From 6debe3ba4bd0c7cd5f2f12bee4440f037e77c37d Mon Sep 17 00:00:00 2001
From: Grant Duncklee
Date: Wed, 26 May 2021 17:04:08 -0400
Subject: [PATCH 1/4] feat: add proxy support

---
 chart/Chart.yaml | 2 +-
 chart/templates/bigbang/configmap-proxy.yaml | 15 ++++++
 chart/templates/bigbang/proxy.yaml | 51 ++++++++++++++++++++
 chart/values.yaml | 33 ++++++++++++-
 4 files changed, 98 insertions(+), 3 deletions(-)
 create mode 100644 chart/templates/bigbang/configmap-proxy.yaml
 create mode 100644 chart/templates/bigbang/proxy.yaml

diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 735e91a..b6173cf 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nexus-repository-manager
-version: 29.1.0-bb.1
+version: 29.1.0-bb.2
 appVersion: 3.29.0
 description: Sonatype Nexus Repository Manager - Universal Binary repository
 type: application
diff --git a/chart/templates/bigbang/configmap-proxy.yaml b/chart/templates/bigbang/configmap-proxy.yaml
new file mode 100644
index 0000000..e3bdc66
--- /dev/null
+++ b/chart/templates/bigbang/configmap-proxy.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.proxy.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "nexus.name" . }}-proxy
+ labels: {{- include "nexus.labels" . | nindent 4 }}
+ {{- if .Values.nexus.extraLabels }}
+ {{- with .Values.nexus.extraLabels }}
+ {{ toYaml . | indent 4 }}
+ {{- end }}
+ {{- end }}
+data:
+ proxy: {{ .Values.proxy.request | toJson | quote }}
+{{- end }}
+
diff --git a/chart/templates/bigbang/proxy.yaml b/chart/templates/bigbang/proxy.yaml
new file mode 100644
index 0000000..08a15ec
--- /dev/null
+++ b/chart/templates/bigbang/proxy.yaml
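Review bot: The `data.proxy` line of the configmap-proxy.yaml hunk serialises the whole `.Values.proxy.request` object, and that object (see the values.yaml hunk of the same patch) carries `httpAuthPassword`, `httpsAuthPassword` and the NTLM fields, so proxy credentials end up in clear text in a ConfigMap readable by anyone with configmap read access in the namespace. Rendering the same payload as `kind: Secret` under `stringData:` and switching the Job's `configMapKeyRef` to `secretKeyRef` keeps the consumer contract unchanged while putting the value under Secret RBAC. The `{{ toYaml . | indent 4 }}` line for `extraLabels` also appears to sit on an already-indented line before `indent` adds four more spaces, which would misalign the first label; the `{{- ... | nindent 4 }}` form used for `labels` on the line above is the usual fix, but confirm against rendered output since indentation is not preserved in this view.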
@@ -0,0 +1,51 @@
+{{- if .Values.proxy.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ "helm.sh/hook": post-install
+ creationTimestamp: null
+ name: proxy
+spec:
+ template:
+ metadata:
+ creationTimestamp: null
+ spec:
+ activeDeadlineSeconds: 90
+ {{- with .Values.nexus.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8}}
+ {{- end }}
+ containers:
+ - image: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal:latest
+ name: proxy
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available" &&
+ BASE_URL="http://{{ template "nexus.name" . }}.{{ template "nexus.name" . }}.svc.cluster.local:{{ .Values.nexus.nexusPort }}"
+ # proxy
+ curl -X POST \
+ -u admin:"$API_CREDENTIALS" \
+ "$BASE_URL/service/extdirect" \
+ -H "Content-Type: application/json" \
+ -d "$PROXY" &&
+ curl -fsI -X POST http://localhost:15020/quitquitquit &&
+ exit
+ env:
+ - name: API_CREDENTIALS
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "nexus.name" . }}-secret
+ key: admin.password
+ - name: PROXY
+ valueFrom:
+ configMapKeyRef:
+ name: {{ template "nexus.name" . }}-proxy
+ key: proxy
+ resources: {}
+ restartPolicy: Never
+status: {}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index aadeaa3..508f9db 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
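Review bot: The `curl -X POST` against `$BASE_URL/service/extdirect` in the Job script has no `--fail`, so a 401/403/5xx from Nexus still exits 0, the `&&` chain proceeds to shut down the sidecar, and the hook reports success even though the proxy settings were never applied. Adding `-f` to that call, and ideally checking for `"success":true` in the response body since the Ext.Direct endpoint can answer 200 with `success: false`, would make the hook fail honestly instead of masking a misconfiguration. Two smaller points on the same container: `ubi8-minimal:latest` is a mutable tag, so pin a version or digest to keep the hook reproducible, and `-u admin:"$API_CREDENTIALS"` places the admin password in curl's argv where any process-list reader in the container can see it; feeding it via `--config`/`--netrc-file` from a mounted file avoids that. The `echo "Waiting for Sidercar"` message also has a typo (`Sidecar`).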
@@ -36,6 +36,35 @@ sso: - "nx-all" roles: - "nx-admin" +proxy: + enabled: false + request: + tid: 1 + action: coreui_HttpSettings + method: update + type: rpc + data: + - userAgentSuffix: ~ + timeout: ~ + retries: ~ + httpEnabled: false + httpHost: ~ + httpPort: ~ + httpAuthEnabled: ~ + httpAuthUsername: ~ + httpAuthPassword: ~ + httpAuthNtlmHost: ~ + httpAuthNtlmDomain: ~ + httpsEnabled: false + httpsHost: ~ + httpsPort: ~ + httpsAuthEnabled: ~ + httpsAuthUsername: ~ + httpsAuthPassword: ~ + httpsAuthNtlmHost: ~ + httpsAuthNtlmDomain: ~ + nonProxyHosts: [] + # -- End of BigBang Additions ingress: @@ -78,7 +107,7 @@ nexus: properties: override: true data: {} - # data: + # data: # nexus.licenseFile: /nexus-data/sonatype-license.override.lic # nexus.scripts.allowCreation: true # See this article for ldap configuratioon options https://support.sonatype.com/hc/en-us/articles/216597138-Setting-Advanced-LDAP-Connection-Properties-in-Nexus-Repository-Manager @@ -199,7 +228,7 @@ persistence: tolerations: [] -# # Enable configmap and add data in configmap +# # Enable configmap and add data in configmap config: enabled: false mountPath: /sonatype-nexus-conf -- GitLab From 0184e362c70ee74b244faa466515390170558592 Mon Sep 17 00:00:00 2001 From: Grant Duncklee Date: Thu, 3 Jun 2021 10:23:02 -0400 Subject: [PATCH 2/4] chore: remediate password generation on upgrade purge jobs on completion --- chart/templates/_helpers.tpl | 7 +++++++ chart/templates/bigbang/proxy.yaml | 3 ++- chart/templates/bigbang/saml.yaml | 3 ++- chart/templates/bigbang/secret.yaml | 14 ++++++++++---- 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index 0a209ed..8bd9104 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl 
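Review bot: The new `proxy.request` block in the values.yaml hunk has no comment saying what it is, yet it is posted verbatim as the Ext.Direct body to Nexus's `coreui_HttpSettings.update` RPC by the proxy Job, so a reader has no way to know that `tid`, `action`, `method` and `type` are protocol fields rather than settings to tune. The file already uses helm-docs style `# --` comments, so `# -- Raw Ext.Direct request applied by the proxy Job; tid/action/method/type are protocol fields, not settings` above `request:` and `# -- Proxy credentials: supply via an external secret mechanism rather than committed values` above the `*AuthPassword` fields would close that gap. The `~` nulls also read more clearly as explicit `null`; both serialise identically through `toJson`.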
@@ -55,6 +55,13 @@ app.kubernetes.io/instance: {{ .Release.Name }} sonatype-license.lic: {{ .Values.license_key }} {{- end -}} +{{/* +Return Nexus default admin password +*/}} +{{- define "nexus.defaultAdminPassword" -}} +{{ randAlphaNum 12 }} +{{- end -}} + {{/* Create the name of the service account to use */}} diff --git a/chart/templates/bigbang/proxy.yaml b/chart/templates/bigbang/proxy.yaml index 08a15ec..3729a12 100644 --- a/chart/templates/bigbang/proxy.yaml +++ b/chart/templates/bigbang/proxy.yaml @@ -3,7 +3,8 @@ apiVersion: batch/v1 kind: Job metadata: annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed creationTimestamp: null name: proxy spec: diff --git a/chart/templates/bigbang/saml.yaml b/chart/templates/bigbang/saml.yaml index a03b1ab..3224f3a 100644 --- a/chart/templates/bigbang/saml.yaml +++ b/chart/templates/bigbang/saml.yaml @@ -3,7 +3,8 @@ apiVersion: batch/v1 kind: Job metadata: annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed creationTimestamp: null name: saml spec: diff --git a/chart/templates/bigbang/secret.yaml b/chart/templates/bigbang/secret.yaml index 6195fea..78c07b3 100644 --- a/chart/templates/bigbang/secret.yaml +++ b/chart/templates/bigbang/secret.yaml @@ -1,5 +1,12 @@ {{- if .Values.secret.enabled -}} -{{- if not (lookup "v1" "Secret" "" "{{ template 'nexus.name' . }}-secret") }} + +{{- $nexusAdminPass := (include "nexus.defaultAdminPassword" . | b64enc ) }} + +{{- if .Release.IsUpgrade }} +{{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (print (include "nexus.name" .) "-secret")) }} +{{- $nexusAdminPass = (index $adminPassSecret.data "admin.password") }} +{{- end }} + apiVersion: v1 kind: Secret metadata: 
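Review bot: The comment on the new `nexus.defaultAdminPassword` template in the _helpers.tpl hunk says "Return Nexus default admin password", but its body is `{{ randAlphaNum 12 }}`, so every render yields a different value and nothing in the helper persists it; stability comes only from the caller in secret.yaml. A comment that states this contract, e.g. `Generate a random 12-character alphanumeric admin password. A new value is produced on every render, so callers must persist it (see secret.yaml).`, would stop the next reader from calling it twice and expecting the same result.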
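Review bot: The added `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed` in the proxy.yaml hunk deletes the Job, and with it the only pod logs, the moment it fails, so a proxy configuration that breaks on upgrade leaves nothing for `kubectl logs` to inspect. `before-hook-creation` already guarantees a stale Job is removed before the next run, so `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` keeps successful runs tidy while leaving failed ones in place for diagnosis. The same annotation is added in the saml.yaml hunk of this patch and the same change applies there.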
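Review bot: In the secret.yaml hunk, the `.Release.IsUpgrade` branch evaluates `index $adminPassSecret.data "admin.password"` without checking that `lookup` found the Secret; `lookup` returns an empty map when the object is absent (deleted by hand, `secret.enabled` off at install time, or a `--dry-run`/`helm template` render, where lookup always returns empty), and indexing `.data` of an empty map raises a template error, so the upgrade aborts instead of falling back to a generated password. Guarding the assignment keeps the intent of the change while making the template total: `{{- if and $adminPassSecret $adminPassSecret.data }}` / `{{- $nexusAdminPass = (index $adminPassSecret.data "admin.password") }}` / `{{- end }}`. Note that on that fallback path the existing pods keep the old password while the Secret is regenerated, which is worth a comment next to the guard.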
@@ -12,7 +19,6 @@ metadata: {{- end }} {{- end }} data: - admin.password: {{ randAlphaNum 12 | b64enc | quote }} + admin.password: {{ $nexusAdminPass }} admin.username: YWRtaW4K -{{- end}} -{{- end}} +{{- end }} -- GitLab From f2228114caf4c9bc030d3df27f6bb3309236d30c Mon Sep 17 00:00:00 2001 From: Grant Duncklee Date: Thu, 3 Jun 2021 10:52:00 -0400 Subject: [PATCH 3/4] docs: add note regarding secret --- docs/README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/README.md b/docs/README.md index f734a30..5940712 100644 --- a/docs/README.md +++ b/docs/README.md @@ -28,6 +28,9 @@ on the pod. However, we are generating a random password via `randAlphaNum` and method allows us to overwrite the generated file containing the Nexus generated random password with a Kubernetes secret to enable programmatic ingestion. +If you change the admin user's password via the UI you also must update the secret. Failure to do so will result +in proxy/saml job failures on subsequent upgrades. + Ensure the following is present to enable the randomized Kubernetes password: ```bash # values.yaml @@ -44,9 +47,9 @@ secret: ``` ### License -We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 +We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64 encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl` -will create a named template and generate the appropriate secret within the namespace. The chart will reference the +will create a named template and generate the appropriate secret within the namespace. The chart will reference the license via a secret volumeMount to ensure the application starts licensed. ### NXRM Dependent Packages -- GitLab From 9d40a45d7683641d304f3ddf3e821367e423efc4 Mon Sep 17 00:00:00 2001 
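Review bot: `admin.password: {{ $nexusAdminPass }}` in the secret.yaml hunk drops the `| quote` that the replaced line carried; the value is base64 text, either from `b64enc` or copied from the existing Secret's `data`, and while that is usually a safe plain scalar, a digit-only or otherwise type-looking string would be parsed as a non-string and rejected by the API server. `admin.password: {{ $nexusAdminPass | quote }}` costs nothing and keeps both branches of the new logic consistent. Unrelated to this change but visible as context, `admin.username: YWRtaW4K` decodes to `admin` followed by a newline; worth confirming the Job scripts and any other consumers tolerate that.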
From: Grant Duncklee
Date: Mon, 14 Jun 2021 09:41:12 -0400
Subject: [PATCH 4/4] update chart tag version to 4

---
 chart/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index b6173cf..6b6189e 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nexus-repository-manager
-version: 29.1.0-bb.2
+version: 29.1.0-bb.4
 appVersion: 3.29.0
 description: Sonatype Nexus Repository Manager - Universal Binary repository
 type: application
--
GitLab