feature: adding baseline chart templates

README.md

-# nexus-iq
+# Sonatype Nexus IQ
 
+Monitoring and notifications of open source vulnerabilities
+
+This chart was sourced from
+[Sonatype's Helm Charts.](https://github.com/sonatype/helm3-charts) with
+minimal changes.
+
+## Prerequisites
+
+- Kubernetes Cluster deployed
+- Kubernetes config installed in ~/.kube/config
+- Helm installed
+
+## Iron Bank
+
+You can `pull` the Iron Bank image [here](https://registry1.dso.mil/harbor/projects/3/repositories/sonatype%2Fnexus-iq-server%2Fnexus-iq-server) and view the container approval [here](https://ironbank.dso.mil/repomap/sonatype/nexus-iq-server).
+
+## Helm
+
+Please reference complete list of providable variables
+[here](https://github.com/sonatype/helm3-charts/tree/master/charts/nexus-iq#chart-configuration-options)
+
+```bash
+git clone https://repo1.dso.mil/platform-one/big-bang/apps/third-party/nexus-iq.git
+helm install nexus-iq chart
+```

chart/Chart.yaml

+apiVersion: v2
+name: nexus-iq-server
+
+version: 103.0.1-bb.0
+appVersion: 1.103.0
+
+type: application
+
+keywords:
+  - sonatype
+  - nexus
+  - lifecycle
+  - iq
+  - remediate
+  - vulnerabilities
+  - policy
+home: https://www.sonatype.com/product-nexus-lifecycle
+icon: https://sonatype.github.io/helm3-charts/NexusIQServer_Vertical.svg
+maintainers:
+  - email:  support@sonatype.com
+    name: Sonatype

chart/templates/NOTES.txt

+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "iqserver.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "iqserver.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "iqserver.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.appliocationPort }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "iqserver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8070 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8070:8070
+{{- end }}
+

chart/templates/_helpers.tpl

+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "iqserver.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "iqserver.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "iqserver.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "iqserver.labels" -}}
+app.kubernetes.io/name: {{ include "iqserver.name" . }}
+helm.sh/chart: {{ include "iqserver.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "iqserver.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "iqserver.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "iqserver.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "iqserver.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

chart/templates/bigbang/virtualservice.yaml

+{{- if .Values.istio.enabled -}}
+{{- $serviceName := include "iqserver.fullname" . -}}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: {{ template "iqserver.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "iqserver.name" . }}
+    helm.sh/chart: {{ include "iqserver.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: nexus-iq-server
+    app.kubernetes.io/component: {{ include "iqserver.name" . }}
+spec:
+  gateways:
+    - main.istio-system.svc.cluster.local
+  hosts:
+    - "nexus-iq-server.{{ .Values.hostname }}"
+  http:
+    - route:
+        - destination:
+            port:
+              number: {{ .Values.iq.applicationPort }}
+            host: {{ $serviceName }}
+    - route:
+        - destination:
+            port:
+              number: {{ .Values.iq.adminPort }}
+            host: {{ $serviceName }}
+{{- end }}

chart/templates/configmap.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "iqserver.fullname" . }}-conf
+  labels:
+{{ include "iqserver.labels" . | indent 4 }}
+    {{- if .Values.iq.extraLabels }}
+      {{- with .Values.iq.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+  config.yml: |
+{{ toYaml .Values.configYaml | indent 4 }}

chart/templates/deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "iqserver.fullname" . }}
+  labels:
+    {{- include "iqserver.labels" . | nindent 4 }}
+    {{- if .Values.iq.extraLabels }}
+      {{- with .Values.iq.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  strategy:
+    type: {{ .Values.deploymentStrategy }}
+  selector:
+    matchLabels:
+      {{- include "iqserver.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "iqserver.selectorLabels" . | nindent 8 }}
+    spec:
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ include "iqserver.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+{{ toYaml .Values.iq.env | indent 12 }}
+          ports:
+            - name: application
+              containerPort: {{ .Values.iq.applicationPort }}
+              protocol: TCP
+            - name: admin
+              containerPort: {{ .Values.iq.adminPort }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: admin
+          readinessProbe:
+            httpGet:
+              path: /
+              port: application
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /sonatype-work
+              name: nxiq-pv-data
+            - mountPath: /etc/nexus-iq-server
+              name: config-volume
+  {{- if .Values.iq.licenseSecret }}
+            - mountPath: /etc/nexus-iq-license
+              name: license-volume
+  {{- end }}
+      volumes:
+        - name: nxiq-pv-data
+          persistentVolumeClaim:
+            claimName: {{ template "iqserver.fullname" . }}-data
+        - name: config-volume
+          configMap:
+            name: {{ template "iqserver.fullname" . }}-conf
+            items:
+              - key: config.yml
+                path: config.yml
+  {{- if .Values.iq.licenseSecret }}
+        - name: license-volume
+          secret:
+            secretName: {{ template "iqserver.fullname" . }}-license
+  {{- end }}
+        {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}

chart/templates/image-pull-secret.yaml

+{{- if .Values.iq.imagePullSecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "iqserver.fullname" . }}-imagepull
+data:
+  .dockerconfigjson: {{ .Values.iq.imagePullSecret }}
+
+type: kubernetes.io/dockerconfigjson
+{{- end }}
\ No newline at end of file

chart/templates/ingress.yaml

+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "iqserver.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- $ingressPath := .Values.ingress.path -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "iqserver.labels" . | nindent 4 }}
+    {{- if .Values.iq.extraLabels }}
+      {{- with .Values.iq.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+      - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.hostUI }}
+      http:
+        paths:
+          - path: {{ .Values.ingress.hostUIPath }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: 8070
+    - host: {{ .Values.ingress.hostAdmin }}
+      http:
+        paths:
+          - path: {{ .Values.ingress.hostAdminPath }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: 8071
+{{- end }}

chart/templates/licenseSecret.yaml

+{{- if .Values.iq.licenseSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "iqserver.fullname" . }}-license
+data:
+  license_lic: {{ .Values.iq.licenseSecret }}
+{{- end }}

chart/templates/persistentVolume.yaml

+{{- if .Values.persistence.volumeConfiguration -}}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ template "iqserver.fullname" . }}-data
+  labels:
+    {{- include "iqserver.labels" . | nindent 4 }}
+    {{- if .Values.iq.extraLabels }}
+      {{- with .Values.iq.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode }}
+  capacity:
+    storage: {{ .Values.persistence.storageSize }}
+  persistentVolumeReclaimPolicy: Recycle
+{{ toYaml .Values.persistence.volumeConfiguration | indent 2 }}
+{{- end }}

chart/templates/persistentVolumeClaim.yaml

+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "iqserver.fullname" . }}-data
+  labels:
+    {{- include "iqserver.labels" . | nindent 4 }}
+    {{- if .Values.iq.extraLabels }}
+      {{- with .Values.iq.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+  {{- if .Values.persistence.annotations }}
+annotations:
+  {{ toYaml .Values.persistence.annotations | indent 2 }}
+  {{- end }}
+spec:
+  {{- if .Values.persistence.storageClass }}
+  {{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+  {{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+  {{- end }}
+  {{- end }}
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.storageSize | quote }}

chart/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "iqserver.fullname" . }}
+  labels:
+    {{- include "iqserver.labels" . | nindent 4 }}
+    {{- if .Values.iq.extraLabels }}
+      {{- with .Values.iq.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: 8070
+      targetPort: application
+      protocol: TCP
+      name: application
+    - port: 8071
+      targetPort: admin
+      protocol: TCP
+      name: admin
+  selector:
+    {{- include "iqserver.selectorLabels" . | nindent 4 }}

chart/templates/serviceaccount.yaml

+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "iqserver.serviceAccountName" . }}
+  labels:
+    {{- include "iqserver.labels" . | nindent 4 }}
+    {{- if .Values.iq.extraLabels }}
+      {{- with .Values.iq.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

chart/templates/tests/test-connection.yaml

+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "iqserver.fullname" . }}-test-connection"
+  labels:
+    {{- include "iqserver.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "iqserver.fullname" . }}:{{ .Values.iq.applicationPort }}']
+  restartPolicy: Never

chart/values.yaml

+# Default values for iqserver.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Big Bang Additions
+hostname: bigbang.dev
+istio:
+  enabled: true
+
+#namespaceOverride: nexus
+replicaCount: 1
+image:
+  repository: registry1.dso.mil/ironbank/sonatype/nexus-iq-server/nexus-iq-server
+  tag: latest
+  pullPolicy: IfNotPresent
+
+iq:
+  name: nxiq
+  hostname: iq-server.demo
+  applicationPort: 8070
+  adminPort: 8071
+  memory: 1Gi
+  # base 64 encoded license file with no line breaks
+  licenseSecret: ""
+  # add this line with this file path and the `licenseSecret` above to autoconfigure licensing
+  # licenseFile: /etc/nexus-iq-license/license_lic
+  extraLabels:
+  env:
+    - name: JAVA_OPTS
+      value: "-Djava.util.prefs.userRoot=${SONATYPE_WORK}/javaprefs"
+
+
+deploymentStrategy: Recreate
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: "nexus-iq"
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: "ClusterIP"
+  port: 80
+
+ingress:
+  enabled: true
+  annotations: {kubernetes.io/ingress.class: nginx}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hostUI: iq-server.demo
+  hostUIPath: /
+  hostAdmin: admin.iq-server.demo
+  hostAdminPath: /
+
+  tls: []
+    # - secretName: nexus-local-tls
+    #   hosts:
+    #     - iqserver.local
+    #     - admin.iqserver.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+persistence:
+  accessMode: ReadWriteOnce
+  ## If defined, storageClass: <storageClass>
+  ## If set to "-", storageClass: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClass spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  # storageClass: "-"
+  storageSize: 1Gi
+  # existingClaim:
+  # annotations:
+  #  "helm.sh/resource-policy": keep
+  ## Configure the volume type.
+  # volumeConfiguration:
+  #   hostPath:
+  #     path: /data/nxiq/
+
+# configYaml is the full text of the config.yml file that will be passed to IQ Server
+configYaml:
+  baseUrl: http://iq-server.demo
+  sonatypeWork: /sonatype-work
+  server:
+    applicationConnectors:
+      - type: http
+        port: 8070
+    adminConnectors:
+      - type: http
+        port: 8071
+    # HTTP request log settings.
+    requestLog: 
+      appenders:
+        #All appenders set to console
+        - type: console    
+          # Do not display log statements below this threshold to stdout.
+          threshold: INFO
+          logFormat: "%clientHost %l %user [%date] \"%requestURL\" %statusCode %bytesSent %elapsedTime \"%header{User-Agent}\""
+  
+  createSampleData: true
+
+  logging:
+
+    # The default level of all loggers. Can be OFF, ERROR, WARN, INFO, DEBUG, TRACE, or ALL.
+    level: ERROR
+
+    # Logger-specific settings.
+    loggers:
+      "com.sonatype.insight.scan": INFO
+      "eu.medsea.mimeutil.MimeUtil2": INFO
+      "org.apache.http": INFO
+      "org.apache.http.wire": ERROR
+      "org.eclipse.birt.report.engine.layout.pdf.font.FontConfigReader": WARN
+      "org.eclipse.jetty": INFO
+      "org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter": INFO   # WARNING: This reveals credentials at DEBUG level
+      "com.sonatype.insight.audit":
+        appenders:
+          #All appenders set to console
+          - type: console
+    
+            # Do not display log statements below this threshold to stdout.
+            threshold: INFO
+
+      "com.sonatype.insight.policy.violation":
+        appenders:
+          - type: console
+    
+            # Do not display log statements below this threshold to stdout.
+            threshold: INFO
+
+    appenders:
+  
+      # Settings for logging to stdout.
+      - type: console
+    
+        # Do not display log statements below this threshold to stdout.
+        threshold: INFO
+      
+        logFormat: "%d{'yyyy-MM-dd HH:mm:ss,SSSZ'} %level [%thread] %X{username} %logger - %msg%n"