubernetes CLI tool as well as a local Kubernetes cluster. [k3d](https://k3d.io) is recommended as a lightweight local option for standing up Kubernetes clusters.
+
+To contribute a change:
+
+1. Create a branch on the cloned repository
+2. Make the changes in code.
+3. Write tests using [cypress](https://www.cypress.io) and [Conftest](https://conftest.dev)
+4. Make commits using the [Conventional Commits](https://www.conventionalcommits.org/) format. This helps with automation for changelog. Update `CHANGELOG.md` in the same commit using the [Keep a Changelog](https://keepachangelog.com). Depending on tooling maturity, this step may be automated.
+5. Open a merge request using one of the provided templates. If this merge request is solving a preexisting issue, add the issue reference into the description of the MR.
+6. During this time, ensure that all new commits are rebased into your branch so that it remains up to date with the `main` branch.
+7. Wait for a maintainer of the repository (see CODEOWNERS) to approve.
+8. If you have permissions to merge, you are responsible for merging. Otherwise, a CODEOWNER will merge the commit.

README.md

-# Nexus
-This is a fork of the upstream Helm charts for installing Nexus Artifactor Repository Pro (i.e. Licenced Paid Version)     
+# Sonatype Nexus Repository Manager (NXRM) Documentation
 
-## Originally sourced from upstream, and minimially modified.
-Steps performed: 
-```
-kpt pkg get https://github.com/Oteemo/charts.git/charts/sonatype-nexus@sonatype-nexus-4.2.0 chart/
+## Table of Contents
+- [NXRM SSO Integration](docs/keycloak.md)
+- [NXRM High Availability](docs/general.md#high-availability)
+- [NXRM Storage](docs/general.md#storage)
+- [NXRM Database](docs/general.md#database)
+- [NXRM Dependent Packages](#nxrm-dependent-packages)
+- [NXRM BigBang Caveats, Notes, etc.](#bigbang-additions-comments-and-important-information)
+
+## Iron Bank
+You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus).
+
+## Helm
+Please reference complete list of providable variables [here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-repository-manager#configuration)
+
+```bash
+git clone https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/nexus-repository-manager.git
+helm install nexus-repository-manager chart
 ```
+## BigBang Additions, Comments, and Important Information
 
-## Upstream Changes
+### Random Admin Password
+NXRM's upstream chart ships with a standardized password and an optional values parameter to randomize a password. The
+problem with this approach it the user would be required to `exec` into the pod to retrieve the password. We are
+leveraging the existing `nexus.env['NEXUS_SECURITY_RANDOMPASSWORD']` item to force the creation of the random password
+on the pod. However, we are generating a random password via `randAlphaNum` and creating a Kubernetes secret. This
+method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes
+secret to enable programmatic ingestion.
 
-* TODO: no diff from upstream yet
+Ensure the following is present to enable the randomized Kubernetes password:
+```bash
+# values.yaml
+nexus:
+  env:
+    - name: NEXUS_SECURITY_RANDOMPASSWORD
+      key: "true"
+...
+secret:
+  enabled: true
+  mountPath: /nexus-data/admin.password
+  subPath: admin.password
+  readOnly: true
+```
 
-## Iron Bank
+### License
+We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 
+encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl`
+will create a named template and generate the appropriate secret within the namespace. The chart will reference the 
+license via a secret volumeMount to ensure the application starts licensed.
 
-You can `pull` the registry1 images for:
-* Nexus [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus%2Fnexus) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus)
-* Nexus IQ Server [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus-iq-server%2Fnexus-iq-server) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus-iq-server)
+### NXRM Dependent Packages
+Nexus IQ Server requires Nexus Repository Manager.

chart/Chart.yaml

-apiVersion: v1
-name: sonatype-nexus
-version: 4.2.0-bb.0
-appVersion: 3.27.0
-description: Sonatype Nexus is an open source repository manager
+apiVersion: v2
+name: nexus-repository-manager
+version: 29.1.0-bb.1
+appVersion: 3.29.0
+description: Sonatype Nexus Repository Manager - Universal Binary repository
+type: application
 keywords:
   - artifacts
   - dependency
@@ -10,16 +11,14 @@ keywords:
   - sonatype
   - nexus
   - repository
+  - quickstart
+  - ci
+  - repository-manager
+  - nexus3
 home: https://www.sonatype.com/nexus-repository-oss
-icon: http://www.sonatype.org/nexus/content/uploads/2015/06/Nexus-Logo.jpg
+icon: https://sonatype.github.io/helm3-charts/NexusRepo_Vertical.svg
 sources:
   - https://github.com/sonatype/nexus-public
-  - https://github.com/travelaudience/docker-nexus
-  - https://github.com/travelaudience/kubernetes-nexus
-  - https://github.com/travelaudience/docker-nexus-backup
-  - https://github.com/dbccompany/docker-nexus-backup
 maintainers:
-  - name: rjkernick
-    email: rjkernick@gmail.com
-  - name: tsiddique
-    email: tsiddique@live.com
+  - email:  support@sonatype.com
+    name: Sonatype

chart/OWNERS

 approvers:
-- rjkernick
-- tsiddique
 reviewers:
-- rjkernick
-- tsiddique

chart/templates/NOTES.txt

-- To access Nexus:
-
-  NOTE: It may take a few minutes for the ingress load balancer to become available or the backends to become HEALTHY.
-        You can watch the status of the backends by running:
-        `kubectl get ingress -o jsonpath='{.items[*].metadata.annotations.ingress\.kubernetes\.io/backends}'`
-
-  To access Nexus you can check:
-  {{- if .Values.nexusProxy.env.enforceHttps }}
-   https://{{ .Values.nexusProxy.env.nexusHttpHost }}
-  {{- else }}
-   http://{{ .Values.nexusProxy.env.nexusHttpHost }}
-  {{- end }}
-
-- Login with the following credentials
-
-   username: admin
-  {{- if .Values.initAdminPassword.enabled }}
-   password: {{ .Values.initAdminPassword.password }}
-  {{- else }}
-   password: {{ .Values.nexusBackup.nexusAdminPassword }}
-  {{- end }}
-
-{{- if .Values.initAdminPassword.enabled }}
-- Change Your password after the first login
-
-  {{- if .Values.nexusBackup.enabled }}
-   Once you login you should change your admin password to match the value of `nexusBackup.env.nexusAdminPassword`
-   This is important for security reasons and also because backup container needs this password set for admin user
-   to access Nexus API to run backups.
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $.Values.ingress.hostRepo }}{{ . }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $.Values.ingress.hostDocker }}{{ . }}
+{{- else if contains "NodePort" .Values.service.serviceType }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "nexus.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.serviceType }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "nexus.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "nexus.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  {{- range $index, $port := .Values.service.ports }}
+    echo http://$SERVICE_IP:{{ $port }}
   {{- end }}
+{{- else if contains "ClusterIP" .Values.service.serviceType }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "nexus.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8081:80
 {{- end }}
-- Next steps in configuration
-
-   Please follow the link below to the README for nexus configuration, usage, backups and DR info:
-   https://github.com/Oteemo/charts/tree/master/charts/sonatype-nexus#after-installing-the-chart

chart/templates/_helpers.tpl

@@ -25,36 +25,43 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 
 {{/*
-Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+Create chart name and version as used by the chart label.
 */}}
-{{- define "nexus.namespace" -}}
-  {{- if .Values.namespaceOverride -}}
-    {{- .Values.namespaceOverride -}}
-  {{- else -}}
-    {{- .Release.Namespace -}}
-  {{- end -}}
+{{- define "nexus.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
-Create a default fully qualified name for proxy keystore secret.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+Common labels
 */}}
-{{- define "nexus.proxy-ks.name" -}}
-{{- printf "%s-%s" (include "nexus.fullname" .) "proxy-ks" | trunc 63 | trimSuffix "-" -}}
+{{- define "nexus.labels" -}}
+helm.sh/chart: {{ include "nexus.chart" . }}
+{{ include "nexus.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
-{{/*  Manage the labels for each entity  */}}
-{{- define "nexus.labels" -}}
-app: {{ template "nexus.name" . }}
-fullname: {{ template "nexus.fullname" . }}
-chart: {{ .Chart.Name }}
-release: {{ .Release.Name }}
-heritage: {{ .Release.Service }}
+{{/*
+Selector labels
+*/}}
+{{- define "nexus.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "nexus.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "nexus.licenseKey" -}}
+sonatype-license.lic: {{ .Values.license_key }}
 {{- end -}}
 
 {{/*
-Create a fully qualified name for docker ingress.
+Create the name of the service account to use
 */}}
-{{- define "nexus.ingres.docker" -}}
-{{- printf "%s-%s" (include "nexus.fullname" .) "docker" | trunc 63 | trimSuffix "-" -}}
+{{- define "nexus.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "nexus.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
 {{- end -}}

chart/templates/adtl-configmap.yaml

-{{ $root := . }}
-{{- if .Values.additionalConfigMaps }}
-{{- range $cm := .Values.additionalConfigMaps }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ $cm.name }}
-  namespace: {{ template "nexus.namespace" $root }}
-  labels:
-{{ include "nexus.labels" $root | indent 4 }}
-{{- if $.Values.nexus.labels }}
-{{ toYaml $.Values.nexus.labels | indent 4 }}
-{{- end }}
-{{- if $cm.labels }}
-{{ toYaml $cm.labels | indent 4 }}
-{{- end }}
-data:
-{{ toYaml $cm.data | indent 2 }}
-{{- end }}
-{{- end }}
-

chart/templates/backup-pv.yaml

-{{- if and .Values.nexusBackup.enabled (not .Values.statefulset.enabled) }}
-{{- if .Values.nexusBackup.persistence.pdName -}}
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: {{ .Values.nexusBackup.persistence.pdName }}
-  namespace: {{ template "nexus.namespace" . }}
-  labels:
-{{ include "nexus.labels" . | indent 4 }}
-spec:
-  capacity:
-    storage: {{ .Values.nexusBackup.persistence.storageSize }}
-  accessModes:
-    - ReadWriteOnce
-  claimRef:
-    name: {{ template "nexus.fullname" . }}-backup
-    namespace: {{ .Release.Namespace }}
-  gcePersistentDisk:
-    pdName: {{ .Values.nexusBackup.persistence.pdName }}
-    fsType: {{ .Values.nexusBackup.persistence.fsType }}
-{{- end }}
-{{- end }}

chart/templates/backup-pvc.yaml

-{{- if and .Values.nexusBackup.enabled (not .Values.statefulset.enabled) }}
-{{- if and .Values.nexusBackup.persistence.enabled (not .Values.nexusBackup.persistence.existingClaim) }}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: {{ template "nexus.fullname" . }}-backup
-  namespace: {{ template "nexus.namespace" . }}
-  labels:
-{{ include "nexus.labels" . | indent 4 }}
-{{- if .Values.nexusBackup.persistence.annotations }}
-  annotations:
-{{ toYaml .Values.nexusBackup.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
-  accessModes:
-    - {{ .Values.nexusBackup.persistence.accessMode }}
-  resources:
-    requests:
-      storage: {{ .Values.nexusBackup.persistence.storageSize | quote }}
-{{- if .Values.nexusBackup.persistence.storageClass }}
-{{- if (eq "-" .Values.nexusBackup.persistence.storageClass) }}
-  storageClassName: ""
-{{- else }}
-  storageClassName: "{{ .Values.nexusBackup.persistence.storageClass }}"
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}

chart/templates/backup-secret.yaml

-{{- if and .Values.nexusBackup.enabled (not .Values.nexusBackup.env.nexusAuthorization) }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "nexus.fullname" . }}
-  namespace: {{ template "nexus.namespace" . }}
-  labels:
-{{ include "nexus.labels" . | indent 4 }}
-type: Opaque
-data:
-  nexus.nexusAdminPassword: {{ printf "%s%s" "Basic " (printf "%s%s" "admin:" .Values.nexusBackup.nexusAdminPassword | b64enc) | cat | b64enc | quote }}
-{{- end }}

chart/templates/bigbang/configmap-sso.yaml

+{{- if and .Values.sso.enabled .Values.license_key -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "nexus.name" . }}-sso
+  labels: {{- include "nexus.labels" . | nindent 4 }}
+    {{- if .Values.nexus.extraLabels }}
+      {{- with .Values.nexus.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+  idp-metadata: {{ .Values.sso.idp_data | toJson | quote }}
+  #realm: {{ .Values.sso.realm | quote }}
+  realm: '[{{ join "\",\"" .Values.sso.realm | printf "\"%s\""}}]'
+  role: {{ .Values.sso.role | toJson | quote }}
+{{- end }}
+

chart/templates/bigbang/license.yaml

+{{- if .Values.license_key }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "nexus.name" . }}-license
+  labels:
+{{ include "nexus.labels" . | indent 4 }}
+    {{- if .Values.nexus.extraLabels }}
+      {{- with .Values.nexus.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+{{ include "nexus.licenseKey" . | indent 2 }}
+{{- end -}}
\ No newline at end of file

chart/templates/bigbang/saml.yaml

+{{- if and .Values.sso.enabled .Values.secret.enabled .Values.license_key }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": post-install
+  creationTimestamp: null
+  name: saml
+spec:
+  template:
+    metadata:
+      creationTimestamp: null
+    spec:
+      activeDeadlineSeconds: 90
+      {{- with .Values.nexus.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8}}
+      {{- end }}
+      containers:
+      - image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest
+        name: saml
+        command:
+          - sh
+        args:
+          - -c
+          - |
+            until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available"  &&
+            BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}"
+            # saml metadata
+            curl -X PUT \
+                 -u admin:"$API_CREDENTIALS" \
+                 "$BASE_URL/service/rest/v1/security/saml" \
+                 -H "accept: application/json" \
+                 -H "Content-Type: application/json" \
+                 -d "$IDP_DATA" &&
+            # realm configuration
+            curl -X PUT \
+                 -u admin:"$API_CREDENTIALS" \
+                 "$BASE_URL/service/rest/v1/security/realms/active" \
+                 -H "accept: application/json" \
+                 -H "Content-Type: application/json" \
+                 -d "$REALM" &&
+            # role creation
+            curl -X POST \
+                 -u admin:"$API_CREDENTIALS" \
+                 "$BASE_URL/service/rest/v1/security/roles" \
+                 -H "accept: application/json" \
+                 -H "Content-Type: application/json" \
+                 -d "$ROLE" &&
+            curl -fsI -X POST http://localhost:15020/quitquitquit &&
+            exit
+        env:
+        - name: API_CREDENTIALS
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "nexus.name" . }}-secret
+              key: admin.password
+        - name: IDP_DATA
+          valueFrom:
+            configMapKeyRef:
+              name: {{ template "nexus.name" . }}-sso
+              key: idp-metadata
+        - name: REALM
+          valueFrom:
+            configMapKeyRef:
+              name: {{ template "nexus.name" . }}-sso
+              key: realm
+        - name: ROLE
+          valueFrom:
+            configMapKeyRef:
+              name: {{ template "nexus.name" . }}-sso
+              key: role
+        resources: {}
+      restartPolicy: Never
+status: {}
+{{- end }}

chart/templates/bigbang/secret.yaml

+{{- if .Values.secret.enabled -}}
+{{- if not (lookup "v1" "Secret" "" "{{ template 'nexus.name' . }}-secret") }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "nexus.name" . }}-secret
+  labels:
+{{ include "nexus.labels" . | indent 4 }}
+    {{- if .Values.nexus.extraLabels }}
+      {{- with .Values.nexus.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+  admin.password: {{ randAlphaNum 12 | b64enc | quote }}
+  admin.username: YWRtaW4K
+{{- end}}
+{{- end}}

chart/templates/bigbang/servicemonitor.yaml

+{{- if .Values.monitoring.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "nexus.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: monitoring
+spec:
+  selector:
+    matchLabels:
+      name: {{ include "nexus.fullname" . }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  endpoints:
+    - interval: 30s
+      path: /service/metrics/prometheus
+      port: nexus-ui
+      scheme: http
+      basicAuth:
+        password:
+          name: {{ template "nexus.name" . }}-secret
+          key: admin.password
+        username:
+          name: {{ template "nexus.name" . }}-secret
+          key: admin.user
+  jobLabel: {{ template "nexus.fullname" . }}-metrics
+{{- end }}

chart/templates/bigbang/virtualservice.yaml

+{{- if .Values.istio.enabled -}}
+{{- $serviceName := include "nexus.fullname" . -}}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: {{ template "nexus.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "nexus.name" . }}
+    helm.sh/chart: {{ include "nexus.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: nexus-repository-manager
+    app.kubernetes.io/component: {{ include "nexus.name" . }}
+spec:
+  gateways:
+  {{- range .Values.istio.nexus.gateways }}
+    - {{ . }}
+  {{- end }}
+  hosts:
+    - "{{ .Values.hostname }}.{{ .Values.domain }}"
+  http:
+    - route:
+        - destination:
+            port:
+              number: {{ .Values.nexus.nexusPort }}
+            host: {{ $serviceName }}
+{{- end }}
+{{- $fullName := include "nexus.fullname" . -}}
+{{ if .Values.nexus.docker.enabled }}
+{{ range $registry := .Values.nexus.docker.registries }}
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  gateways:
+  {{- range $.Values.istio.nexus.gateways }}
+    - {{ . }}
+  {{- end }}
+  hosts:
+  - {{ $registry.host | quote }}
+  http:
+  - route:
+    - destination:
+        port:
+          number: {{ $registry.port }}
+        host: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }}
+{{- end }}
+{{- end }}
+

chart/templates/cloudiam-pv.yaml

-{{- if and .Values.nexusCloudiam.enabled (not .Values.statefulset.enabled) }}
-{{- if .Values.nexusCloudiam.persistence.pdName -}}
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: {{ .Values.nexusCloudiam.persistence.pdName }}
-  namespace: {{ template "nexus.namespace" . }}
-  labels:
-{{ include "nexus.labels" . | indent 4 }}
-spec:
-  capacity:
-    storage: {{ .Values.nexusCloudiam.persistence.storageSize }}
-  accessModes:
-    - ReadWriteOnce
-  claimRef:
-    name: {{ template "nexus.fullname" . }}-cloudiam
-    namespace: {{ .Release.Namespace }}
-  gcePersistentDisk:
-    pdName: {{ .Values.nexusCloudiam.persistence.pdName }}
-    fsType: {{ .Values.nexusCloudiam.persistence.fsType }}
-{{- end }}
-{{- end }}